Sup720/MSFC3/PFC3B does not support NBAR

May 29th, 2007

I have been told that Sup720/MSFC3/PFC3B supports NBAR only on FlexWAN and SIP modules. It does not support NBAR on VLAN or tunnel interfaces. Can someone please confirm this?


I find it hard to believe that Sup720/MSFC3/PFC3B does not support NBAR on VLAN and mGRE tunnel interfaces.

Amit Singh Tue, 05/29/2007 - 06:05
User Badges:
  • Cisco Employee,

Hello,


NBAR is supported on VLAN interfaces but not supported on LAN, i.e. Layer 2, interfaces on the Cat6K. It is also not supported on interfaces where tunneling or encryption is used, which means that it will not be supported on mGRE interfaces.


Please see the supported links below:


http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134add.html#wp1030301


http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/ol_4164.htm#wp25624


HTH. Please rate if it does.


-amit singh

pppyyyppp Tue, 05/29/2007 - 06:14

Hi,


I would like to confirm further.


If I have an SVI as follows:


int vlan 101
 ip address 10.1.1.1 255.255.255.0
 ip nbar protocol-discovery


Can you confirm whether an SVI (as shown above) supports NBAR? I have been told that NBAR is not supported on SVI, tunnel and routed interfaces.


Thus, I have been told that the following interfaces are not supported for NBAR (can you help me confirm):


int vlan 100
 ip address 10.1.1.1 255.255.255.0
 ip nbar protocol-discovery (told by TAC this is not supported too)

int tunnel 100
 ip address 20.1.1.1 255.255.255.0
 ip nbar protocol-discovery (told by TAC this is not supported too)

int gig1/3
 no switchport
 ip address 30.1.1.1 255.255.255.0
 ip nbar protocol-discovery (told by TAC this is not supported too)


Amit Singh Tue, 05/29/2007 - 06:30
User Badges:
  • Cisco Employee,

Hello,



All the options listed above do not support NBAR in hardware. The tunnel interface listed does not support NBAR at all. See the NBAR IOS restrictions in the links pasted above.


When NBAR is enabled on a Catalyst 6000 without a FlexWAN module interface, all traffic flows entering or leaving the NBAR-enabled interface will be processed in software on the Multilayer Switch Feature Card. See this restriction in the links pasted above.


The NBAR config will force all packets to be forwarded to the MSFC and software switched. The result may very well be a performance impact on the box (since packets are now being switched in software as opposed to hardware). The Cisco recommendation is to only enable NBAR on FlexWAN interfaces with SUP720. With the traffic classification in software, you will see a lot of traffic throughput issues, and that's why it's not recommended to use NBAR without the FlexWAN module.


HTH. Please rate if it does.


-amit singh
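
The restrictions described in the reply above can be checked against a saved configuration. The following is an added example, not part of the original thread or any Cisco tool: it lists interfaces with `ip nbar protocol-discovery` and labels each with the behaviour stated in the thread. The sample config is constructed, and `flexwan_slots` is a hypothetical operator-supplied parameter.

```python
import re

# Constructed sample, modelled on the interface stanzas quoted in this thread.
SAMPLE_CONFIG = """\
interface Vlan100
 ip address 10.1.1.1 255.255.255.0
 ip nbar protocol-discovery
!
interface Tunnel100
 ip address 20.1.1.1 255.255.255.0
 ip nbar protocol-discovery
!
interface GigabitEthernet1/3
 no switchport
 ip address 30.1.1.1 255.255.255.0
 ip nbar protocol-discovery
!
interface Serial4/0/0
 ip address 40.1.1.1 255.255.255.252
 ip nbar protocol-discovery
"""

IFACE_RE = re.compile(r"\s*int(?:erface)?\s+(.+)", re.IGNORECASE)

def classify(name, flexwan_slots):
    """Map an interface name to the behaviour described in the thread."""
    if name.lower().startswith("tu"):
        return "unsupported"  # tunnel interfaces: no NBAR at all
    slot = re.search(r"(\d+)/", name)
    if slot and int(slot.group(1)) in flexwan_slots:
        return "flexwan"  # the only placement the thread recommends
    return "software"  # all traffic sent to the MSFC and software switched

def audit_nbar(config, flexwan_slots=()):
    """Return [(interface, verdict)] for interfaces with NBAR discovery enabled."""
    # flexwan_slots is an assumption supplied by the operator: the config
    # text alone does not say which slots hold FlexWAN modules.
    findings, current = [], None
    for line in config.splitlines():
        match = IFACE_RE.match(line)
        if match:
            current = match.group(1).replace(" ", "")
        elif line.strip() == "!":
            current = None  # end of the interface stanza
        elif current and line.strip().lower().startswith("ip nbar protocol-discovery"):
            findings.append((current, classify(current, flexwan_slots)))
    return findings

print(audit_nbar(SAMPLE_CONFIG, flexwan_slots={4}))
```

Interfaces reported as `software` are the ones where enabling NBAR moves forwarding onto the MSFC, so they are the ones to review before deployment.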

pppyyyppp Tue, 05/29/2007 - 10:55

Hi asingh2,


Can you check on the following:


1. For Sup2/MSFC2/PFC2, with ip nbar protocol-discovery on SVI (interface VLAN x, ip address 1.1.1.1) and routed interface (interface gig1/2, no switchport, ip address 2.2.2.2), is it supported by hardware? If so, PFC2 worked better than PFC3/PFC3B/PFC3BXL as it can do ip nbar protocol-discovery in hardware (without having to use FlexWAN).


2. Will there be an enhancement with the next IOS so that ip nbar protocol-discovery can be supported natively by PFC3/PFC3B/PFC3BXL on SVI and routed port?


pppyyyppp Tue, 05/29/2007 - 22:44

Can someone advise on the following:


1. For Sup2/MSFC2/PFC2, with ip nbar protocol-discovery on SVI (interface VLAN x, ip address 1.1.1.1) and routed interface (interface gig1/2, no switchport, ip address 2.2.2.2), is it supported by hardware? If so, PFC2 worked better than PFC3/PFC3B/PFC3BXL as it can do ip nbar protocol-discovery in hardware (without having to use FlexWAN).


2. Will there be an enhancement with the next IOS so that ip nbar protocol-discovery can be supported natively by PFC3/PFC3B/PFC3BXL on SVI and routed port? Or does the Sup720/PFC3B/MSFC3 itself not have the required hardware to support ip NBAR?

Amit Singh Wed, 05/30/2007 - 05:08
User Badges:
  • Cisco Employee,

Hello,


No, Sup2/MSFC2/PFC2 does not support it in hardware. Without a FlexWAN module it is only supported in software, the same way we discussed for Sup720.


As I said, it is supported in software only, but I think there is a hardware limitation on Sup-720 right now to support it in hardware. I know that the new Sup-32 is coming with a PISA card which supports NBAR in hardware. I can check for Sup720 support and update you accordingly.


HTH. Please rate if it does.


-amit singh
