match protocol command

Answered Question
Sep 10th, 2007

My setup includes a hub location housing business-critical apps. I'm creating class maps at remote locations that include the match protocol command for various URLs and Citrix traffic for Citrix servers and web apps at the central hub site. That seems clear enough, but can I use the same match protocol commands at the hub for the return traffic? I want the return traffic from my servers that was initiated by remote locations to be classified and given special treatment on my outbound WAN interface. Will match protocol work, or should I use an access-list with the central hub site servers as the source and various remote site subnets as the destination?


thank you,


Bill

Correct Answer by Joseph W. Doherty about 9 years 8 months ago

Either will work, much depends on which you think is a better way to match your traffic.


NBAR protocol match is often, although not always, the same as having an ACL that matches against known ports.


If you wanted to match ALL traffic to/from a host or hosts, traditional ACLs with addresses would probably be best.


If you want to match just a particular type of traffic, and it uses fixed ports, you could again use an ACL or perhaps NBAR.


If you want to match against a particular type of traffic, to/from a host or hosts, you could use just an ACL, or an ACL AND match protocol.


There are a couple of things NBAR protocol matching can do that you can't do with ordinary ACLs. NBAR supports some stateful protocols and occasionally additional analysis into the packets. For instance, later NBAR versions can look at the Citrix type code, e.g. a "screen scraping" packet vs. a remote printer packet. The former you're likely to want to treat well; the latter, not as much.


PS:

In the 12.4 version of NBAR, you can name custom protocol matchers. I'll often use it to make the config easier to understand than an ACL just matching against a port number.

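The three matching styles discussed above (NBAR match protocol, an ACL keyed on hub server addresses, and a named custom NBAR protocol), applied outbound on the hub WAN interface, as an added IOS configuration example that is not from the original thread. Server addresses, remote subnets, the URL pattern, the custom port, class and policy names and the interface are all constructed for illustration; the `ica-tag` keyword is assumed to be available on the NBAR version in use.

```cisco
! Hub router, outbound toward the remote sites. Addresses below are constructed.
! Option A: NBAR protocol matching, the same matchers used at the remote sites.
! NBAR classifies the return flow of a session it has recognized, so these work
! for server-to-remote traffic as well.
class-map match-any REMOTE-CRITICAL-NBAR
 match protocol http url "*/webapp/*"
 match protocol citrix
!
! Citrix ICA priority tag 0 is the interactive (screen) traffic worth favouring;
! printing rides on a lower-priority tag. Assumes ica-tag support in this IOS.
class-map match-all CITRIX-SCREEN
 match protocol citrix ica-tag 0
!
! Option B: plain ACL, hub servers as source, remote subnets as destination.
! 1494 = ICA, 2598 = Citrix session reliability (CGP); adjust to your servers.
ip access-list extended HUB-TO-REMOTE
 permit tcp host 10.1.1.10 10.2.0.0 0.0.255.255 eq 1494
 permit tcp host 10.1.1.10 10.2.0.0 0.0.255.255 eq 2598
 permit tcp host 10.1.1.11 10.2.0.0 0.0.255.255 eq www
!
class-map match-all REMOTE-CRITICAL-ACL
 match access-group name HUB-TO-REMOTE
!
! Option C: a named custom NBAR protocol (12.4) so the class reads as "WEBAPP"
! in show output instead of a bare port number in an ACL.
ip nbar custom WEBAPP-8080 tcp 8080
class-map match-any REMOTE-CRITICAL-CUSTOM
 match protocol WEBAPP-8080
!
! Only one class per packet matches; order the classes from most to least specific.
policy-map WAN-OUT
 class CITRIX-SCREEN
  bandwidth percent 20
 class REMOTE-CRITICAL-NBAR
  bandwidth percent 20
 class REMOTE-CRITICAL-CUSTOM
  bandwidth percent 10
 class class-default
  fair-queue
!
interface Serial0/0
 description WAN link to remote sites
 service-policy output WAN-OUT
```

Verify which class the return traffic actually lands in with `show policy-map interface Serial0/0` and `show ip nbar protocol-discovery` (after enabling `ip nbar protocol-discovery` on the interface) before trusting the policy.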
spremkumar Tue, 09/11/2007 - 20:07

Hi


Since you have the option of knowing your server IP address, you can make use of an access-list in place of protocol match.


regs



WILLIAM STEGMAN Thu, 09/13/2007 - 06:51

Thank you. It looks like NBAR is able to recognize traffic from my servers at the central location (I did some practical testing) and is fulfilling my current needs. It seemed a little unclear whether or not NBAR would recognize return traffic, but that seems apparent now.
