Cisco Support Community
Network-Based Application Recognition (NBAR)


Network Based Application Recognition (NBAR) is a Cisco IOS technology that performs deep packet inspection on network traffic to identify the applications involved. You can think of NBAR as a powerful application-layer classifier that may already be installed on your Cisco router. Most routers only look at traffic at Layer 3; with NBAR, a router can also look at Layers 4 through 7, because NBAR examines the whole packet, including the headers and part of the payload, to classify the application. NBAR works together with QoS (Quality of Service), letting the network provide differentiated service to each recognized application.

NBAR uses Packet Description Language Modules (PDLMs). A PDLM contains the rules by which NBAR recognizes an application during packet inspection: NBAR analyzes each packet and compares it against the rules in the PDLM, and if the rules are met, NBAR recognizes and classifies the application. Additional PDLM files can be downloaded from Cisco. To learn more about downloading and installing a PDLM, refer to the Packet Description Language Module document.

Configuration Example:

Here are some example configurations for Cisco devices.


Example 1:

Router(config)#class-map match-any http_filter
Router(config-cmap)#match protocol http url "*.ida*"
Router(config-cmap)#match protocol http url "*cmd.exe*"
Router(config-cmap)#match protocol http url "*root.exe*"
Router(config-cmap)#match protocol http url "*readme.eml*"


Once the router is configured with the class map above, the NBAR engine performs deep packet analysis on traffic passing through the router interface. Traffic that matches the class can then be filtered with an access list, or policy-based routing can be applied to it so that infected hosts can be monitored.
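To make the match-any semantics of Example 1 concrete, here is an added Python model (not code from the Cisco page) that classifies HTTP request URLs against the same four URL globs. The request lines are constructed sample data, not real logs, and the simplified "client method url" format is an assumption made for the example. It also shows the follow-on step the text describes: collecting the hosts that hit the class so an administrator can target them with an access list or policy-based routing.

```python
"""Added example: a small model of `class-map match-any http_filter`
with `match protocol http url "<glob>"` entries. Not Cisco's code."""
import fnmatch
from typing import Iterable, List, Optional, Tuple

# The URL globs from Example 1, exactly as written in the class-map.
HTTP_FILTER_GLOBS = ["*.ida*", "*cmd.exe*", "*root.exe*", "*readme.eml*"]

# Constructed sample request lines (assumed format: "<client> <method> <url>").
SAMPLE_REQUESTS = [
    "10.0.0.5 GET /index.html",
    "10.0.0.7 GET /default.ida?XXXX",
    "10.0.0.9 GET /scripts/root.exe?/c+dir",
    "10.0.0.9 GET /c/winnt/system32/cmd.exe?/c+dir",
    "10.0.0.11 GET /readme.eml",
    "10.0.0.12 GET /docs/ida-guide.html",  # contains "ida" but not ".ida": no match
]


def first_matching_glob(url: str, globs: Iterable[str]) -> Optional[str]:
    """match-any semantics: the URL belongs to the class if ANY glob matches.

    '*' matches any run of characters, as in the class-map. Matching is done
    case-sensitively with fnmatchcase; the real engine's case handling is
    not modeled here (assumption of this example).
    """
    for glob in globs:
        if fnmatch.fnmatchcase(url, glob):
            return glob
    return None


def classify_requests(lines: Iterable[str],
                      globs: Iterable[str] = HTTP_FILTER_GLOBS
                      ) -> List[Tuple[str, str, Optional[str]]]:
    """Return (client, url, matched_glob_or_None) for each request line."""
    results = []
    for line in lines:
        client, _method, url = line.split(" ", 2)
        results.append((client, url, first_matching_glob(url, globs)))
    return results


def suspect_hosts(lines: Iterable[str],
                  globs: Iterable[str] = HTTP_FILTER_GLOBS) -> List[str]:
    """Hosts with at least one request in the class: the set an administrator
    would filter with an ACL or steer with policy-based routing for monitoring."""
    return sorted({client for client, _url, glob in classify_requests(lines, globs) if glob})


if __name__ == "__main__":
    for client, url, glob in classify_requests(SAMPLE_REQUESTS):
        print(f"{client:10} {url:40} -> {glob or 'no match'}")
    print("suspect hosts:", suspect_hosts(SAMPLE_REQUESTS))
```

Only the URL is inspected, so a request whose path merely contains "ida" (the last sample line) does not match "*.ida*", while a query string after the path does not prevent a match.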


Example 2:


This example shows how P2P traffic can be blocked with the help of NBAR.


class-map match-any OUTBOUND_TRAFFIC
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
 match protocol edonkey
 match protocol napster
 match protocol bittorrent
!
! The policy map drops everything that the class map above matches.
policy-map OUTBOUND
 class OUTBOUND_TRAFFIC
  drop
!
interface FastEthernet0/0
 ip address
 duplex auto
 speed auto
 service-policy output OUTBOUND


All P2P packets matching the class map are dropped as soon as they reach the outbound interface of the router.

Some verification commands:


To check a class map, use "sh class-map <class-map name>"

To check policy status, use "sh policy-map <policy-map name>"

To list the available NBAR show options:

R2#sh ip nbar ?
  filter                   Show current NBAR's filter criteria
  link-age                 Show protocol link age
  pdlm                     Show currently installed PDLMs (PDL modules)
  port-map                 Show StILE Protocol Port Map
  protocol-discovery       Show traffic classes and statistics
  resources                Show memory configuration for tracking Stateful
  unclassified-port-stats  Show NBAR's port statistics for unclassified packets
  version                  Show currently installed PDL Module Version Info


Base Initial configuration:



Related Information:

Network Based Application Recognition Performance Analysis

Network-Based Application Recognition