match protocol command

WILLIAM STEGMAN
Level 4

My setup includes a hub location housing business-critical apps. I'm creating class maps at remote locations that include the match protocol command for various URLs and Citrix traffic for Citrix servers and web apps at the central hub site. That seems clear enough, but can I use the same match protocol commands at the hub for the return traffic? I want the return traffic from my servers that was initiated by remote locations to be classified and given special treatment on my outbound WAN interface. Will match protocol work, or should I use an access-list with the central hub site servers as the source and various remote site subnets as the destination?

thank you,

Bill

Accepted Solution

Joseph W. Doherty
Hall of Fame

Either will work, much depends on which you think is a better way to match your traffic.

NBAR protocol match, often, although not always, is the same as having an ACL that matches against known ports.

If you wanted to match ALL traffic to/from a host or hosts, traditional ACLs with addresses would probably be best.

If you want to match just a particular type of traffic, and it uses fixed ports, you could again use an ACL or perhaps NBAR.

If you want to match against a particular type of traffic, to/from a host or hosts, you could use just an ACL, or an ACL AND match protocol.

There are a couple of things NBAR protocol matching can do that you can't do with ordinary ACLs. NBAR supports some stateful protocols and occasionally additional analysis into the packets. For instance, later NBAR versions can look at the Citrix type code, e.g. a "screen scraping" packet vs. a remote printer packet. The former you're likely to want to treat well, the latter, not as much so.

PS:

In the 12.4 version of NBAR, you can name custom protocol matchers. I'll often use it to make the config easier to understand than an ACL just matching against a port number.

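The hub-side configuration the accepted answer describes, written out as an added example (it is not from the thread or from Cisco's documentation): an extended ACL with the hub servers as source and the remote subnets as destination, a named NBAR custom matcher instead of a bare port number, and a class that combines the ACL with `match protocol citrix` so only the interactive ICA traffic gets the priority queue. All addresses, subnets, port numbers, class and policy names and the interface name are assumptions for illustration.

```cisco
! Added example, not from the original thread. Server addresses, remote
! subnets, port 8443, and Serial0/0 are assumptions for illustration.
!
! NBAR classification requires CEF switching.
ip cef
!
! Option 1 from the answer: a plain ACL. On the hub's outbound WAN
! interface the return packets carry the hub server as SOURCE, so the
! source port (eq 1494 etc.) is written after the source address.
ip access-list extended HUB-SERVERS-TO-REMOTES
 remark Citrix ICA (1494) and session reliability (2598) from the Citrix server
 permit tcp host 10.10.10.5 eq 1494 10.20.0.0 0.0.255.255
 permit tcp host 10.10.10.5 eq 2598 10.20.0.0 0.0.255.255
 remark HTTPS from the web-app server
 permit tcp host 10.10.10.6 eq 443 10.20.0.0 0.0.255.255
!
! Option 2 from the answer: a named custom NBAR matcher (12.3(4)T and
! later) for an internal app on a fixed port. The name, not the number,
! then appears in the class-map, which is the readability point in the PS.
ip nbar custom HUB-ERP-APP tcp 8443
!
! "ACL AND match protocol": match-all requires both. The ACL restricts
! the class to flows that really come from the hub Citrix server; ica-tag 0
! keeps only the interactive (screen update) ICA packets. Printing traffic
! (ica-tag 3) does not match and falls through to class-default.
class-map match-all HUB-CITRIX-INTERACTIVE
 match access-group name HUB-SERVERS-TO-REMOTES
 match protocol citrix ica-tag 0
!
! Web apps: the custom matcher plus an HTTP URL match, either one suffices.
class-map match-any HUB-WEBAPPS
 match protocol HUB-ERP-APP
 match protocol http url *webapp*
!
! Low-latency queue for interactive Citrix, guaranteed bandwidth for the
! web apps, fair queuing for everything else.
policy-map WAN-OUT
 class HUB-CITRIX-INTERACTIVE
  priority percent 20
 class HUB-WEBAPPS
  bandwidth percent 30
 class class-default
  fair-queue
!
! Apply outbound on the hub's WAN interface toward the remote sites.
! protocol-discovery is optional; it only enables the per-protocol counters.
interface Serial0/0
 description WAN toward remote sites
 ip nbar protocol-discovery
 service-policy output WAN-OUT
```

Verify which class the return traffic actually lands in with `show policy-map interface Serial0/0` (per-class packet and match counters) and, with protocol-discovery enabled, `show ip nbar protocol-discovery interface Serial0/0`. Two caveats a practitioner should check before relying on this: the `ica-tag` split only separates screen updates from printing when the Citrix side is actually tagging ICA priority packets, otherwise all ICA lands in one bucket and the class should drop the `ica-tag` keyword; and the ACL variant only sees what its address and port lines list, so a server added later, or Citrix moving to a non-default port, silently falls into class-default until the ACL is updated.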

3 Replies

spremkumar
Level 9

Hi,

Since you have the option of knowing your server IP address, you can make use of an access-list in place of protocol match.

Regs

Thank you. It looks like NBAR is able to recognize traffic from my servers at the central location (I did some practical testing) and is fulfilling my current needs. It seemed a little unclear whether or not NBAR would recognize return traffic, but that seems apparent now.
