Cisco Support Community

New Member

match protocol command

My setup includes a hub location housing business critical apps. I'm creating class maps at remote locations that include the match protocol command for various URLs and Citrix traffic for Citrix servers and webapps at the central hub site. That seems clear enough, but can I use the same match protocol commands at the hub for the return traffic? I want the return traffic from my servers that was initiated by remote locations to be classified and given special treatment on my outbound WAN interface. Will match protocol work, or should I use an access-list with the central hub site servers as the source and various remote site subnets as the destination?

thank you,

Bill

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Re: match protocol command

Either will work, much depends on which you think is a better way to match your traffic.

NBAR protocol match, often, although not always, is the same as having an ACL that matches against known ports.

If you wanted to match ALL traffic to/from a host or hosts, traditional ACLs with addresses would probably be best.

If you want to match just a particular type of traffic, and it uses fixed ports, you could again use an ACL or perhaps NBAR.

If you want to match against a particular type of traffic, to/from a host or hosts, you could use just an ACL, or an ACL AND match protocol.

There are a couple of things NBAR protocol matching can do that you can't do with ordinary ACLs. NBAR supports some stateful protocols and occasionally additional analysis into the packets. For instance, later NBAR versions can look at the Citrix type code, e.g. "screen scraping" packet vs. remote printer packet. The former you're likely to want to treat well, the latter, not as much so.

PS:

In the 12.4 version of NBAR, you can name custom protocol matchers. I'll often use it to make the config easier to understand than an ACL just matching against a port number.
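A hub-side configuration sketch of the three options this reply describes (an address-only ACL, an ACL ANDed with match protocol in a match-all class, and a named custom NBAR protocol), added here as an illustration and not taken from the thread. The class names, addresses, ports and interface are constructed assumptions, and the `ica-tag` keyword needs an IOS/NBAR version that decodes the Citrix priority tag.

```cisco
! Constructed example: hub servers in 10.1.1.0/24, remote sites inside 10.20.0.0/16.
! Return traffic leaves the hub on the WAN link, so the servers are the SOURCE
! here (the reverse of the class-maps applied at the remote sites).
ip access-list extended HUB-SERVERS-TO-REMOTES
 permit ip 10.1.1.0 0.0.0.255 10.20.0.0 0.0.255.255

! Option 1: address-only match. Catches everything the servers send to remotes.
class-map match-all SERVER-RETURN-ANY
 match access-group name HUB-SERVERS-TO-REMOTES

! Option 2: ACL AND protocol. match-all requires every line to be true, so only
! Citrix ICA from the servers to the remotes lands here; ica-tag 0 narrows it to
! the highest-priority ICA traffic (screen updates) on versions that decode it.
class-map match-all CITRIX-SCREEN-RETURN
 match access-group name HUB-SERVERS-TO-REMOTES
 match protocol citrix ica-tag 0

! Option 3: a named custom NBAR protocol (12.4 and later) for a web app on a
! non-standard port; the name documents intent better than a bare port ACL.
ip nbar custom webapp tcp 8443
class-map match-all WEBAPP-RETURN
 match access-group name HUB-SERVERS-TO-REMOTES
 match protocol webapp

! Specific classes first: SERVER-RETURN-ANY is a superset of the other two and
! would swallow their traffic if it were listed above them.
policy-map WAN-OUT
 class CITRIX-SCREEN-RETURN
  priority percent 20
 class WEBAPP-RETURN
  bandwidth percent 30
 class SERVER-RETURN-ANY
  bandwidth percent 20
 class class-default
  fair-queue

! Outbound on the hub WAN link; check counters per class with
!   show policy-map interface Serial0/0/0
interface Serial0/0/0
 service-policy output WAN-OUT
```

If the Citrix or webapp classes show zero matches in `show policy-map interface`, the match-all class is failing on one of its two lines; test the ACL and the protocol match in separate classes to see which.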

3 REPLIES

Re: match protocol command

hi

Since you have the option of knowing your server IP address, you can make use of an access-list in place of protocol match.

regs


New Member

Re: match protocol command

Thank you. It looks like NBAR is able to recognize traffic from my servers at the central location (I did some practical testing) and is fulfilling my current needs. It seemed a little unclear whether or not NBAR would recognize return traffic, but that seems apparent now.
