Do I need nbar to match protocol ipsec

bwilks · ‎03-11-2014

I have this working and it apears to work. My question is why/how is it working without nbar?

I don't have nbar turned on (and do not whish to) yet it matches protocol ipsec.

This is what I have setup and the goal is;

1. Not drop ipsec traffic from another site (other site cannot send above 2 mbs)

2. Police/drop Internet traffic above 7mbs

Here are the relevent parts of the config

class-map match-any VPN-TRAFFIC
match protocol ipsec

policy-map POLICING-INBOUND
class VPN-TRAFFIC
police cir 2048000 bc 16000
conform-action transmit
exceed-action transmit
class class-default
police cir 7000000 bc 35000
conform-action transmit
exceed-action drop

gw02-bri#sh policy-map interface fastEthernet 0 input
FastEthernet0

Service-policy input: POLICING-INBOUND

Class-map: VPN-TRAFFIC (match-any)
425219 packets, 63348450 bytes
5 minute offered rate 50000 bps, drop rate 0 bps
Match: protocol ipsec
425219 packets, 63348450 bytes
5 minute rate 50000 bps
police:
cir 2048000 bps, bc 16000 bytes
conformed 422778 packets, 33427396 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
transmit
conformed 24000 bps, exceed 0 bps

Class-map: class-default (match-any)
186956 packets, 18883012 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
police:
cir 7000000 bps, bc 35000 bytes
conformed 183754 packets, 18679510 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps

gw02-bri#sh ru | include nbar
gw02-bri#sh ip nbar protocol-discovery interface fastEthernet 0

both show no detail on nbar as it is not in the config.

Thanks

mhnedirli · ‎03-11-2014

Hello,

You need to enable ip nbar protocol-discovery under interface configuration which you want to collect statistics. In your configuration you are classifying so you cant see protocol statistics.

bwilks · ‎03-11-2014

Hi Mhnedirl thanks for your input,

I don't need to see the satistics.

I did some of the configuration with Cisco Configuration Professions and it gives me this message.below.

"The QOS policy POLICING-INBOUND is using NBAR protocols for
classification but one or more interfaces that uses this policy is not
enabled with NBAR. Do you want to enable NBAR on those interfaces?"

My question is how can it work without nbar? It looks like it is working and in testing it appears to work.

Joseph W. Doherty · ‎03-11-2014

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

You misunderstand all NBAR features. Your class-map, using match protocol, is using NBAR.

NBAR protcol discovery is an optional feature to tally statistics based on NBAR classification.

bwilks · ‎03-11-2014

Ok thanks,

To clarify for my benift, then NBAR is active by default as I have no NBAR comand in the config?

NBAR protocol discovery, I would need to appy it to an interface (config-if)#ip nbar protocol-discovery to see the statistcs?

Joseph W. Doherty · ‎03-12-2014

yep