Cisco Support Community
Community Member

Do I need nbar to match protocol ipsec

I have this working and it appears to work. My question is why/how is it working without NBAR?

I don't have NBAR turned on (and do not wish to), yet it matches protocol ipsec.

This is what I have set up, and the goals are:

1. Not drop IPsec traffic from the other site (the other site cannot send above 2 Mbps)

2. Police/drop Internet traffic above 7 Mbps


Here are the relevant parts of the config (the policy-map and interface lines are taken from the show output below):

class-map match-any VPN-TRAFFIC
 match protocol ipsec
!
policy-map POLICING-INBOUND
 class VPN-TRAFFIC
  police cir 2048000 bc 16000
   conform-action transmit
   exceed-action transmit
 class class-default
  police cir 7000000 bc 35000
   conform-action transmit
   exceed-action drop
!
interface FastEthernet0
 service-policy input POLICING-INBOUND


gw02-bri#sh policy-map interface fastEthernet 0 input 

  Service-policy input: POLICING-INBOUND

    Class-map: VPN-TRAFFIC (match-any)
      425219 packets, 63348450 bytes
      5 minute offered rate 50000 bps, drop rate 0 bps
      Match: protocol ipsec
        425219 packets, 63348450 bytes
        5 minute rate 50000 bps
          cir 2048000 bps, bc 16000 bytes
        conformed 422778 packets, 33427396 bytes; actions:
        exceeded 0 packets, 0 bytes; actions:
        conformed 24000 bps, exceed 0 bps

    Class-map: class-default (match-any)
      186956 packets, 18883012 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 
          cir 7000000 bps, bc 35000 bytes
        conformed 183754 packets, 18679510 bytes; actions:
        exceeded 0 packets, 0 bytes; actions:
        conformed 0 bps, exceed 0 bps

gw02-bri#sh ru | include nbar                                  
gw02-bri#sh ip nbar protocol-discovery interface fastEthernet 0

Both show no detail on NBAR, as it is not in the config.



Community Member



You need to enable ip nbar protocol-discovery under the configuration of the interface on which you want to collect statistics. In your configuration you are classifying, so you can't see protocol statistics.

Community Member


Hi Mhnedirl, thanks for your input.

I don't need to see the statistics.

I did some of the configuration with Cisco Configuration Professional and it gives me the message below.

"The QOS policy POLICING-INBOUND is using NBAR protocols for
classification but one or more interfaces that uses this policy is not
enabled with NBAR. Do you want to enable NBAR on those interfaces?"

My question is how can it work without nbar? It looks like it is working and in testing it appears to work.

Super Bronze

Disclaimer


The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.


You misunderstand all NBAR features.  Your class-map, using match protocol, is using NBAR.


NBAR protocol discovery is an optional feature to tally statistics based on NBAR classification.
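The evidence that NBAR classification is active without protocol-discovery is the "Match: protocol ipsec" counter in the show policy-map output quoted earlier in the thread. The following is an added example, not code from the thread or from Cisco: a small parser for that output that pulls out each class's counters and policer figures and flags which classes are classified by NBAR (a `match protocol` criterion). The sample text is a constructed, trimmed copy of the output above.

```python
import re

# Constructed sample: the show policy-map interface output from the thread, trimmed.
SAMPLE_OUTPUT = """\
  Service-policy input: POLICING-INBOUND
    Class-map: VPN-TRAFFIC (match-any)
      425219 packets, 63348450 bytes
      Match: protocol ipsec
        425219 packets, 63348450 bytes
          cir 2048000 bps, bc 16000 bytes
        conformed 422778 packets, 33427396 bytes; actions:
        exceeded 0 packets, 0 bytes; actions:
    Class-map: class-default (match-any)
      186956 packets, 18883012 bytes
      Match: any
          cir 7000000 bps, bc 35000 bytes
        conformed 183754 packets, 18679510 bytes; actions:
        exceeded 0 packets, 0 bytes; actions:
"""

CLASS_RE = re.compile(r"^\s*Class-map: (\S+) \((match-any|match-all)\)")
PKTS_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
MATCH_RE = re.compile(r"^\s*Match: (.+?)\s*$")
CIR_RE = re.compile(r"^\s*cir (\d+) bps, bc (\d+) bytes")
POLICE_RE = re.compile(r"^\s*(conformed|exceeded) (\d+) packets, (\d+) bytes")


def parse_policy_map(text):
    """Map each class-map name to its counters, match lines and policer."""
    classes, cur = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            cur = classes[m.group(1)] = {"matches": [], "packets": None}
        elif cur is None:
            continue  # skip the Service-policy header and anything before it
        elif (m := PKTS_RE.match(line)) and cur["packets"] is None:
            # first packet line after Class-map is the class total; per-Match counters are ignored
            cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
        elif m := MATCH_RE.match(line):
            cur["matches"].append(m.group(1))
        elif m := CIR_RE.match(line):
            cur["cir_bps"], cur["bc_bytes"] = int(m.group(1)), int(m.group(2))
        elif m := POLICE_RE.match(line):
            cur[m.group(1) + "_packets"] = int(m.group(2))
    return classes


def nbar_classes(classes):
    """Names of classes whose criteria use NBAR, i.e. a `match protocol ...` line."""
    return [name for name, c in classes.items()
            if any(x.startswith("protocol ") for x in c["matches"])]
```

Feed it the live output from the router and compare the VPN class's exceeded counter over time; with exceed-action transmit on that class it will only ever count, never drop.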

Community Member


OK, thanks.

To clarify for my benefit, then NBAR is active by default, as I have no NBAR command in the config?

For NBAR protocol discovery, I would need to apply it to an interface with (config-if)#ip nbar protocol-discovery to see the statistics?



