Cisco Support Community
New Member

nbar protocol discovery

Hi, I have NBAR protocol discovery running with NetFlow; it says users are using eDonkey?? But I really think it's Citrix MetaFrame. How can I check what ports NBAR is using, and can they be edited?

This is a Cisco 877 in VPN mode, version 12.4(15)T1 Advanced IP Services.

26 REPLIES

Re: nbar protocol discovery

Port numbers for peer-to-peer applications like Kazaa, eDonkey, etc. may be any port specified by the user, so it's difficult to block them. You may want to try applying an ACL with the default port number to block the traffic.

edonkey - tcp 4662

kazaa - tcp 2114

or use a route-map to deny traffic matched by NBAR as eDonkey / Kazaa.

New Member

Re: nbar protocol discovery

The thing is, none of them are using it or have it installed, so I don't understand why NetFlow is reporting it.

Super Bronze

Re: nbar protocol discovery

NBAR, for some protocols, is just a pretty face on a port match. Applications can sometimes use ports normally used for other applications. So, eDonkey traffic may not be such.

See http://www.cisco.com/en/US/products/ps6616/products_qanda_item09186a00800a3ded.shtml for details on NBAR matching.

Unsure about an 877, but on larger routers you can see what ports NBAR is using with "show ip nbar port-map". They can be reassigned using "ip nbar port-map".

New Member

Re: nbar protocol discovery

eDonkey seems to be on TCP port 4662; could a user be dynamically mapped to this port for use with another application?

Also, how do I add another port map to NBAR? I want to add Citrix MetaFrame on port 2598.

Does Cisco bring out updated NBAR port lists?

New Member

Re: nbar protocol discovery

Hi

You can make sure that NBAR isn't classifying the traffic by using the following command:

* show ip nbar unclassified-port-stats

Once verified you can manually add a custom port map with the following command:

* ip nbar port-map citrix tcp 2598

If you have CCO access you can download the latest Packet Description Language Module (PDLM) from Cisco software downloads to allow new protocol support for NBAR without requiring an IOS release upgrade and router reload.

Regards

Phillip

Re: nbar protocol discovery

HI, [PLS RATE if HELPS]

Most companies now use NBAR - Network-Based Application Recognition.

Download the PDLM from Cisco to your flash, then configure:

ip nbar pdlm flash:bittorrent.pdlm
ip nbar pdlm flash:eDonkey.pdlm
ip nbar pdlm flash:gnutella.pdlm
ip nbar pdlm flash:kazaa2.pdlm
ip nbar pdlm flash:WinMX.pdlm
ip nbar pdlm flash:printer.pdlm
!
class-map match-any nbar-discovery
 match protocol gnutella
 match protocol kazaa2
 match protocol napster
 match protocol printer
 match protocol http url "*cmd.exe*"
 match protocol fasttrack
 match protocol novadigm
 match protocol edonkey
 match protocol bittorrent
!
policy-map ip-prec-marked
 class nbar-discovery
  drop
!
interface Serial0/1
 ip nbar protocol-discovery
 service-policy input ip-prec-marked

Hope I am INFORMATIVE.

PLS RATE if HELPS

Best Regards,

Guru Prasad R

New Member

Re: nbar protocol discovery

When I do a show flash, the PDLM is not in there. Does this mean I don't have the latest one and just the one in the IOS?

My interface is VLAN 1; I take it I'll use this instead of Serial0/1?

What does your config do?

New Member

Re: nbar protocol discovery

You can make sure that NBAR isn't classifying the traffic by using the following command:

* show ip nbar unclassified-port-stats

This is off

I've added ip nbar port-map citrix tcp 2598

I am using the latest IOS for that router; do I still need to download the PDLM? My version is 12.4(15)T1.

Re: nbar protocol discovery

HI, [PLS RATE if HELPS]

Cisco has released several PDLMs for P2P applications.

You will need to download the PDLM that matches your IOS version and add it to the flash of your router.

Later, with the configuration posted, you should be able to BLOCK as per requirement.

PLS RATE if HELPS

Best Regards,

Guru Prasad R

New Member

Re: nbar protocol discovery

I don't want to block just monitor.

For the PDLM, there are loads of individual files like edonkey.pdlm, citrix.pdlm; do all these individual files need to be downloaded to the flash, and does the router need to be rebooted after?

I'm not sure of the process.

Re: nbar protocol discovery

HI,

Yes, for each application Cisco has a PDLM available, and you need to download it to the flash to have them blocked.

I don't know whether it requires a reboot or not.

For NBAR services, using a PDLM is the best way to block.

You can check some Cisco documents on whether it requires a reboot or not.

DO RATE ALL HELPFUL POSTS

Best Regards,

Guru Prasad R

New Member

Re: nbar protocol discovery

I can't find the PDLM for my Cisco 877; aren't the PDLMs for all routers the same??

I don't want to block these apps, just monitor via NetFlow.

Re: nbar protocol discovery

HI,

I know the PDLM is based on IOS versions, but I don't know whether it is router-based.

DO RATE ALL HELPFUL POSTS.

Best Regards,

Guru Prasad R

Hall of Fame Super Bronze

Re: nbar protocol discovery

Andy,

Please post the output from executing sh ip nbar protocol-discovery on the router's CLI.

New Member

Re: nbar protocol discovery

sh ip nbar protocol-discovery produces so much info that I'll add it to a txt.

Hall of Fame Super Bronze

Re: nbar protocol discovery

How many PCs do you have in the location?

If you can get to every single workstation, run netstat -a on the command line at those devices.

The eDonkey protocol can run as a trojan and may not be visible as an application.

New Member

Re: nbar protocol discovery

Only one PC today. His PC was connected to Citrix on port 1214 (Kazaa)?

Do I need to update the PDLM? I need to monitor Citrix MetaFrame on port 2598.

Hall of Fame Super Bronze

Re: nbar protocol discovery

I see. You can update the PDLM or just change the port-map manually.

New Member

Re: nbar protocol discovery

Do you think I need to? I'm on IOS 12.4(15)T1, 18 July.

Will the PDLM be much more up to date? I can't seem to find it to download...

New Member

Re: nbar protocol discovery

Thought I'd have a look at the PDLMs, but the link fails: http://download-sj.cisco.com/swc/esd/02/268437924/contract/citrix.zip

Not sure if I need them though.

New Member

Re: nbar protocol discovery

I am having the same problem, same IOS version, although I have the problem at other sites using differing IOS.

12.4(15)T1 comes with citrix.pdlm version 10 as part of the IOS; the only one available for download is version 8, and it refuses to downgrade (Version 8<10 error).

It classifies Citrix MetaFrame XP traffic no problem, but when connecting to a Citrix PS 4.0 no traffic is detected using NBAR; in fact even access-lists are ignored. It would seem in my case to be classifying the Citrix traffic as Skype, which is being matched first by my modular QoS.

Citrix now uses this port

Does anyone know how to resolve this? Can I stop Skype matching only?

Thanks

netstat -a shows the PC connecting to the server on port 2598, which is due to session reliability.

http://support.citrix.com/article/CTX109913&searchID=-1

TCP abz-peter-home:1156 192.168.0.17:2598 ESTABLISHED

I have added the port to NBAR:

#sh ip nbar port-map
port-map citrix udp 1604
port-map citrix tcp 1494 2598

but still no match!!

Any ideas? Why doesn't NBAR take the port-map?

Thanks
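The netstat suggestion earlier in the thread and the port-map output in this post can be combined into a small check. The following is an added example, not code from this thread or from Cisco: a Python script that parses `show ip nbar port-map` lines and Windows `netstat -a` lines in the formats quoted above, labels each workstation connection with the NBAR protocol its remote port would match, and flags remote hosts that NBAR would call peer-to-peer while the same host is also serving a known business protocol (the pattern in this thread, where the Citrix server's port 1214 session lands on the Kazaa port map). Both sample outputs are constructed, and the `P2P_NAMES` list and the "same host serves both" heuristic are the example's own assumptions. One practical caveat on the port map itself: `ip nbar port-map` defines the protocol's complete port list rather than appending to it, so 1494 has to be given together with 2598, as the output above shows.

```python
"""Cross-check NBAR's port-to-protocol map against the connections a
workstation actually has open.

Added example, not from the thread or from Cisco. It assumes the line
formats quoted in the thread: 'show ip nbar port-map' lines such as
'port-map citrix tcp 1494 2598' and Windows 'netstat -a' lines such as
'TCP abz-peter-home:1156 192.168.0.17:2598 ESTABLISHED'.
"""
import re
from collections import defaultdict

# Constructed sample of 'show ip nbar port-map' output (not real router output).
PORT_MAP_OUTPUT = """\
port-map citrix udp 1604
port-map citrix tcp 1494 2598
port-map edonkey tcp 4662
port-map kazaa2 tcp 1214
port-map kazaa2 udp 1214
"""

# Constructed sample of 'netstat -a' output from one workstation.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State
  TCP    abz-peter-home:1156    192.168.0.17:2598      ESTABLISHED
  TCP    abz-peter-home:1157    192.168.0.17:1494      ESTABLISHED
  TCP    abz-peter-home:1201    192.168.0.17:1214      ESTABLISHED
  TCP    abz-peter-home:1300    10.0.0.5:445           ESTABLISHED
  UDP    abz-peter-home:137     *:*
"""

# NBAR protocol names this example treats as peer-to-peer (assumption of the example).
P2P_NAMES = frozenset({"edonkey", "kazaa2", "bittorrent", "gnutella", "fasttrack", "napster"})

# 'port-map <name> <tcp|udp> <port> [<port> ...]'
PORT_MAP_RE = re.compile(r"^port-map\s+(\S+)\s+(tcp|udp)\s+((?:\d+\s*)+)$")
# '<TCP|UDP> <local>:<port> <remote>:<port> <state>'; lines with '*:*' are skipped
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:\d+\s+(\S+):(\d+)\s+(\S+)")


def parse_port_map(text):
    """Return {(proto, port): nbar_protocol_name} from 'show ip nbar port-map' output."""
    mapping = {}
    for line in text.splitlines():
        m = PORT_MAP_RE.match(line.strip())
        if not m:
            continue
        name, proto, ports = m.group(1), m.group(2), m.group(3).split()
        for port in ports:
            mapping[(proto, int(port))] = name
    return mapping


def parse_netstat(text):
    """Return [(proto, remote_host, remote_port, state)] for lines with a numeric remote port."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, rhost, rport, state = m.groups()
        conns.append((proto.lower(), rhost, int(rport), state))
    return conns


def classify(conns, mapping):
    """Attach the NBAR label the remote port would receive ('unknown' if unmapped)."""
    return [(proto, rhost, rport, state, mapping.get((proto, rport), "unknown"))
            for proto, rhost, rport, state in conns]


def labels_by_host(conns, mapping):
    """Group the NBAR labels seen per remote host."""
    by_host = defaultdict(set)
    for proto, rhost, rport, _state in conns:
        by_host[rhost].add(mapping.get((proto, rport), "unknown"))
    return dict(by_host)


def likely_false_positives(conns, mapping, p2p=P2P_NAMES):
    """Remote hosts that NBAR would label P2P while also serving a non-P2P mapped protocol.

    A server that is 'citrix' on 1494/2598 and 'kazaa2' on 1214 is far more likely a
    Citrix server with a colliding port than a file-sharing peer; that is the case the
    thread describes and the one this heuristic surfaces for a human to verify.
    """
    out = []
    for host, labels in labels_by_host(conns, mapping).items():
        p2p_hits = labels & p2p
        other = labels - p2p - {"unknown"}
        if p2p_hits and other:
            out.append((host, sorted(p2p_hits), sorted(other)))
    return out


if __name__ == "__main__":
    port_map = parse_port_map(PORT_MAP_OUTPUT)
    conns = parse_netstat(NETSTAT_OUTPUT)
    for proto, host, port, state, label in classify(conns, port_map):
        print(f"{proto}/{port:<5} {host:<15} {state:<12} nbar={label}")
    for host, p2p, business in likely_false_positives(conns, port_map):
        print(f"CHECK {host}: labelled {p2p} but also serves {business}")
```

Feeding the real `show ip nbar port-map` output and the netstat listing from each workstation into these two parsers gives a per-host view that NBAR protocol discovery alone does not: which "eDonkey" or "Kazaa" hits point at the same server the Citrix sessions use, and which point somewhere that deserves a closer look.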

New Member

Re: nbar protocol discovery

Now 2 of us are having the issue; I wonder if anyone else is. I use Citrix PS 4.0 and also see Skype traffic, and no one is using Skype!

New Member

Re: nbar protocol discovery

I have a workaround, although it's not ideal. I just changed my modular QoS *not* to match on protocol, but rather on an access list.

!
no ip access-list extended citrix_traffic
!
ip access-list extended citrix_traffic
 permit tcp any eq 1494 any
 permit tcp any any eq 1494
 permit tcp any eq 2598 any
 permit tcp any any eq 2598
!
class-map match-any citrix
 no match protocol citrix
 match access-group name citrix_traffic
!

This is now marking Citrix traffic as it should, but it's extremely worrying that NBAR is not doing explicitly what it is told.

There are no port-maps for Skype listed, and there seems to be no way to disable it... thing is, I also *want* to be able to classify Skype traffic. Cisco really need to pull their finger out here.

p.

New Member

Re: nbar protocol discovery

I'm also getting a lot of "unknown" traffic; shame it can't show the ports.

Super Bronze

Re: nbar protocol discovery

NBAR can show "unknown" port traffic, but you have to turn the feature on with debug.

New Member

Re: nbar protocol discovery

How do I do that, so I will be able to see the unknown traffic?
