Cisco Support Community

New Member

NBAR questions

How I can check to find out for sure protocols are being dropped using NBAR?

Here's my NBAR config:

class-map match-all nbar-drop
 match protocol sqlserver
 match protocol h323
 match protocol skinny
 match protocol fasttrack
 match protocol pptp
 match protocol sqlnet
 match protocol xwindows
 match protocol icmp
 match protocol novadigm
!
!
policy-map block
 class nbar-drop
  drop
interface FastEthernet1/0
 service-policy input block

TX

12 REPLIES

Re: NBAR questions

try using

int fa1/0
 ip nbar protocol-discovery

you'll be able to check which protocols are matching, using

show ip nbar protocol-discovery

vlad

New Member

Re: NBAR questions

Vlad, what you posted are the first steps to enable NBAR on the interface... I have already done all of that.

Anyone else know a command to actually see how many packets NBAR has dropped?

TX

Re: NBAR questions

I'll have to disagree with you.

You don't need that command to enable NBAR.

Router(config)# class-map sqlnettraffic
Router(config-cmap)# match protocol sqlnet
Router(config)# policy-map sqlsetipprec1
Router(config-pmap)# class sqlnettraffic
Router(config-pmap-c)# set ip precedence 4
Router(config)# interface fastethernet 0/1
Router(config-if)# service-policy output sqlsetipprec1

That is just optional.

"Usage Guidelines

Use the ip nbar protocol-discovery command to configure NBAR to keep traffic statistics for all protocols known to NBAR. Protocol Discovery provides an easy way to discover application protocols traversing an interface so that QoS policies can be developed and applied. The Protocol Discovery feature discovers any protocol traffic supported by NBAR. Protocol Discovery can be used to monitor both input and output traffic and may be applied with or without a service policy enabled. "

"
- Enabling Protocol Discovery (optional)
- Configuring a Traffic Class (required)
- Configuring a Traffic Policy (required)
- Attaching a Traffic Policy to an Interface (required)
- Downloading PDLMs (optional)
"

vlad

Re: NBAR questions

If you are dropping all those protocols, just use the statistics from the show discovery, and there's the information you need, isn't it?

Vlad

New Member

Re: NBAR questions

I agree with valdra; here is a sample config of NBAR that will give more clarity, like if we want to give 80% traffic utilization for any HTTP based application.

class-map match-all QOS-HTTPS
 match access-group name QOS-HTTPS
!
policy-map QoS-to-rtrname-OUT
 class QOS-HTTPS
  bandwidth percent 80
!
ip access-list extended QOS-HTTPS
 permit tcp any any eq 443
 permit tcp any eq 443 any
!
interface Serial1/0
 service-policy output QoS-to-rtrname-OUT

Thanks...Mukesh

Re: NBAR questions

Hi Mukesh,

The above configuration is not using NBAR but just plain QoS.

NBAR recognizes packets by protocol, and your match statements should have commands like

match protocol ftp

match protocol telnet

match protocol smtp

I totally agree with VLAD that the discovery command is not required for configuring NBAR.

check the following links

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800c75d0.html#11135

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e6/dnbar.htm#xtocid504515

HTH, rate if it does

Narayan

New Member

Re: NBAR questions

Hi Narayan,

See, in my sample config it shows that it's matching the HTTPS traffic through an access-list; that shows it's NBAR QoS, but it looks like QoS. This is another way of configuring NBAR. I agree with you that it's basically matching the protocol, so my sample is also matching the HTTP protocol. Correct me if I'm wrong.

Regds...Mukesh

Re: NBAR questions

Hi,

"show policy-map interface FastEthernet1/0" should give you the amount of packets matched and then dropped.

Regards, Martin

New Member

Re: NBAR questions

I get no drops...

sh policy-map interface

 FastEthernet1/0

  Service-policy input: block

    Class-map: nbar-drop (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol sqlserver
      Match: protocol h323
      Match: protocol skinny
      Match: protocol fasttrack
      Match: protocol pptp
      Match: protocol sqlnet
      Match: protocol xwindows
      Match: protocol icmp
      drop

    Class-map: class-default (match-any)
      199705 packets, 222895713 bytes
      5 minute offered rate 124000 bps, drop rate 0 bps
      Match: any

New Member

Re: NBAR questions

check out the attachment, that's from "sh ip nbar protocol discovery interface fastethernet 1/0"

Re: NBAR questions

Hi,

There is only a little mistake. Class-maps by default are match-ALL. In your case traffic which is H323 and Skinny and ... at the same time would match ... so no traffic.

Just change your class-map to match-any and you should be fine:

Router#config t

Router(config)# class-map match-any nbar-drop

Hope this helps! Please rate all posts.

Regards, Martin
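
Added example (not part of the thread and not Cisco code): a Python check that applies the match-all/match-any point from the reply above to a configuration, flagging class-maps that require several NBAR protocols at the same time. The sample configuration is constructed from the class-maps posted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample: class-maps in the style posted in this thread.
SAMPLE_CONFIG = """\
class-map match-all nbar-drop
 match protocol sqlserver
 match protocol h323
 match protocol icmp
!
class-map match-any nbar-drop-fixed
 match protocol sqlserver
 match protocol h323
!
class-map sqlnettraffic
 match protocol sqlnet
!
"""

CLASS_MAP = re.compile(r"^class-map(?:\s+(match-all|match-any))?\s+(\S+)\s*$")
MATCH_PROTO = re.compile(r"^\s+match protocol\s+(\S+)")


def parse_class_maps(config):
    """Return {name: (mode, [protocols])}; a missing keyword means match-all."""
    maps, current = {}, None
    for line in config.splitlines():
        header = CLASS_MAP.match(line)
        if header:
            current = header.group(2)
            maps[current] = (header.group(1) or "match-all", [])
        elif current and (proto := MATCH_PROTO.match(line)):
            maps[current][1].append(proto.group(1))
        elif not line.startswith(" "):
            current = None  # unindented line: the class-map block has ended
    return maps


def unmatchable_class_maps(config):
    """Names of match-all class-maps that demand two or more protocols at once."""
    return sorted(
        name for name, (mode, protos) in parse_class_maps(config).items()
        if mode == "match-all" and len(set(protos)) > 1
    )


if __name__ == "__main__":
    for name in unmatchable_class_maps(SAMPLE_CONFIG):
        print(f"{name}: match-all over several protocols; use match-any")
```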

New Member

Re: NBAR questions

OK, I made the changes, now I can see the packet and bytes count...but no drop count.

I also enabled "service-policy output" on int fe1/0 and I added http to the class-map, and it worked; I did see the drop count increment.

However I don't see the drop count for input.

check out below:

 FastEthernet1/0

  Service-policy input: nbar

    Class-map: block (match-any)
      71 packets, 7897 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol sqlserver
        4 packets, 264 bytes
        5 minute rate 0 bps
      Match: protocol h323
        1 packets, 60 bytes
        5 minute rate 0 bps
      Match: protocol skinny
        5 packets, 300 bytes
        5 minute rate 0 bps
      Match: protocol fasttrack
        2 packets, 120 bytes
        5 minute rate 0 bps
      Match: protocol pptp
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol sqlnet
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol xwindows
        2 packets, 120 bytes
        5 minute rate 0 bps
      Match: protocol icmp
        43 packets, 5962 bytes
        5 minute rate 0 bps
      Match: protocol novadigm
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol edonkey
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        0 packets, 0 bytes
        5 minute rate 0 bps
      drop

    Class-map: class-default (match-any)
      37104 packets, 18621469 bytes
      5 minute offered rate 1000 bp
