From: Church, Chuck (cchurch@wamnetgov.com)
Date: Wed Oct 08 2003 - 09:14:45 GMT-3
KC,
You'll see it use up a couple megs of RAM right off the bat. You may need
to either upgrade the memory or fine-tune the 'iomem' setting on platforms
that support it. It doesn't use much CPU as most packets are still fast/CEF
switched. The 'protocol-discovery' I did below was from a production router
with a full T1 to the internet. It's doing packet-marking and rate limiting,
along with Unicast RPF checking against bogons. Also doing priority queueing
outbound on the serial. Also has the protocol-discovery on the serial
interface. 'sh int stat' shows:
Serial0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor     718735   44406652     612303   30369884
             Route cache   57726262 2896860702   52512809 2837717317
                   Total   58444997 2941267354   53125112 2868087201
As you can see, about 99% of packets are being fast switched. CPU spikes to
50% at times, but the average is below 5%.
Chuck Church
CCIE #8776, MCNE, MCSE
Wam!Net Government Services
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 703-819-3495
cchurch@wamnetgov.com
PGP key:
http://pgp.mit.edu:11371/pks/lookup?op=index&search=cchurch%40wamnetgov.com
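The check Chuck is doing by eye above (Processor versus Route cache counters) can be scripted. The following Python is an added example, not code from the thread; it parses 'show interfaces stat' output, computes the share of packets that were process switched in each direction, and flags an interface when that share crosses a threshold. The sample text is constructed from the figures quoted in the message, and the 5% threshold and all function names are assumptions of this example.

```python
import re

# Constructed sample, modelled on the 'sh int stat' output quoted in the
# message above (same figures); it is not a capture from a live router.
SAMPLE_INT_STAT = """\
Serial0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor     718735   44406652     612303   30369884
             Route cache   57726262 2896860702   52512809 2837717317
                   Total   58444997 2941267354   53125112 2868087201
"""

# One counter row: a path name followed by four integer columns.
ROW_RE = re.compile(
    r"^\s*(?P<path>[A-Za-z][A-Za-z ]*?)\s+(?P<pin>\d+)\s+(?P<cin>\d+)"
    r"\s+(?P<pout>\d+)\s+(?P<cout>\d+)\s*$"
)


def parse_int_stat(text):
    """Return {interface: {path: (pkts_in, chars_in, pkts_out, chars_out)}}.

    Assumes interface names start at column 0 and counter rows are indented,
    as in the sample above.
    """
    stats, iface = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line)
        if m:
            if iface is None:
                raise ValueError("counter row before any interface name")
            stats[iface][m["path"].strip()] = tuple(
                int(m[g]) for g in ("pin", "cin", "pout", "cout"))
        elif not line.startswith((" ", "\t")):
            iface = line.strip()
            stats[iface] = {}
    return stats


def process_switched_share(paths, direction="in"):
    """Fraction of packets on one interface that hit the Processor (slow) path.

    'direction' is 'in' or 'out'; the Total row is the denominator.
    """
    idx = 0 if direction == "in" else 2
    total = paths["Total"][idx]
    return paths["Processor"][idx] / total if total else 0.0


def check_fast_switching(text, max_process_share=0.05):
    """Return {interface: (share_in, share_out, ok)}.

    ok is False when more than max_process_share (a threshold assumed here)
    of the packets in either direction were process switched, which is what
    a feature that defeats fast/CEF switching would look like once enabled.
    """
    result = {}
    for iface, paths in parse_int_stat(text).items():
        s_in = process_switched_share(paths, "in")
        s_out = process_switched_share(paths, "out")
        result[iface] = (s_in, s_out, max(s_in, s_out) <= max_process_share)
    return result


if __name__ == "__main__":
    for iface, (s_in, s_out, ok) in check_fast_switching(SAMPLE_INT_STAT).items():
        print(f"{iface}: process switched in={s_in:.2%} out={s_out:.2%} "
              f"-> {'OK' if ok else 'INVESTIGATE'}")
```

Run the same parser against the counters taken before and after enabling protocol-discovery; a jump in the Processor share is the symptom to look for, since the absolute CPU figure alone can hide it on a lightly loaded box.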
-----Original Message-----
From: k c [mailto:jwongccie@yahoo.com.hk]
Sent: Wednesday, October 08, 2003 7:38 AM
To: Church, Chuck; Ken.Farrington@barclayscapital.com; ccielab@groupstudy.com
Subject: RE: Is this NBAR? Is it not?
NBAR will read the packet payload and examine the content. Does anybody have
experience using this feature on a production platform, and what were the CPU and
memory usage before and after turning the feature on?
"Church, Chuck" <cchurch@wamnetgov.com> wrote:
Ken,
The simple command: 'ip nbar protocol-discovery' on an IP interface will
cause the router to build a table of statistics, showing you protocol
distribution on that interface, such as:
border-router#sh ip nbar pro
 Serial0/0.1
                            Input                    Output
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5 minute bit rate (bps)  5 minute bit rate (bps)
   ------------------------ ------------------------ ------------------------
   http                     12332805                 10324213
                            10994216698              1503535410
                            33000                    1000
   smtp                     732724                   629477
                            378882475                266019078
                            6000                     0
   icmp                     10425341                 10236304
                            998604432                981136476
                            1000                     0
   ipsec                    12530494                 10361257
                            3099004560               2927829620
                            0                        0
   netshow                  1707909                  1346165
                            1784257040               67899419
                            0                        0
   exchange                 15351550                 15190700
                            802691981                794318552
   ..........
It'll show all the protocols it supports. Still need CEF. Keep in mind that
some, such as Kazaa2, were added later, thus requiring a newer version, such as
12.2.13T, I think. You're right though, it's pretty cool.
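The protocol-discovery table above is what you would mine before writing a class-map, and it is awkward to read because each protocol spans three lines. The following Python is an added example, not code from the thread; it parses 'show ip nbar protocol-discovery' output into per-protocol records, computes each protocol's share of classified bytes, and lists protocols outside an expected set. The sample is constructed from the complete records quoted in the message, and the interface-name pattern, the expected-protocol set and the 1% floor are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the 'sh ip nbar protocol-discovery' output
# quoted in the message above (same figures, complete records only);
# not a capture from a live router.
SAMPLE_PD = """\
Serial0/0.1
                            Input                    Output
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5 minute bit rate (bps)  5 minute bit rate (bps)
   ------------------------ ------------------------ ------------------------
   http                     12332805                 10324213
                            10994216698              1503535410
                            33000                    1000
   smtp                     732724                   629477
                            378882475                266019078
                            6000                     0
   icmp                     10425341                 10236304
                            998604432                981136476
                            1000                     0
   ipsec                    12530494                 10361257
                            3099004560               2927829620
                            0                        0
   netshow                  1707909                  1346165
                            1784257040               67899419
                            0                        0
"""


@dataclass
class ProtoStats:
    pkts_in: int
    pkts_out: int
    bytes_in: int
    bytes_out: int
    bps_in: int
    bps_out: int


# Interface name alone on a line (assumed shape: Serial0/0.1, Ethernet0/0, ...).
IFACE_RE = re.compile(r"^\s*(?P<iface>[A-Z][A-Za-z-]*\d[\d/.:]*)\s*$")
# First line of a record: protocol name plus input/output packet counts.
NAME_RE = re.compile(r"^\s*(?P<name>[a-z][\w.-]*)\s+(?P<a>\d+)\s+(?P<b>\d+)\s*$")
# Second and third lines: two bare integers (bytes, then 5-minute bps).
NUM_RE = re.compile(r"^\s*(?P<a>\d+)\s+(?P<b>\d+)\s*$")


def parse_protocol_discovery(text):
    """Return {interface: {protocol: ProtoStats}}.

    Each protocol spans three lines (packets, bytes, bps); column headers and
    the dashed rule are skipped; a record cut short raises instead of
    silently yielding a wrong row.
    """
    result, iface, name, nums = {}, None, None, []
    for line in text.splitlines():
        if not line.strip() or set(line.strip()) <= {"-", " "}:
            continue
        if (m := NAME_RE.match(line)):
            if name is not None:
                raise ValueError(f"record for {name!r} cut short")
            if iface is None:
                raise ValueError("protocol row before any interface name")
            name, nums = m["name"], [int(m["a"]), int(m["b"])]
        elif (m := NUM_RE.match(line)) and name is not None:
            nums += [int(m["a"]), int(m["b"])]
            if len(nums) == 6:
                result[iface][name] = ProtoStats(*nums)
                name, nums = None, []
        elif (m := IFACE_RE.match(line)):
            iface = m["iface"]
            result[iface] = {}
        # anything else is column-header text and is ignored
    if name is not None:
        raise ValueError(f"record for {name!r} cut short")
    return result


def byte_share(protocols, direction="in"):
    """Each protocol's share of the bytes NBAR classified in one direction."""
    attr = "bytes_in" if direction == "in" else "bytes_out"
    total = sum(getattr(p, attr) for p in protocols.values())
    return {n: getattr(p, attr) / total for n, p in protocols.items()} if total else {}


def unexpected_protocols(protocols, expected, min_share=0.01):
    """[(name, inbound share)] for protocols outside 'expected' carrying at
    least min_share of inbound bytes, largest share first."""
    shares = byte_share(protocols, "in")
    hits = [(n, s) for n, s in shares.items() if n not in expected and s >= min_share]
    return sorted(hits, key=lambda t: -t[1])


if __name__ == "__main__":
    for iface, protos in parse_protocol_discovery(SAMPLE_PD).items():
        for n, s in unexpected_protocols(protos, {"http", "smtp", "ipsec"}):
            print(f"{iface}: {n} carries {s:.1%} of classified inbound bytes")
```

The expected set is whatever the link is meant to carry; anything that shows up with a meaningful byte share outside it is the traffic you then decide to mark down, rate limit or investigate, which is the point of running discovery before committing a policy-map.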
-----Original Message-----
From: Ken.Farrington@barclayscapital.com
[mailto:Ken.Farrington@barclayscapital.com]
Sent: Tuesday, October 07, 2003 2:57 PM
To: ccielab@groupstudy.com
Subject: Is this NBAR? Is it not?
Guys, it's been a day of QoS, so by now I just wanna permit IP any any )
NBAR? What is it? Is it just the fact that now you can use this command
(and others for MIME etc. etc.) under a class map:
match protocol http url "/exec/show/interface/*"
and a shed load of other protocols/commands under the class-map for further
in-depth classification? Is that the strength of it? Just added protocols under
this command, so you can look further into the packet?
YOU DON'T NEED ANY NBAR COMMANDS, do you? I know you need CEF running.
Please could you be so kind as to advise?
!
class-map match-all http_interface
 match protocol http url "/exec/show/interface/*"
class-map match-all http_log
 match protocol http url "/exec/show/log/*"
!
!
policy-map cisco
 class http_interface
  set ip precedence 5
 class http_log
  set ip precedence 1
!
interface Ethernet0/0
 ip address 2.2.2.2 255.255.255.0
 service-policy output cisco
!
This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:52:58 GMT-3