RE: Question about NBAR.. not really related to CCIE lab

From: Edwards, Andrew M (andrew.m.edwards@boeing.com)
Date: Mon Oct 24 2005 - 13:55:35 GMT-3


You have to tell NBAR what ports the applications are using.

ip nbar port-map <application> <transport protocol> <ports>

You can also use "custom" app matching with 12.3

HTH,

Andy
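To make the two suggestions above concrete, here is an added configuration example (not from this thread or from Cisco's documentation) that shows the port-map fix for Ryan's HTTP-on-1025 case, a user-defined custom protocol for an application NBAR has no built-in signature for, and the class-map/policy-map that polices it. It assumes IOS 12.3(4)T or later (the custom protocol command is not in 12.2T), an inside interface FastEthernet0/0, and placeholder names: the custom protocol "myp2p", its payload string "P2PHELLO", the port range 6881-6999 and the policing rate are all constructed for illustration, not a real application signature.

```cisco
! Added example, not part of the original thread. Assumes IOS 12.3(4)T or
! later and inside interface FastEthernet0/0.
!
! 1. NBAR's stateful HTTP inspection only looks at traffic on the ports in
!    its HTTP port-map. A web server moved to TCP 1025 therefore never
!    matches "match protocol http" until 1025 is added. The command replaces
!    the whole port list, so 80 must be repeated.
ip nbar port-map http tcp 80 1025
!
! 2. Custom protocol (12.3(4)T+): match the ASCII string "P2PHELLO" at
!    payload offset 0 on TCP 6881-6999. Name, string and range are
!    placeholders. Note that a custom protocol is still bound to the listed
!    ports: it inspects payload on those ports, so widen the range if users
!    move the application elsewhere.
ip nbar custom myp2p 0 ascii P2PHELLO tcp range 6881 6999
!
! 3. Classify on the inspected protocol, not on whatever port the user picked.
class-map match-any P2P-FILESHARING
 match protocol kazaa2
 match protocol myp2p
!
class-map match-all WEB
 match protocol http
!
! Police file sharing to 128 kbit/s and mark web traffic.
policy-map LIMIT-P2P
 class P2P-FILESHARING
  police 128000 8000 conform-action transmit exceed-action drop
 class WEB
  set dscp af21
!
interface FastEthernet0/0
 ip nbar protocol-discovery
 service-policy input LIMIT-P2P
!
! Checks:
!   show ip nbar port-map http
!     should list "tcp 80 1025"
!   show ip nbar protocol-discovery interface FastEthernet0/0
!     shows per-protocol hit counters once traffic flows
!   show policy-map interface FastEthernet0/0
!     shows packets matched and dropped per class
```

Two caveats worth keeping in mind: NBAR only sees traffic that crosses the interface the policy is attached to, so test from a host on the far side rather than from the router itself, and a class that never gets hits in "show policy-map interface" is usually a port-map or direction problem before it is a signature problem.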

-----Original Message-----
From: The Great Ryan [mailto:pv.ryan@gmail.com]
Sent: Monday, October 24, 2005 5:28 AM
To: JP
Cc: Tim; Niche; ccielab@groupstudy.com
Subject: Re: Question about NBAR.. not really related to CCIE lab

Yes. I encountered the same problem when I tried to monitor the HTTP
protocol under a 12.2T version.

When I use the router as a web server on its default port 80, everything
can be monitored. It doesn't work when I change the web server port to
1025; I never get hits. I have checked that NBAR supports stateful
inspection of HTTP. Has anyone gotten this to work in my case?

Link:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t5/dtnbar.htm#xtocid259510

Ryan

2005/10/24, JP <jenseike@start.no>:
> Hi all,
>
> NBAR matching on file-sharing protocols works very well from 12.3 and
> up. With 12.2, NBAR has problems matching on the dynamic ports that
> those applications use. For example, I tested Kazaa 2 and 3 with
> 12.2T(15), and I did not get any hits on the policy. Then I upgraded
> to 12.3, and it worked very well.
>
> So you should try this on a newer IOS, and I think you will be happy.
>
> Jens P
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Tim
> Sent: 24 October 2005 11:58
> To: 'Niche'; ccielab@groupstudy.com
> Subject: RE: Question about NBAR.. not really related to CCIE lab
>
> Hi Jacky,
>
> NBAR does more than match static protocol and port assignments. For
> example, when nbar is used to match ftp traffic, it can determine
> which port is used for the dynamic data channel.
>
> I haven't used nbar to classify p2p file sharing programs so I can't
> comment on how well it works for that but I would expect it to work
> pretty well.
>
> Tim
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Niche
> Sent: Monday, October 24, 2005 3:40 AM
> To: ccielab@groupstudy.com
> Subject: Question about NBAR.. not really related to CCIE lab
>
> Hi guys,
>
> Is NBAR truly using layer-7 application patterns to classify traffic
> for bandwidth control, security blocking, etc.? Or does it still just
> use protocol type (TCP, UDP) with port numbers?
>
> We may need to consider using it to control bandwidth usage of p2p
> file-sharing traffic, so I am concerned about the effectiveness of
> NBAR for this (e.g. users can change the application's usual port
> number to a new one in order to evade the traditional port-number
> tracking method).
>
> Cheers~
> Jacky
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> ______________________________________________________________________
> _
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> ______________________________________________________________________
> _
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:52 GMT-3