RE: MCQ

From: Ryan West <rwest_at_zyedge.com>
Date: Fri, 1 May 2009 10:11:32 -0400

I have seen mixed results when using the Code Red http url *.exe* or other variants. But Sergey is correct: when you turn on NBAR recognition at the class-map level, the same process is called as when you enable ip nbar protocol-discovery on the interface; it sets aside a small amount of memory (1 meg) and then adds more in small chunks as needed.

As soon as a class-map is defined to match on that protocol, the router will hang for a second as the built-in PDLMs are loaded into memory. It's probably good practice to have protocol-discovery enabled on your egress interface for a better view of your flows, but as mentioned already, not required.

I think a lot of the confusion comes from documents like this:

http://www.cisco.com/en/US/docs/ios/12_4t/qos/configuration/guide/qsnbar1.html

NBAR Configuration Processes

Configuring NBAR consists of the following processes:

• Enabling Protocol Discovery (required)

When you configure NBAR, the first process is to enable Protocol Discovery.

• Configuring NBAR using the MQC (required)

After you enable Protocol Discovery, the next process is to configure NBAR using the functionality of the MQC.

• Adding application recognition modules (also known as Packet Description Language Modules [PDLMs]) (optional)

Adding PDLMs extends the functionality of NBAR by enabling NBAR to recognize additional protocols on your network.

• Creating custom protocols (optional)

Custom protocols extend the capability of NBAR Protocol Discovery to classify and monitor additional static port applications and allow NBAR to classify nonsupported static port traffic.

-ryan
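The practical difference behind Moh's original question (class-map WEB with "match protocol http" versus "match access-group 101") is what each test actually looks at: the ACL keys on the TCP destination port, while NBAR inspects the payload and is therefore independent of the port, and with the url keyword can additionally glob on the request target. The following Python model is an added illustration, not code from this thread or from Cisco IOS: the Flow records, the HTTP regular expression and the sample traffic are constructed for the example, and real NBAR uses its PDLMs to inspect considerably more than the first request line, so this only reproduces the classification outcome for simple cases.

```python
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class Flow:
    """Minimal stand-in for one client-to-server flow (constructed for this example)."""
    proto: str       # "tcp" or "udp"
    dst_port: int    # destination port as the ACL would see it
    payload: bytes   # first bytes the client sent, as a payload classifier would see them


# Simplified HTTP request-line check; real NBAR PDLMs go much deeper than this.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n"
)


def match_access_group_101(flow: Flow) -> bool:
    """Models 'access-list 101 permit tcp any any eq www': port only, payload ignored."""
    return flow.proto == "tcp" and flow.dst_port == 80


def http_request_target(flow: Flow):
    """Return the request target (e.g. '/index.html') if the payload looks like HTTP, else None."""
    m = HTTP_REQUEST_LINE.match(flow.payload)
    return m.group(2).decode("ascii", "replace") if m else None


def match_protocol_http(flow: Flow) -> bool:
    """Models 'match protocol http': payload-based, so the port does not matter."""
    return flow.proto == "tcp" and http_request_target(flow) is not None


def match_protocol_http_url(flow: Flow, pattern: str) -> bool:
    """Models 'match protocol http url "<pattern>"': HTTP plus a glob on the request target."""
    target = http_request_target(flow)
    return target is not None and fnmatch.fnmatchcase(target, pattern)


def classify(flow: Flow) -> dict:
    """Evaluate both versions of class-map WEB against one flow."""
    return {
        "WEB via access-group 101": match_access_group_101(flow),
        "WEB via match protocol http": match_protocol_http(flow),
    }


# Constructed sample traffic covering the cases where the two class-maps disagree.
SAMPLE_FLOWS = {
    "http_on_80": Flow("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "http_on_8080": Flow("tcp", 8080, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "ssh_on_80": Flow("tcp", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "exe_download": Flow("tcp", 80, b"GET /tools/setup.exe HTTP/1.1\r\nHost: example.test\r\n\r\n"),
}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(name, classify(flow), "url *.exe*:", match_protocol_http_url(flow, "*.exe*"))
```

Running it shows the two class-maps agreeing only on ordinary HTTP to port 80: HTTP on port 8080 is caught by the NBAR test but not the ACL, while a non-HTTP service listening on port 80 is caught by the ACL but not by NBAR, and only the NBAR form can single out a request for a .exe path. That is the distinction worth keeping in mind when choosing between them for policing or monitoring.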

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of David Prall
Sent: Friday, May 01, 2009 9:51 AM
To: 'Sergey Khalavchuk'
Cc: 'Mohamed Tandou'; ccielab_at_groupstudy.com
Subject: RE: MCQ

Sergey,
So when you do "match protocol http" without any additional information, protocol-discovery is not required?

The documentation isn't clear to me on this. I've always pinned match protocol to NBAR, my mistake.
http://www.cisco.com/en/US/docs/ios/12_2/qos/command/reference/qrfcmd5.html#wp1066747
match protocol http

To configure Network-Based Application Recognition (NBAR) to match Hypertext Transfer Protocol (HTTP) traffic by URL, HOST, or Multipurpose Internet Mail Extension (MIME)-type, use the match protocol http class-map configuration command. To disable NBAR from matching HTTP traffic by URL, HOST, or MIME-type, use the no form of this command.

match protocol http [url url-string | host hostname-string | mime MIME-type]

no match protocol http [url url-string | host hostname-string | mime MIME-type]

David

--
http://dcp.dcptech.com
 
> -----Original Message-----
> From: Sergey Khalavchuk [mailto:ratio+groupstudy_at_invalid.org.ua]
> Sent: Friday, May 01, 2009 9:35 AM
> To: David Prall
> Cc: Mohamed Tandou; ccielab_at_groupstudy.com
> Subject: Re: MCQ
> 
> protocol discovery is not needed for NBAR operation.
> it is useful only for watching statistics or nice graphics in SDM.
> 
> On Fri, May 1, 2009 at 4:16 PM, David Prall <dcp_at_dcptech.com> wrote:
> > The first requires that you configure NBAR and let it do protocol
> discovery.
> >
> > David
> >
> > --
> > http://dcp.dcptech.com
> >
> >
> >> -----Original Message-----
> >> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
> Of
> >> Mohamed Tandou
> >> Sent: Friday, May 01, 2009 7:47 AM
> >> To: ccielab_at_groupstudy.com
> >> Subject: MCQ
> >>
> >> Hello GS,
> >> is there any difference using the following or both will give the
> same
> >> result
> >>
> >> class-map  WEB
> >> match protocol http
> >>
> >>   and
> >>
> >> access-list 101 permit tcp any any eq www
> >>
> >> class-map WEB
> >> match access-group 101
> >>
> >> Thanks
> >>
> >> Moh
> >>
> >
Blogs and organic groups at http://www.ccie.net
Received on Fri May 01 2009 - 10:11:32 ART

This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:41 ART