nbar protocol discovery

whiteford
Level 1

Hi, I have NBAR protocol discovery running with NetFlow, and it says users are using eDonkey?? But I really think it's Citrix MetaFrame. How can I check what ports NBAR is using, and can they be edited?

This is a Cisco 877 in VPN mode, version 12.4(15)T1 Advanced IP Services.

26 Replies

bvsnarayana03
Level 5

Port numbers for peer-to-peer applications like Kazaa, eDonkey etc. may be any port specified by the user, so it's difficult to block them. You may want to try applying an ACL with the default port numbers to block the traffic.

edonkey - tcp 4662

kazaa - tcp 2114

or use a route-map to deny traffic matched by NBAR as eDonkey / Kazaa.

Thing is, none of them are using it or have it installed, so I don't understand why NetFlow is reporting it.

Joseph W. Doherty
Hall of Fame

NBAR, for some protocols, is just a pretty face on a port match. Applications can sometimes use ports normally used for other applications. So, eDonkey traffic may not be such.

See http://www.cisco.com/en/US/products/ps6616/products_qanda_item09186a00800a3ded.shtml for details on NBAR matching.

Unsure about an 877, but on larger routers you can see what ports NBAR is using by "show nbar port-map". They can be reassigned by using "ip nbar port-map".

eDonkey seems to be on TCP port 4662; could a user be dynamically mapped to this port for use with another application?

Also, how do I add another port map to NBAR? I want to add Citrix MetaFrame on port 2598.

Do Cisco bring out updated NBAR port lists?

Hi

You can make sure that NBAR isn't classifying the traffic by using the following command:

* show ip nbar unclassified-port-stats

Once verified you can manually add a custom port map with the following command:

* ip nbar port-map citrix tcp 2598

If you have CCO you can download the latest Custom Packet Description Language Module (PDLM) from Cisco software downloads to allow new protocol support for NBAR without the requirement of an IOS release upgrade and router reload.

Regards

Phillip
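Putting the verification and custom port-map steps above together for the poster's situation (monitor only, no drop): this is an added example, not configuration from anyone in the thread. It assumes the 877's LAN interface is Vlan1 as the poster describes, and that NBAR's default Citrix mapping is the ICA port TCP 1494.

```ios
! Added example, not from the thread. Assumes the LAN interface is Vlan1 and
! IOS 12.4(15)T1 with NBAR protocol-discovery support.
! Goal: keep monitoring only (no drop action), and stop Citrix session
! reliability on tcp/2598 from being counted as something else.

! 1. Check which ports NBAR currently maps to each protocol. This is where
!    you confirm that "edonkey" is only a port match (tcp 4662, per this
!    thread) and that citrix does not yet include 2598.
show ip nbar port-map
show ip nbar port-map citrix

! 2. Add 2598 to citrix. The port list given here replaces the protocol's
!    current TCP port list rather than appending to it, so the default ICA
!    port 1494 is repeated to keep it.
configure terminal
 ip nbar port-map citrix tcp 1494 2598
 interface Vlan1
  ip nbar protocol-discovery
 end

! 3. Verify: the citrix port list now shows both ports, and as users
!    reconnect the per-protocol counters should move from edonkey or
!    unclassified into citrix.
show ip nbar port-map citrix
show ip nbar protocol-discovery interface Vlan1 top-n 10
show ip nbar unclassified-port-stats
```

If the eDonkey counters keep rising on Vlan1 after this change, the source addresses in "show ip nbar protocol-discovery" and the NetFlow cache will show whether it is a single host using a non-default port for some other application.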

HI, [PLS RATE if HELPS]

Most companies now use NBAR - Network-Based Application Recognition.

Download the PDLM from Cisco to your flash then configure.

ip nbar pdlm flash:bittorrent.pdlm
ip nbar pdlm flash:eDonkey.pdlm
ip nbar pdlm flash:gnutella.pdlm
ip nbar pdlm flash:kazaa2.pdlm
ip nbar pdlm flash:WinMX.pdlm
ip nbar pdlm flash:printer.pdlm
!
class-map match-any nbar-discovery
match protocol gnutella
match protocol kazaa2
match protocol napster
match protocol printer
match protocol http url "*cmd.exe*"
match protocol fasttrack
match protocol novadigm
match protocol edonkey
match protocol bittorrent
!
!
policy-map ip-prec-marked
class nbar-discovery
drop
!
Interface Serial0/1
ip nbar protocol-discovery
service-policy input ip-prec-marked

Hope I am INFORMATIVE.

PLS RATE if HELPS

Best Regards,

Guru Prasad R

When I do a show flash, the PDLM is not in there. Does this mean I don't have the latest and just the one in the IOS?

My interface is VLAN 1; I take it I'll use this instead of Serial 0/1?

What does your config do?

You can make sure that NBAR isn't classifying the traffic by using the following command:

* show ip nbar unclassified-port-stats

This is off

I've added ip nbar port-map citrix tcp 2598

I am using the latest IOS for that router; do I still need to download the PDLM? My version is 12.4(15)T1.

HI, [PLS RATE if HELPS]

CISCO has released several PDLM for P2P Applications.

You will need to download the PDLM that matches your IOS version and add it to your router's FLASH.

Later, with the configuration posted, you should be able to BLOCK as per requirement.

PLS RATE if HELPS

Best Regards,

Guru Prasad R

I don't want to block just monitor.

For the PDLM, there are loads of individual files like edonkey.pdlm and citrix.pdlm. Do all these individual files need to be downloaded to the flash, and does the router need to be rebooted after?

I'm not sure of the process.

HI,

Yes, for each application CISCO has a PDLM available, and you need to download it to the flash to have them blocked.

I don't know whether it requires a reboot or not.

For NBAR services, using a PDLM is the best way to Block.

You can check some Cisco documents on whether it requires a reboot or not.

DO RATE ALL HELPFUL POSTS

Best Regards,

Guru Prasad R

I can't find the PDLM for my Cisco 877. Aren't the PDLMs for all routers the same??

I don't want to block these apps, just monitor via Netflow.

HI,

I know PDLM is based on IOS versions, but I don't know whether this is router-based.

DO RATE ALL HELPFUL POSTS.

Best Regards,

Guru Prasad R

Edison Ortiz
Hall of Fame

Andy,

Please post the output from executing sh ip nbar protocol-discovery on the router's CLI.