05-04-2008 03:03 AM - edited 03-03-2019 09:48 PM
I have configured NBAR protocol discovery on my Cisco 3825 router interface that is connected to the Internet, just to check which types of traffic are going towards the Internet from my users.
It shows me different types of traffic which I never allowed in my firewall, like FTP: it is showing me that FTP traffic is travelling towards the Internet,
though my firewall, connected to the Internet router, is allowing only HTTP and HTTPS traffic, nothing else.
Also the NBAR statistics show me some unknown protocol:
Protocol     Input     Output   (packet counts, as pasted)
ssh              0          0
streamwork       0          0
sunrpc           0          0
syslog           0          0
tftp             0          0
xwindows         0          0
unknown     409226     372043
Total       940394    1224664
ftp            230        214
It is also showing me that eDonkey software is also allowed, though I didn't allow it in my firewall:
edonkey          3         21
If I want to see the port number of that software via NBAR, how do I check it?
Though I didn't allow them.
05-04-2008 03:20 AM
Hi,
To check the ports for each protocol in NBAR, please use the command "show ip nbar port-map". Command reference:
http://www.cisco.com/en/US/docs/ios/12_2/qos/command/reference/qrfcmd10.html#wp1122057
Also please be aware that NBAR tries to discover the protocols of packets passing through an interface based on those ports. Some applications will use random port numbers, and thus it can happen that you get a few matches in protocols like edonkey even though no file sharing is performed. In your case 3 packets should not worry you; if a user were able to use P2P, there would be a LOT more packets.
Last, the "unknown" traffic is everything not predefined, as seen from the command "show ip nbar port-map". In case you know of further protocols in use, you can define them with the command "ip nbar port-map" or add your own custom protocols; details can be seen from
Hope this helps! Please use the rating system.
Regards, Martin
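Turning Martin's advice into a repeatable check, as an added example that is not part of the original thread: the script below parses text in the shape of `show ip nbar protocol-discovery` (protocol, input packets, output packets, as pasted in the question) and `show ip nbar port-map` (constructed sample lines in the `port-map <name> <tcp|udp> <ports>` layout), then reports every protocol that carried packets although the firewall only permits TCP 80 and 443. Protocols whose packet count is below a noise threshold are flagged as "low-volume" rather than "violation", which is exactly the distinction Martin draws for the 3 edonkey packets. The http and secure-http rows, the port numbers and the threshold of 100 packets are assumptions for the example, not values from the thread.

```python
"""Cross-check NBAR protocol-discovery counters against a firewall allow list.

Added example, not code from the original thread. Both input texts below are
constructed samples in the layout of the IOS show commands they imitate.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout of `show ip nbar protocol-discovery`.
# The ssh/tftp/unknown/ftp/edonkey/Total rows are the counters the poster
# pasted; the http and secure-http rows are assumed for illustration.
DISCOVERY_OUTPUT = """\
 Protocol                 Input                 Output
 http                     530000                850000
 secure-http              700                   2000
 ssh                      0                     0
 tftp                     0                     0
 unknown                  409226                372043
 ftp                      230                   214
 edonkey                  3                     21
 Total                    940394                1224664
"""

# Constructed sample in the layout of `show ip nbar port-map`
# (port numbers are assumptions for the example).
PORTMAP_OUTPUT = """\
port-map ftp           tcp 21
port-map edonkey       tcp 4662
port-map edonkey       udp 4662
port-map http          tcp 80
port-map secure-http   tcp 443
port-map ssh           tcp 22
port-map tftp          udp 69
"""

# What the poster says the firewall permits outbound: HTTP and HTTPS only.
ALLOWED = {("tcp", 80), ("tcp", 443)}

PORTMAP_RE = re.compile(r"^\s*port-map\s+(\S+)\s+(tcp|udp)\s+([\d ]+?)\s*$")
COUNT_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_port_map(text):
    """Map NBAR protocol name -> set of (transport, port) it is matched on."""
    ports = {}
    for line in text.splitlines():
        m = PORTMAP_RE.match(line)
        if not m:
            continue
        name, transport, numbers = m.groups()
        ports.setdefault(name, set()).update(
            (transport, int(p)) for p in numbers.split())
    return ports


def parse_discovery(text):
    """Map protocol name -> (input packets, output packets); drops the Total row."""
    counts = {}
    for line in text.splitlines():
        m = COUNT_RE.match(line)
        if not m:
            continue
        name, pkt_in, pkt_out = m.groups()
        if name.lower() == "total":
            continue
        counts[name] = (int(pkt_in), int(pkt_out))
    return counts


@dataclass
class Finding:
    protocol: str
    packets: int
    ports: frozenset
    verdict: str  # permitted | low-volume | violation | unclassified


def audit(counts, port_map, allowed, noise_threshold=100):
    """Classify every protocol that actually carried packets.

    A protocol whose port-map entries all lie inside the allow list is
    permitted; a few stray packets below the threshold are most likely
    port-based misclassification (Martin's point); anything larger on a
    port the firewall should block is a violation worth investigating.
    """
    findings = []
    for name, (pkt_in, pkt_out) in counts.items():
        total = pkt_in + pkt_out
        if total == 0:
            continue
        if name == "unknown":
            findings.append(Finding(name, total, frozenset(), "unclassified"))
            continue
        ports = frozenset(port_map.get(name, ()))
        if ports and ports <= allowed:
            verdict = "permitted"
        elif total < noise_threshold:
            verdict = "low-volume"
        else:
            verdict = "violation"
        findings.append(Finding(name, total, ports, verdict))
    return findings


if __name__ == "__main__":
    results = audit(parse_discovery(DISCOVERY_OUTPUT),
                    parse_port_map(PORTMAP_OUTPUT), ALLOWED)
    for f in sorted(results, key=lambda x: x.packets, reverse=True):
        print(f"{f.protocol:<12} {f.packets:>8} pkts  {f.verdict:<12} "
              f"{sorted(f.ports)}")
```

Run against the pasted numbers, ftp (444 packets on TCP 21) comes out as a violation to chase, edonkey (24 packets) as low-volume noise, and the unknown bucket as unclassified; to shrink that bucket, add `ip nbar port-map` entries for protocols you know are in use and re-run.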