NBAR questions

opers13
Level 1

How can I check, to find out for sure, that protocols are being dropped using NBAR?

Here's my NBAR config:

class-map match-all nbar-drop
  match protocol sqlserver
  match protocol h323
  match protocol skinny
  match protocol fasttrack
  match protocol pptp
  match protocol sqlnet
  match protocol xwindows
  match protocol icmp
  match protocol novadigm
!
!
policy-map block
  class nbar-drop
    drop
!
interface FastEthernet1/0
  service-policy input block

TX

12 Replies

vladrac-ccna
Level 5

Try using

int fa1/0
  ip nbar protocol-discovery

You'll be able to check which protocols are matching, using

show ip nbar protocol-discovery

vlad

Vlad, what you posted are the first steps to enable NBAR on the interface... I have already done all of that.

Anyone else know a command to actually see how many packets NBAR has dropped?

TX

I'll have to disagree with you.

You don't need that command to enable NBAR.

Router(config)# class-map sqlnettraffic
Router(config-cmap)# match protocol sqlnet
Router(config)# policy-map sqlsetipprec1
Router(config-pmap)# class sqlnettraffic
Router(config-pmap-c)# set ip precedence 4
Router(config)# interface fastethernet 0/1
Router(config-if)# service-policy output sqlsetipprec1

That is just optional.

"Usage Guidelines

Use the ip nbar protocol-discovery command to configure NBAR to keep traffic statistics for all protocols known to NBAR. Protocol Discovery provides an easy way to discover application protocols traversing an interface so that QoS policies can be developed and applied. The Protocol Discovery feature discovers any protocol traffic supported by NBAR. Protocol Discovery can be used to monitor both input and output traffic and may be applied with or without a service policy enabled."

"- Enabling Protocol Discovery (optional)
- Configuring a Traffic Class (required)
- Configuring a Traffic Policy (required)
- Attaching a Traffic Policy to an Interface (required)
- Downloading PDLMs (optional)"

vlad

If you are dropping all those protocols, just use the statistics from the show discovery, and there's the information you need, isn't it?

Vlad

mukeshpal
Level 1

I agree with Vlad; here is a sample config of NBAR that will give more clarity, e.g. if we want to give 80% traffic utilization to any HTTP based application.

class-map match-all QOS-HTTPS
  match access-group name QOS-HTTPS
!
policy-map QoS-to-rtrname-OUT
  class QOS-HTTPS
    bandwidth percent 80
!
ip access-list extended QOS-HTTPS
  permit tcp any any eq 443
  permit tcp any eq 443 any
!
interface Serial1/0
  service-policy output QoS-to-rtrname-OUT

Thanks...Mukesh

Hi Mukesh,

The above configuration is not using NBAR but just plain QoS.

NBAR recognizes packets by protocol, and your match statements should have commands like

match protocol ftp
match protocol telnet
match protocol smtp

I totally agree with VLAD that the discovery command is not required for configuring NBAR.

Check the following links:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800c75d0.html#11135

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e6/dnbar.htm#xtocid504515

HTH, rate if it does

Narayan

Hi Narayan,

See, in my sample config it shows that it's matching the HTTPS traffic through an access-list; that shows it's NBAR QoS, but it looks like QoS. This is another way of configuring NBAR. I agree with you that it's basically matching the protocol, so my sample is also matching the HTTP protocol. Correct me if I'm wrong.

Regds...Mukesh

mheusinger
Level 10

Hi,

"show policy-map interface FastEthernet1/0" should give you the amount of packets matched and then dropped.

Regards, Martin

I get no drops...

sh policy-map interface

FastEthernet1/0
  Service-policy input: block
    Class-map: nbar-drop (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol sqlserver
      Match: protocol h323
      Match: protocol skinny
      Match: protocol fasttrack
      Match: protocol pptp
      Match: protocol sqlnet
      Match: protocol xwindows
      Match: protocol icmp
      drop
    Class-map: class-default (match-any)
      199705 packets, 222895713 bytes
      5 minute offered rate 124000 bps, drop rate 0 bps
      Match: any

Check out the attachment, that's from "sh ip nbar protocol discovery interface fastethernet 1/0".

Hi,

There is only a little mistake: class-maps by default are match-all. In your case, traffic which is H323 and Skinny and ... at the same time would match ... so no traffic.

Just change your class-map to match-any and you should be fine:

Router#config t
Router(config)# class-map match-any nbar-drop

Hope this helps! Please rate all posts.

Regards, Martin

OK, I made the changes, now I can see the packet and byte counts... but no drop count.

I also enabled "service-policy output" on int fe1/0 and added http to the class-map, and it worked: I did see the drop count increment.

However, I don't see the drop count for input.

Check out below:

FastEthernet1/0
  Service-policy input: nbar
    Class-map: block (match-any)
      71 packets, 7897 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol sqlserver
        4 packets, 264 bytes
        5 minute rate 0 bps
      Match: protocol h323
        1 packets, 60 bytes
        5 minute rate 0 bps
      Match: protocol skinny
        5 packets, 300 bytes
        5 minute rate 0 bps
      Match: protocol fasttrack
        2 packets, 120 bytes
        5 minute rate 0 bps
      Match: protocol pptp
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol sqlnet
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol xwindows
        2 packets, 120 bytes
        5 minute rate 0 bps
      Match: protocol icmp
        43 packets, 5962 bytes
        5 minute rate 0 bps
      Match: protocol novadigm
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol edonkey
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        0 packets, 0 bytes
        5 minute rate 0 bps
      drop
    Class-map: class-default (match-any)
      37104 packets, 18621469 bytes
      5 minute offered rate 1000 bp
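As an added example (not from this thread, Cisco, or any of the posters), a small Python parser for "show policy-map interface" output that applies the two checks this thread turns on: Martin's point that a match-all class with several match protocol lines can never match, and whether a class with a drop action that counts matched packets also reports drops. The sample output is constructed from the counters quoted in the posts above, not captured from a router.

```python
import re
# Constructed show policy-map interface output, modelled on this thread's counters (not a live router)
SAMPLE_SHOW = """\
    Class-map: nbar-drop (match-all)
      0 packets, 0 bytes
      Match: protocol sqlserver
      Match: protocol h323
      drop
    Class-map: block (match-any)
      71 packets, 7897 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol icmp
        43 packets, 5962 bytes
      drop
"""
CLASS_RE = re.compile(r"Class-map:\s+(\S+)\s+\((match-\w+)\)")
COUNT_RE = re.compile(r"^(\d+) packets, (\d+) bytes")
RATE_RE = re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps")

def parse_policy_map(text):
    """Return {class_name: {mode, packets, drop_rate, matches, action_drop}}."""
    classes, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            cur = {"mode": m.group(2), "packets": None, "drop_rate": None, "matches": [], "action_drop": False}
            classes[m.group(1)] = cur
        elif cur is None:
            continue
        elif cur["packets"] is None and COUNT_RE.match(line):
            cur["packets"] = int(COUNT_RE.match(line).group(1))  # first count is the class total
        elif RATE_RE.search(line):
            cur["drop_rate"] = int(RATE_RE.search(line).group(2))
        elif line.startswith("Match:"):
            cur["matches"].append(line[6:].strip())
        elif line == "drop":
            cur["action_drop"] = True
    return classes

def audit(classes):
    """Flag a match-all class with several protocol matches (never matches) and a drop class with matches but no drops."""
    out = []
    for name, c in classes.items():
        protos = [x for x in c["matches"] if x.startswith("protocol ")]
        if c["mode"] == "match-all" and len(protos) > 1:
            out.append(f"{name}: match-all with {len(protos)} protocol matches, use match-any")
        if c["action_drop"] and c["packets"] and c["drop_rate"] == 0:
            out.append(f"{name}: {c['packets']} packets matched, drop rate 0 bps, verify counters")
    return out
```

Paste the real output of show policy-map interface in place of the constructed sample and call audit(parse_policy_map(text)) to get the findings for each class.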
