
Catalyst 9300/9600 NBAR

What do I need to do to be able to use "match protocol attribute ...." on these two platforms? I use 17.3.3 with Network Advanced and DNA advanced licenses.

 

vrt-01(config-cmap)#match protocol ?
arp IP ARP
bridge Bridging
cdp Cisco Discovery Protocol
clns ISO CLNS
clns_es ISO CLNS End System
clns_is ISO CLNS Intermediate System
cmns ISO CMNS
compressedtcp Compressed TCP (VJ)
ip IP
ipv6 IPV6
pppoe-discovery PPPoE Discovery packets

 

vrt-01(config-cmap)#


rasmus.elmholt
Level 7

Hi, that's the output I get for the licenses. As I have not installed the device myself I'm not sure if it's ok or if I have to do something here:

 

sh license authorization
Overall status:
Active: PID:C9300-24UX,SN:FOC0000000
Status: NOT INSTALLED

Purchased Licenses:
C9300 24P DNA Advantage (C9300-24 DNA Advantage):
Description: C9300-24P DNA Advantage
Total reserved count: 1
Term information:
Active: PID:C9300-24UX,SN:FOC0000000
License type: TERM
Start Date: 2021-JUL-14 UTC
End Date: 2024-JUL-14 UTC
Term Count: 1
C9300 24P Network Advantage (C9300-24 Network Advantage):
Description: C9300-24P Network Advantage
Total reserved count: 1
Term information:
Active: PID:C9300-24UX,SN:FOC0000000
License type: PERPETUAL
Term Count: 1

 

To which part of the guide do you refer especially? In my opinion it's more a flow exporter config than QoS. But I have read through the whole QoS config as well with no clear hint showing me what needs to be enabled first to get the NBAR commands.

Hi,

I am referring to the part about using NBAR in QoS policies. They mention that ip nbar should be configured on the interfaces, but I have just tested it in my lab and it does not seem to be necessary.

CORE(config)#do show run | inc nbar
CORE(config)#conf t
                  ^
% Invalid input detected at '^' marker.

CORE(config)#clas
CORE(config)#class-map ?
  WORD       class-map name
  match-all  Logical-AND all matching statements under this classmap
  match-any  Logical-OR all matching statements under this classmap
  type       Configure CPL Class Map

CORE(config)#class-map ty
CORE(config)#class-map type ?
  access-control   access-control specific class-map
  control          Configure control policies
  multicast-flows  multicast class-maps
  stack            class-map for protocol header stack specification
  traffic          Configure a subscriber policy traffic classmap

CORE(config)#class-map cp-sip ?
  <cr>  <cr>

CORE(config)#class-map cp-sip 
CORE(config-cmap)#mat pro
CORE(config-cmap)#mat protocol ?
  3com-amp3                 3Com AMP3
  3com-tsmux                3Com TSMUX
  3pc                       Third Party Connect Protocol
  4chan                     4chan - Website that hosts found images and discussions on them.
  58-city                   58 City - Classified information about 58 cities in China.
  914c/g                    Texas Instruments 914 Terminal
  9pfs                      Plan 9 file service
  CAIlic                    Computer Associates Intl License Server
  Konspire2b                konspire2b p2p n
<output omitted>
CORE(config-cmap)#mat protocol sip ?
  <cr>  <cr>

CORE(config-cmap)#mat protocol sip 
CORE(config-cmap)#end
CORE#show inven
CORE#show inventory 
NAME: "c93xx Stack", DESCR: "c93xx Stack"
PID: C9300-24P         , VID: V02  , SN: FOC000000
CORE#show ver
Cisco IOS XE Software, Version 16.09.05
CORE#show license summary 
Smart Licensing is ENABLED

Registration:
  Status: UNREGISTERED
  Export-Controlled Functionality: NOT ALLOWED

License Authorization: 
  Status: EVAL EXPIRED

License Usage:
  License                 Entitlement tag               Count Status
  -----------------------------------------------------------------------------
                          (C9300-24 DNA Advantage)          1 EVAL EXPIRED
                          (C9300-24 Network Advan...)       1 EVAL EXPIRED



Hi again,

I have just tested this on version 17.3.4 with a 9300L and the commands are working.

DK-SJ2-FIAB#show license summary 
License Usage:
  License                 Entitlement Tag               Count Status
  -----------------------------------------------------------------------------
  network-advantage       (C9300L 24P Network Adv...)       1 IN USE
  dna-advantage           (C9300L 24P DNA Advantage)        1 IN USE


DK-SJ2-FIAB#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
DK-SJ2-FIAB(config)#class-map cp-sip
DK-SJ2-FIAB(config-cmap)#match protocol sip
DK-SJ2-FIAB(config-cmap)#end
DK-SJ2-FIAB#show class-map cp-sip
 Class Map match-all cp-sip (id 41)
   Match protocol sip

DK-SJ2-FIAB#show ver
Cisco IOS XE Software, Version 17.03.04

But this switch has NetFlow and NBAR configured as part of our telemetry.

inter gi 1/0/1

 ip nbar protocol-discovery

 

What does show ip nbar say?

DK-SJ2-FIAB#show ip nbar version 
NBAR software version:  40
NBAR minimum backward compatible version:  40
NBAR change ID:  BLD_NBAR_

Loaded Protocol Pack(s): 
  Name:                          Advanced Protocol Pack
  Version:                       50.0
  Publisher:                     Cisco Systems Inc.
  NBAR Engine Version:           40
  State:                         Active
