Network Based Application Recognition
Network Based Application Recognition (NBAR) is another Cisco IOS software tool that can be used for monitoring and baselining network performance. NBAR is an intelligent classification engine in Cisco IOS software that can recognize a wide variety of applications. Once the applications are recognized, the network can invoke required services for that particular application by implementing QoS policies to support the application requirements. NBAR provides two primary functions – identifying applications and protocols and allowing for the dynamic discovery of protocols on the network.
NBAR can classify applications that use statically assigned TCP and UDP port numbers, as well as those that use dynamically assigned or negotiated TCP and UDP port numbers. NBAR can also recognize and classify applications based on IP protocols other than TCP and UDP. In addition, NBAR can perform sub-port classification, including classification of HTTP traffic by URL, MIME type or hostname. NBAR also supports Citrix traffic classification, as well as classification of the Real-Time Transport Protocol (RTP) used by IP voice and video.
The NBAR Protocol Discovery (PD) feature can also be used to collect application and protocol statistics, such as packet counts, byte counts and bit rates, on a per-interface basis. This information can then be retrieved by polling SNMP statistics from the NBAR PD Management Information Base (MIB). NBAR uses Packet Description Language Modules (PDLMs) for protocol and application recognition. In the event that a specific protocol or application is not recognized, an external PDLM can be loaded at any time into the router Flash memory to extend the NBAR list of recognized protocols. PDLMs can also be used to enhance an existing protocol recognition capability. The use of PDLMs allows NBAR to recognize additional protocols and applications without having to upgrade or replace the current version of software on the router, providing additional flexibility for network administrators.
Like NetFlow, NBAR Protocol Discovery is enabled on a per-interface basis using the ip nbar protocol-discovery interface configuration command. Prior to configuring NBAR, you must enable Cisco Express Forwarding (CEF) on the router using the ip cef global configuration command. CEF is described in detail in both the ROUTE and SWITCH guides that are available online. CEF troubleshooting will be described later in this guide. The following configuration example illustrates how to enable NBAR on a router interface. Note that Cisco Express Forwarding (CEF) is enabled prior to the NBAR PD configuration:
R2(config)#ip cef
R2(config)#interface fastethernet 0/0
R2(config-if)#ip nbar protocol-discovery
R2(config-if)#exit
Following this configuration, NBAR PD statistics can be viewed by issuing the show ip nbar protocol-discovery command. Keep in mind that the recognized applications or protocols printed in the output of this command will vary depending on your current IOS version and the PDLMs that have been integrated into that version of code, or loaded into router Flash memory:
R2#show ip nbar protocol-discovery

 FastEthernet0/0
                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   netbios                  832                      0
                            76544                    0
                            3000                     0
                            3000                     0
   snmp                     24                       12
                            3172                     1655
                            0                        0
                            1000                     0
   icmp                     222                      221
                            16428                    16342
                            0                        0
                            0                        0
   eigrp                    0                        10
                            0                        740
                            0                        0
                            0                        0
   ospf                     0                        3
                            0                        270
                            0                        0
                            0                        0
   syslog                   0                        2
                            0                        254
                            0                        0
                            0                        0
   [Truncated Output]
When using NBAR, it is important to remember that NBAR PD is based on the standard port numbers for the different applications. For example, NBAR will recognize an application as HTTP if the application is using TCP port 80. Likewise, NBAR will recognize SMTP based on the standard TCP port number of 25. This presents a potential problem in the event that protocols or applications are not using well-known port numbers. For example, it is common practice that some Web applications use TCP port 8080 in addition to the standard port 80.
In such a case, you can use the ip nbar port-map [application or protocol] [tcp | udp] [port number 1] [port number 2]…[port number 16] global configuration command to specify up to sixteen (16) additional port numbers used by the protocol. Note that the examples below list the well-known port together with the additional one. The following configuration example illustrates how to configure NBAR to recognize a protocol on a port other than its well-known port, as follows:
- For Email (SMTP) traffic, NBAR should search for TCP ports 25 and 2525
- For Telnet traffic, NBAR should search for TCP ports 23 and 3023
- For Web (HTTP) traffic, NBAR should search for TCP ports 80 and 8080
This configuration would be implemented as follows on the local router:
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip cef
R2(config)#ip nbar port-map smtp tcp 25 2525
R2(config)#ip nbar port-map telnet tcp 23 3023
R2(config)#ip nbar port-map http tcp 80 8080
R2(config)#interface fastethernet 0/0
R2(config-if)#description 'Connected To Corporate LAN'
R2(config-if)#ip nbar protocol-discovery
R2(config-if)#exit
Following this configuration, you can use the show ip nbar port-map [protocol] command to see the ports that NBAR is recognizing, either for a specific application or protocol or for all applications and protocols. For example, to see the ports that NBAR recognizes for the Telnet application, you would issue the following command on the router:
R2#show ip nbar port-map telnet
port-map telnet tcp 23 3023
If the [protocol] is not specified at the end of the command, NBAR shows default as well as customized port information for all supported protocols and applications as follows:
R2#show ip nbar port-map
port-map bgp udp 179
port-map bgp tcp 179
port-map citrix udp 1604
port-map citrix tcp 1494
port-map cuseeme udp 7648 7649 24032
port-map cuseeme tcp 7648 7649
port-map dhcp udp 67 68
port-map dns udp 53
port-map dns tcp 53
[Truncated Output]
As previously stated, NBAR uses PDLMs for protocol and application recognition. In the event that the PDLMs on the router do not recognize a specific protocol or application, you can download a PDLM file for the application (if one exists) from the Cisco website. Once the download is complete, copy the file to the router Flash memory and then use the ip nbar pdlm [flash://filename.pdlm] global configuration command to reference the file. For example, to load a PDLM for BitTorrent application recognition, you would download the PDLM from the Cisco website and then implement the following configuration on the router:
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip cef
R2(config)#ip nbar pdlm flash://bittorrent.pdlm
R2(config)#interface fastethernet 0/0
R2(config-if)#description 'Connected To Corporate LAN'
R2(config-if)#ip nbar protocol-discovery
R2(config-if)#exit
As previously stated, PDLMs are available for most well-known applications and protocols, but this does not include proprietary applications. If, for example, you have a custom application that uses TCP port numbers 1111, 2222, and 3333, you can use the ip nbar custom [custom name] [tcp | udp] [port number 1]…[port number x] global configuration command to configure NBAR to classify and monitor the additional static port application as illustrated in the following configuration example:
R2(config)#ip cef
R2(config)#ip nbar custom h2n_custom_app tcp 1111 2222 3333
R2(config)#interface fastethernet 0/0
R2(config-if)#description 'Connected To Corporate LAN'
R2(config-if)#ip nbar protocol-discovery
R2(config-if)#exit
Following this configuration, you can use the show ip nbar port-map [protocol] command to see the ports that NBAR is recognizing for the custom application, as follows:
R2#show ip nbar port-map h2n_custom_app
port-map h2n_custom_app tcp 1111 2222 3333
Additionally, you can use the show ip nbar protocol-discovery command to view statistics for the custom application, as shown in the following output, which has been filtered to include only the statistics for the previously configured custom application:
R2#show ip nbar protocol-discovery | section h2n_custom_app
   h2n_custom_app           21                       21
                            1358                     1134
                            0                        0
                            0                        0
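As an added example (not code from the original guide), the following Python script turns the show ip nbar protocol-discovery output shown above into per-protocol counters and compares it with a baseline of expected protocols per interface, flagging anything not in the baseline or whose 5-minute max bit rate exceeds a threshold. The sample output, the baseline and the threshold are constructed for illustration.

```python
"""Parse 'show ip nbar protocol-discovery' output and compare it with a
baseline of expected protocols, flagging anything new or unusually busy."""
import re

# Constructed sample laid out as IOS prints it: per interface, four lines
# per protocol (packets, bytes, 5min bps, 5min max bps), input then output.
SAMPLE = """\
FastEthernet0/0
                          Input                    Output
                          -----                    ------
  Protocol                Packet Count             Packet Count
                          Byte Count               Byte Count
                          5min Bit Rate (bps)      5min Bit Rate (bps)
                          5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
  ----------------------- ------------------------ ------------------------
  netbios                 832                      0
                          76544                    0
                          3000                     0
                          3000                     0
  snmp                    24                       12
                          3172                     1655
                          0                        0
                          1000                     0
  h2n_custom_app          21                       21
                          1358                     1134
                          0                        0
                          0                        0
"""

FIELDS = ("packets", "bytes", "bps", "max_bps")
IFACE_LINE = re.compile(r"^(\S+)$")                  # e.g. FastEthernet0/0
PROTO_LINE = re.compile(r"^\s+([A-Za-z][\w.-]*)\s+(\d+)\s+(\d+)\s*$")
CONT_LINE = re.compile(r"^\s+(\d+)\s+(\d+)\s*$")     # remaining numeric pairs


def parse_protocol_discovery(text):
    """Return {interface: {protocol: {'in': {...}, 'out': {...}}}}."""
    stats, iface, current, idx = {}, None, None, len(FIELDS)
    for line in text.splitlines():
        m = IFACE_LINE.match(line)
        if m:
            iface = m.group(1)
            stats[iface] = {}
            continue
        m = PROTO_LINE.match(line)
        if m and iface is not None:
            name, in_pkts, out_pkts = m.groups()
            current = {"in": {"packets": int(in_pkts)},
                       "out": {"packets": int(out_pkts)}}
            stats[iface][name] = current
            idx = 1                        # next numeric pair is the byte count
            continue
        m = CONT_LINE.match(line)
        if m and idx < len(FIELDS):        # ignore stray numbers once a record is full
            current["in"][FIELDS[idx]] = int(m.group(1))
            current["out"][FIELDS[idx]] = int(m.group(2))
            idx += 1
    return stats


def compare_with_baseline(stats, expected, max_bps_threshold):
    """Flag protocols missing from the per-interface baseline and protocols whose
    5-minute max bit rate (either direction) exceeds the threshold; sorted tuples."""
    findings = []
    for iface, protos in stats.items():
        allowed = expected.get(iface, set())
        for name, dirs in protos.items():
            if name not in allowed:
                findings.append((iface, name, "not in baseline"))
            peak = max(dirs["in"].get("max_bps", 0), dirs["out"].get("max_bps", 0))
            if peak > max_bps_threshold:
                findings.append((iface, name, f"5min max bit rate {peak} bps exceeds {max_bps_threshold}"))
    return sorted(findings)
```

Run it periodically against a saved copy of the command output and the findings list becomes a simple change report for protocols appearing on an interface that the baseline did not expect.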
Given the options available with and the flexibility afforded by NBAR, it is easy to see why this is a popular network monitoring tool. However, one significant drawback to NBAR is that it is very resource intensive and consumes a lot of CPU and memory resources. It is important to ensure that you do not implement NBAR on a router whose resources are already taxed. After NBAR has been enabled, you can use the show ip nbar resources command to view how much memory it is consuming.
R2#show ip nbar resources
NBAR memory usage for tracking Stateful sessions
   Max-age                    : 120 secs
   Initial memory             : 1383 KBytes
   Max initial memory         : 4611 KBytes
   Memory expansion           : 68 KBytes
   Max memory expansion       : 68 KBytes
   Memory in use              : 1383 KBytes
   Max memory allowed         : 9223 KBytes
   Active links               : 0
   Total links                : 20346
You can monitor the CPU utilization on the router using the show processes cpu command. This is a core troubleshooting command that will be described in detail later in this guide.
Configuration Management
In this next section of Cisco IOS network maintenance and monitoring tools, we are going to be looking at some of the tools available in Cisco IOS software for configuration management. As we learned earlier in this chapter, configuration management, including backing up configurations, scheduling backups, and restoring from backups, is a core maintenance task. This section describes the toolkit available in Cisco IOS software to assist with these tasks.
One of the most commonly used configuration management commands in Cisco IOS software is the copy running-config command. This command can be used to save the device configuration locally or to a remote destination, such as a Trivial File Transfer Protocol (TFTP) or a File Transfer Protocol (FTP) server. Supported options are shown below:
R2#copy running-config ?
  archive:        Copy to archive: file system
  flash:          Copy to flash: file system
  ftp:            Copy to ftp: file system
  http:           Copy to http: file system
  https:          Copy to https: file system
  ips-sdf         Update (merge with) IPS signature configuration
  null:           Copy to null: file system
  nvram:          Copy to nvram: file system
  pram:           Copy to pram: file system
  rcp:            Copy to rcp: file system
  running-config  Update (merge with) current system configuration
  scp:            Copy to scp: file system
  startup-config  Copy to startup configuration
  syslog:         Copy to syslog: file system
  system:         Copy to system: file system
  tftp:           Copy to tftp: file system
NOTE: The options displayed above will vary depending on the IOS version on the device.
The following configuration example illustrates how to copy the router running configuration to a TFTP server with the IP address 150.1.1.254:
R2#copy running-config tftp:
Address or name of remote host []? 150.1.1.254
Destination filename [r2-confg]?
!!
2732 bytes copied in 2.296 secs (1190 bytes/sec)
The same action can also be performed on a single line as follows:
R2#copy running-config tftp://150.1.1.254
Address or name of remote host [150.1.1.254]?
Destination filename [r2-confg]?
!!
2732 bytes copied in 2.288 secs (1194 bytes/sec)
Unlike TFTP, file transfers to FTP servers typically require a username and password, which provides somewhat greater security than TFTP, which has no authentication at all. Keep in mind, however, that both FTP and TFTP send the credentials and the configuration file itself across the network in clear text; where the transfer must be protected in transit, use the scp: option listed above instead. When copying configuration files to an FTP server that requires a username and password pair for login, you have two options for specifying the username and password pair that the local device will use. The first option is to globally configure the FTP username and password on the device using the ip ftp username <name> and ip ftp password <secret> global configuration commands.
Following this, you can then use the copy running-config ftp: command. The example below illustrates how to configure a global FTP username and password pair and copy the configuration of the local router to an FTP server with the IP address 150.1.1.254. This example assumes that the FTP server has been appropriately configured:
R2(config)#ip ftp username netadmin
R2(config)#ip ftp password tshoot
R2(config)#end
R2#copy running-config ftp:
Address or name of remote host []? 150.1.1.254
Destination filename [r2-confg]?
Writing r2-confg !
2780 bytes copied in 4.932 secs (564 bytes/sec)
NOTE: Referencing the FTP configuration above, it is important to keep in mind that the FTP password is stored in plain text in the device configuration until the service password-encryption global configuration command is issued. Following that, the password is displayed in an encoded (type 7) form rather than in clear text. Because type 7 encoding is reversible, this hides the password from casual viewing but does not protect it from anyone who can read the configuration file, so configuration backups containing it should be treated as sensitive.
If the FTP username and password pair is not configured globally on the router, you can still specify these parameters when using the copy command as follows:
R2#copy running-config ftp://netadmin:tshoot@150.1.1.254
Address or name of remote host [150.1.1.254]?
Destination filename [r2-confg]?
Writing r2-confg !
2738 bytes copied in 7.180 secs (381 bytes/sec)
In addition to basic copy commands, Cisco IOS software also supports configuration archive, configuration replace and configuration rollback tools for configuration management functionality. The configuration archive provides a mechanism to store, organize, and manage an archive of configuration files. This functionality is intended to enhance the configuration rollback capability that is also supported in Cisco IOS software.
The configuration archive feature allows you to save configurations in the configuration archive using a standard location and filename prefix that is automatically appended with an incremental version number, and optional timestamp, as each consecutive file is saved. This functionality provides a means for consistent identification of saved configuration files. You can specify how many versions of the running configuration are kept in the archive. After the maximum number of files specified has been reached in the archive, the oldest file will then be automatically deleted when the next, most recent file is saved. The Cisco IOS configuration archive, in which the configuration files are stored, can be located on the following file systems:
- If your platform has disk0: disk0:, disk1:, ftp:, pram:, rcp:, slavedisk0:, slavedisk1:, tftp:
- If your platform does not have disk0: ftp:, http:, pram:, rcp:, tftp:
Implementing the configuration archive feature is a four-step process performed as follows:
- After entering global configuration mode, issue the archive command to enter archive configuration mode
- When in archive configuration mode, specify the location and filename prefix for the files in the Cisco IOS configuration archive using the path <url> archive configuration mode command. The <url> argument is one of the valid locations listed in the previous section, e.g. tftp:, ftp:, disk0:, etc. The available options depend on the platform on which this command is implemented
- Optionally specify the maximum number of files to save using the maximum <number> archive configuration command. By default, 10 (ten) files will be saved; however, up to 14 (fourteen) files can be saved in the archive. When the specified maximum value has been reached, the oldest file will be overwritten and replaced by the most recent file. An important point to remember is that this command is not supported when backing up the configuration to a network location such as a TFTP or FTP server
- And finally, optionally specify the time increment for automatically saving an archive file of the current running configuration in the configuration archive using the time-period <minutes> archive configuration command. This command has no default
When configuring the archive feature, the write-memory archive configuration command is typically included so that the router automatically saves the configuration to the specified location each time the running configuration is saved to NVRAM, i.e. to the startup configuration (which typically indicates some type of configuration change).
The following configuration example illustrates how to configure the local router to back up the configuration to an FTP server, using the specified FTP username and password pair, every week, which is 168 hours or 10080 minutes. The running configuration file will be saved to the server using the name R2-Archive-Config. In addition to the weekly scheduled backup, the router is also configured to archive the configuration every time the running configuration file is saved to NVRAM, i.e. the startup configuration:
R2(config)#ip ftp username netadmin
R2(config)#ip ftp password tshoot
R2(config)#archive
R2(config-archive)#path ftp://150.1.1.254/R2-Archive-Config
R2(config-archive)#write-memory
R2(config-archive)#time-period 10080
R2(config-archive)#exit
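As an added example (not code from the original guide), the following Python script checks an archive stanza taken from a device configuration against the constraints described in the four steps above: the path must use a file system the platform supports, maximum cannot exceed 14 and is not supported with a network location, and the stanza should contain a trigger (time-period and/or write-memory) or nothing is archived automatically. The two stanzas and the has_disk0 flag are constructed inputs.

```python
"""Check a Cisco IOS 'archive' stanza against the archive constraints described
in the text and report anything that would make the archive silently not work."""

# Constructed inputs: the stanza from the configuration example above, and a
# faulty one using 'maximum' with a TFTP path and no archive trigger at all.
GOOD_STANZA = """\
archive
 path ftp://150.1.1.254/R2-Archive-Config
 write-memory
 time-period 10080
"""
BAD_STANZA = """\
archive
 path tftp://150.1.1.254/R2-Archive-Config
 maximum 20
"""

NETWORK_SCHEMES = {"ftp", "tftp", "rcp", "http"}


def allowed_schemes(has_disk0):
    """Archive locations listed in the text, by platform type."""
    if has_disk0:
        return {"disk0", "disk1", "ftp", "pram", "rcp", "slavedisk0", "slavedisk1", "tftp"}
    return {"ftp", "http", "pram", "rcp", "tftp"}


def parse_archive(text):
    """Pull path, maximum, time-period and write-memory out of the stanza."""
    cfg = {"path": None, "maximum": None, "time_period": None, "write_memory": False}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 2 and parts[0] == "path":
            cfg["path"] = parts[1]
        elif len(parts) == 2 and parts[0] == "maximum":
            cfg["maximum"] = int(parts[1])
        elif len(parts) == 2 and parts[0] == "time-period":
            cfg["time_period"] = int(parts[1])      # minutes
        elif parts == ["write-memory"]:
            cfg["write_memory"] = True
    return cfg


def check_archive(cfg, has_disk0):
    """Return a list of problems; an empty list means the stanza is sound."""
    problems = []
    if not cfg["path"]:
        return ["no path configured, so nothing will ever be archived"]
    scheme = cfg["path"].split(":", 1)[0]
    if scheme not in allowed_schemes(has_disk0):
        problems.append(f"'{scheme}:' is not a supported archive location on this platform")
    if cfg["maximum"] is not None:
        if scheme in NETWORK_SCHEMES:
            problems.append("'maximum' is not supported when the path is a network server")
        if cfg["maximum"] > 14:
            problems.append(f"maximum {cfg['maximum']} exceeds the limit of 14")
    if cfg["time_period"] is None and not cfg["write_memory"]:
        problems.append("no time-period or write-memory, so archiving happens only on demand")
    return problems
```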
Following this configuration, you can use the show archive command to view the archived configuration files. Following is a sample output printed by this command:
R2#show archive
The next archive file will be named ftp://150.1.1.254/R2-Archive-Config-6
 Archive #  Name
   0
   1        ftp://150.1.1.254/R2-Archive-Config-1
   2        ftp://150.1.1.254/R2-Archive-Config-2
   3        ftp://150.1.1.254/R2-Archive-Config-3
   4        ftp://150.1.1.254/R2-Archive-Config-4
   5        ftp://150.1.1.254/R2-Archive-Config-5 <- Most Recent
   6
   7
   8
   9
   10
   11
   12
   13
   14
Because the write-memory archive configuration command has been included in the archive configuration, the local router will save the configuration to the FTP server if either the write memory or copy running-config startup-config commands are issued:
R2#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Writing R2-Archive-Config-1 !
R2#write memory
Building configuration...
[OK]
Writing R2-Archive-Config-2 !
R2#
The configuration replace and configuration rollback features allow you to restore a previously archived configuration using the configure replace <target-url> [nolock] [list] [force] [ignorecase] [revert trigger [error | timer <minutes>] | time <minutes>] privileged EXEC command. The <target-url> specifies the location of the saved configuration file that is to replace the current running configuration.
By default, the running configuration is locked during a configuration replace operation to prevent other users from changing it while the replacement is in progress; the optional [nolock] keyword disables that locking. The optional [list] keyword displays the command lines applied by the Cisco IOS software parser during each pass of the configuration replace operation; when this keyword is used, the total number of passes performed is also displayed. The [force] keyword is yet another optional keyword, used to replace the current running configuration file with the specified saved Cisco IOS configuration file without prompting for confirmation.
The [ignorecase] keyword is an optional keyword that instructs the configuration to ignore the case of the configuration confirmation. The [revert trigger [error | timer <minutes>]] keywords set the triggers for reverting to the original configuration. If the [error] keyword is included, the router reverts to the original configuration if an error is detected. If the [timer <minutes>] keywords are included, the router reverts to the original configuration file when the specified time period elapses.
And finally, the optional time <minutes> keyword specifies the time within which the configure confirm command must be issued to confirm the replacement of the current running configuration file. If the configure confirm command is not issued within the specified time limit, the configuration replace operation is automatically reversed by the router.
The following example illustrates how to replace the existing running configuration with the archived configuration file named R2-Archive-Config-5 stored on FTP server 150.1.1.254:
R2#configure replace ftp://150.1.1.254/R2-Archive-Config-5
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: y
Loading R2-Archive-Config-5 !
[OK - 2959/4096 bytes]
Total number of passes: 0
Rollback Done
The following example illustrates how to replace the existing running configuration with the archived configuration file named R2-Archive-Config-5 stored on FTP server 150.1.1.254 and specify that the change should be confirmed in 10 (ten) minutes, and if not, the router should reverse this operation automatically:
R2#configure replace ftp://150.1.1.254/R2-Archive-Config-5 time 10
Writing R2-Archive-Config-6 !
Timed Rollback: Backing up to ftp://150.1.1.254/R2-Archive-Config-6
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: y
Loading R2-Archive-Config-5 !
[OK - 2959/4096 bytes]
Total number of passes: 0
R2#configure confirm
NOTE: Referencing the output above, if the configure confirm command is not issued, then the changes will be reversed in 10 (ten) minutes. This option is applicable only when a time for the change confirmation has been specified when using the configure replace command. Because a time limit was not imposed in the first example, this command need not be issued.
Cisco IOS Command Scheduler
The final Cisco IOS maintenance tool that we are going to discuss in this section is the Cisco IOS Command Scheduler (KRON). The Command Scheduler allows you to run exec commands on a regular basis on a router. For simplicity, consider it as an automation tool for running exec commands on a router at specified or configured intervals. The IOS Command Scheduler has 2 (two) processes, which are policy lists and the scheduler.
Policy lists contain the exec commands that you want executed on the router. When configuring policy lists, it is important to remember that KRON does not support interactive commands. Therefore, if you want to create a policy list that saves the device configuration, you should use the write memory command instead of the copy running-config startup-config command which requires confirmation of this action. This is one of the main limitations of the KRON feature and one of the reasons it is not implemented as much as the other features.
KRON policy lists are configured using the kron policy-list <name> global configuration command. Following this, in policy list configuration mode, the cli <exec command> KRON policy list configuration command is used to specify the exec command that the configured policy list will run. This command can be used multiple times to specify several commands that will run at the same time or during the same interval.
Following the configuration of the policy list, the next step is to configure the Command Scheduler occurrences using the kron occurrence <occurrence-name> [user <name>] {in [[days:]hours:]min | at hours:min [[month] day-of-month] [day-of-week]} {oneshot | recurring} global configuration command. Next, within Command Scheduler configuration mode, specify the policy list that this schedule applies to using the policy-list <name> Command Scheduler configuration mode command.
NOTE: You are not expected to implement any Command Scheduler (KRON) configuration in the current TSHOOT certification exam. However, ensure that you are familiar with basic KRON configuration and functionality.
The following configuration example illustrates how to configure a KRON policy that will be used to automatically save the router configuration every day (1440 minutes):
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#kron policy-list SaveRouterConfiguration
R2(config-kron-policy)#cli write memory
R2(config-kron-policy)#exit
R2(config)#kron occurrence SaveRouterConfigurationSchedule in 1440 recurring
R2(config-kron-occurrence)#policy-list SaveRouterConfiguration
R2(config-kron-occurrence)#exit
Following the Command Scheduler configuration on the router, you can use the show kron schedule command to display information about the status and schedule of all configured Command Scheduler occurrences, as illustrated in the following router output:
R2#show kron schedule
Kron Occurrence Schedule
SaveRouterConfigurationSchedule inactive, will run again in 0 days 23:58:23
While the previous example is a simple one, KRON can be used for other tasks such as saving device configurations to remote servers, e.g. TFTP servers, making it yet another useful maintenance tool at your disposal in Cisco IOS software.