In response to the new network requirements posed by rapidly changing and converging network service demands, Cisco has expanded its network service and QoS offerings to include Content Networking classification and differentiation. Cisco Content Networking is an intelligent networking architecture that actively classifies and identifies complex and critical application streams and applies defined QoS parameters to those streams to ensure timely and economical delivery of the requested services. This architecture is composed of three key components:
■ Intelligent network classification and network services provided by IOS software features.
■ Intelligent network devices that integrate applications with network services.
■ Intelligent policy management for configuration, accounting, and monitoring.
Networks have become increasingly complex and are carrying more and more data types. In the past it was sufficient to give priority to traffic to or from a particular address or for a particular protocol, but this is no longer enough. The ubiquity of IP and client/server applications has rendered such a model sorely inadequate. A single user may at the same time be sending Voice over IP, using an application served by an application service provider (ASP), and running a thin client session while reading email and surfing the Web, all from a single IP address using a single protocol. Clearly these tasks are not of equal importance. Voice requires a premium service to achieve acceptable near-toll quality; the client may be paying for the application served by the ASP and, as such, wants the greatest return on that investment; Web traffic may not be productive at all. Content Networking, by looking at the application level inside the data stream, allows us to differentiate the application requirements and assign an appropriate level of service to each. Classification has developed from fairly coarse network-based differentiation to fine-grained application-layer classification and service.
load capacity. The best question for QoS in ATM is one of design. If the network is properly dimensioned to handle burst loads, QoS will be inherent within an ATM network with no further IP controls being needed. Thus, since ATM has inherent QoS, we must address the role of capacity engineering. Give a big enough pipe for the expected streams and your data will be jitter free and prioritized. This is very similar to what was said of IntServ.
Application Aware Classification: Cisco NBAR
A key to content-enabled networks is the ability to classify traffic based on more detailed information than static port numbers or addresses. Cisco addresses this requirement with a new classification engine called Network Based Application Recognition, or NBAR. NBAR looks within a packet and performs a stateful analysis of the information contained in it. While NBAR can classify static port protocols, its usefulness is far greater in recognizing applications that use dynamically assigned port numbers, in detailed classification of HTTP traffic, and in classification of Citrix ICA traffic by published application. Before we proceed, it must be noted that there are two significant issues with NBAR classification. First, NBAR only functions with IP traffic; therefore, if you have any SNA or other legacy traffic, other classification and queuing schemes must be used. Second, NBAR will only function with traffic that can be switched via Cisco Express Forwarding (CEF).
HTTP Classification
NBAR can classify HTTP traffic not just on address or port number but on any detailed information within the URL, to a depth of 400 bytes. The code is actually written such that NBAR will look at a total of 512 bytes; however, once you deduct the L2 header, L3 header, L4 header, and HTTP header, 400 bytes is a safe estimate of how much of the URL you can actually match on. HTTP subport classification is really the only subport classification mechanism in NBAR today that pushes this deep into the packet.
NBAR can classify all HTTP traffic by MIME type or by GET request destination. The limitations of NBAR with regard to Web traffic are that no more than 24 concurrent URL, host, or MIME type matches can be classified by NBAR. Pipelined persistent HTTP requests cannot be classified, nor can any classification by URL/host or MIME type be performed if the traffic is protected by secure HTTP.
Citrix Classification
With the advent of thin client services led by Citrix WinFrame and MetaFrame, NBAR provides the ability to classify certain types of Citrix Independent Computing Architecture (ICA) traffic. If the Citrix client uses published application requests to a Citrix Master Browser, NBAR can differentiate between the application types and allow QoS features to be applied. NBAR cannot distinguish among Citrix applications in Published Desktop mode or for Seamless mode clients that operate in session sharing mode. In either of these cases only a single TCP stream is used for data communication, and as such differentiation is impossible. For NBAR to be used on Citrix flows, traffic must be in published application mode or come from clients in Seamless non-sharing mode. In these cases each client has a unique TCP stream for each request, and as such these streams can be differentiated by NBAR.
Supported Protocols
NBAR is capable of classifying TCP and UDP protocols that use fixed port numbers as well as non-UDP and non-TCP protocols. Tables 4.6, 4.7, and 4.8 list some of the supported protocols, along with their associated port numbers, that may be classified by NBAR.
Using NBAR and Policing to Protect Scarce Bandwidth
Normally we would not think of a classification tool as a form of security. In fact, security is probably a bad term; bandwidth abuse might be a better one. The ability of NBAR to look up to 400 bytes into a URL and to classify on MIME types can make NBAR a powerful tool to prevent network abuse. High utilization of network capacity can occur in a number of cases, but few are as deleterious as large .mp3 files or .mov and .mpeg files being transferred between users. We could filter on the Napster protocol, but that would not prevent users from simply trading these files directly over your local private LAN or expensive WAN circuits. It is rare to have firewalls on private WAN circuits to act as controls for such traffic. This is exactly where NBAR's application classification can come in handy. We can filter on recognized MIME types to classify any traffic that may involve MP3s or other forms of unauthorized multimedia files. Once these packets are classified they can be assigned to a very low priority queue or provisioned to be dropped altogether. In this manner we prevent these recreational uses of our network from being propagated past our router boundaries.
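The policy described in the sidebar above, written out as an added IOS configuration example (not from the original text): an NBAR class for recreational media that is policed on the WAN link, beside a Citrix published-application class that receives a bandwidth guarantee. The interface name, rates, class names and the Citrix application name "ERP-Desktop" are assumptions.

```cisco
! Added example, not from the original text: NBAR classes that police the
! recreational media described in the sidebar and give a Citrix published
! application a guaranteed share of the link. Assumptions: Serial0/0 is the
! WAN circuit, "ERP-Desktop" is a placeholder published application name,
! and the rates are illustrative.
!
! NBAR classifies only IP traffic that is CEF switched, so enable CEF first.
ip cef
!
! Recreational media, matched on the MIME type of the server response and on
! the requested URL. Each line counts toward the limit of 24 concurrent
! URL/host/MIME matches; only the first 400 bytes of the URL are inspected,
! and pipelined or secure-HTTP (HTTPS) transfers will not be classified.
class-map match-any RECREATIONAL-MEDIA
 match protocol http mime "audio/mpeg"
 match protocol http mime "video/mpeg"
 match protocol http mime "video/quicktime"
 match protocol http url "*.mp3"
 match protocol http url "*.mov"
 match protocol http url "*.mpeg"
!
! A Citrix published application; the client must run in published
! application mode or Seamless non-sharing mode for NBAR to see it.
class-map match-all CITRIX-ERP
 match protocol citrix app "ERP-Desktop"
!
! Police the media class to 32 kbps: conforming packets are sent, excess is
! dropped. A very low rate with exceed-action drop approximates the
! "drop altogether" option; "bandwidth" reserves link share for Citrix.
policy-map PROTECT-WAN
 class RECREATIONAL-MEDIA
  police 32000 6000 6000 conform-action transmit exceed-action drop
 class CITRIX-ERP
  bandwidth percent 30
 class class-default
  fair-queue
!
interface Serial0/0
 ip nbar protocol-discovery
 service-policy output PROTECT-WAN
!
! Verify what NBAR sees and what the policy is doing:
! show ip nbar protocol-discovery interface Serial0/0
! show policy-map interface Serial0/0
```

Protocol discovery is enabled on the interface so that the per-protocol counters can be compared against the policy counters before the policing rate is tightened.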
Table 4.6 NBAR Supported Non-TCP, Non-UDP Protocols

| Protocol | Type | Port Number | Description | Command |
|---|---|---|---|---|
| EGP | IP | 8 | Exterior Gateway Protocol | egp |
| GRE | IP | 47 | Generic Routing Encapsulation | gre |
| ICMP | IP | 1 | Internet Control Message Protocol | icmp |
| IPINIP | IP | 4 | IP in IP | ipinip |
| IPSec | IP | 50, 51 | IP Encapsulating Security Payload/Authentication Header | ipsec |
| EIGRP | IP | 88 | Enhanced Interior Gateway Routing Protocol | eigrp |

Table 4.7 NBAR Supported Static TCP/UDP Protocols

| Protocol | Type | Port Number | Description | Command |
|---|---|---|---|---|
| BGP | TCP/UDP | 179 | Border Gateway Protocol | bgp |
| CU-SeeMe | TCP/UDP | 7648, 7649 | Desktop Videoconferencing | cuseeme |
| CU-SeeMe | UDP | 24032 | Desktop Videoconferencing | cuseeme |
| DHCP/BOOTP | UDP | 67, 68 | Dynamic Host Configuration Protocol/Bootstrap Protocol | dhcp |
| DNS | TCP/UDP | 53 | Domain Name System | dns |
| Finger | TCP | 79 | Finger User Information Protocol | finger |
| Gopher | TCP/UDP | 70 | Internet Gopher Protocol | gopher |
| HTTP | TCP | 80 | Hypertext Transfer Protocol | http |
| HTTPS | TCP | 443 | Secured HTTP | secure-http |
| IMAP | TCP/UDP | 143, 220 | Internet Message Access Protocol | imap |
| IRC | TCP/UDP | 194 | Internet Relay Chat | irc |
| Kerberos | TCP/UDP | 88, 749 | Kerberos Network Authentication Service | kerberos |
| L2TP | UDP | 1701 | L2F/L2TP Tunnel | l2tp |
| LDAP | TCP/UDP | 389 | Lightweight Directory Access Protocol | ldap |
| MS-PPTP | TCP | 1723 | Microsoft Point-to-Point Tunneling Protocol for VPN | pptp |
| MS-SQLServer | TCP | 1433 | Microsoft SQL Server Desktop Videoconferencing | sqlserver |
| NetBIOS | TCP | 137, 139 | NetBIOS over IP (MS Windows) | netbios |
| NetBIOS | UDP | 137, 138 | NetBIOS over IP (MS Windows) | netbios |
| NFS | TCP/UDP | 2049 | Network File System | nfs |
| NNTP | TCP/UDP | 119 | Network News Transfer Protocol | nntp |
| Notes | TCP/UDP | 1352 | Lotus Notes | notes |
| Novadigm | TCP/UDP | 3460-3465 | Novadigm Enterprise Desktop Manager (EDM) | novadigm |
| NTP | TCP/UDP | 123 | Network Time Protocol | ntp |
| PCAnywhere | TCP | 5631, 65301 | Symantec PCAnywhere | pcanywhere |
| PCAnywhere | UDP | 22, 5632 | Symantec PCAnywhere | pcanywhere |
| POP3 | TCP/UDP | 110 | Post Office Protocol | pop3 |
| Printer | TCP/UDP | 515 | Printer | printer |
| RIP | UDP | 520 | Routing Information Protocol | rip |
| RSVP | UDP | 1698, 1699 | Resource Reservation Protocol | rsvp |
| SFTP | TCP | 990 | Secure FTP | secure-ftp |
| SHTTP | TCP | 443 | Secure HTTP | secure-http |
| SIMAP | TCP/UDP | 585, 993 | Secure IMAP | secure-imap |
| SIRC | TCP/UDP | 994 | Secure IRC | secure-irc |
| SLDAP | TCP/UDP | 636 | Secure LDAP | secure-ldap |
| SNNTP | TCP/UDP | 563 | Secure NNTP | secure-nntp |
| SMTP | TCP | 25 | Simple Mail Transfer Protocol | smtp |
| SNMP | TCP/UDP | 161, 162 | Simple Network Management Protocol | snmp |
| SOCKS | TCP | 1080 | Firewall security protocol | socks |
| SPOP3 | TCP/UDP | 995 | Secure POP3 | secure-pop3 |
| SSH | TCP | 22 | Secured Shell | ssh |
| STELNET | TCP | 992 | Secure Telnet | secure-telnet |
| Syslog | UDP | 514 | System Logging Utility | syslog |
| Telnet | TCP | 23 | Telnet Protocol | telnet |
| X Windows | TCP | 6000-6003 | X11, X Windows | xwindows |

Table 4.8 NBAR Supported TCP/UDP Dynamic Protocols

| Protocol | Type | Description | Command |
|---|---|---|---|
| FTP | TCP | File Transfer Protocol | ftp |
| Exchange | TCP | MS-RPC for Exchange | exchange |
| HTTP | TCP | HTTP with URL, MIME, or Host Classification | http |
| Netshow | TCP/UDP | Microsoft Netshow | netshow |
| Realaudio | TCP/UDP | RealAudio Streaming Protocol | realaudio |
| r-commands | TCP | rsh, rlogin, rexec | rcmd |
| StreamWorks | UDP | Xing Technology StreamWorks Audio and Video | streamwork |
| SQL*NET | TCP/UDP | SQL*NET for Oracle | sqlnet |
| SunRPC | TCP/UDP | Sun Remote Procedure Call | sunrpc |
| TFTP | UDP | Trivial File Transfer Protocol | tftp |
| VDOLive | TCP/UDP | VDOLive Streaming Video | vdolive |