Network Based Application Recognition (NBAR) is a Cisco IOS technology that performs deep packet inspection on network traffic to identify the applications involved. NBAR can be used for Layer 7 traffic analytics because it examines the whole packet, including the header and some payload, to classify an application. At the same time it can work alongside QoS (Quality of Service), helping the network provide differentiated services to each application. Call it traffic monitoring and management in one.
Now, how does NBAR classify its applications? Enter the PDLM. A Protocol Description Language Module (PDLM) contains the rules by which NBAR recognizes an application during packet inspection. NBAR analyzes the packets and compares them to the set of rules in the PDLM. If the rules in the PDLM are met, NBAR recognizes and classifies the application. Complete payload inspection gives NBAR its greatest advantage: the ability to recognize a large number of applications, including those that use random port numbers as well as those that use well-known port numbers.
To see the list of IOS releases and platforms that support NBAR, check the Q & A section on NBAR from the below link:
For details on the specific IOS releases that support each NBAR protocol, check the below link:
I also suggest using the Cisco Feature Navigator's 'Search By Feature' option to learn more about NBAR-supported platforms:
Cisco has included default PDLMs to identify a large set of commonly used business-critical and non-critical applications. The default PDLMs can recognize peer-to-peer applications, VoIP protocols, TCP and UDP stateful and static port protocols, as well as non-TCP/UDP protocols. Newer PDLMs are made available in subsequent IOS releases, but they can also be added to a device without an IOS upgrade, which means less downtime.
To add a newly released PDLM to a Cisco IOS device, download the PDLM and follow the steps below:
1. Locate and download the NBAR PDLM from the Software Download page (registered customers only) by downloading the custom.pdlm file.
2. Load the PDLM onto a flash memory device and use the command below from global config mode with the location of the PDLM file:
Cisco2800(config)# ip nbar pdlm flash://Netshow.pdlm
3. Verify the loaded PDLM using the command below from privileged mode:
Cisco2800# show ip nbar pdlm
For information on how to download a PDLM, check the below link:
The default PDLMs will not always meet one's requirements. You may want to add support for a network-specific protocol that needs to be classified for QoS marking or similar custom monitoring purposes. This is answered with the custom PDLM. The process of adding a custom PDLM, or adding support for a new protocol, involved downloading a custom PDLM file called custom.pdlm, which then had to be loaded and modified as per the custom protocol requirements. But a search for this file called custom.pdlm will not yield any results. So where do we go next?
Later IOS releases have something called the custom feature built in. Around IOS version 12.X or so, Cisco introduced the 'custom feature' where, by using the 'ip nbar custom NAME [parameters]' command, you can define your custom protocols. For those of you who want to know how custom.pdlm worked or was loaded, check the below link:
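As an illustration of the 'ip nbar custom' command mentioned above, here is an added example (not from the original post or from Cisco) that defines a custom protocol and uses it to mark traffic for QoS. The protocol name sales_app, the port 4567, the offset and string, the class and policy names and the interface are all constructed for illustration, and the syntax assumes a 12.4-era IOS image; check the command reference for your release.

```cisco
! Added example. sales_app, SALES-TRAFFIC, MARK-SALES, port 4567 and
! FastEthernet0/0 are constructed values, not taken from the original post.
configure terminal
 !
 ! Custom protocol: TCP packets with source port 4567 that carry the
 ! ASCII string "SALES" at offset 5 of the payload.
 ip nbar custom sales_app 5 ascii SALES source tcp 4567
 !
 ! Classify on the custom protocol the same way as on a built-in one.
 class-map match-any SALES-TRAFFIC
  match protocol sales_app
 !
 ! Mark matching traffic so downstream devices can apply QoS.
 policy-map MARK-SALES
  class SALES-TRAFFIC
   set dscp af21
 !
 ! Enable NBAR statistics and attach the policy on the ingress interface.
 interface FastEthernet0/0
  ip nbar protocol-discovery
  service-policy input MARK-SALES
end
!
! Verify from privileged mode that the protocol is seen and the class matches.
show ip nbar protocol-discovery protocol sales_app
show policy-map interface FastEthernet0/0
```

A custom protocol that matches only on port, with no payload string, is no stronger than a port-based ACL, so include a payload match where the application allows it.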
We will explain more on the NBAR custom feature and how to add new protocol support to NBAR in our next blog. Meanwhile, try the fully featured trial of NetFlow Analyzer to see how useful NetFlow and NBAR data can be. We even have a live online demo running for those who do not want to spend 5 minutes installing NetFlow Analyzer.
Don Thomas Jacob