Auto Traffic Analysis and Protocol Generation



Similar documents
Cisco DNS-AS Troubleshooting

Table of Contents. Cisco Using the Cisco IOS Firewall to Allow Java Applets From Known Sites while Denying Others

Table of Contents. Cisco Blocking Peer to Peer File Sharing Programs with the PIX Firewall

Sample Configuration Using the ip nat outside source static

MiaRec. Cisco Built-in-Bridge Recording Interface Configuration Guide. Revision 1.1 ( )

Configuring Static and Dynamic NAT Simultaneously

Easy Performance Monitor

Connecting your Virtual Machine to the Internet. BT Cloud Compute. The power to build your own cloud solutions to serve your specific business needs

Configuring NetFlow Secure Event Logging (NSEL)

Lab Analyzing Network Traffic

Easy Performance Monitor

Easy Performance Monitor

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Cisco Configuring Commonly Used IP ACLs

Sample Configuration Using the ip nat outside source list C

Configuring the Cisco Secure PIX Firewall with a Single Intern

Biznet GIO Cloud Connecting VM via Windows Remote Desktop

Securing Networks with PIX and ASA

Upgrading Software Using the Online Installer

- Advanced IOS Functions -

Configuring NetFlow Secure Event Logging (NSEL)

1 Basic Configuration of Cisco 2600 Router. Basic Configuration Cisco 2600 Router

Flow Monitor for WhatsUp Gold v16.2 User Guide

Table of Contents. Cisco Configuring IPSec Cisco Secure VPN Client to Central Router Controlling Access

IP Filter/Firewall Setup

Tue Apr 19 11:03:19 PDT 2005 by Andrew Gristina thanks to Luca Deri and the ntop team

Configuration Guide. BES12 Cloud

Cisco - Configure the 1721 Router for VLANs Using a Switch Module (WIC-4ESW)

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Application Note. Onsight Connect Network Requirements V6.1

How To Configure A Vyatta As A Ds Internet Connection Router/Gateway With A Web Server On A Dspv.Net (Dspv) On A Network With A D

Flow Monitor for WhatsUp Gold v16.1 User Guide

Connecting to the Firewall Services Module and Managing the Configuration

Configuring DNS on Cisco Routers

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

I N S T A L L A T I O N M A N U A L

Network Load Balancing

Chapter 10 Troubleshooting

Configuring the PIX Firewall with PDM

Cisco SPA Phones User Guide Bicom Systems

PIX/ASA 7.x with Syslog Configuration Example

Firewall Load Balancing

Using Link Layer Discovery Protocol in Multivendor Networks

Quick Network Setup Guide

Quick Note 026. Using the firewall of a Digi TransPort to redirect HTTP Traffic to a proxy server. Digi International Technical Support December 2011

Cisco Secure PIX Firewall with Two Routers Configuration Example

PIX/ASA 7.x and above: Mail (SMTP) Server Access on the DMZ Configuration Example

Configuring the CSS and Cache Engine for Reverse Proxy Caching

Lab - Observing DNS Resolution

isco Connecting Routers Back to Back Through the AUX P

DSL-G604T Install Guides

FortiWeb 5.0, Web Application Firewall Course #251

Lab Developing ACLs to Implement Firewall Rule Sets

Firewall Stateful Inspection of ICMP

Cisco IOS Flexible NetFlow Command Reference

Configuring IP to Serial with Auto Answer and Serial to IP

How To Configure Apple ipad for Cyberoam L2TP

REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER

Application Note. Firewall Requirements for the Onsight Mobile Collaboration System and Hosted Librestream SIP Service v5.0

ASA 8.3 and Later: Enable FTP/TFTP Services Configuration Example

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

H3C Firewall and UTM Devices DNS and NAT Configuration Examples (Comware V5)

Comtrend 1 Port Router Installation Guide CT-5072T

Enabling NAT and Routing in DGW v2.0 June 6, 2012

Securing Local Area Network with OpenFlow

IOS NAT Load Balancing for Two ISP Connections

Monitoring Traffic Interception

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

- QoS Classification and Marking -

Catalyst 6500/6000 Switches NetFlow Configuration and Troubleshooting

IP Routing Between VLANs

Networking Guide Redwood Manager 3.0 August 2013

Chapter 4 Rate Limiting

Fortinet Network Security NSE4 test questions and answers:

MiaRec. Cisco Built-in-Bridge Recording Interface Configuration Guide. Revision 1.2 ( )

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Network/Floating License Installation Instructions

P and FTP Proxy caching Using a Cisco Cache Engine 550 an

Cisco ASA and NetFlow Using ASA NetFlow with LiveAction Flow Software

Cisco Expressway Basic Configuration

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc.

Network Configuration Settings

How to Configure an Initial Installation of the VMware ESXi Hypervisor

Configuring Server Load Balancing

There are numerous ways to access monitors:

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Darstellung Unterschied ZyNOS Firmware Version 4.02 => 4.03

Telematics. 14th Tutorial - Proxies, Firewalls, P2P

emerge 50P emerge 5000P

Prerequisites. Creating Profiles

Application Note. Onsight TeamLink And Firewall Detect v6.3

IP Power Stone 4000 User Manual

Polycom. RealPresence Ready Firewall Traversal Tips

Recommended QoS Configuration Settings for Rosewill RNX-AC750RT Wireless Router

F-SECURE MESSAGING SECURITY GATEWAY

How To Set Up Mybpx Security Configuration Guide V1.2.2 (V1.3.2) On A Pc Or Mac)

Using IPM to Measure Network Performance

Load Balancing Clearswift Secure Web Gateway

Transcription:

NBAR includes an auto-learn feature that analyzes generic and unknown network traffic to determine the most frequently used hosts and ports. Using this data, the auto-custom feature can automatically generate NBAR protocols provisionally to improve identification of traffic Prerequisites for auto-custom, page 1 Limitations of auto-custom, page 1 Background: Auto Traffic Analysis Using auto-learn, page 2 Auto Generation of Custom Protocols Using auto-custom, page 2 Enabling and Disabling auto-custom, page 3 Configuring the Maximum Number of Auto-generated NBAR Protocols to Create, page 4 Configuring the Time Interval for Re-generating the auto-custom Protocols, page 5 Clearing auto-custom Data, page 6 Displaying Auto-generated NBAR Protocols Created by auto-custom, page 7 Displaying NBAR Protocol Discovery Information for auto-custom Protocols, page 7 Prerequisites for auto-custom The auto-custom feature requires auto-learn to be active. See NBAR Customized Assistance Based on SSL or HTTP. Limitations of auto-custom Default The auto-custom feature is disabled by default. 1

Background: Auto Traffic Analysis Using auto-learn Environments Supported The auto-custom feature supports environments with: A single router with a single collector or A single router with no collector The feature does not support environments with multiple routers operating with a single collector. Background: Auto Traffic Analysis Using auto-learn As background for working with the auto-custom feature, it is important to understand something about the data that it uses, which is collected by the auto-learn feature. The auto-learn feature analyzes network traffic to compile two lists: "Top" hosts: For generic traffic, a list of the hosts with the highest traffic volume. Top ports: For unknown traffic, a list of the TCP/UDP server-side ports with the highest traffic volume. Both lists are arranged in order of traffic volume; hosts or ports with the highest traffic volume are at the top of the list. For more information about auto-learn, see NBAR Customization Assistance Based on SSL or HTTP. Use of auto-learn Data You can display the lists created by auto-learn to view what type of network traffic is escaping detailed classification by NBAR. The results produced by auto-learn are used by the auto-custom feature to automatically create NBAR protocols that improve classification of this traffic in an effort to improve application visibility for this difficult-to-classify traffic. Auto Generation of Custom Protocols Using auto-custom The auto-custom feature uses the results of auto-learn to improve NBAR classification of generic and unknown network traffic, automatically generating custom NBAR protocols. Format for Reporting of Traffic Classified by Auto-generated NBAR Protocols Auto-generated NBAR protocols report traffic according to hostname or port number: For generic traffic, protocols are generated for the most frequently occurring hosts, and are named according to the hostname. For traffic that contains only a host address and not a hostname, where possible, NBAR uses DNS lookup to provide the corresponding hostname. Examples: abcd.com, efgh.net 2

Enabling and Disabling auto-custom For unknown traffic, protocols are generated for the most frequently occurring ports, and are named according to the port number or socket (server-side IP + port), and the traffic type: TCP or UDP. Examples for port: Port_80_TCP, Port_443_UDP Example for socket: 72.163.4.162:256_TCP Auto-generation Is Based on Sampling of Traffic Flows The auto-learn mechanism collects data about generic and unknown traffic by sampling traffic flows for analysis. Not every flow is analyzed. Using sampling rather than analyzing each flow is necessary due to the constraints of hardware resources. The availability of hardware resources for auto-learn analysis depends mostly on the network traffic volume that a device is handling. For generic traffic, the sampling rate is dynamic, adjusting automatically according to system load. For unknown traffic, the default sampling rate is 128, meaning that the mechanism samples 1 flow for every 128 of unknown traffic. This value can be configured manually. Because the auto-custom feature relies on data collected by auto-learn, the flow sampling performed by auto-learn can influence the automatic generation of protocols by auto-custom. In most use cases, however, sampling accurately reflects the makeup of network traffic. Use of Auto-generated NBAR Protocols By Other Features The NBAR application protocols auto-generated by auto-custom improve network traffic reporting, improving application visibility. However, the auto-generated protocols present at any given time are determined by the makeup of recent network traffic, making them inherently dynamic and impermanent. Because of this dynamic nature, auto-custom protocols are applicable to some features, but not to others. In general, auto-custom protocols improve application visibility, but do not affect security (firewall) or QoS policies. Features affected by auto-custom protocols: NBAR protocol discovery Application visibility (FNF, performance-monitor, ezpm, MACE,...) Features not affected by auto-custom protocols: MQC/QoS WAAS Performance Routing (PfR) NAT Enabling and Disabling auto-custom Enables or disables one or both of the auto-custom modes: top-hosts top-ports 3

Configuring the Maximum Number of Auto-generated NBAR Protocols to Create 1. configure terminal 2. [no] ip nbar auto-custom {top-ports top-hosts} 3. exit configure terminal Enters global configuration mode. Step 2 Step 3 Device# configure terminal [no] ip nbar auto-custom {top-ports top-hosts} Device(config)# ip nbar auto-custom top-hosts exit Enables or disables auto-custom. The top-ports and top-hosts options apply the command to those respective modes of auto-custom. Exits global configuration mode. Device(config)# exit Configuring the Maximum Number of Auto-generated NBAR Protocols to Create Configures the maximum number of protocols automatically generated by auto-custom. The auto-generated protocols present at any given time are determined by the makeup of recent network traffic, making them inherently dynamic and impermanent. 1. configure terminal 2. ip nbar auto-custom {top-hosts top-ports} max-protocols number 3. exit 4

Configuring the Time Interval for Re-generating the auto-custom Protocols configure terminal Enters global configuration mode. Step 2 Step 3 Device# configure terminal ip nbar auto-custom {top-hosts top-ports} max-protocols number ip nbar auto-custom top-hosts max-protocols 30 exit Configures the maximum number of auto-custom protocols to generate from the lists of top-hosts or top-ports collected by the auto-learn mechanism. top-hosts default: 10 top-ports default: 10 Exits global configuration mode. Device(config)# exit Configuring the Time Interval for Re-generating the auto-custom Protocols Configures the time interval at which auto-custom reloads the lists of "top-hosts" for generic traffic and "top-ports" for unknown data. The lists are provided by the auto-learn mechanism. After reloading the lists, the auto-custom mechanism generates a new set of custom protocols based on the data, which reflects the most recent network traffic. Because of this mechanism, the list of auto-custom protocols is dynamic, changing with the makeup of generic and unknown network traffic. 1. configure terminal 2. ip nbar auto-custom {top-hosts top-ports} time-interval minutes 3. exit configure terminal Enters global configuration mode. Device# configure terminal 5

Clearing auto-custom Data Step 2 Step 3 ip nbar auto-custom {top-hosts top-ports} time-interval minutes ip nbar auto-custom top-hosts time-interval 10 exit Configures the time interval at which auto-custom reloads the lists of "top-hosts" for generic traffic and "top-ports" for unknown data. Default: 30 minutes Exits global configuration mode. Device(config)# exit Clearing auto-custom Data 1. configure terminal 2. clear ip nbar auto-custom {top-hosts top-ports} {stats restart} 3. exit configure terminal Enters global configuration mode. Step 2 Device# configure terminal clear ip nbar auto-custom {top-hosts top-ports} {stats restart} Clears auto-custom data. clear ip nbar auto-custom top-ports restart stats: Clears only counters The top-ports and top-hosts options apply the command to those respective modes of auto-custom. restart: Clears counters and removes all current auto-custom protocols. Step 3 exit Exits global configuration mode. Device(config)# exit 6

Displaying Auto-generated NBAR Protocols Created by auto-custom Displaying Auto-generated NBAR Protocols Created by auto-custom 1. show ip nbar auto-custom [top-hosts top-ports] show ip nbar auto-custom [top-hosts top-ports] show ip nbar auto-custom Displays the auto-generated NBAR protocols created by the auto-custom mechanism. Optionally, can specify only protocols for top-hosts or top-ports. The first part of the output shows the protocols based on hostnames, from generic traffic. The second part of the output shows the protocols based on port numbers + traffic type (TCP or UDP), from unknown traffic. # show ip nbar auto-custom Top-hosts: Max number of protocols :10 Interval (min) :30 ---------------------------------------------------------------------------------------------------- Id Protocol name Underlying Auto-learn value Age (min) Status protocol ---------------------------------------------------------------------------------------------------- 1 m.abc-demo.com http m.abc-demo.com 80 Dynamic 2 hwcdn.def-demo.com http hwcdn.def-demo.com 80 Dynamic 3 ec.def-demo.com http ec.def-demo.com 80 Dynamic 4 payroll.demo.com ssl payroll.demo.com 80 Dynamic 5 ec-media.demo.com http ec-media.demo.com 50 Dynamic 6 TrustedSourceServer_IMQ ssl TrustedSourceServer_IMQA01 20 Dynamic 7 go.microsoft.com http go.microsoft.com 20 Dynamic 8 ping.chartbeat.net http ping.chartbeat.net 20 Dynamic ---------------------------------------------------------------------------------------------------- Top-ports: Max number of protocols :40 Interval (min) :1 -------------------------------------------------------------------------------------------------------- Id Protocol name Auto-learn value Age (min) Status -------------------------------------------------------------------------------------------------------- 1 Port_256_TCP Port_256_TCP 0 Dynamic 2 72.163.4.162:256_TCP 72.163.4.162:256_TCP 0 Dynamic -------------------------------------------------------------------------------------------------------- Displaying NBAR Protocol Discovery Information for auto-custom Protocols 1. show ip nbar protocol-discovery stat auto-custom 7

Displaying NBAR Protocol Discovery Information for auto-custom Protocols show ip nbar protocol-discovery stat auto-custom show ip nbar protocol-discovery stats auto-custom Displays the auto-custom protocol discovery statistics. # show ip nbar protocol-discovery stats auto-custom Ethernet0/0 Last clearing of "show ip nbar protocol-discovery" counters 1d05h Input Output ----- ------ ------------------------ ------------------------ ------------------------ www.abcdef-demo.com 152 0 Total 152 0 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information