I am reading about the ONT NBAR tool.
Here is my problem: is NBAR supported on tunnel or encrypted interfaces?
According to all the references I have read, it is not supported, which is also supported in the Cisco Self-Study guidelines, but with some confusion.
Here is the detailed information from the book:
NBAR is not supported on these logical interfaces:
- Fast EtherChannel
- Interfaces configured to use tunneling or encryption
NBAR does not support the following:
- More than 24 concurrent URLs, hosts, or MIME-type matches
- Matching beyond the first 400 bytes in a packet payload
- Multicast and switching modes other than Cisco Express Forwarding (CEF)
- Fragmented packets
- URL, host, or MIME classification with secure HTTP
- Packets originating from or destined to the router running NBAR
NBAR cannot be used to classify output traffic on a WAN link where tunneling or encryption is used. Therefore, NBAR should be configured on other interfaces on the router (such as a LAN link) to perform input classification before the traffic is switched to the WAN link for output.
However, NBAR Protocol Discovery is supported on interfaces where tunneling or encryption is used. You can enable NBAR Protocol Discovery directly on the tunnel or on the interface where encryption is performed to gather key statistics on the various applications that are traversing the interface. The input statistics also show the total number of encrypted or tunneled packets received in addition to the per-protocol breakdowns. NBAR introduces powerful application classification features into the network at a small-to-medium CPU overhead cost. The CPU utilization will vary based on factors such as the router processor speed and type and the traffic rate.
So after I was done reading the 1st book, I tried to answer the module question.
Can NBAR be used to detect and classify traffic flows on tunnel or encrypted interfaces? (Source: Using NBAR for Classification)
A) Yes, but special MQC configuration commands are needed.
B) Yes, it can be enabled directly on the input tunnel or encrypted interface, and no special MQC commands needed.
C) Yes, it can be enabled, but with limited functionality.
D) Yes, but it works only on output WAN interfaces.
The answer is B according to the book.
I read and searched many times, like this link
http://blogs.techrepublic.com.com/networking/?p=399
mentioning that I cannot use NBAR on the configured tunnel or encrypted interface.
Sorry, guys, for the question; I just want to make sure before the exam, and I am not good at tunneling since I focus more on the LAN part, not the VPN part.
Thank you
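
The arrangement the quoted book passage describes, written out as an added IOS configuration sketch that is not part of the original post or of the book: NBAR classification and marking on LAN input, NBAR Protocol Discovery alone on the tunnel, and a WAN output policy that matches the mark instead of using NBAR. The interface names, class and policy names, the DSCP value and the bandwidth figure are assumptions chosen for illustration.

```cisco
! NBAR requires Cisco Express Forwarding (per the book's restriction list)
ip cef
!
! NBAR classification (match protocol) used only on the LAN side
class-map match-any WEB-APPS
 match protocol http
!
policy-map MARK-ON-LAN-INPUT
 class WEB-APPS
  set ip dscp af21
!
! WAN output policy matches the DSCP mark, not an NBAR protocol
class-map match-all MARKED-WEB
 match ip dscp af21
!
policy-map WAN-OUT
 class MARKED-WEB
  bandwidth percent 20
!
! Assumed LAN interface: input classification before tunneling/encryption
interface FastEthernet0/0
 service-policy input MARK-ON-LAN-INPUT
!
! Assumed tunnel interface: Protocol Discovery only, for statistics
interface Tunnel0
 ip nbar protocol-discovery
!
! Assumed WAN interface: output policy without NBAR classification
interface Serial0/0
 service-policy output WAN-OUT
!
! Verification:
!  show ip nbar protocol-discovery interface Tunnel0
!  show policy-map interface FastEthernet0/0
```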