Prime 1.4 NBAR protocol pack

Similar Messages

• NBAR2 Protocol Pack

  Hi all,
  i'm trying to upgrade NBAR protocol pack on my cisco 1941 router, so i downloaded new NABR protocol pack  (version 4.0.0) and transferred it into router flash via tftp.
  When i try to apply new protocol pack with command :
  ip nbar protocol-pack flash:[protocol-pack-name]
  i got this error :
  % NBAR Error : Advanced Protocol Pack can not be loaded on top of Standard Protocol Pack
  The router is running IPBASE IOS with Security License, IOS image is c1900-universalk9-mz.SPA.153-1.T.bin
  Any Suggestion? Does NBAR2 packages works on IO BASE images?
  Thankyou in advance.
  Regards

  Hi,
  there's a lot of information in "NBAR2 (Next Generation NBAR) Protocol Pack FAQ" :
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/qa_C67-723689.html
  "Q. Does a user need a license of any kind to access NBAR protocol packs?"
  "A. NBAR users having a AVC (Application Visibility and Control) feature license can load and use protocol packs on routers. Please refer to the protocol pack licensing section in this document for more details."
  "Q. Can a user load a protocol pack on any Cisco IOS/IOS-XE image?"
  "A. The minimum IOS version required to load a NBAR protocol pack on a ISR-G2 platforms is Cisco IOS Software Release15.2(4) M.
  Loading a protocol pack can be done if the engine version on the platform is the same or higher than the version required by the protocol pack.
  To view the NBAR engine version on the device, use:
  Router#sh ip nbar version | include software
  It is strongly recommended to use the protocol pack that is the exact match for the engine, and also recommended to use the latest protocol pack for the base image."
  Hope that helps,
  Best regards
  Rolf
  Supplement:
  Found in BRKNMS-3135 (Cisco Live 365):
  Standard Protocol Pack
  ‒ Available (as Default Protocol pack) in IP Base image
  Advanced Protocol Pack
  ‒ Available  (as Default protocol pack) in DATA image
  Added: BRKNMS-3135 info

• Is there a script to automate NBAR Protocal pack download from CCO

  is there a script to automate NBAR Protocal pack download from CCO ?

  I do not know of one.  It may be challenging to build one, too.  While there is an HTTP API built into EEM Tcl, it supports HTTP only.  I believe accessing the NBAR protocol packs would require HTTPS?  If it can be done with a clear text protocol like HTTP or FTP, we could build a script to automate the process.

• Protocol Pack for SCE 1010

  Hi,
  I made download of Protocol Pack, but inside of ZIP files there isn't folder for SCE 1000, only for SCE 2000 and 8000.
  Does any body know tell me if Protocol Pack for SCE 2000 is the same for SCE 1000?
  I made download of three files and the situation is the same.
  thanks !

  The file for SCE1010 and SCE2020 is the same. Please use the same file. This is the suggestion we received from the business unit. (And it works :D )

• (AVC) Is there Any way to prioritize traffic from wireless client (laptop in my case) to AP

  Is there any way to prioritize traffic from wireless client (laptop in my case) to AP …. if i explain the issue in a broad way there is no congestion going on in wired network. When multiple users connect to real presence and all share the same AP. they get real-time output over the call BUT if someone start file-transfer over the same AP the real presence call voice/video get stuck.
  I applied the AVC feature on WLC but as i tested, i think prioritization from my laptop to AP will not happen and the situation remains same.
  Please share if there is any way to prioritize traffic from wireless client (Laptop) to AP only ?

  Hi Vinod,
  Here is the AVC & QoS interaction for upstream & downstream traffic. For downstream it is important you have configured your WLAN with correct QoS profile & 802.1p values as that play a role even though you marking traffic using AVC.
  Upstream1. Packet comes with or without inner DSCP from wireless side (wireless client).2. AP will add DSCP in the CAPWAP header that is configured on WLAN (QoS based config).3. WLC will remove CAPWAP header.4. AVC module on the controller will overwrite the DSCP to the configured marked value in the AVC profile and send it out.Downstream 1. Packet comes from switch with or without inner DSCP wired side value.2. AVC module will overwrite the inner DSCP value.3. Controller will compare WLAN QoS configuration (as per 802.1p value that is actually 802.11e) with inner DSCP value that NBAR had overwritten. WLC will choose the lesser value and put it into CAPWAP header for DSCP.4. WLC will send out the packet to AP with QoS WLAN setting on the outer CAPWAP and AVC inner DSCP setting.5. AP strips the CAPWAP header and sends the packet on air with AVC DSCP setting; if AVC was not applied to an application then that application will adopt the QoS setting of the WLAN.
  I am not sure which controller software version you are running. From AVC perspective, it is good if you could install latest NBAR protocol pack (4.1 for WLC 7.5.x code or 6.3 for WLC 7.6.x code) on your controller.
  Here is the 7.5.x AVC deployment guide which should help you on this
  http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/AVC_dg7point5.html
  Like others mentioned, it is very little you can do with respect to upstream direction as AVC kicks in only when traffic hits WLC & not at the AP level.
  HTH
  Rasika
  **** Pls rate all useful responses  ****

• Cisco website software download disappeared

  Does anyone know if there is a known problem with the Cisco software download website? I was looking to download the NBAR protocol pack for the WiSM2 but it's no longer listed as an option (WiSM is there but obviously of no use to me). I can get it for my 5508 controllers but not the WiSM2...
  I assume that I am searching correctly as I downloaded the 7.6.120.0 software only last week.

  It's just not showing up under the WISM2 page. If you go under the 5508 downloads page the latest NBAR2 Protocol Pack is listed there:
       "NBAR2 Advanced Protocol Pack 6.4.0 for AireOS 7.6: NBAR2 Engine 13  (pp-AIR-7.6-13-6.4.0.pack)"
  If you click on the Release notes for that pack, they indicate:
  NBAR2 Protocol Pack 6.4.0 is supported on the following Cisco Wireless LAN Controller platforms:
   Cisco 5508 Wireless Controller
   Cisco Flex 7500 Series Wireless Controllers
   Cisco 8510 Wireless Controller
   Cisco Wireless Services Module 2 (WiSM2)

• Prime 1.4 AVC Not displaying ms-lync

  Hello guys
  When browsing the AVC statistics on the WLC, I can see that ms-lync is among the top applications, however on the application dashboard of Prime 1.4, it is not in the list. There is alot of unclassified, and also some UndefinedXXXXXX categories.
  Is the latest Prime 1.4 not able to handle all the protocols from WLC version 7.6?
  Ms-lync is not something that is added in the recent nbar packs, so in my opinion it should be there.
  Any ideas before I open a TAC case?
  Greetings
  Steven

  Hi Steven,
  Here is what release note says about PI 1.4 (update 1). As you can see it clearly said, it is not supported any new features of WLC 7.6.100.0. So If 7.6 updated any protocol packs it may not reflect correctly in PI 1.4
  http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/1-4/release/notes/cpi_rn_141.html#wp121143
  This is a patch release for Cisco Prime Infrastructure1.4 (1.4.0.45). This patch must be installed on top of your existing Prime Infrastructure 1.4. This release supports two new AP platforms - Cisco 3700 and Cisco 1530 series access points (supported by WLC 7.6.100.0). This release also delivers a number of critical bug fixes. The update 1 for Prime Infrastructure 1.4 enables you to manage Cisco WLC 7.6.100.0 with the features of Cisco WLC 7.5.102.0 and earlier releases. This release does not support any new features of Cisco WLC 7.6.100.0.
  Even recently released PI 2.1 comes with the same disclosure,which mean you may not get a resolution soon. But give it a try through TAC avenue & you may get some better results.
  Here is PI 2.1 Release notes for your reference.
  http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-1/release/notes/cpi_rn.html
  HTH
  Rasika
  **** Pls rate all useful responses **** 

• Prime Infrastructure 2.2- problems: Wired Detailed Device Inventory report not running / Cisco 5500 WLCs no listed in subgroup

  New installation of Prime Infrastructure 2.2.0 (PI-VA-2.2.0.0.158.ova)
  installed fixes/software/device packs:
  PI 2.2.1 Poodle Fix (installed)
  PI 2.2.1 Maintenance Release (installed,ncs stopped,rebooted)
  Prime Infrastrucutre 2.2 Device Pack 3 (installed,ncs stopped,rebooted)
  Licences installed (ncs stopped,rebooted)
  Added all devices via Bulk Import (Inventory>Device Management>Network Devices)
  Problem 1:
  The Cisco 5500 WLCs are not listed in Inventory>Device Management>Network Devices (see screen shot) but listed under "All Devices"!
  The Cisco 4400 WLCs and the 8500 WLCs are listed within their subgroup.
  Devices are in "Managed State"
  Problem 2: fixed! (Browser issue)
  Problem 3:
  Unable to run "Wired Detailed Device Inventory" report because I get the error message: Failed to run report: Unable to retrieve data for: Chassis Information (if Chassis Information is selected, if System Information is selected I get the error message with ...retrieve data for:System Information)
  All devices do have an "Admin Status = Managed" and the Last Inventory Collections Status = Completed.
  Has anyone the same issues or a tip for me?
  Another topic, the "User Defined Fileds" are not exported when with running a "Device Export" (Inventory > Device Management > Network Devices). ;-(
  BR
  Bastian

  Hallo Bastian,
  I think you still have browser issue, Using IE is still the best with Prime.
  I have exactly same prime 2.2 and installed fixes/software/device packs.
  I have no problem I can see all views. I use now IE 11, with Chrome 42.0.2311.90 and firefox 37.01 I have problems too with lots of views. You have not tell what browser + version you have.
  Since you have same prime 2.2 as me. I have other problems, can you check yours?
  Can you see a functional CLI template page at Configuration > Templates > Features & Technologies:
  https://supportforums.cisco.com/discussion/12481691/can-cisco-prime-22-still-do-simple-ad-hoc-deployment-job-cli-over-all-switches
  Do you have SNMP Connectivity Failed while Verify Credentials  has no errors all green and checked. 
  https://supportforums.cisco.com/discussion/12494786/snmp-request-exceeds-internal-data-buffer-512-bytes-prime-22-asa-5545

• WCS to Prime 1.2 licensing

  Hi
  I am doing a migration from WCS 7.x to Prime 1.2
  There is a WCS 7 to Prime 1.2 migration license pack that we have obtained. 
  However, as I understand it, we need to install NCS 1.1.1.24 first, import the WCS database and then carry on to do the NCS to Prime upgrade.  So we have the licenses for the final Prime 1.2 deployment.
  When we get to NCS 1.1.1.24 we cannot migrate off of the main login page until we apply an appropriate NCS license.  We were told by Cisco Sales that a temporary license can be generated for NCS 1.1.1.24 by sending licensing the license XML file taken from WCS along with the VUDI and our license order info.  We have followed this path successfully once.  We sent the XML file to Cisco along with some other info and they returned a license we could use on NCS.  We then moved to Prime 1.2.  However on this occasion Cisco insist we need an NCS license.
  I have moved from NCS 1.x to Prime 1.2 before and all the licenses have been retained.
  So are Cisco telling me that to migrate from WCS 7 to Prime 1.2 I should license the NCS server and simply upgrade it to Prime 1.2 with no further licensing needing purchased ?   If so why is there a WCS to Prime 1.2 license pack ?
  Or are Cisco saying we need the NCS license AND the Prime 1.2 licenses ?
  Thanks for any input, St.

  Thanks for this too Scott.
  I see that you could license NCS 1.1.1.24 then move to Prime 1.2 without applying further licenses.  I have done this in a NCS to Prime upgrade.  Prime maintains the NCS licenses.  However there is a WCS to Prime 1.2 License SKU which we have ordered because we are starting from WCS on this occasion.  The licenses generated from these PAKs do not work on NCS 1.1.1.24
  So it would seem that the WCS to Prime migration SKU does not include the necessary license to allow us to pass through NCS 1.1.1.24 during the migration.
  I think if we had ordered a WCS to NCS migration SKU we would have got the necessary NCS license.  We could then install that and carry on to Prime 1.2 with no further license requirements.  If that is the case why is there a WCS to Prime 1.2 migration SKU ?
  We did resolve this issue before by following the advice of Cisco Sales.  We logged a call with licensing, supplied the exported WCS license XML file and the NCS VUDI and they gave us an NCS license.  However, on this occasion licensing are not so forthcoming.  They suggest we need a NCS 1.x licence. 
  So either they are implying we need a NCS 1.x AND a Prime 1.2 license.  Or we should have bought a WCS to NCS migration license and the NCS to Prime migration license is useless because it does not allow us to pass through NCS as part of the migration process.
  Thanks for any help on this, St.

• Cisco Prime Infra 2.1 fails to import an image from file

  We have a standard Cisco Prime Infrastructure 2.1 install. The software repository has been built up by importing the IOS images from the discovered network devices. To implement netflow capabilities on some 3750X switches we need to upgrade the IOS on the chassis and the NM card C3KX-SM10G. I was able to download from Cisco Support the 3750X IOS .tar file and import it from my machines local file system. However, the modules tar file c3kx-sm10g-tar.150-2.SE6.tar fails on the upload from my local file system. When I look at the import rob results they are as follows:
    Image collection from source     SUCCESS
    Copying Image to Staging Location     SUCCESS
    Copying Image to Repository     FAILURE
  I've tried to import just the .bin file but this also fails at the same stage as above.
  I've also tried to scp the file directly into the backend file structure with no success into the folder /opt/CSCOlumos/conf/ifm/swim/jobs with the other images (oddly noticed the above .tar file for the 3750X isn't listed with the other .bin files - although is available through the webGUI).
  I need to distribute the NM .tar file across multiple switches and I'd prefer to use Cisco Prime for the job. Any help would be gratefully received.
  Thanks.

  I had (still have?) the same problem with it not copying the image over. I put in a ticket and they told me to upgrade to Prime Infrastructure 2.1-Device Pack 4  pi_2.1device_packs_4-40.ubf which helped but it still fails sometimes.
  I had read a post from another thread about going through software image management to distribute and that seems to work a little better, but still fails sometimes. 
  So I think that there are still quite a few issues in Prime that need worked out.
  We have over many switches that need software upgrades and I was hoping to do it quickly through Prime but I don't want to send out more then one image at a time to switch because I don't want it to fail. So it's a drawback right now, just doing one at a time to make sure it takes.

• Using NBAR to Prioritize Citrix Traffic

  Hi can anyone help, I am trying to set up NBAR to prioritize Citrix traffic using the ICA tags in the Citrix frame header. But I cannot get it to work.
  We are using version 6 PDLM, IOS 12.3(4)T on a 7206 when we check the policy map stats there are no matches, we have also sniffed the citrix traffic to check that it is being marked. The configuration is as follows (the gig0/3 interface is the main interface of a 802.1q VLAN trunk i.e. the traffic we want to mark is coming in over the sub interfaces)
  class-map match-all Citrix-medium
  match protocol citrix ica-tag "1"
  class-map match-all Citrix-high
  match protocol citrix ica-tag "0"
  class-map match-all Citrix-background
  match protocol citrix ica-tag "3"
  class-map match-all Citrix-low
  match protocol citrix ica-tag "2"
  policy-map ABCCITRIX
  class Citrix-high
  set dscp ef
  class Citrix-medium
  set dscp 11
  class Citrix-low
  set dscp 11
  class Citrix-background
  set dscp 11
  class test
  set dscp af43
  interface GigabitEthernet0/3
  no ip address
  ip nbar protocol-discovery
  service-policy input ABCCITRIX
  duplex auto
  speed auto
  media-type rj45
  no negotiation auto

  Have you tried assigning your service-policy input to the subinterface where traffic is received rather than to the main interface?

• NBAR & BGP

  I'm trying to use "match protocol bgp" command in a class-map in order to classify all BGP routing traffic, but it doesn't match.
  When I try to do the same using an ACL matching tcp 179 in the same class-map configuration it works.
  Any suggestion?
  Regards
  Fabio

  ip cef
  class-map match-any SILVER
  match protocol bgp
  policy-map LLQ
  class SILVER
  bandwidth 150
  interface ATM0/0.1 point-to-point
  ip nbar protocol-discovery
  pvc 8/35
  service-policy output LLQ
  As you can see in the configuration extract above the commands you suggested are applied.
  The outputs below show that bgp packets have no match:
  TEST-2651XM-ADSL#sh policy-map int atm 0/0.1
  Class-map: SILVER (match-any)
  0 packets, 0 bytes
  30 second offered rate 0 bps, drop rate 0 bps
  Match: protocol bgp
  0 packets, 0 bytes
  30 second rate 0 bps
  TEST-2651XM-ADSL#sh ip nbar protocol-discovery int atm 0/0.1
  ATM0/0.1
  Input Output
  Protocol Packet Count Packet Count
  Byte Count Byte Count
  30 second bit rate (bps) 30 second bit rate (bps)
  snmp 229270 12936
  19069945 1528680
  3000 0
  telnet 2316 3
  122848 162
  1000 0
  icmp 4395 313
  421864 29488
  0 0
  bgp 0 0
  0 0
  0 0
  I'm using the IOS release:
  (C2600-IS-M), ver.12.2(15)T12

• Prime Infrastrucutre 2.2.1 MR

  I've already installed MR1 file pi221_20150210_01.ubf, but I see a new MR that came out 25-FEB-2015 and is called pi221_20150131-27.ubf.  Should I install this update as well?

  This is a snip of the email TAC and I shared.
  Regarding the pi221_20150131-27.ubf patch you see on PI, below is the information:
  This is specific to the situation where Prime Infrastructure 2.2 - Device Pack 1 was installed first on Prime Infrastructure 2.2, and then the patch for Prime Infrastructure 2.2.1 MR (released on 02/18/2015) was applied, which resulted in the UI for Software Image Management being broken. Installing the PI 2.2.1 MR first and the device pack second does not cause this issue. 
  The latest update you see is for the PI 2.2.1 ubf patch version 27, and the one which is already installed is version 26. When you will try to install the patch you will get error, but you can still get the features available in the version 27 by installing a point patch (this is not mandatory, and is an optional feature). The file name for the point patch is "pi221_CSCut07018_CSCut03269_20150225_01-1.ubf". If you want, I will go ahead and publish the file for you. (The file will be available for download for 3 days starting from the date of its publishing)
  When installing the patch, you may see a warning, saying "The update is attempting to modify the files that have already been changed by update "pi221_2015031_01". Its strongly recommended to contact the author to make sure the installation of this update is safe." Please advise customer to click "Yes" and continue with the installation. 

• NBAR Problem - packet marking

  Hi everyone
  I am using NBAR on my 7206VXR box to mark RTP stream to DSCP EF and SIP to CS3. Marking of SIP to CS3 works fine, but I got problem with RTP marking. Sometimes output packet are NOT marked, altough the output of policy-map applied on the interface says something different:
  Service-policy output: QoS-LAN-OUT
  Class-map: RTP-NBAR (match-any)
  7039646 packets, 2379635593 bytes
  5 minute offered rate 87000 bps, drop rate 0 bps
  Match: protocol rtp
  7039646 packets, 2379635593 bytes
  5 minute rate 87000 bps
  QoS Set
  dscp ef
  Packets marked 7039646
  Queueing
  Strict Priority
  Output Queue: Conversation 264
  Bandwidth 1000 (kbps) Burst 25000 (Bytes)
  (pkts matched/bytes matched) 1002/344274
  (total drops/bytes drops) 0/0
  I use wireshark analyzer on output interface of router to verify this. I cann't find anything, what could explain why it is working sometimes, and sometimes not. Could it be IOS bug? Using 12.4(5a) right now.
  Config of class and policy map is as simple as that (suppose the problem is not in configuration):
  class-map match-any RTP-NBAR
  match protocol rtp
  policy-map QoS-LAN-OUT
  class RTP-NBAR
  set ip dscp ef
  Any suggestions?
  Best regards,
  Martin

  Hello Martin,
  From my experience i think you should tag that traffic as it's coming in the interface.
  I attached a *.pdf file with net diagram and configuration. hope it helps.
  You can also use these commands to troubleshoot NBAR.
  sh ip nbar protocol-discovery interface stats bit-rate top-n 10
  debug ip nbar unclassified-port-stats
  sh ip nbar unclassified-port-stats 5
  Regards,
  Bruno Rodrigues

• Unable to set ip nabar protocol-discovery

  I am working with a 7206, and when I attempt to apply ip nbar protocol-discovery to FastEthernet0/0, I get an error stating that CEF is in enabled.
  I thought that CEF wa enabled by default. What am I missing?

  I have the same problem. Is there a command to enable NBAR ?? CEF is enabled on my router interfaces but 'show ip nbar .. ' return blanks. Why ??
  r#sho ip nbar protocol-discovery stat bit
  r#sho ip nbar protocol-discovery top-n
  r#sho ip int fa0/0
  FastEthernet0/0 is up, line protocol is up
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP Feature Fast switching turbo vector
  IP Feature CEF switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
  IP multicast multilayer switching is disabled
  r-ing-toronto21#sho ip nbar protocol-discovery
  r-ing-toronto21#sho ip nbar protocol-discovery int fa0/0