Prime 1.4 NBAR protocol pack
So I have installed the nbar protocol pack on my WLCs that are running 7.5 code. Everything is working fine. I have them configured to netflow for the aggregating of all the avc data into PI. It's all working except I have some unclassified or unknown traffic showing up in PI when I look at the app data. I don't see this when I look at the app data directly on the controller. I found this from this link...
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps12239/solution_overview_c22-728972.html#wp9000606
Applying Protocol Pack on Cisco Prime Infrastructure
Once the device is updated with the new Protocol Pack, the next step is to update Cisco Prime Infrastructure with it. Browse to Administration > Software Update > Upload Update File. Now click the browse button to locate the protocol pack ubf file and upload. You will then have to restart the Cisco Prime Infrastructure server by logging into the server as "admin" and performing the following: "ncs stop" followed by "ncs start".
I can't seem to find any protocol pack file that is a ubf that I can load into Prime. Is there a special pack just for PI or is it sufficient to just load the protocol pack on the WLCs themselves? I have tried the file that I used on the WLCs but it just errors in PI.
It says this in your link
When you upgrade an NBAR protocol pack on the device, a corresponding Prime Infrastructure update should be performed to update Prime Infrastructure with the supported protocols/applications on the devices.
To achieve that there is a periodic Prime Infrastructure software update (UBF file) issued when new protocol packs are released. Once you upgrade the NBAR protocol pack on the device, you should use Prime Infrastructure software upgrade to make sure Prime is also updated with the latest protocols.
Similar Messages
-
Hi all,
I'm trying to upgrade the NBAR protocol pack on my Cisco 1941 router, so I downloaded the new NBAR protocol pack (version 4.0.0) and transferred it into router flash via TFTP.
When I try to apply the new protocol pack with the command:
ip nbar protocol-pack flash:[protocol-pack-name]
I got this error:
% NBAR Error : Advanced Protocol Pack can not be loaded on top of Standard Protocol Pack
The router is running IPBASE IOS with Security License, IOS image is c1900-universalk9-mz.SPA.153-1.T.bin
Any suggestions? Do NBAR2 packages work on IP Base images?
Thank you in advance.
Regards
Hi,
there's a lot of information in "NBAR2 (Next Generation NBAR) Protocol Pack FAQ" :
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/qa_C67-723689.html
"Q. Does a user need a license of any kind to access NBAR protocol packs?"
"A. NBAR users having a AVC (Application Visibility and Control) feature license can load and use protocol packs on routers. Please refer to the protocol pack licensing section in this document for more details."
"Q. Can a user load a protocol pack on any Cisco IOS/IOS-XE image?"
"A. The minimum IOS version required to load a NBAR protocol pack on a ISR-G2 platforms is Cisco IOS Software Release 15.2(4) M.
Loading a protocol pack can be done if the engine version on the platform is the same or higher than the version required by the protocol pack.
To view the NBAR engine version on the device, use:
Router#sh ip nbar version | include software
It is strongly recommended to use the protocol pack that is the exact match for the engine, and also recommended to use the latest protocol pack for the base image."
Hope that helps,
Best regards
Rolf
Supplement:
Found in BRKNMS-3135 (Cisco Live 365):
Standard Protocol Pack
‒ Available (as Default Protocol pack) in IP Base image
Advanced Protocol Pack
‒ Available (as Default protocol pack) in DATA image
Added: BRKNMS-3135 info
-
Is there a script to automate NBAR Protocol pack download from CCO
Is there a script to automate NBAR Protocol pack download from CCO?
I do not know of one. It may be challenging to build one, too. While there is an HTTP API built into EEM Tcl, it supports HTTP only. I believe accessing the NBAR protocol packs would require HTTPS? If it can be done with a clear text protocol like HTTP or FTP, we could build a script to automate the process.
-
Hi,
I downloaded the Protocol Pack, but inside the ZIP files there isn't a folder for SCE 1000, only for SCE 2000 and 8000.
Does anybody know if the Protocol Pack for SCE 2000 is the same for SCE 1000?
I downloaded three files and the situation is the same.
Thanks!
The file for SCE1010 and SCE2020 is the same. Please use the same file. This is the suggestion we received from the business unit. (And it works :D )
-
Is there any way to prioritize traffic from a wireless client (laptop in my case) to the AP? If I explain the issue in a broad way, there is no congestion going on in the wired network. When multiple users connect to real presence and all share the same AP, they get real-time output over the call, BUT if someone starts a file transfer over the same AP the real presence call voice/video gets stuck.
I applied the AVC feature on the WLC but, as I tested, I think prioritization from my laptop to the AP will not happen and the situation remains the same.
Please share if there is any way to prioritize traffic from the wireless client (laptop) to the AP only?
Hi Vinod,
Here is the AVC & QoS interaction for upstream & downstream traffic. For downstream it is important you have configured your WLAN with the correct QoS profile & 802.1p values, as that plays a role even though you are marking traffic using AVC.
Upstream
1. Packet comes with or without inner DSCP from wireless side (wireless client).
2. AP will add DSCP in the CAPWAP header that is configured on WLAN (QoS based config).
3. WLC will remove CAPWAP header.
4. AVC module on the controller will overwrite the DSCP to the configured marked value in the AVC profile and send it out.
Downstream
1. Packet comes from switch with or without inner DSCP wired side value.
2. AVC module will overwrite the inner DSCP value.
3. Controller will compare WLAN QoS configuration (as per 802.1p value that is actually 802.11e) with inner DSCP value that NBAR had overwritten. WLC will choose the lesser value and put it into CAPWAP header for DSCP.
4. WLC will send out the packet to AP with QoS WLAN setting on the outer CAPWAP and AVC inner DSCP setting.
5. AP strips the CAPWAP header and sends the packet on air with AVC DSCP setting; if AVC was not applied to an application then that application will adopt the QoS setting of the WLAN.
I am not sure which controller software version you are running. From AVC perspective, it is good if you could install latest NBAR protocol pack (4.1 for WLC 7.5.x code or 6.3 for WLC 7.6.x code) on your controller.
Here is the 7.5.x AVC deployment guide which should help you on this
http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/AVC_dg7point5.html
Like others mentioned, it is very little you can do with respect to upstream direction as AVC kicks in only when traffic hits WLC & not at the AP level.
HTH
Rasika
**** Pls rate all useful responses **** -
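The upstream and downstream steps in the reply above, traced hop by hop as an added example (not part of the original thread and not Cisco code). The numeric comparison used for "lesser value", the unchanged DSCP when no AVC rule applies upstream, the WLAN value used on the CAPWAP header when no AVC rule applies downstream, and the sample DSCP values are assumptions.

```python
from typing import List, NamedTuple, Optional

EF, AF41, AF11, BE = 46, 34, 10, 0   # standard DSCP code points used as samples


class Hop(NamedTuple):
    segment: str
    inner_dscp: int              # DSCP in the client's own IP header
    outer_dscp: Optional[int]    # DSCP in the CAPWAP header, None outside the tunnel


def upstream(client_dscp: int, wlan_dscp: int, avc_mark: Optional[int]) -> List[Hop]:
    """Wireless client -> AP -> WLC -> wired side (upstream steps 1-4)."""
    # Step 1: the packet crosses the air with whatever DSCP the client set.
    hops = [Hop("client->AP (air)", client_dscp, None)]
    # Step 2: the AP puts the WLAN's configured DSCP in the CAPWAP header.
    hops.append(Hop("AP->WLC (CAPWAP)", client_dscp, wlan_dscp))
    # Steps 3-4: the WLC removes CAPWAP, then AVC overwrites the DSCP.
    # Assumption: with no AVC mark rule the inner DSCP is left as received.
    egress = client_dscp if avc_mark is None else avc_mark
    hops.append(Hop("WLC->wired", egress, None))
    return hops


def downstream(wired_dscp: int, wlan_dscp: int, avc_mark: Optional[int]) -> List[Hop]:
    """Wired side -> WLC -> AP -> wireless client (downstream steps 1-5)."""
    hops = [Hop("wired->WLC", wired_dscp, None)]            # step 1
    if avc_mark is None:
        # Step 5, second half: no AVC rule, so the WLAN QoS setting applies.
        # Assumption: the WLAN value is used on the CAPWAP header as well.
        inner, outer, air = wired_dscp, wlan_dscp, wlan_dscp
    else:
        inner = avc_mark                                    # step 2
        outer = min(wlan_dscp, inner)                       # step 3: lesser value
        air = inner                                         # step 5
    hops.append(Hop("WLC->AP (CAPWAP)", inner, outer))      # step 4
    hops.append(Hop("AP->client (air)", air, None))
    return hops


def on_air(hops: List[Hop]) -> Hop:
    """Return the hop that crosses the radio link."""
    return next(h for h in hops if "(air)" in h.segment)


if __name__ == "__main__":
    # Constructed scenario: a client sends unmarked voice, WLAN set to EF,
    # AVC profile marks the application EF.
    for label, trace in (("upstream", upstream(BE, EF, EF)),
                         ("downstream", downstream(BE, EF, EF))):
        print(label)
        for hop in trace:
            print(f"  {hop.segment:18} inner={hop.inner_dscp:2} outer={hop.outer_dscp}")
```

In the upstream trace the AVC mark first appears on the WLC->wired hop, which matches the reply's closing remark that AVC only acts once traffic reaches the WLC.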
Cisco website software download disappeared
Does anyone know if there is a known problem with the Cisco software download website? I was looking to download the NBAR protocol pack for the WiSM2 but it's no longer listed as an option (WiSM is there but obviously of no use to me). I can get it for my 5508 controllers but not the WiSM2...
I assume that I am searching correctly as I downloaded the 7.6.120.0 software only last week.
It's just not showing up under the WiSM2 page. If you go under the 5508 downloads page the latest NBAR2 Protocol Pack is listed there:
"NBAR2 Advanced Protocol Pack 6.4.0 for AireOS 7.6: NBAR2 Engine 13 (pp-AIR-7.6-13-6.4.0.pack)"
If you click on the Release notes for that pack, they indicate:
NBAR2 Protocol Pack 6.4.0 is supported on the following Cisco Wireless LAN Controller platforms:
Cisco 5508 Wireless Controller
Cisco Flex 7500 Series Wireless Controllers
Cisco 8510 Wireless Controller
Cisco Wireless Services Module 2 (WiSM2)
-
Prime 1.4 AVC Not displaying ms-lync
Hello guys
When browsing the AVC statistics on the WLC, I can see that ms-lync is among the top applications, however on the application dashboard of Prime 1.4, it is not in the list. There is a lot of unclassified, and also some UndefinedXXXXXX categories.
Is the latest Prime 1.4 not able to handle all the protocols from WLC version 7.6?
Ms-lync is not something that is added in the recent nbar packs, so in my opinion it should be there.
Any ideas before I open a TAC case?
Greetings
Steven
Hi Steven,
Here is what the release note says about PI 1.4 (update 1). As you can see, it clearly says that it does not support any new features of WLC 7.6.100.0. So if 7.6 updated any protocol packs, it may not be reflected correctly in PI 1.4.
http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/1-4/release/notes/cpi_rn_141.html#wp121143
This is a patch release for Cisco Prime Infrastructure 1.4 (1.4.0.45). This patch must be installed on top of your existing Prime Infrastructure 1.4. This release supports two new AP platforms - Cisco 3700 and Cisco 1530 series access points (supported by WLC 7.6.100.0). This release also delivers a number of critical bug fixes. The update 1 for Prime Infrastructure 1.4 enables you to manage Cisco WLC 7.6.100.0 with the features of Cisco WLC 7.5.102.0 and earlier releases. This release does not support any new features of Cisco WLC 7.6.100.0.
Even the recently released PI 2.1 comes with the same disclosure, which means you may not get a resolution soon. But give it a try through the TAC avenue & you may get some better results.
Here is PI 2.1 Release notes for your reference.
http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-1/release/notes/cpi_rn.html
HTH
Rasika
**** Pls rate all useful responses ****
-
New installation of Prime Infrastructure 2.2.0 (PI-VA-2.2.0.0.158.ova)
installed fixes/software/device packs:
PI 2.2.1 Poodle Fix (installed)
PI 2.2.1 Maintenance Release (installed,ncs stopped,rebooted)
Prime Infrastructure 2.2 Device Pack 3 (installed,ncs stopped,rebooted)
Licences installed (ncs stopped,rebooted)
Added all devices via Bulk Import (Inventory>Device Management>Network Devices)
Problem 1:
The Cisco 5500 WLCs are not listed in Inventory>Device Management>Network Devices (see screen shot) but listed under "All Devices"!
The Cisco 4400 WLCs and the 8500 WLCs are listed within their subgroup.
Devices are in "Managed State"
Problem 2: fixed! (Browser issue)
Problem 3:
Unable to run "Wired Detailed Device Inventory" report because I get the error message: Failed to run report: Unable to retrieve data for: Chassis Information (if Chassis Information is selected, if System Information is selected I get the error message with ...retrieve data for:System Information)
All devices do have an "Admin Status = Managed" and the Last Inventory Collections Status = Completed.
Has anyone the same issues or a tip for me?
Another topic, the "User Defined Fields" are not exported when running a "Device Export" (Inventory > Device Management > Network Devices). ;-(
BR
Bastian
Hello Bastian,
I think you still have a browser issue. Using IE is still the best with Prime.
I have exactly the same Prime 2.2 and installed fixes/software/device packs.
I have no problem, I can see all views. I now use IE 11; with Chrome 42.0.2311.90 and Firefox 37.01 I have problems too with lots of views. You have not said which browser and version you have.
Since you have same prime 2.2 as me. I have other problems, can you check yours?
Can you see a functional CLI template page at Configuration > Templates > Features & Technologies:
https://supportforums.cisco.com/discussion/12481691/can-cisco-prime-22-still-do-simple-ad-hoc-deployment-job-cli-over-all-switches
Do you have SNMP Connectivity Failed while Verify Credentials has no errors, all green and checked?
https://supportforums.cisco.com/discussion/12494786/snmp-request-exceeds-internal-data-buffer-512-bytes-prime-22-asa-5545
-
WCS to Prime 1.2 licensing
Hi
I am doing a migration from WCS 7.x to Prime 1.2
There is a WCS 7 to Prime 1.2 migration license pack that we have obtained.
However, as I understand it, we need to install NCS 1.1.1.24 first, import the WCS database and then carry on to do the NCS to Prime upgrade. So we have the licenses for the final Prime 1.2 deployment.
When we get to NCS 1.1.1.24 we cannot migrate off of the main login page until we apply an appropriate NCS license. We were told by Cisco Sales that a temporary license can be generated for NCS 1.1.1.24 by sending licensing the license XML file taken from WCS along with the VUDI and our license order info. We have followed this path successfully once. We sent the XML file to Cisco along with some other info and they returned a license we could use on NCS. We then moved to Prime 1.2. However on this occasion Cisco insist we need an NCS license.
I have moved from NCS 1.x to Prime 1.2 before and all the licenses have been retained.
So are Cisco telling me that to migrate from WCS 7 to Prime 1.2 I should license the NCS server and simply upgrade it to Prime 1.2 with no further licensing needing purchased ? If so why is there a WCS to Prime 1.2 license pack ?
Or are Cisco saying we need the NCS license AND the Prime 1.2 licenses ?
Thanks for any input, St.
Thanks for this too Scott.
I see that you could license NCS 1.1.1.24 then move to Prime 1.2 without applying further licenses. I have done this in a NCS to Prime upgrade. Prime maintains the NCS licenses. However there is a WCS to Prime 1.2 License SKU which we have ordered because we are starting from WCS on this occasion. The licenses generated from these PAKs do not work on NCS 1.1.1.24
So it would seem that the WCS to Prime migration SKU does not include the necessary license to allow us to pass through NCS 1.1.1.24 during the migration.
I think if we had ordered a WCS to NCS migration SKU we would have got the necessary NCS license. We could then install that and carry on to Prime 1.2 with no further license requirements. If that is the case why is there a WCS to Prime 1.2 migration SKU ?
We did resolve this issue before by following the advice of Cisco Sales. We logged a call with licensing, supplied the exported WCS license XML file and the NCS VUDI and they gave us an NCS license. However, on this occasion licensing are not so forthcoming. They suggest we need a NCS 1.x licence.
So either they are implying we need a NCS 1.x AND a Prime 1.2 license. Or we should have bought a WCS to NCS migration license and the NCS to Prime migration license is useless because it does not allow us to pass through NCS as part of the migration process.
Thanks for any help on this, St.
-
Cisco Prime Infra 2.1 fails to import an image from file
We have a standard Cisco Prime Infrastructure 2.1 install. The software repository has been built up by importing the IOS images from the discovered network devices. To implement netflow capabilities on some 3750X switches we need to upgrade the IOS on the chassis and the NM card C3KX-SM10G. I was able to download from Cisco Support the 3750X IOS .tar file and import it from my machine's local file system. However, the module's tar file c3kx-sm10g-tar.150-2.SE6.tar fails on the upload from my local file system. When I look at the import job results they are as follows:
Image collection from source SUCCESS
Copying Image to Staging Location SUCCESS
Copying Image to Repository FAILURE
I've tried to import just the .bin file but this also fails at the same stage as above.
I've also tried to scp the file directly into the backend file structure with no success into the folder /opt/CSCOlumos/conf/ifm/swim/jobs with the other images (oddly noticed the above .tar file for the 3750X isn't listed with the other .bin files - although is available through the webGUI).
I need to distribute the NM .tar file across multiple switches and I'd prefer to use Cisco Prime for the job. Any help would be gratefully received.
Thanks.
I had (still have?) the same problem with it not copying the image over. I put in a ticket and they told me to upgrade to Prime Infrastructure 2.1-Device Pack 4 pi_2.1device_packs_4-40.ubf, which helped, but it still fails sometimes.
I had read a post from another thread about going through software image management to distribute and that seems to work a little better, but still fails sometimes.
So I think that there are still quite a few issues in Prime that need worked out.
We have over many switches that need software upgrades and I was hoping to do it quickly through Prime, but I don't want to send out more than one image at a time to a switch because I don't want it to fail. So it's a drawback right now, just doing one at a time to make sure it takes.
-
Using NBAR to Prioritize Citrix Traffic
Hi can anyone help, I am trying to set up NBAR to prioritize Citrix traffic using the ICA tags in the Citrix frame header. But I cannot get it to work.
We are using version 6 PDLM, IOS 12.3(4)T on a 7206 when we check the policy map stats there are no matches, we have also sniffed the citrix traffic to check that it is being marked. The configuration is as follows (the gig0/3 interface is the main interface of a 802.1q VLAN trunk i.e. the traffic we want to mark is coming in over the sub interfaces)
class-map match-all Citrix-medium
match protocol citrix ica-tag "1"
class-map match-all Citrix-high
match protocol citrix ica-tag "0"
class-map match-all Citrix-background
match protocol citrix ica-tag "3"
class-map match-all Citrix-low
match protocol citrix ica-tag "2"
policy-map ABCCITRIX
class Citrix-high
set dscp ef
class Citrix-medium
set dscp 11
class Citrix-low
set dscp 11
class Citrix-background
set dscp 11
class test
set dscp af43
interface GigabitEthernet0/3
no ip address
ip nbar protocol-discovery
service-policy input ABCCITRIX
duplex auto
speed auto
media-type rj45
no negotiation auto
Have you tried assigning your service-policy input to the subinterface where traffic is received rather than to the main interface?
-
I'm trying to use "match protocol bgp" command in a class-map in order to classify all BGP routing traffic, but it doesn't match.
When I try to do the same using an ACL matching tcp 179 in the same class-map configuration it works.
Any suggestion?
Regards
Fabio
ip cef
class-map match-any SILVER
match protocol bgp
policy-map LLQ
class SILVER
bandwidth 150
interface ATM0/0.1 point-to-point
ip nbar protocol-discovery
pvc 8/35
service-policy output LLQ
As you can see in the configuration extract above the commands you suggested are applied.
The outputs below show that bgp packets have no match:
TEST-2651XM-ADSL#sh policy-map int atm 0/0.1
Class-map: SILVER (match-any)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: protocol bgp
0 packets, 0 bytes
30 second rate 0 bps
TEST-2651XM-ADSL#sh ip nbar protocol-discovery int atm 0/0.1
ATM0/0.1
Input Output
Protocol Packet Count Packet Count
Byte Count Byte Count
30 second bit rate (bps) 30 second bit rate (bps)
snmp 229270 12936
19069945 1528680
3000 0
telnet 2316 3
122848 162
1000 0
icmp 4395 313
421864 29488
0 0
bgp 0 0
0 0
0 0
I'm using the IOS release:
(C2600-IS-M), ver.12.2(15)T12
-
Prime Infrastructure 2.2.1 MR
I've already installed MR1 file pi221_20150210_01.ubf, but I see a new MR that came out 25-FEB-2015 and is called pi221_20150131-27.ubf. Should I install this update as well?
This is a snip of the email TAC and I shared.
Regarding the pi221_20150131-27.ubf patch you see on PI, below is the information:
This is specific to the situation where Prime Infrastructure 2.2 - Device Pack 1 was installed first on Prime Infrastructure 2.2, and then the patch for Prime Infrastructure 2.2.1 MR (released on 02/18/2015) was applied, which resulted in the UI for Software Image Management being broken. Installing the PI 2.2.1 MR first and the device pack second does not cause this issue.
The latest update you see is for the PI 2.2.1 ubf patch version 27, and the one which is already installed is version 26. When you will try to install the patch you will get error, but you can still get the features available in the version 27 by installing a point patch (this is not mandatory, and is an optional feature). The file name for the point patch is "pi221_CSCut07018_CSCut03269_20150225_01-1.ubf". If you want, I will go ahead and publish the file for you. (The file will be available for download for 3 days starting from the date of its publishing)
When installing the patch, you may see a warning, saying "The update is attempting to modify the files that have already been changed by update "pi221_2015031_01". Its strongly recommended to contact the author to make sure the installation of this update is safe." Please advise customer to click "Yes" and continue with the installation.
-
Hi everyone
I am using NBAR on my 7206VXR box to mark RTP stream to DSCP EF and SIP to CS3. Marking of SIP to CS3 works fine, but I got a problem with RTP marking. Sometimes output packets are NOT marked, although the output of the policy-map applied on the interface says something different:
Service-policy output: QoS-LAN-OUT
Class-map: RTP-NBAR (match-any)
7039646 packets, 2379635593 bytes
5 minute offered rate 87000 bps, drop rate 0 bps
Match: protocol rtp
7039646 packets, 2379635593 bytes
5 minute rate 87000 bps
QoS Set
dscp ef
Packets marked 7039646
Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 1000 (kbps) Burst 25000 (Bytes)
(pkts matched/bytes matched) 1002/344274
(total drops/bytes drops) 0/0
I use the Wireshark analyzer on the output interface of the router to verify this. I can't find anything that could explain why it is working sometimes, and sometimes not. Could it be an IOS bug? Using 12.4(5a) right now.
Config of class and policy map is as simple as that (suppose the problem is not in configuration):
class-map match-any RTP-NBAR
match protocol rtp
policy-map QoS-LAN-OUT
class RTP-NBAR
set ip dscp ef
Any suggestions?
Best regards,
Martin
Hello Martin,
From my experience I think you should tag that traffic as it's coming in the interface.
I attached a *.pdf file with net diagram and configuration. hope it helps.
You can also use these commands to troubleshoot NBAR.
sh ip nbar protocol-discovery interface stats bit-rate top-n 10
debug ip nbar unclassified-port-stats
sh ip nbar unclassified-port-stats 5
Regards,
Bruno Rodrigues
-
Unable to set ip nbar protocol-discovery
I am working with a 7206, and when I attempt to apply ip nbar protocol-discovery to FastEthernet0/0, I get an error stating that CEF is in enabled.
I thought that CEF was enabled by default. What am I missing?
I have the same problem. Is there a command to enable NBAR? CEF is enabled on my router interfaces but 'show ip nbar .. ' returns blanks. Why?
r#sho ip nbar protocol-discovery stat bit
r#sho ip nbar protocol-discovery top-n
r#sho ip int fa0/0
FastEthernet0/0 is up, line protocol is up
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are never sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP Feature Fast switching turbo vector
IP Feature CEF switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
IP multicast multilayer switching is disabled
r-ing-toronto21#sho ip nbar protocol-discovery
r-ing-toronto21#sho ip nbar protocol-discovery int fa0/0