Release Notes for NBAR2 Protocol Pack 40.0.0 for Cisco Wireless Controllers

Overview

The NBAR2 Protocol Pack 40.0.0 release includes:

  • New protocols

  • Improvements to classification of protocols

  • Deprecated protocols

Supported Platforms

NBAR2 Protocol Pack 40.0.0 is supported on the following platforms:

  • Cisco 3504 Wireless Controller

  • Cisco 5520 Wireless Controller

  • Cisco 8540 Wireless Controller

  • Cisco Virtual Wireless Controller (vWLC) on the following platforms

    • VMware vSphere Hypervisor (ESXi) Version 5.x and 6.x

    • Hyper-V on Microsoft Servers 2012 and later versions (Support introduced in Release 8.4)

    • Kernel-based virtual machine (KVM) (Support introduced in Release 8.1. After KVM is deployed, we recommend that you do not downgrade to a Cisco Wireless release that is earlier than Release 8.1.)

  • Cisco Wireless Controllers for High Availability for Cisco 3504 controller, Cisco 5520 controller, and Cisco 8540 controller.

  • Cisco Mobility Express Solution

New Protocols in NBAR2 Protocol Pack 40.0.0

The following protocols were added in NBAR2 Protocol Pack 40.0.0 (since 37.0.0):

Protocol Name

Common Name

Long Description

amazon-cloudfront

Amazon CloudFront

Amazon CloudFront is a content delivery network offered by Amazon Web Services. Content delivery networks provide a globally-distributed network of proxy servers which cache content.

amazon-ec2

Amazon EC2

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

amazon-s3

Amazon S3

Amazon S3 provides object storage through web services interfaces (REST, SOAP, and BitTorrent).

apple-location-services

Apple Location Services

Apple Location Services allows Apple and third-party apps and websites to gather and use information based on the current location of your iPhone or Apple Watch to provide a variety of location-based services. This traffic was previously classified as “apple-services”. This change might require policy changes. The “apple-group” group can be used for aggregation.

cisco-cta

Cisco Cognitive Threat Analytics

Cisco Cognitive Threat Analytics pinpoints attacks before they can extract sensitive data. It analyzes web traffic, endpoint data from Cisco AMP for Endpoints, and network data from Cisco Stealthwatch Enterprise. It then uses machine learning to identify malicious activity.

cisco-meraki

Cisco Meraki

Cisco Meraki is a cloud managed solution that includes wireless, switching, security, EMM, communications, and security cameras, all centrally managed from the web.

cisco-stealthwatch

Cisco Stealthwatch

Cisco Stealthwatch provides continuous real-time monitoring and pervasive views into network traffic.

coap

COAP

The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (for example, low-power, lossy) networks.

ebay

eBay

eBay is a multinational e-commerce corporation that facilitates consumer-to-consumer and business-to-consumer sales through its website.

imgur

Imgur

Imgur is an online image sharing community and image host.

iperf

iPerf

iPerf is a widely used tool for network performance measurement and tuning. Support for releases 2.x and later.

lifesize

Lifesize

Lifesize is a video and audio telecommunications company providing high definition videoconferencing endpoints and accessories, touchscreen conference room phones, and a cloud-based video collaboration platform.

llmnr

Link-Local Multicast Name Resolution

The Link-Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.

mdns

mDNS

The multicast DNS (mDNS) protocol resolves host names to IP addresses within small networks that do not include a local name server.

mindtouch

MindTouch

MindTouch enables a team to create, publish, and edit content, and then structure the content within a responsive user interface.

mqtt

MQTT

MQTT (Message Queuing Telemetry Transport) is a lightweight broker-based publish/subscribe messaging protocol. It is designed for constrained devices and low-bandwidth, high-latency or unreliable networks.

slack

Slack

Slack is a cloud-based set of proprietary team collaboration tools and services.

slack-media

Slack Media

Slack media streaming services.

snapchat

Snapchat

Snapchat is a multimedia messaging app.

tumblr

tumblr

Tumblr is a microblogging and social networking website.

Updated Protocols in NBAR2 Protocol Pack 40.0.0

The following protocols have been updated to improve accuracy in NBAR2 Protocol Pack 40.0.0 (since 37.0.0):

  • bittorrent
  • cisco-umbrella
  • dns
  • gree
  • htc-services
  • icloud
  • iPerf
  • kerberos
  • ldap
  • linkedin
  • mDNS
  • ms-lync
  • ms-office-365
  • ms-teams
  • ms-update
  • netflix
  • outlook-web-services
  • QQ-Services
  • salesforce
  • samsung
  • share-point
  • skype
  • skype
  • SNMP
  • statistical-p2p
  • the-pirate-bay
  • vmware-vsphere
  • WeChat
  • windows-azure
  • workday
  • youtube

Deprecated Protocols in NBAR2 Protocol Pack 40.0.0

The following protocols have been deprecated in NBAR2 Protocol Pack 40.0.0 (since 37.0.0):

Application

Description

NBAR2 Protocols Deprecated

AOL Messenger

AOL Instant Messenger allows users to communicate either through AIM contacts or Facebook/Google-talk contacts and share photos.

aol-messenger

Babelgum

Babelgum is an internet TV website based on streaming TV shows and music videos. Also supporting Apple mobile devices, including the iPhone, iPod Touch and iPad.

babelgum

Vine

Vine - Mobile App for sharing photos and videos clips.

vine

Caveats in NBAR2 Protocol Pack 40.0.0


Note

If you have an account on Cisco.com, you can view information on select caveats, using the Bug Search Tool (https://bst.cloudapps.cisco.com/bugsearch/).


Resolved Caveats in NBAR2 Protocol Pack 40.0.0

The following table lists the caveats resolved in NBAR2 Protocol Pack 40.0.0 (since 37.0.0):

Caveat

Description

CSCvi90495

Certain vendor Wi-Fi calling is not detected as Wi-Fi-calling

Downloading NBAR2 Protocol Pack 40.0.0

NBAR2 Protocol Packs are available for download on the Cisco.com software download page (http://www.cisco.com/cisco/software/navigator.html). On the download page, specify a platform model to display software available for download. One software option will be NBAR2 Protocol Packs.

Example

To display protocol packs available for the Cisco Wireless Controllers platform, the navigation path is:

Download Software > Enter the Controller model > NBAR2 Protocol Pack.

Special Notes and Limitations

Protocol Name

Special Note or Limitation

apple-app-store

Login and a few encrypted sessions are classified as iTunes.

bittorrent

HTTP traffic generated by the bitcomet bittorrent client might be classified as HTTP.

capwap-data

For capwap-data to be classified correctly, capwap-control must also be enabled.

ftp

During configuring QoS class-map with ftp-data, the FTP protocol must be selected. As an alternative, the FTP application group can be selected.

hulu

Encrypted video streaming generated by hulu may be classified as its underlying protocol rtmpe.

logmein

Traffic generated by the logmein android app may be classified incorrectly as ssl.

ms-lync

Login and chat traffic generated by the ms-lync client may be classified incorrectly as ssl.

pcanywhere

Traffic generated by pcanywhere for mac may be classified as unknown.

perfect-dark

Some perfect-dark sessions may be classified as unknown.

qq-accounts

Login to QQ applications which is not via the internet may not be classified as qq-accounts.

ssl

The Sub Classification (SC) mechanism was modified to include search for wildcard.

Note 

The SC rule for the part of the Server Name Indication (SNI) or the common name (CN) can now include a wildcard. If a wildcard is not used, the complete SNI or the CN is required.

For example, you can either use, "*.pqr.com" or "abc.pqr.com" to classify abc.pqr.com.