____________

BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________

VMware, Inc. and Dell Technologies, Inc.,
Petitioner,

v.

Proven Networks, LLC,
Patent Owner.
____________

Case No. IPR 2021-00194
Patent 8,165,024
____________

DECLARATION OF SYLVIA D. HALL-ELLIS, PH.D.

VMWARE 1012

U.S. Patent 8,165,024

I. INTRODUCTION

1. My name is Sylvia D. Hall-Ellis. I have been retained as an expert by VMware, Inc. and Dell Technologies, Inc. (referred to herein as “Petitioner”).

2. I have written this declaration at the request of Petitioner to provide my expert opinion regarding the authenticity and public availability of a publication. My report sets forth my opinions in detail and provides the bases for my opinions regarding the public availability of this publication.

3. I reserve the right to supplement or amend my opinions, and bases for them, in response to any additional evidence, testimony, discovery, argument, and/or other additional information that may be provided to or obtained by me after the date of this declaration.

4. As of the preparation and signing of this declaration, libraries across the nation are closed pursuant to an order of the federal and state governments due to the COVID-19 virus. However, were the libraries open, I would expect to be able to obtain paper copies of the documents in this declaration. Additionally, it is my typical practice to obtain a paper copy of each publication to further confirm my opinions that the documents were available prior to the alleged availability date. I reserve the right to supplement my declaration when the libraries reopen to provide such information.

U.S. Patent 5,806,062

5. I am being compensated for my time spent working on this matter at my normal consulting rate of $300 per hour, plus reimbursement for any additional reasonable expenses. My compensation is not in any way tied to the content of this Declaration, the substance of my opinions, or the outcome of this dispute. I have no other interests in this proceeding or with any of the parties.

6. All of the materials that I considered are discussed explicitly in this Declaration.

II. QUALIFICATIONS

7. I am currently an Adjunct Professor in the School of Information at San José State University. I obtained a Master of Library Science from the University of North Texas in 1972 and a Ph.D. in Library Science from the University of Pittsburgh in 1985. Over the last forty-five years, I have held various positions in the field of library and information resources. I was first employed as a librarian in 1966 and have been involved in the field of library sciences since, holding numerous positions.

8. I am a member of the American Library Association (“ALA”) and its Association for Library Collections & Technical Services (“ALCTS”) Division, and I served on the Committee on Cataloging: Resource and Description (which wrote the new cataloging rules) and as the founding chair of the Committee for Education and Training of Catalogers and the Competencies and Education for a Career in Cataloging Interest Group. I also served as the Founding Chair of the ALCTS Division’s Task Force on Competencies and Education for a Career in Cataloging. Additionally, I served as the Chair for the ALA Office of Diversity’s Committee on Diversity, a member of the REFORMA National Board of Directors, and a member of the Editorial Board for the ALCTS premier cataloging journal, Library Resources and Technical Services. Currently I serve as a Co-Chair for the Library Research Round Table of the American Library Association.

9. I have also given over one-hundred presentations in the field, including several on library cataloging systems and Machine-Readable Cataloging (“MARC”) standards. My current research interests include library cataloging systems, metadata, and organization of electronic resources.

10. I have been deposed fifteen times.

11. My full curriculum vitae is attached hereto as Appendix A.

III. PRELIMINARIES

A. Scope of This Declaration

12. I am not an attorney and will not offer opinions on the law. I am, however, rendering my expert opinion on the authenticity of the documents referenced herein and on when and how each of these documents was disseminated or otherwise made available to the extent that persons interested and ordinarily skilled in the subject matter or art, exercising reasonable diligence, could have located the documents.

13. I am informed by counsel that an item is considered authentic if there is sufficient evidence to support a finding that the item is what it is claimed to be. I am also informed that authenticity can be established based on the contents of the documents themselves, such as the appearance, contents, substance, internal patterns, or other distinctive characteristics of the item, taken together with all of the circumstances. I am further informed that an item is considered authentic if it is at least 20 years old, in a condition that creates no suspicion of its authenticity, and in a place where, if authentic, it would likely be. Lastly, I have been informed that a document’s authenticity can be established by comparison with an authentic specimen.

14. I am informed by counsel that a printed publication qualifies as publicly accessible as of the date it was disseminated or otherwise made available such that a person interested in and ordinarily skilled in the relevant subject matter could locate it through the exercise of ordinary diligence.

15. While I understand that the determination of public accessibility under the foregoing standard rests on a case-by-case analysis of the facts particular to an individual publication, I also understand that a printed publication is rendered “publicly accessible” if it is cataloged and indexed by a library such that a person interested in the relevant subject matter could locate it. That is, I understand that cataloging and indexing by a library is sufficient, although there are other ways that a printed publication may qualify as publicly-accessible. One manner of sufficient indexing is indexing according to subject matter category. I understand that the cataloging and indexing by a single library of a single instance of a particular printed publication is sufficient, even if the single library is in a foreign country. I understand that, even if access to a library is restricted, a printed publication that has been cataloged and indexed therein is publicly-accessible so long as a presumption is raised that the portion of the public concerned with the relevant subject matter would know of the printed publication. I also understand that the cataloging and indexing of information that would guide a person interested in the relevant subject matter to the printed publication, such as the cataloging and indexing of an abstract for the printed publication, is sufficient to render the printed publication publicly-accessible.

16. I understand that routine business practices, such as general library cataloging and indexing practices, can be used to establish an approximate date on which a printed publication became publicly accessible. I also understand that the indicia on the face of a reference, such as printed dates and stamps, are considered as part of the totality of the evidence.

B. Persons of Ordinary Skill in the Art

17. I am told by counsel that the subject matter of this proceeding relates generally to analysis of network data for classification and management of network traffic.

18. I have been informed by counsel that a “person of ordinary skill in the art at the time of the inventions” is a hypothetical person who is presumed to be familiar with the relevant field and its literature at the time of the inventions. This hypothetical person is also a person of ordinary creativity, capable of understanding the scientific principles applicable to the pertinent field.

19. I am told by counsel that persons of ordinary skill in this subject matter or art would have had at least the equivalent of a Bachelor’s degree in electrical engineering and four or more years of experience in networking devices and traffic management design. Less work experience may be compensated by a higher level of education, such as a Master’s Degree, and vice versa.

20. It is my opinion that such a person would have been engaged in research, learning through study, and practice in the field and possibly through formal instruction the bibliographic resources relevant to his or her research. By not later than the mid-1980s such a person would have had access to a vast array of long-established print resources in the field, as well as to a rich set of online resources providing indexing information, abstracts, and full text services for publications relevant to the field of this dispute.

C. Authoritative Databases

21. In preparing this report, I used authoritative databases, such as the OCLC WorldCat, the Library of Congress Online Catalog, and the Internet Archive digital repository to confirm citation details of the various publications discussed.

22. OCLC WorldCat Database. The OCLC was created “to establish, maintain and operate a computerized library network and to promote the evolution of library use, of libraries themselves, and of librarianship, and to provide processes and products for the benefit of library users and libraries, including such objectives as increasing availability of library resources to individual library patrons and reducing the rate of rise of library per-unit costs, all for the fundamental public purpose of furthering ease of access to and use of the ever-expanding body of worldwide scientific, literary and educational knowledge and information.”¹ Among other services, OCLC and its members are responsible for maintaining the WorldCat database,² used by independent and institutional libraries throughout the world.

¹ Third Article, Amended Articles of Incorporation of OCLC Online Computer Library Center, Incorporated (available at https://www.oclc.org/content/dam/oclc/membership/articles-of-incorporation.pdf)

² http://www.worldcat.org/

Internet Archive. The Internet Archive is a non-profit digital library founded in 1996. The Internet Archive maintains an archive of webpages collected from the Internet using software called a crawler. Crawlers automatically create a snapshot of webpages as they existed at a certain point in time. The WayBack Machine is an application using a crawler created by the Internet Archive to search its archive of Web page URLs and to represent, graphically, the date of each crawler capture. The Internet Archive captures data that is publicly available. Some sites are “not archived because they were password protected, blocked by robots.txt, or otherwise inaccessible to our automated systems. Site owners might have also requested that their sites be excluded from the WayBack Machine.” Many Internet Archive captures made by the WayBack Machine have a banner at the top with the capture date prominently displayed. Other dates when captures of the same URL have been made are indicated to the right and left of the date provided in the banner. Some captures may lack this banner. In any case, the URL for the capture begins with the identification of the Internet Archive page (e.g., http://web.archive.org/web/) followed by information that dates and time stamps the capture as follows: year in yyyy, month in mm, day in dd, time code in hh:mm:ss (e.g., 20071120082013, or November 20, 2007 at 8:20:13 a.m.). These elements are then followed by the URL of the original capture site. When links are active, the WayBack Machine is programed to produce the archived file with the closest available date (not the closest available prior date) to the page upon which the link appeared and was clicked. I and other librarian professionals are familiar with the Internet Archive and the Wayback Machine.³
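
The capture URL layout described above can be checked mechanically. The following Python sketch is an added example, not part of the declaration or of any Internet Archive code: it parses a capture URL into its timestamp and original URL, and shows the closest-date link behaviour the paragraph mentions. The function names and the list of candidate capture times passed to `nearest_capture` are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Layout described in the text: archive prefix, a 14-digit yyyymmddhhmmss
# timestamp, then the URL of the page that was captured.
CAPTURE_RE = re.compile(
    r"^https?://web\.archive\.org/web/"
    r"(?P<ts>\d{14})"
    r"(?:[a-z]{2}_)?"          # optional replay modifier such as "id_"
    r"/(?P<original>.+)$"
)

# Footer URL printed on the capture reproduced later on this page.
PAGE_CAPTURE = (
    "https://web.archive.org/web/20070117042317/www.cisco.com/en/US/"
    "products/ps6441/products_configuration_guide_chapter09186a008064fb35.html"
)


def parse_capture_url(url):
    """Return (capture time, original URL) for a Wayback Machine capture URL.

    Raises ValueError when the URL does not follow the capture layout or the
    fourteen digits do not form a real date and time.
    """
    m = CAPTURE_RE.match(url.strip())
    if m is None:
        raise ValueError(f"not a Wayback capture URL: {url!r}")
    try:
        # Wayback timestamps are recorded in UTC.
        when = datetime.strptime(m["ts"], "%Y%m%d%H%M%S")
    except ValueError as exc:
        raise ValueError(f"impossible capture timestamp: {m['ts']}") from exc
    return when.replace(tzinfo=timezone.utc), m["original"]


def nearest_capture(page_time, available):
    """Pick the capture closest in time to page_time, earlier or later.

    This mirrors the link behaviour described in the text: the closest
    available date is used, not the closest prior date.
    """
    return min(available, key=lambda t: abs(t - page_time))


def link_resolves_later(page_url, linked_url):
    """True when a capture reached through a link postdates the page it was on."""
    page_time, _ = parse_capture_url(page_url)
    linked_time, _ = parse_capture_url(linked_url)
    return linked_time > page_time


if __name__ == "__main__":
    when, original = parse_capture_url(PAGE_CAPTURE)
    print(when.isoformat(), original)
```

When a capture was reached by following a link inside another capture, comparing the two timestamps with `link_resolves_later` shows whether the linked copy is newer than the page that pointed to it.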

³ For more information about the Internet Archive see the WayBack Machine FAQ, https://archive.org/about/faqs.php#The_Wayback_Machine.

D. Indexing

23. A researcher may discover material relevant to his or her topic in a variety of ways. One common means of discovery is to search for relevant information in an index of periodical and other publications. Having found relevant material, the researcher will then normally obtain it online, look for it in libraries, or purchase it from the publisher, a bookstore, a document delivery service, or other provider. Sometimes, the date of a document’s public accessibility will involve both indexing and library date information. However, date information for indexing entries is often unavailable. This is especially true for online indices.

24. Indexing services use a wide variety of controlled vocabularies to provide subject access and other means of discovering the content of documents. The formats in which these access terms are presented vary from service to service.

25. Before the widespread development of online databases to index articles in journals, magazines, conference papers, and technical reports, libraries purchased printed volumes of indices. Graduate library school education mandated that students learn about the bibliographic control of disciplines, the prominent indexing volumes, and searching strategies required to use them effectively and efficiently. Half of the courses that I studied in library school were focused on the bibliography and resources in academic disciplines.

26. Librarians consulted with information seekers to verify citations, check availability in union catalogs, printed books catalogs, and the OCLC database, and make formal requests for materials, e.g., books, conference proceedings, journal articles. Requests were transmitted using Telex machines, rudimentary email systems, and the United States Postal Service. During my career, I have performed and supervised staff who handled these resource sharing tasks.

27. A major firm known for the breadth of subjects and comprehensive treatment in the preparation of index volumes, the H. W. Wilson Company offered these reference resources since the firm was founded in 1898. The Reader’s Guide to Periodical Literature is one of the best-known titles available from H. W. Wilson. Each volume includes a comprehensive index for 300 of the most popular and important periodicals published in the United States and Canada. Information seekers have subject access expressed in plain language terminology, author access, and cross references to find the desired results from their searches. The family of index titles included Science & Technology Index, Business Periodicals, Applied Science & Technology Index, Humanities Index, Biological & Agricultural Index, and Industrial Arts Index. These printed indices have been superseded by digital database offerings available to information seekers through Ebsco.

28. Online indexing services commonly provide bibliographic information, abstracts, and full-text copies of the indexed publications, along with a list of the documents cited in the indexed publication. These services also often provide lists of publications that cite a given document. A citation of a document is evidence that the document was publicly available and in use no later than the publication date of the citing document.

IV. PUBLICATION

A. Classifying Network Traffic Using NBAR documentation

29. Exhibit 1008 is a true and correct copy of the technical documentation titled Classifying Network Traffic Using NBAR (hereafter “NBAR”), a module prepared by Cisco Systems, Incorporated and first issued on April 4, 2006 and updated on May 7, 2007 (see first page of the document).

30. The Wayback Machine indicates that the document titled Classifying Network Traffic Using NBAR is a chapter in the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.4T and has been available online since January 17, 2007 (see Attachment 1a). The NBAR document is available on the Internet from the Cisco Systems website (see Attachment 1b). The website indicates that it was last updated on April 3, 2006.⁴ I obtained the document filed as Exhibit 1008 from the Cisco Systems website by clicking on the “download” button in the right side of the screen and made the copies which comprise Exhibit 1008. Specifically, the text of the document titled Classifying Network Traffic Using NBAR is complete; no pages are missing, and the text on each page appears to flow seamlessly from one page to the next; further, there are no visible alterations to the document. Exhibit 1008 was found within the custody of the issuing agency – a place where, if authentic, a copy of this document would likely be. Exhibit 1008 is a true and correct copy in a condition that creates no suspicion about its authenticity. Based on the date recorded on the document, it is my opinion that Classifying Network Traffic Using NBAR was available to the public on April 3, 2006, or shortly thereafter.

⁴ https://www.cisco.com/c/en/us/td/docs/ios/12_4t/qos/configuration/guide/qsnbar1.html

V. SUMMARY OF OPINIONS

31. In view of the foregoing, it is my opinion that the publications described above were publicly available no later than the corresponding date listed in the table below:

Doc. | Publication | Publicly Available No Later Than
Ex. 1008 | Classifying Network Traffic Using NBAR. San José, CA: Cisco Systems, Inc., 2006. | April 3, 2006

32. In signing this Declaration, I recognize that the Declaration will be filed as evidence in a case before the Patent Trial and Appeal Board of the United States Patent and Trademark Office. I also recognize that I may be subject to cross-examination in the case and that cross-examination will take place within the United States. If cross-examination is required of me, I will appear for cross-examination within the United States during the time allotted for cross-examination.

33. I hereby declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are believed to be true, and further that these statements were made with the knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States Code.

November i, 2020

Sylvia D. Hall-Ellis, Ph.D.

ATTACHMENT 1A

11/4/2020

http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a008064fb35.html

Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.4T - Classifying Network Traffic Using NBAR [Cisco IOS Softwa…

[Wayback Machine banner: capture of 17 Jan 2007]
3 captures
17 Jan 2007 - 28 Jan 2007

Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.4T

Classifying Network Traffic Using NBAR

Table Of Contents
Classifying Network Traffic Using NBAR
Contents
Prerequisites for Using NBAR
Restrictions for Using NBAR
Information About Using NBAR
NBAR Functionality
NBAR Benefits
NBAR and Classification of HTTP Traffic
NBAR and Classification of Citrix ICA Traffic
NBAR and RTP Payload Type Classification
NBAR and Classification of Custom Protocols and Applications
NBAR and Classification of Peer-to-Peer File-Sharing Applications
NBAR and Classification of Streaming Protocols
NBAR and AutoQoS
NBAR-Supported Protocols
NBAR Memory Management
NBAR Protocol Discovery
NBAR Protocol Discovery MIB
NBAR Configuration Processes
Where to Go Next
Additional References
Related Documents
Standards
MIBs
RFCs
Technical Assistance
Glossary

Classifying Network Traffic Using NBAR
First Published: April 4, 2006
Last Updated: April 4, 2006

Network-Based Application Recognition (NBAR) is a classification engine that recognizes and classifies a wide variety of protocols and applications. When NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate quality of service (QoS) for that application or traffic with that protocol.

This module contains overview information about classifying network traffic using NBAR. The processes for configuring NBAR are documented in separate modules.

Note: This module includes information for both NBAR and Distributed Network-Based Application Recognition (dNBAR). dNBAR is NBAR used on the Cisco 7500 router with a Versatile Interface Processor (VIP) and the Catalyst 6000 family of switches with a FlexWAN module. The implementation of NBAR and dNBAR is identical. Therefore, unless otherwise noted, the term NBAR is used throughout this module to describe both NBAR and dNBAR. The term dNBAR is used only when applicable.

Contents
• Prerequisites for Using NBAR
• Restrictions for Using NBAR
• Information About Using NBAR
• Where to Go Next
• Additional References
• Glossary

Prerequisites for Using NBAR

CEF
Before you configure NBAR, you must enable Cisco Express Forwarding (CEF). For more information on CEF, see the Cisco IOS IP Switching Configuration Guide, Release 12.4.

Stateful Switchover Support
NBAR is currently not supported with Stateful Switchover (SSO). This restriction applies to the Catalyst 6500 switches, and to the Cisco 7500 and Cisco 7600 series routers.

Memory Requirements for dNBAR
To use dNBAR on a Cisco 7500 series router, you must be using a slot controller (or VIP processor) that has 64 MB of DRAM or more. Therefore, before configuring dNBAR on your Cisco 7500 series router, review the DRAM specifications for your particular slot controller or VIP processor.

https://web.archive.org/web/20070117042317/www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a008064fb35.html

Restrictions for Using NBAR

NBAR does not support the following:
• More than 24 concurrent URLs, hosts, or Multipurpose Internet Mail Extension (MIME) type matches.
• Matching beyond the first 400 bytes in a packet payload in Cisco IOS releases before Cisco IOS Release 12.3(7)T. In Cisco IOS Release 12.3(7)T, this restriction was removed, and NBAR now supports full payload inspection. The only exception is that NBAR can inspect custom protocol traffic for only 255 bytes into the payload.
• Non-IP traffic.
• Multiprotocol Label Switching (MPLS)-labelled packets. NBAR classifies IP packets only. You can, however, use NBAR to classify IP traffic before the traffic is handed over to MPLS. Use the Modular Quality of Service (QoS) Command-Line Interface (CLI) (MQC) to set the IP differentiated services code point (DSCP) field on the NBAR-classified packets and make MPLS map the DSCP setting to the MPLS experimental (EXP) setting inside the MPLS header.
• Multicast and other non-CEF switching modes.
• Fragmented packets.
• Pipelined persistent HTTP requests.
• URL/host/MIME classification with secure HTTP.
• Asymmetric flows with stateful protocols.
• Packets that originate from or that are destined to the router running NBAR.

NBAR is not supported on the following logical interfaces:
• Fast EtherChannel
• Dialer interfaces until Cisco IOS Release 12.2(4)T
• Interfaces where tunneling or encryption is used

Note: You cannot use NBAR to classify output traffic on a WAN link where tunneling or encryption is used. Therefore, you should configure NBAR on other interfaces of the router (such as a LAN link) to perform input classification before the traffic is switched to the WAN link.

Information About Using NBAR

Before classifying network traffic using NBAR, you should understand the following concepts:
• NBAR Functionality
• NBAR Benefits
• NBAR and Classification of HTTP Traffic
• NBAR and Classification of Citrix ICA Traffic
• NBAR and RTP Payload Type Classification
• NBAR and Classification of Custom Protocols and Applications
• NBAR and Classification of Peer-to-Peer File-Sharing Applications
• NBAR and Classification of Streaming Protocols
• NBAR and AutoQoS
• NBAR-Supported Protocols
• NBAR Memory Management
• NBAR Protocol Discovery
• NBAR Protocol Discovery MIB
• NBAR Configuration Processes

NBAR Functionality

NBAR is a classification engine that recognizes and classifies a wide variety of protocols and applications, including web-based and other difficult-to-classify applications and protocols that use dynamic TCP/UDP port assignments.

When NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate QoS for that application or traffic with that protocol. The QoS is applied using the Modular Quality of Service Command-Line Interface (MQC).

Note: For more information about NBAR and its relationship with the MQC, see the "Configuring NBAR Using the MQC" module.

Examples of the QoS features that can be applied to the network traffic (using the MQC) after NBAR has recognized and classified the application or protocol include the following:
• Class-Based Marking
• Class-Based Weighted Fair Queuing (CBWFQ)
• Low Latency Queuing (LLQ)
• Traffic Policing
• Traffic Shaping

Note: For more information about the QoS features, see the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.4T.

NBAR introduces several classification features that identify applications and protocols from Layer 4 through Layer 7. These classification features include the following:
• Statically assigned TCP and UDP port numbers.
• Non-TCP and non-UDP IP protocols.
• Dynamically assigned TCP and UDP port numbers.
  This kind of classification requires stateful inspection; that is, the ability to inspect a protocol across multiple packets during packet classification.
• Subport classification or classification based on deep-packet inspection.
  Deep-packet classification is classification performed at a finer level of granularity. For instance, if a packet is already classified as HTTP traffic, it may be further classified by HTTP traffic with a specific URL.

Note: Access control lists (ACLs) can also be used for classifying static port protocols. However, NBAR is easier to configure, and NBAR can provide classification statistics that are not available when ACLs are used.

NBAR includes a Protocol Discovery feature that provides an easy way to discover application protocols that are operating on an interface. For more information about Protocol Discovery, see the "Enabling Protocol Discovery" module.

Note: NBAR classifies network traffic by application or protocol. Network traffic can be classified without using NBAR. For information about classifying network traffic without using NBAR, see the "Classifying Network Traffic" module of the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.4.

NBAR Benefits

Improved Network Management
Identifying and classifying network traffic is an important first step in implementing QoS. A network administrator can more effectively implement QoS in a networking environment after identifying the amount and the variety of applications and protocols that are running on a network.

NBAR gives network administrators the ability to see the variety of protocols and the amount of traffic generated by each protocol. After gathering this information, NBAR allows users to organize traffic into classes. These classes can then be used to provide different levels of service for network traffic, thereby allowing better network management by providing the right level of network resources for network traffic.

NBAR and Classification of HTTP Traffic

This section includes information about the following topics:
• Classification of HTTP Traffic by URL, Host, or MIME
• Classification of HTTP Traffic Using the HTTP Header Fields
• Combining Classification of HTTP Headers and URL, Host, or MIME Type to Identify HTTP Traffic

Classification of HTTP Traffic by URL, Host, or MIME

NBAR can classify application traffic by looking beyond the TCP/UDP port numbers of a packet. This is subport classification. NBAR looks into the TCP/UDP payload itself and classifies packets based on content within the payload such as the transaction identifier, message type, or other similar data.

Classification of HTTP traffic by URL, host, or Multipurpose Internet Mail Extension (MIME) type is an example of subport classification. NBAR classifies HTTP traffic by text within the URL or host fields of a request using regular expression matching. HTTP URL matching in NBAR supports most HTTP request methods such as GET, PUT, HEAD, POST, DELETE, and TRACE. The NBAR engine then converts the specified match string into a regular expression.

NBAR recognizes HTTP packets that contain the URL and classifies all packets that are sent to the source of the HTTP request. Figure 1 illustrates a network topology with NBAR in which Router Y is the NBAR-enabled router.

Figure 1 Network Topology with NBAR

When specifying a URL for classification, include only the portion of the URL that follows the www.hostname.domain in the match statement. For example, for the URL www.cisco.com/latest/whatsnew.html, include only /latest/whatsnew.html.

Host specification is identical to URL specification. NBAR performs a regular expression match on the host field contents inside an HTTP packet and classifies all packets from that host. For example, for the URL www.cisco.com/latest/whatsnew.html, include only www.cisco.com.
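
The URL and host matching rules above can be tried out with a small model. The Python sketch below is an added example, not Cisco code and not the NBAR engine: it separates the URL field from the host field of a request, converts each match string to a regular expression, enforces the limit of 24 matches, and returns no class for a payload that is not cleartext HTTP. Treating `*` as the only wildcard, the class and function names, and the sample payloads are all assumptions of this sketch.

```python
import re

MAX_MATCHES = 24  # the module's stated limit on concurrent URL/host/MIME matches
METHODS = ("GET", "PUT", "HEAD", "POST", "DELETE", "TRACE")  # methods the module names

# Constructed sample payloads (not captured traffic).
REQUEST = (b"GET /latest/whatsnew.html HTTP/1.1\r\n"
           b"Host: www.cisco.com\r\nAccept: */*\r\n\r\n")
TLS_RECORD = b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a"  # shaped like the start of a TLS handshake


def to_regex(match_string):
    """Convert a match string to a regex.

    Assumption of this sketch: '*' is the only wildcard, and the pattern may
    match anywhere inside the field ("text within the URL or host fields").
    """
    return re.compile(".*".join(re.escape(p) for p in match_string.split("*")))


def parse_request(payload):
    """Return (url_field, host_field) for a cleartext HTTP request, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith("HTTP/"):
        return None  # encrypted or non-HTTP payloads have no readable request line
    target = parts[1]
    # An absolute-form target carries the host; the URL field is what follows it.
    absolute = re.match(r"^[a-z]+://[^/]+(/.*)?$", target, re.I)
    if absolute:
        target = absolute.group(1) or "/"
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    return target, host


class HttpClassifier:
    """Ordered list of (class, field, regex) rules; the first match wins."""

    def __init__(self):
        self.rules = []

    def add_match(self, traffic_class, field, match_string):
        if field not in ("url", "host"):
            raise ValueError("field must be 'url' or 'host'")
        if len(self.rules) >= MAX_MATCHES:
            raise ValueError("limit of 24 concurrent matches reached")
        self.rules.append((traffic_class, field, to_regex(match_string)))

    def classify(self, payload):
        request = parse_request(payload)
        if request is None:
            return None
        fields = {"url": request[0], "host": request[1]}
        for traffic_class, field, pattern in self.rules:
            if pattern.search(fields[field]):
                return traffic_class
        return None


if __name__ == "__main__":
    c = HttpClassifier()
    c.add_match("FULL-URL", "url", "www.cisco.com/latest/whatsnew.html")  # never matches
    c.add_match("WHATSNEW", "url", "/latest/whatsnew.html")               # matches
    print(c.classify(REQUEST), c.classify(TLS_RECORD))
```

The first rule in the demo never fires because the URL field holds only the part after the host name, which is why the match statement must leave the host name out.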

For MIME type matching, the MIME type can contain any user-specified text string. A list of the Internet Assigned Numbers Authority (IANA)-supported MIME types can be found at the following URL:
ftp://ftp.isi.edu/in-notes/iana/assignments/media-types/media-types

In MIME type matching, NBAR classifies the packet that contains the MIME type and all subsequent packets, which are sent to the source of the HTTP request.

NBAR supports URL and host classification in the presence of persistent HTTP. NBAR does not classify packets that are part of a pipelined request. With pipelined requests, multiple requests are pipelined to the server before previou