NBAR Reporting
What is NBAR?
NBAR (Network Based Application Recognition) is an intelligent classification
engine in Cisco IOS Software that can recognize a wide variety of applications
like Web-based and client/server applications. It can analyze & classify
application traffic in real time. NBAR is supported in most Cisco switches
and routers and this information is available via SNMP. Click here
to view the list of protocols that are recognized by NBAR.
Why do I need NBAR?
NBAR, by adding intelligent network classification to your infrastructure,
helps ensure that network bandwidth is used efficiently by working
with the QoS (Quality of Service) feature. With NBAR, network-traffic classification
becomes possible, so you can see how much of, say, HTTP traffic
is flowing. Knowing this, QoS standards can be set. Unlike NetFlow,
which relies on port & protocol for application categorization, NBAR
performs deep-packet inspection and allows you to recognize applications
that use dynamic ports. The NBAR approach is also useful in dealing with
malicious software that uses known ports to pose as "priority traffic",
as well as non-standard applications that use non-deterministic ports.
How do I enable NBAR?
You will first have to check whether your router supports NBAR. Please
visit here to know about
the Platforms & IOS that support NBAR. NBAR can be enabled only on
those interfaces which are identified by NetFlow Analyzer.
If your router supports NBAR, then you will have to enable NBAR on each
interface from which you want to collect NBAR statistics.
NBAR can be enabled in two ways:
Enabling on the device
The following is a set of commands issued on a router to enable NBAR
on the FastEthernet 0/1 interface.
router-2621>enable
Password:*****
router-2621#configure terminal
router-2621(config)#ip cef
router-2621(config)#interface FastEthernet 0/1
router-2621(config-if)#ip nbar protocol-discovery
router-2621(config-if)#exit
router-2621(config)#exit
router-2621#show ip nbar protocol-discovery
Please note that the interface-level commands (from interface FastEthernet 0/1
to the first exit) have to be repeated for each interface individually.
Enabling from NetFlow Analyzer User Interface
Alternatively, you may check the router's NBAR support status and also
enable NBAR on the interfaces from NetFlow Analyzer's NBAR Configuration
page. The steps to enable from the User Interface are:
- Under NBAR enabled interfaces: You will first have
to enable NBAR on an interface before you can start collecting NBAR data.
This step allows you to enable NBAR on the interface. Enabling NBAR on
the interface is done through SNMP and requires the SNMP write community.
- Use the "Click Here" link to enable
NBAR on interfaces.
- Set SNMP Read Community, SNMP Write Community
& the Port, in case you want to alter the default parameters. The
values given during installation are prepopulated in the screen.
- Click on "Check Status" to see if the interfaces
on the router have NBAR enabled on them. Click on "Check all Status"
at the top of the window to know the NBAR support status of all the interfaces
(under various routers). At the end of the status check, a message is displayed
at the bottom of the window (of each router pane). If NBAR has been enabled
on the interfaces, then the message "Success:
NBAR status of the interfaces updated" is displayed. If the
Check Status operation did not succeed, due to an SNMP error or request time-out,
then the message "SNMP Error: NBAR status of
the interfaces not updated" is displayed. Also, NBAR support
is displayed as 'Yes' or 'Unknown'
under the router name, as the case may be.
- In the right pane, the status of each
interface is shown under "NBAR Status". If NBAR is enabled on
all interfaces, then the status is shown as "Enabled"
against each of the interfaces in that router.
- Select the interfaces you want NBAR to be
enabled on (which are currently not enabled).
- Click on "Enable NBAR".
- If NBAR is enabled on the interface, then
the status will be displayed as "Enabled"
against each of the selected interfaces. If NBAR cannot be enabled on
the interface, then the status will be displayed in red (Unknown
or Disabled).
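A check of the two prerequisites described above (protocol discovery enabled per interface, and the SNMP write community that the user interface relies on), as an added example that is not part of the original page or the product. It parses a saved running-config and reports interfaces without NBAR and read-write communities that no access list restricts; the sample config, the community names and the function name audit_config are constructed for illustration.

```python
# Added example: audit an IOS-style running-config for the NBAR prerequisites.
# SAMPLE_CONFIG is constructed for illustration, not taken from a real device.
SAMPLE_CONFIG = """\
ip cef
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip nbar protocol-discovery
!
access-list 10 permit 192.0.2.50
snmp-server community EXAMPLE-RO RO 10
snmp-server community EXAMPLE-RW RW
"""


def audit_config(text):
    """Return CEF, per-interface NBAR and SNMP write-community findings."""
    report = {"cef": False, "nbar_on": [], "nbar_off": [], "open_rw": []}
    nbar = {}       # interface name -> protocol discovery enabled?
    current = None  # interface whose sub-commands are being read
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        words = line.split()
        if not line.startswith(" "):
            current = None  # any top-level line closes the interface block
        if current is None and words[:2] == ["ip", "cef"]:
            report["cef"] = True
        elif words[:1] == ["interface"] and len(words) > 1:
            current = " ".join(words[1:])
            nbar[current] = False
        elif current and words == ["ip", "nbar", "protocol-discovery"]:
            nbar[current] = True
        elif words[:2] == ["snmp-server", "community"] and len(words) > 3:
            opts = words[3:]
            if opts[0] == "view":  # skip "view <name>" before the mode
                opts = opts[2:]
            # "RW" with nothing after it means no access list limits writers.
            if len(opts) == 1 and opts[0].upper() == "RW":
                report["open_rw"].append(number)  # line number, not the secret
    report["nbar_on"] = [name for name, on in nbar.items() if on]
    report["nbar_off"] = [name for name, on in nbar.items() if not on]
    return report


if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
```

Findings list config line numbers rather than community strings, so the report can be shared without exposing the write credential.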
How do I disable NBAR?
Disabling NBAR can be done in two ways.
Disabling on the device
The following is a set of commands issued on a router to disable NBAR
on the FastEthernet 0/1 interface.
router-2621>enable
Password:*****
router-2621#configure terminal
router-2621(config)#interface FastEthernet 0/1
router-2621(config-if)#no ip nbar protocol-discovery
router-2621(config-if)#exit
router-2621(config)#exit
Please note that the interface-level commands (from interface FastEthernet 0/1
to the first exit) have to be repeated for each interface individually.
Disabling from NetFlow Analyzer User Interface
The steps to disable from the User Interface are:
- Under NBAR enabled interfaces: This step allows you
to disable NBAR on the interface. Disabling NBAR on the device is done
through SNMP and requires you to provide the SNMP write community.
- Click on "Modify Interfaces".
- Set SNMP Read Community, SNMP Write Community
& the Port, in case it is not already set.
- Select the interfaces on which you want to
disable NBAR and click on "Disable NBAR".
- If NBAR is disabled on the interface, then
the status will be displayed as "Disabled"
against each of the selected interfaces. If NBAR cannot be disabled on
the interface, then the status will be displayed in red (Unknown
or Enabled).
Polling
What is Polling - The process
of sending SNMP requests periodically to the device to retrieve information
(traffic usage / interface statistics in this case) is termed polling.
A low polling interval (of say 5 minutes) gives you granular reports but
may place an increased load on your server if you poll a large number of
interfaces. The time-out value needs to be set to a higher value in case your
routers are at remote locations.
After NBAR has been enabled on selected interfaces, polling can be
started on those interfaces.
Start Polling
Polling can be done on those interfaces on which NBAR has been enabled
earlier. Please do the following to start polling on an interface:
- Under "Polling for NBAR data":
- Use the "click here" link to invoke
the screen which lists the NBAR enabled interfaces.
- Select the interfaces on which you want to do
polling.
- Set the Polling Parameters - the Polling Interval
& the Time Out. The Polling Interval decides the frequency at which
the NetFlow Analyzer server will poll the device. Time Out is the amount
of time for which the NetFlow Analyzer server waits for the SNMP response
from the device.
- Click "Update" to
update the Polling Parameters.
Stop Polling
Polling can be stopped on those interfaces by following these steps.
- Under "Polling for NBAR data":
- Use the "Modify Poll Parameters" link
to invoke the screen, which lists the already polled interfaces with the
check box selected and the "Polling Status" set as "Polling".
- Unselect the interfaces on which you want
to stop polling.
- Click "Update"
to stop polling.
The default NBAR data storage period is 2 months. You can change the
storage period from Raw Data Settings under the Settings
page.
Copyright © 2008,
ZOHO Corp. All Rights Reserved.
ManageEngine