NBAR Reporting


What is NBAR?

 

NBAR (Network Based Application Recognition) is an intelligent classification engine in Cisco IOS Software that can recognize a wide variety of applications like Web-based and client/server applications. It can analyze & classify application traffic in real time. NBAR is supported in most Cisco switches and routers and this information is available via SNMP. Click here to view the list of protocols that are recognized by NBAR.

 

 

Why do I need NBAR?

 

NBAR, by adding intelligent network classification to your infrastructure, helps in ensuring that the network bandwidth is used efficiently by working with QoS(Quality Of Service ) feature. With NBAR, network-traffic classification becomes possible and by this we can know how much of say , HTTP traffic is going on. By knowing this, QoS standards can be set. Unlike NetFlow, which relies on port & protocol for application categorization, NBAR performs a deep-packet inspection and allows you to recognize applications that use dynamic ports. Also, the NBAR approach is useful in dealing with malicious software using known ports to fake being "priority traffic", as well as non-standard applications using non-determinaly ports.

 

 

How do I enable NBAR?

You will first have to check whether your router supports NBAR. Please visit here to know about the Platforms & IOS that support NBAR. NBAR can be enabled only on those interfaces which are identified by NetFlow Analyzer.

 

If your router supports NBAR, then you will have to enable NBAR on each of the interface that you want to collect NBAR statistics.

NBAR can be enabled in two ways:

 

Enabling on the device

The following is a set of commands issued on a router to enable NBAR on the FastEthernet 0/1 interface.

 

router#enable
Password:*****
router#configure terminal

router-2621(config)#ip cef
router-2621(config)#interface FastEthernet 0/1
router-2621(config-if)#ip nbar protocol-discovery
router-2621(config-if)#exit

router-2621(config)#exit
router-2621(config)#show ip nbar protocol-discovery

 

Important Please note that the part in red has to be repeated for each interface individually.

Back

Enabling from NetFlow Analyzer User Interface

Alternately, you may check the router's NBAR supported status and also enable NBAR on the interfaces from the NetFlow Analyzer's NBAR Configuration page. The steps to enable from User Interface are:

  1. Under NBAR enabled interfaces : You will first have to enable NBAR on an interface before you can start collecting NBAR data. This step allows you to enable NBAR on the interface. Enabling NBAR on the interface is done through SNMP and requires SNMP write community.
      1. Use the "Click Here" link to enable NBAR on Interfaces.
      2. Set SNMP Read Community, SNMP Write Community & the Port, in case you want to alter the default parameters. The values given during installation are prepopulated in the screen.
      3. Click on "Check Status" to see if the interfaces on the router have NBAR enabled on them. Click on "Check all Status" at the top of the window to know the NBAR support status of all the interfaces (under various routers). At the end of the status check a message is displayed at the bottom of the window( of each router pane). If NBAR has been enabled on the interfaces then the message " Success : NBAR status of the interfaces updated" is displayed. If the Check Status operation didnt succeed, due to SNMP error or Request Time-Out, then the message "SNMP Error : NBAR status of the interfaces not updated" is displayed. Also NBAR support is displayed as 'Yes' or 'Unknown' under the router name as the case may be.
        • In the right pane the status of each interface is shown under "NBAR Status". If NBAR is enabled on all interfaces then the status is shown as "Enabled" against each of the interfaces in that router.
      4. Select the interfaces you want NBAR to be enabled on(which are currently not enabled).
      5. Click on "Enable NBAR".
      6. If NBAR is enabled on the interface then the status will be displayed as "Enabled" against each of the selected interfaces. If NBAR cannot be enabled on the interface then the status will be displayed in red (Unknown or Disabled).

Back

How do I disable NBAR?

Disabling NBAR can be done in two ways.

 

Disabling on the device

The following is a set of commands issued on a router to disable NBAR on the FastEthernet 0/1 interface.

 

router#enable
Password:*****
router#configure terminal
router-2621(config)#interface FastEthernet 0/1
router-2621(config-if)#no ip nbar protocol-discovery
router-2621(config-if)#exit

router-2621(config)#exit

 

Important Please note that the part in red has to be repeated for each interface individually.

Disabling from NetFlow Analyzer User Interface

The steps to disable from User Interface are:

  1. Under NBAR enabled interfaces: This step allows you to disable NBAR on the interface. Disabling NBAR on the device is done through SNMP and requires you to provide the SNMP write community.
      1. Click on "Modify Interfaces".
      2. Set SNMP Read Community, SNMP Write Community & the Port, in case it is not already set.
      3. Select the interfaces on which you want to disable NBAR and click on "Disable NBAR".
      4. If NBAR is disabled on the interface then the status will be displayed as "Disabled" against each of the selected interfaces. If NBAR cannot be disabled on the interface then the status will be displayed in red (Unknown or Enabled).

Polling

What is Polling - The process of sending the SNMP request periodically to the device to retrieve information ( Traffic usage/ Interface Statistics in this case ) is termed polling. A low polling interval (of say 5 minutes) gives you granular reports but may place an increased load on your server if you poll large amount of interfaces. Time out value needs to be set to a higher value in case your routers are at remote locations.

 

After NBAR has been enabled on select interfaces the polling can be started on those interfaces.

 

 

Start Polling

Polling can be done on those interfaces on which NBAR has been enabled earlier.Please do the following to start polling on an interface:


  1. Under "Polling for NBAR data" :
      1. Use the link "click here " to invoke the screen which lists the NBAR enabled interfaces.
      2. Select the interfaces on which you want to do polling.
      3. Set the Polling Parameters - the Polling Interval & the Time Out. The Polling interval decides the frequency at which the NetFlow Analyzer server will poll the device. Time out is the amount of time for which NetFlow Analyzer server waits for the SNMP response from the device.
      4. Click "Update" to update the Polling Parameters.

Stop Polling

Polling can be stopped on those interfaces by following these steps.

  1. Under "Polling for NBAR data" :
      1. Use the "Modify Poll Parameters" to invoke the screen, which lists the already polled interfaces with the check box selected and the "Polling Status" set as "Polling".
      2. Unselect the interfaces on which you want to stop polling.
      3. Click "Update" to stop polling.
The default NBAR data storage period is 2 months. You can change the storage period from Raw Data Settings under Settings page.
Copyright © 2019, ZOHO Corp. All Rights Reserved.
ManageEngine