Using Cisco NBAR to Monitor Traffic Protocols on Your Network

Posted in Networking

Many network administrators already know how to use tools like Cacti or MRTG to monitor the usage on their network links. (If you don't, let me know and I'll show you how.) Unfortunately, those tools only reveal part of the story. They show you how much traffic is traversing a link, but not what kind of traffic is traversing a link. The difference may not be that important until your corporate DS3 is hitting 42 Mbps and you have no idea why.

What is NBAR (Network Based Application Recognition)?

According to Cisco:

NBAR is an intelligent classification engine in Cisco IOS Software that can recognize a wide variety of applications, including Web-based and client/server applications.

In layman's terms, NBAR examines traffic on a designated router interface and makes note of what application the traffic is associated with. It does this by mapping traffic ports to protocols (e.g. 25/TCP is SMTP), but it also recognizes traffic with no standard port number, like various P2P (peer-to-peer) protocols. The primary purpose of NBAR is to recognize the traffic on an interface so that QoS (Quality of Service) policies can be applied to it. This is a big step forward compared to clunky ACLs (Access Control Lists), which require exact protocol and port matching.

QoS? I just want to know what's going on!

Nothing could be simpler. If your release of IOS supports NBAR, simply add the 'ip nbar protocol-discovery' configuration command to the interface that your users are using as their default gateway. For example:

SLAP#config t
Enter configuration commands, one per line. End with CNTL/Z.
SLAP(config)#interface FastEthernet0/0
SLAP(config-if)#ip nbar protocol-discovery
SLAP(config-if)#^Z
SLAP#wr
Building configuration...
[OK]
SLAP#

Once NBAR is gathering data, you can use the 'show ip nbar resources' command to see how much memory it's taking up. As long as the numbers are acceptable, you can leave NBAR protocol discovery running as long as you like. To see the really interesting information, issue 'show ip nbar protocol-discovery' and look at all the protocols flowing to (and perhaps through) your router. In the screenshot (output of 'show ip nbar protocol-discovery top-n 6' on SLAP), you can see that I've limited the output by using the 'top-n' variant of the above command.
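To turn the discovery table into something you can baseline, here is an added example (not part of the original post) that parses saved 'show ip nbar protocol-discovery' output and ranks protocols by total bytes. The sample text is constructed and its column layout is an assumption, since the layout varies by IOS release; parse_discovery and top_by_bytes are hypothetical helper names.

```python
import re
# Constructed sample, modelled on the three-row-per-protocol layout of
# 'show ip nbar protocol-discovery'; real output varies by IOS release.
SAMPLE = """\
 FastEthernet0/0
                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   http                     316773                   295012
                            26340105                 401233980
                            3000                     41000
   bittorrent               120455                   98012
                            98120334                 77345120
                            812000                   640000
   smtp                     4021                     3877
                            2810334                  310220
                            0                        0
   Total                    441249                   396901
                            127270773                478889320
                            815000                   681000
"""

ROW = re.compile(r"^\s*(?:([A-Za-z][\w.-]*)\s+)?(\d+)\s+(\d+)\s*$")
FIELDS = ("packets", "bytes", "bps")

def parse_discovery(text):
    """Return {protocol: {field: (input, output)}} for one interface."""
    stats, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # interface name, column headers, separator
        if m.group(1):
            current = stats.setdefault(m.group(1), {})
        if current is not None and len(current) < len(FIELDS):
            current[FIELDS[len(current)]] = (int(m.group(2)), int(m.group(3)))
    return stats

def top_by_bytes(stats, n=3):
    """Rank protocols by input+output bytes, skipping the Total row."""
    rows = [(sum(s["bytes"]), p) for p, s in stats.items()
            if p != "Total" and "bytes" in s]
    return [(p, b) for b, p in sorted(rows, reverse=True)[:n]]

if __name__ == "__main__":
    print(top_by_bytes(parse_discovery(SAMPLE)))
```

Run it over output captured at intervals and compare the ranking against a known-good baseline to spot protocols that should not be on the link.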
