This document briefly describes the NBAR2 configuration on Cisco devices and some useful diagnostic commands.
NBAR2 is part of the Flexible NetFlow (FNF) configuration. For FNF to be configured correctly, all three parts must be configured: flow record, flow exporter and flow monitor.
The following is the recommended configuration:
flow record SolarwindsNetflow
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect transport tcp flags
 collect interface input
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application name
The command "collect application name" is crucial for NBAR2: it enables sending the AppID in each flow.
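flow exporter SolarwindsNetflow
 ! <collector-ip> is a placeholder for the address of the NetFlow collector
 destination <collector-ip>
 transport udp 2055
 template data timeout 60
 option application-table timeout 60
 option application-attributes timeout 300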
The command "option application-table" is important for NBAR2: it enables sending a list of all applications that can be classified using NBAR2, including those created manually. Here it is sent with a timeout of 60 seconds.
The command "option application-attributes" enables sending the categories for all applications. Here it is sent with a timeout of 300 seconds.
flow monitor SolarwindsNetflow
 record SolarwindsNetflow
 exporter SolarwindsNetflow
 cache timeout active 60
The flow monitor ties the flow record and the flow exporter together. More than one exporter, record and monitor can be configured at the same time.
The configuration then has to be assigned to the interface from which we want to monitor NetFlow.
interface GigabitEthernet0/0/1
 ip flow monitor SolarwindsNetflow input
 ip flow monitor SolarwindsNetflow output
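An added example, not part of the original article and not SolarWinds or Cisco tooling: a Python check that the four pieces described above (flow record, flow exporter, flow monitor, interface assignment) are all in place for NBAR2 export. The function names and the sample configuration are constructed for illustration, and the parser assumes the indentation used by "show running-config".

```python
import re

# Constructed sample excerpt; "option application-attributes" is left out on purpose.
SAMPLE_CONFIG = """\
flow record SolarwindsNetflow
 collect application name
flow exporter SolarwindsNetflow
 transport udp 2055
 option application-table timeout 60
flow monitor SolarwindsNetflow
 record SolarwindsNetflow
 exporter SolarwindsNetflow
interface GigabitEthernet0/0/1
 ip flow monitor SolarwindsNetflow input
"""

def parse_sections(config):
    """Map each top-level line (e.g. 'flow record X') to its indented sub-commands."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0].isspace():
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line.strip()
            sections[current] = []
    return sections

def audit_nbar2(config):
    """Return a list of findings; an empty list means every NBAR2 export piece is present."""
    s, findings = parse_sections(config), []
    monitors = {k.split()[2]: v for k, v in s.items() if k.startswith("flow monitor ")}
    applied = {m.group(1) for k, v in s.items() if k.startswith("interface ")
               for c in v if (m := re.match(r"ip flow monitor (\S+) (input|output)", c))}
    for name, cmds in monitors.items():
        if name not in applied:
            findings.append(f"monitor {name}: not applied to any interface")
        rec = next((c.split()[1] for c in cmds if c.startswith("record ")), None)
        exps = [c.split()[1] for c in cmds if c.startswith("exporter ")]
        if rec is None or "collect application name" not in s.get(f"flow record {rec}", []):
            findings.append(f"monitor {name}: record lacks 'collect application name'")
        if not exps:
            findings.append(f"monitor {name}: no exporter attached")
        findings += [f"exporter {e}: missing '{opt}'" for e in exps
                     for opt in ("option application-table", "option application-attributes")
                     if not any(c.startswith(opt) for c in s.get(f"flow exporter {e}", []))]
    return findings
```

Run against the constructed sample, the audit returns a single finding for the missing "option application-attributes" line, which means flows would carry AppIDs but the collector would not receive application categories.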
The following commands are useful for diagnostic purposes:
show flow record "recordName"
show flow exporter "exporterName"
show flow monitor "monitorName"
show flow exporter statistics
show flow interface
The number of applications a device is able to recognize depends on the Protocol Pack that the device has installed. The Protocol Pack is basically a list of applications, together with their definitions and categories, that the device is able to recognize. The Protocol Pack is continuously updated by Cisco. Each new version typically brings a couple of new applications that the router is able to recognize and report.
To check the currently installed Protocol Pack, issue the following command:
show ip nbar version
NBAR software version: 20
NBAR minimum backward compatible version: 20
Loaded Protocol Pack(s):
Name: Advanced Protocol Pack
Publisher: Cisco Systems Inc.
NBAR Engine Version: 20
Creation Time: Wed Mar 25 13:17:24 UTC 2015
The currently installed Protocol Pack is version 14. A Protocol Pack can depend on the IOS version, so the user may have to upgrade IOS before installing a new Protocol Pack.
A list of all available applications can be viewed by issuing the following command:
show ip nbar protocol-id
Flow with Application ID:
If the application attributes are configured (command "option application-attributes"), the device periodically sends the list of attributes for all applications in the following format: