Submit a ticketCall us

Webinar: Web Help Desk for HR, Facilities and Accounting Departments
This webinar will focus on use cases for HR, Facilities and Accounting.

Having a unified ticketing and asset management system for all the departments in your company can provide end-users with a seamless experience and make things easier for your IT team. Yet, with different business tasks and objectives, many departments don’t fully understand the capabilities of Web Help Desk and how the software can be customized for effective use in their departments.
Register Now.

Home > Success Center > Netflow Traffic Analyzer (NTA) > NTA 4.2.3 Administrator Guide > Get started with NTA > Set up NBAR2 on Cisco devices

Set up NBAR2 on Cisco devices

Network Based Application Recognition (NBAR) is the mechanism used by certain Cisco routers and switches to recognize a dataflow by inspecting some of the packets sent. SolarWinds NTA 4.2 supports unknown traffic detection and advanced application recognition through NBAR2.

First, configure your Cisco devices to send NBAR2 data to SolarWinds NTA. Second, add those devices as nodes in SolarWinds NPM and SolarWinds NTA.

The following values are examples used in the commands below:

  • NTArec
  • NTAexp
  • NTAmon
  • GigabitEthernet0/1
  • 10.10.10.10

Create a new Flexible NetFlow configuration

Add the flow record

This process is similar to creating a standard NetFlow configuration. In this case, you add the collect application name command to enable the sending of AppID in each flow.

flow record NTArec
	match ipv4 tos
	match ipv4 protocol
	match ipv4 source address
	match ipv4 destination address
	match transport source-port
	match transport destination-port
	match interface input
	collect interface output
	collect counter bytes
	collect counter packets
	collect application name
exit

Add the flow exporter

The option application-table command enables the sending of a list of applications that can be classified using NBAR2, including applications that were manually created. The option application-attributes command enables the sending of categories for all applications.

flow exporter NTAexp
	destination 10.10.10.10
	source GigabitEthernet0/1
	transport udp 2055
	export-protocol netflow-v9
	template data timeout 60
	option application-table timeout 60
	option application-attributes timeout 300
exit

Add the flow monitor

The flow monitor connects the flow recorder and the flow exporter. You can configure multiple recorders, exporters, and monitors at once.

flow monitor NTAmon
	description NetFlow nbar
	record NTArec
	exporter NTAexp
	cache timeout inactive 30
	cache timeout active 60
exit

When receiving long flows, these values may need to be adjusted, see Troubleshoot Long Flow Errors for more details. For more information about the timeout values, refer to the Cisco NetFlow Command Reference.

Apply the monitor on an interface

Assign the Flexible NetFlow configuration to the interface from which to monitor NetFlow.

interface GigabitEthernet0/1
	ip flow monitor NTAmon input
	ip flow monitor NTAmon output
exit

Diagnostic commands

show flow record "recordName"
show flow export "exporterName"
show flow monitor "monitorName"
show flow exporter statistics
show flow interface

Determine the applications your device can recognize

The Protocol Pack is a list of applications, definitions, and categories that your device can recognize.

Check the Protocol Pack version

show ip nbar version

View a list of the available applications

show ip nbar protocol-id

Edit an existing record

If you edit an existing record that is in use, you receive the following error:

% Flow Record: Flow Record is in use. Remove from all clients before editing.

To resolve this error, remove the connection between the monitor, record, and interface.

Disable the connection

interface GigabitEthernet0/1
	no ip flow monitor NTAmon input
	no ip flow monitor NTAmon output
exit

Add the application recognition field into the record

flow record NTArec
	collect application name
exit

Add the application recognition field into the exporter

flow exporter NTAexp
	option application-table timeout 60
	option application-attributes timeout 300

Restore the connection

interface GigabitEthernet0/1
	ip flow monitor NTAmon input
	ip flow monitor NTAmon output
exit
 
Last modified
06:50, 13 Apr 2017

Tags

Classifications

Public