Device Configuration for NBAR
Overview
This page describes the router configuration needed to use NBAR on Cisco routers for Highlight application visibility.
Application visibility can alternatively be enabled using Flow; see the Flow configuration page for details.
Device setup for NBAR
Highlight must be able to reach the device via SNMP; see the basic SNMP configuration page. Highlight does NOT require 'write' access to the router to collect NBAR information, so a read-only SNMP community or user is sufficient.
To enable NBAR on the device you will need to make two changes on the router:
enable Cisco Express Forwarding, which activates the type of packet switching necessary for NBAR; and
enable NBAR protocol discovery on the required interface.
As an example, assuming the interface on which you want to collect NBAR statistics is GigabitEthernet0/0, enter the following commands on the router:
ip cef
!
interface GigabitEthernet0/0
ip nbar protocol-discovery
We strongly recommend you do not enable NBAR on more than one interface. Although configuring NBAR on multiple interfaces will not in itself cause performance problems, it can cause inaccuracies in the collected statistics, because traffic routed between two monitored interfaces is counted on both.
If (and only if) SNMP Views have been used to restrict Highlight access, the following view must be added, replacing HighlightVIEW with the view-name you have used:
snmp-server view HighlightVIEW ciscoNBARProtocolDiscoveryMIB included
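The three checks above (CEF on, protocol discovery on exactly one interface, and the NBAR MIB included in any SNMP view that restricts Highlight's access) are easy to verify by hand on one router and easy to get wrong across many. The following script, added here as an illustration and not part of Highlight or Cisco IOS, audits a saved running-config for those points. The two config fragments are constructed for the example; the view name HighlightVIEW and the community name are assumptions. Community strings are parsed but deliberately never included in the findings.

```python
import re

NBAR_MIB = "ciscoNBARProtocolDiscoveryMIB"

# Constructed running-config fragments (not captured from a real router).
# BAD_CONFIG has protocol-discovery on two interfaces and a view that
# omits the NBAR MIB; GOOD_CONFIG follows the guidance above.
BAD_CONFIG = """\
!
ip cef
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip nbar protocol-discovery
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip nbar protocol-discovery
!
snmp-server view HighlightVIEW system included
snmp-server community HlReadOnly view HighlightVIEW RO
end
"""

GOOD_CONFIG = """\
!
ip cef
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip nbar protocol-discovery
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
snmp-server view HighlightVIEW system included
snmp-server view HighlightVIEW ciscoNBARProtocolDiscoveryMIB included
snmp-server community HlReadOnly view HighlightVIEW RO
end
"""

VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)$")
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: view (\S+))?")


def parse_config(text):
    """Pull the NBAR-relevant facts out of an IOS running-config."""
    cef = False
    nbar_ifaces = []
    views = {}        # view name -> set of subtrees marked 'included'
    communities = []  # (community string, view name or None)
    current_iface = None
    for raw in text.splitlines():
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:
            current_iface = None  # any non-indented line ends an interface block
        if line == "ip cef":
            cef = True
        elif line == "no ip cef":
            cef = False
        elif line.startswith("interface "):
            current_iface = line.split(None, 1)[1]
        elif line == "ip nbar protocol-discovery" and current_iface:
            nbar_ifaces.append(current_iface)
        elif (m := VIEW_RE.match(line)):
            name, subtree, action = m.groups()
            views.setdefault(name, set())
            if action == "included":
                views[name].add(subtree)
        elif (m := COMMUNITY_RE.match(line)):
            communities.append(m.groups())
    return cef, nbar_ifaces, views, communities


def audit_nbar_config(text):
    """Return a list of findings; an empty list means the config meets the guidance."""
    cef, ifaces, views, communities = parse_config(text)
    findings = []
    if not cef:
        findings.append("ip cef is not enabled; NBAR needs CEF switching")
    if not ifaces:
        findings.append("ip nbar protocol-discovery is not configured on any interface")
    elif len(ifaces) > 1:
        findings.append("ip nbar protocol-discovery is enabled on %d interfaces (%s); "
                        "statistics may be inaccurate" % (len(ifaces), ", ".join(ifaces)))
    reported = set()
    for _community, view in communities:
        # Only view-restricted communities need checking; an unrestricted one
        # already exposes the whole MIB tree. The community string is never
        # written into a finding.
        if view is not None and view not in reported:
            if NBAR_MIB not in views.get(view, set()):
                findings.append("SNMP view %s does not include %s" % (view, NBAR_MIB))
                reported.add(view)
    return findings


if __name__ == "__main__":
    for label, cfg in (("BAD", BAD_CONFIG), ("GOOD", GOOD_CONFIG)):
        print(label, audit_nbar_config(cfg) or ["no findings"])
```

Feed it the output of `show running-config` saved to a file; a config with no findings matches the setup described above.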
IOS Versions and Hardware
NBAR is supported on most Cisco platforms, down to and including 800-series routers, but you will need to be running the correct IOS version (Release / Build) and the correct image / feature set. Some routers may not be able to take enough memory (RAM or Flash) to support the image which supports NBAR, so check carefully. You should as a minimum have IOS Version 12.3.
The router must have a feature set (or, for IOS 15.x, a license) which supports NBAR, e.g. IP or IP PLUS. Some firewall or security feature sets, especially on smaller devices, may not support NBAR or the NBAR MIB. On IOS 15.x you will need the "advipservices" or "data" license; use show license on the router to check, or alternatively licence details are available from Reporting inventory.
Adding Customer specific 'Unknown' Applications
If the router is identifying a local customer application as 'unknown' in NBAR, that application can be defined on the router as a custom protocol and will then be reported by Highlight.
NBAR2
Read more about how you can create a custom protocol for NBAR2.
NBAR
As an example, to add a customer-specific application called 'Sceptre' which uses TCP port 6666, the router configuration would be:
ip nbar custom sceptre tcp 6666
The router will now recognise the Sceptre application, and Highlight will automatically collect and display information for this application under the name Sceptre.
If the router is identifying other applications as 'unknown' then follow the process in the next section Identifying 'Unknown' Applications in order to analyse them in Highlight.
Identifying 'Unknown' Applications
Sometimes, you will be using applications which NBAR does not recognise. These applications will be labelled 'unknown' in the AI display.
It is possible to 'dig' further to discover the nature of these applications by asking NBAR to list every port on which it sees unclassified traffic, and then examining the results. This cannot be done through Highlight; it is a one-off activity which must be carried out on the router itself. The activity will create additional load on the router, so we recommend that it is only carried out for a short period, say thirty minutes. Although it is a 'debug' command it does not generate console output, so it is 'safer' (lower load) than most debug operations. Here's what to do:
Log in to the router and enter privileged (enable) mode.
Enter
show proc cpu
At the top of the output, read the 'one minute' CPU value, which shows the current load on the router CPU. If it exceeds 30%, we recommend waiting for a quieter time before running this sequence of commands.
Enter
debug ip nbar unclassified-port-stats
This will start the router collecting detailed information.
After a few minutes, enter
show ip nbar unclassified-port-stats
The router will display a list of the ports on which it has seen unclassified traffic. Copy and paste this information somewhere safe. The output should look something like this:
6666/tcp:76
46830/tcp:16
6010/tcp:14
12350/tcp:13
12975/tcp:7
50589/tcp:7
29762/tcp:7
5228/tcp:5
You will get a list of the top unclassified ports in the format "port/protocol:packets".
Once you have this information, enter
undebug ip nbar unclassified-port-stats
With this information you can create custom NBAR entries to define names for these applications.
For example, TCP port 6666 above could be a proprietary finance application called 'Sceptre'. Create a custom NBAR entry for Sceptre with one of the following commands, depending on the IOS version of your router:
Old Style (IOS releases that only provide the predefined names custom-01 to custom-10; the traffic is reported under the predefined name rather than 'Sceptre'):
ip nbar port-map custom-01 tcp 6666
New Style (user-named custom protocols):
ip nbar custom sceptre tcp 6666
The router will now recognise the Sceptre application (as 'custom-01' if the old-style command was used), and Highlight will automatically collect and display information for this application under that name.
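Turning the port list from `show ip nbar unclassified-port-stats` into custom NBAR entries is a matching exercise: rank the ports by packet count, look each one up in your own inventory of local applications, and emit the command in whichever syntax your IOS release accepts. The script below, added here as an illustration and not part of Highlight or Cisco IOS, does that over a constructed copy of the output shown above. The port-to-application table (sceptre on TCP 6666, a hypothetical 'finbatch' on TCP 12350), the minimum packet count, and the rule treating ports at or above 32768 as probable client-side ephemeral ports are all assumptions of the example; ephemeral ports are set aside because giving them a custom name would mislabel whatever client traffic happens to use them.

```python
import re

# Constructed 'show ip nbar unclassified-port-stats' output in the
# port/protocol:packets format shown above (not captured from a real router).
SAMPLE_STATS = """\
6666/tcp:76
46830/tcp:16
6010/tcp:14
12350/tcp:13
12975/tcp:7
50589/tcp:7
29762/tcp:7
5228/tcp:5
"""

# Hypothetical port-to-application inventory; in practice this comes from
# your own records of which local applications listen on which ports.
KNOWN_APPS = {
    ("tcp", 6666): "sceptre",
    ("tcp", 12350): "finbatch",
}

STAT_RE = re.compile(r"^(\d+)/(tcp|udp):(\d+)$")
# Heuristic assumption: ports at or above 32768 are usually the client-side
# (ephemeral) end of a connection, so mapping them would mislabel traffic.
EPHEMERAL_START = 32768
OLD_STYLE_SLOTS = 10  # old-style NBAR only offers custom-01 .. custom-10


def parse_port_stats(text):
    """Return [(port, proto, packets)] sorted by packet count, highest first."""
    entries = []
    for line in text.splitlines():
        m = STAT_RE.match(line.strip())
        if m:
            port, proto, packets = m.groups()
            entries.append((int(port), proto, int(packets)))
    return sorted(entries, key=lambda e: e[2], reverse=True)


def custom_protocol_command(name, proto, port, old_style=False, slot=1):
    """Build the IOS command for one custom protocol in either syntax."""
    if old_style:
        if not 1 <= slot <= OLD_STYLE_SLOTS:
            raise ValueError("old-style NBAR only has custom-01..custom-%02d" % OLD_STYLE_SLOTS)
        return "ip nbar port-map custom-%02d %s %d" % (slot, proto, port)
    # Conservative name check (assumption): keep to lowercase, digits, '-' and '_'.
    if not re.fullmatch(r"[a-z0-9_-]+", name):
        raise ValueError("unexpected characters in custom protocol name: %r" % name)
    return "ip nbar custom %s %s %d" % (name, proto, port)


def plan_custom_entries(entries, known, min_packets=5, old_style=False):
    """Split the unclassified ports into commands to apply, ports still to be
    identified, and ports that look like ephemeral client ports."""
    plan = {"commands": [], "unmapped": [], "ephemeral": []}
    slot = 1
    for port, proto, packets in entries:
        if packets < min_packets:
            continue  # too little traffic to be worth a custom entry yet
        name = known.get((proto, port))
        if name:
            plan["commands"].append(
                custom_protocol_command(name, proto, port, old_style, slot))
            slot += 1
        elif port >= EPHEMERAL_START:
            plan["ephemeral"].append((port, proto, packets))
        else:
            plan["unmapped"].append((port, proto, packets))
    return plan


if __name__ == "__main__":
    plan = plan_custom_entries(parse_port_stats(SAMPLE_STATS), KNOWN_APPS)
    for cmd in plan["commands"]:
        print(cmd)
    for port, proto, packets in plan["unmapped"]:
        print("! identify %d/%s (%d packets) before adding a custom entry" % (port, proto, packets))
    for port, proto, _packets in plan["ephemeral"]:
        print("! %d/%s looks like a client-side port; check the other end of the flow" % (port, proto))
```

The 'unmapped' list is the set of ports still to be investigated with your application owners; only ports you have positively identified should become custom entries, since a wrong name is harder to spot in reports than 'unknown'.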
Follow this link for further details on troubleshooting NBAR.