A favorite networking tool of mine is NBAR (Network Based Application Recognition). It’s a very useful tool which Cisco Systems includes for free on many of its platforms. It comes in many different flavors and sizes, but it’s potentially useful in every form.
One of my favorite technologies is Quality of Service (QoS) and one of the most fundamental features of QoS is classification, i.e., teaching the network to identify different types of traffic in order to treat those different types of traffic differently based upon mission requirements. To that end, NBAR is very useful as it can recognize many different types of traffic. NBAR can even be modified and taught to recognize types of traffic on a customized basis in order to more closely and precisely recognize specific traffic types which concern your enterprise.
NBAR comes with different capabilities depending on the type of platform. Routers are the best and most sophisticated homes for NBAR capabilities – even to the point that the new and improved form of NBAR, NBAR2, is available more on routers than on switches. But one of the great things to know is that NBAR is still available on devices which specialize in switching, like Cisco’s Nexus switch product line. They have a scaled-back version, but it is there nevertheless and highly useful.
Network Based Application Recognition is a software feature which may be activated on a device and then enabled on one or more of its interfaces. The role of NBAR is to recognize the type of traffic passing through the interface(s) on which it is enabled. The following graphic shows several references to NBAR in a configuration:
In this graphic we see some fundamental NBAR configuration commands. First, please note the command on the interface “ip nbar protocol-discovery.” That command tells NBAR to start looking and keeping track of the types of traffic it sees on that interface. This may be activated on multiple interfaces simultaneously.
Please note that CEF (Cisco Express Forwarding) is usually a requirement of NBAR activation. NBAR may use significant amounts of CPU. Therefore, one would ALWAYS make sure CEF is turned on (using the command “show ip cef”) and also make sure the CPU isn’t already overloaded (using the command “show process cpu”).
Once NBAR is activated on the device, the graphic shows NBAR being used in the QoS configuration. The command under class-map “Test” which states “match protocol ftp” in fact means “match ftp traffic as recognized by NBAR.” Also, in the policy-map called “Demo,” the traffic matched by class-map “Test” is marked as dscp 15. This is a classic example of “Classification and Marking,” which is absolutely fundamental to the entire concept of QoS.
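The configuration described above, written out as an added example rather than the configuration from the post’s graphic (the interface name GigabitEthernet0/0 is assumed):

```cisco
! Added example: NBAR protocol discovery plus NBAR-based
! classification and marking, as described in the text.
!
! 1. NBAR depends on CEF, so make sure CEF is on before enabling NBAR.
!    Check first with "show ip cef" and "show processes cpu".
ip cef
!
! 2. Start NBAR discovery on the interface; load-interval 30 shortens
!    the statistics sample period from the default 5 minutes.
interface GigabitEthernet0/0
 ip nbar protocol-discovery
 load-interval 30
!
! 3. Classification: "match protocol ftp" relies on NBAR's recognition
!    of ftp rather than on a hand-written port number.
class-map match-all Test
 match protocol ftp
!
! 4. Marking: traffic classified by "Test" is marked DSCP 15.
policy-map Demo
 class Test
  set ip dscp 15
!
! 5. Apply the policy to traffic entering the interface.
interface GigabitEthernet0/0
 service-policy input Demo
!
! Verification (exec mode):
!   show ip nbar protocol-discovery top-n 6
!   show policy-map interface GigabitEthernet0/0
```

The second show command confirms that the “Test” class is actually matching packets, which is the quickest way to tell that NBAR recognized the ftp traffic as expected.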
Another use of NBAR is for a survey of the types and quantities of traffic going through a network environment. NBAR doesn’t just recognize many traffic types – it also keeps track of the amount of the types of traffic it sees. In this way a network engineer can ask NBAR what it has detected after it has been turned on.
It’s a wonderful tool for a contractor to use. The percentage of network engineers who know what types of traffic, and how much of each, are running on their network is surprisingly low. So when a consultant is asked to look at a client network and help it run more efficiently, it is important to know what types of traffic are present and in what quantity, in order to demonstrate to the client that the ability to tune the network so as to prioritize the important and de-prioritize the unimportant is key.
The commands used to look at the types and quantity of traffic recognized by NBAR are “show ip nbar protocol-discovery” and “show ip nbar protocol-discovery top-n N” (where “N” stands for a number). In both cases, NBAR displays the results in order, with the busiest traffic at the top of the result and the least busy at the bottom. Note the following graphic:
The above graphic is the result of the command “show ip nbar protocol-discovery top-n 6.” Note that at the time of this command the busiest form of traffic was http. The polling frequency was at the default, which was 5 minutes. This can be changed to as low as 30 seconds using the “load-interval 30” command. As you can see, NBAR gives statistics as packet count, byte count, average bps for the sample period and maximum bps for the sample period – in both directions. The last traffic type it enumerates is traffic it sees as “unknowns”.
It’s really great as a consultant to be able to turn on NBAR for an hour or two, deal with other things and meetings, and then come back and look at the results of NBAR to see just what is really out there.
Another great thing about NBAR is the ability to customize it. NBAR comes with ten built-in “custom” classes, and others may be created. Additionally, existing traffic classifications may be modified. For instance, NBAR recognizes “http” as a type of traffic. By default it recognizes http traffic as TCP port 80 traffic. In some situations an enterprise will use other ports for its http traffic. NBAR may be modified to replace those ports or add additional ones. For example, one may modify the “http” recognition to include ports 80, 8080, 8081, etc.
Below are some examples of customizing NBAR:
Please note that the example demonstrates teaching NBAR which ports to use when recognizing http, which it previously recognized only on port 80. And “custom-01,” which previously had no configuration, has been taught to recognize udp ports 16400 and 16401. Much more extensive recognition criteria may be used, like telling NBAR to recognize traffic with particular information in the http header.
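The customization described above, as an added example (not the configuration from the post’s graphic); the class-map names and the interface GigabitEthernet0/0 are assumptions:

```cisco
! Added example: customizing NBAR port mappings and matching on them.
!
! "http" is recognized on TCP 80 by default. The port list given here
! replaces the existing mapping, so port 80 is listed again to keep it
! while adding 8080 and 8081.
ip nbar port-map http tcp 80 8080 8081
!
! custom-01 (one of the ten built-in custom classes) has no ports until
! configured; here it is taught UDP 16400 and 16401.
ip nbar port-map custom-01 udp 16400 16401
!
! Both customized protocols can then be matched like any other.
class-map match-all Web
 match protocol http
!
class-map match-all Custom-App
 match protocol custom-01
!
! Verify the mappings NBAR now uses:
!   show ip nbar port-map http
!   show ip nbar port-map custom-01
!
! After this change, discovery statistics count TCP 8080/8081 under
! http and UDP 16400/16401 under custom-01 instead of "unknown":
!   show ip nbar protocol-discovery interface GigabitEthernet0/0
```

Re-running protocol discovery after the change is worthwhile: a drop in the “unknown” line confirms that the new port mappings are catching the traffic you intended.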
If this isn’t enough, there is also a much more sophisticated version of NBAR called “NBAR2.” NBAR2 recognizes more types of traffic and has additional features and sub-classification methods.
Because NBAR and NBAR2 can do so many things, and can be customized in so many ways, covering them would literally take an entire blog series. But I hope I have piqued your curiosity so that you will look into using this excellent, sophisticated, and free (which I like a lot) Cisco tool, which has been built into IOS, IOS-XE and NexusOS in various forms.
Good luck and happy networking!