04-08-2009 04:07 AM - edited 03-06-2019 05:04 AM
Hi,
I'm planning nbar to get feel of applications that are traversing my router.
i hope this is the simplest n best until there is anything else we can do excluding netflow et al.
I intend to get an idea of what applications are flowing across the link.
1)Would it be best to have it on wan facing interface or lan facing interface?
2)Its read that this also causes rise in cpu and may cause the device to go awry..is that the case & if so, whats the max threshold it uses.
My current router is having a cpu usage of around 11%.
3) Any other specific things which need to included with nbar to enhance the output i get to be more useful.
Thanks
Solved! Go to Solution.
04-08-2009 07:02 AM
Here's a measurement analysis of nbar in action:
HTH,
John
04-08-2009 04:18 AM
Thats interesting.
I never thought of using NBAR as a diagnostic tool.
I wouldnt.
I would use a sniffer and examine the traffic that way.
Keep an eye on the biggest talkers and monitor them as they cycle for a few days of normal business. You will be able to see the source and destination hosts, the ports they communicate on, the volume of their bi-directional traffic, etc.
HTH
Victor
04-08-2009 05:54 AM
Actually, my intention is to see what all classes of traffic flows through it..like http,ftp etc & the rate of flow alongwith their usage.
I am planning to put sniffer as well later..as you suggested.But to start with i want to what nbar returns.
Any suggestions would he helpful.
Thanks
04-08-2009 06:05 AM
Well, you can't control nbar's cpu utilization or thresholds. You can either enable or disable it. If you have a ton of different traffic going through your router, then I could see it being a major impact on it, but if there's not too many different classes, you should be okay. I would keep a close eye on the router though.
HTH,
John
04-08-2009 06:56 AM
Thanks,
I'm having a 2821 with average link usage being around 50%.Any idea if this coupled with nbar would get the router down.
& any specific reason why nbar causes this major impact..is it because it has to parse through headers to make out the information.
04-08-2009 07:02 AM
Here's a measurement analysis of nbar in action:
HTH,
John
04-08-2009 07:24 AM
#1 If both interfaces deal with the same traffic, shouldn't really matter.
#2 It does, and John's reference documents additional load. However, if your CPU is only around 11%, you likely have enough spare capacity.
#3 Yes, by default, NBAR discovery will count the protocols it knows of. Often much traffic will be counted as unknown. If NBAR discovery shows this, you can activate a debug option that NBAR will break unknown traffic down by some major IP protocols (e.g. TCP/UDP) and port numbers.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide