Solved: nbar

suthomas1 · ‎04-08-2009

Hi,

I'm planning nbar to get feel of applications that are traversing my router.

i hope this is the simplest n best until there is anything else we can do excluding netflow et al.

I intend to get an idea of what applications are flowing across the link.

1)Would it be best to have it on wan facing interface or lan facing interface?

2)Its read that this also causes rise in cpu and may cause the device to go awry..is that the case & if so, whats the max threshold it uses.

My current router is having a cpu usage of around 11%.

3) Any other specific things which need to included with nbar to enhance the output i get to be more useful.

Thanks

John Blakley · ‎04-08-2009

Here's a measurement analysis of nbar in action:

http://www.cisco.com/en/US/technologies/tk543/tk759/technologies_white_paper0900aecd8031b712_ps6616_Products_White_Paper.html

HTH,

John

HTH, John *** Please rate all useful posts ***

View solution in original post

lamav · ‎04-08-2009

Thats interesting.

I never thought of using NBAR as a diagnostic tool.

I wouldnt.

I would use a sniffer and examine the traffic that way.

Keep an eye on the biggest talkers and monitor them as they cycle for a few days of normal business. You will be able to see the source and destination hosts, the ports they communicate on, the volume of their bi-directional traffic, etc.

HTH

Victor

suthomas1 · ‎04-08-2009

Actually, my intention is to see what all classes of traffic flows through it..like http,ftp etc & the rate of flow alongwith their usage.

I am planning to put sniffer as well later..as you suggested.But to start with i want to what nbar returns.

Any suggestions would he helpful.

Thanks

John Blakley · ‎04-08-2009

Well, you can't control nbar's cpu utilization or thresholds. You can either enable or disable it. If you have a ton of different traffic going through your router, then I could see it being a major impact on it, but if there's not too many different classes, you should be okay. I would keep a close eye on the router though.

HTH,

John

HTH, John *** Please rate all useful posts ***

suthomas1 · ‎04-08-2009

Thanks,

I'm having a 2821 with average link usage being around 50%.Any idea if this coupled with nbar would get the router down.

& any specific reason why nbar causes this major impact..is it because it has to parse through headers to make out the information.

John Blakley · ‎04-08-2009

Here's a measurement analysis of nbar in action:

http://www.cisco.com/en/US/technologies/tk543/tk759/technologies_white_paper0900aecd8031b712_ps6616_Products_White_Paper.html

HTH,

John

HTH, John *** Please rate all useful posts ***

Joseph W. Doherty · ‎04-08-2009

#1 If both interfaces deal with the same traffic, shouldn't really matter.

#2 It does, and John's reference documents additional load. However, if your CPU is only around 11%, you likely have enough spare capacity.

#3 Yes, by default, NBAR discovery will count the protocols it knows of. Often much traffic will be counted as unknown. If NBAR discovery shows this, you can activate a debug option that NBAR will break unknown traffic down by some major IP protocols (e.g. TCP/UDP) and port numbers.