Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

nbar traffic

Hi,

We ran nbar last time to check out flows in our network.There were some unknown protocols registered,any idea what are they composed of?there are counts for edonkey & kerberos as well, are they harmful & how to tackle them?

The output gives the 5 min bit rate alongwith byte count, which means the count would vary as time passes off,so end of the day wouldnt these be basically average readings & what does Max bit rate & 5min bit rate differ on?

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Bronze

Re: nbar traffic

Please refer to the documentation on how to read the show ip cache verbose flow output

http://www.cisco.com/en/US/docs/ios/netflow/command/reference/nf_02.html#wp1013892

The port information is there :)

__

Edison.

5 REPLIES
Super Bronze

Re: nbar traffic

"There were some unknown protocols registered,any idea what are they composed of?"

There's a debug NBAR option that can futher "break out" the unknowns (stats by port numbers). (NB: don't recall the actual command.)

"there are counts for edonkey & kerberos as well, are they harmful & how to tackle them?"

Whether they're harmful and what to do about them is up to you. One common concern is their usage of bandwidth. If this is problem for you, you can block them, rate limit them, deprioritze them, etc. (BTW, I found some NBAR matching not always accurate. You need to know the actual criteria being used by NBAR for specific "protocols". Sometimes it's just port matching, and it could be other traffic.)

New Member

Re: nbar traffic

To further identify the hosts using some of the protocols, would it be fine by creating an acl (deny or permit)& enabling log-input option.

How do we actually interpret the packet count that are given..like can we get the size of the protocol in MBytes & how is the bit rate summed up.

Thanks.

Hall of Fame Super Bronze

Re: nbar traffic

Sunny,

I recommend configuring NetFlow instead.

NetFlow will display the port being used by the src/dst.

__

Edison.

New Member

Re: nbar traffic

Thanks,I also viewed sh ip cache flow which shows me src/des alongwith protocols like tcp/udp but not particular ports.

Is that the same thing.

Hall of Fame Super Bronze

Re: nbar traffic

Please refer to the documentation on how to read the show ip cache verbose flow output

http://www.cisco.com/en/US/docs/ios/netflow/command/reference/nf_02.html#wp1013892

The port information is there :)

__

Edison.

319
Views
3
Helpful
5
Replies