I never thought of using NBAR as a diagnostic tool.
I would use a sniffer and examine the traffic that way.
Keep an eye on the biggest talkers and monitor them as they cycle for a few days of normal business. You will be able to see the source and destination hosts, the ports they communicate on, the volume of their bi-directional traffic, etc.
Well, you can't control nbar's cpu utilization or thresholds. You can either enable or disable it. If you have a ton of different traffic going through your router, then I could see it being a major impact on it, but if there's not too many different classes, you should be okay. I would keep a close eye on the router though.
#1 If both interfaces deal with the same traffic, shouldn't really matter.
#2 It does, and John's reference documents additional load. However, if your CPU is only around 11%, you likely have enough spare capacity.
#3 Yes, by default, NBAR discovery will count the protocols it knows of. Often much traffic will be counted as unknown. If NBAR discovery shows this, you can activate a debug option that NBAR will break unknown traffic down by some major IP protocols (e.g. TCP/UDP) and port numbers.
Hi everyone, I would like to thank you in advance for any help you can provide a newcomer like myself!
Im studying the 100-105 book by Odom and am currently on the topic of Port security. I purchased a used 2960 and I'm trying to follow a...
While deploying a number of 18xx/2802/3802 model access points (APs), which run AP-COS as their operating platform. It can be observed on some occasions that while many of their access points were able to join the fabric WLC withou...
I am going to design and build an LAN network under a tunnel underground with long distance between the switches.
I will have 2 Catalyst switches and 8 Industrial IE3000, and they will be connected with fiber.
For now I am planning on use Layer-2 s...