Last month at CiscoLive 2014 in Milan, Italy, I sat in a class that discussed NBAR2 AVC NetFlow exports. NBAR2 is what allows a Cisco router to inspect a series of packets within a flow to determine the layer 7 application.  NBAR2 is part of the Application Visibility and Control (AVC) architecture, which also exports metrics such as round trip time, retransmits, TCP window size, HTTP host, URL, URI, jitter, packet loss and more.

NBAR2 AVC

NBAR2 AVC is available on the following hardware:

Wireless Gear

  • WLC Based (2504, 5508, 8500, 7500)
  • AP/Unified Access Based (3850, 5760)

WAN and Internet Edge

  • WAN Edge (ISRG2, ASR1K, 44xx)
  • Internet edge (CSR1kV)
  • Managed Service Provider (MSP)

Perimeter Security

  • Firewall (ASA-CX)

The NBAR2 AVC ability to identify applications doesn’t stop at naming an application such as VoIP.  It can look deeper into the flow and report the RTP payload type (the RTP_PT field), which identifies the codec for statically assigned types, together with the stream’s synchronization source (SSRC), which identifies the individual media stream within the flow.

[Screen capture: AVC RTP Payload Type]

Notice in the above screen capture that payload type 0 is defined in RFC 3551 (excerpt below) as PCMU, which is G.711 μ-law (payload type 8, PCMA, is G.711 A-law).  Static payload types like these come straight from the RFC, so the exporter can name the codec without any signalling context.

http://tools.ietf.org/html/rfc3551#page-28


RFC 3551         RTP A/V Profile          July 2003
PT   encoding    media type  clock rate [Hz] channels
___________________________________________________
0    PCMU         A             8,000       1
1    reserved     A
2    reserved     A
3    GSM          A             8,000       1
4    G723         A             8,000       1
5    DVI4         A             8,000       1
6    DVI4         A            16,000       1
7    LPC          A             8,000       1
8    PCMA         A             8,000       1
9    G722         A             8,000       1

You will also notice in the image below ‘101’.  That number is not a codec from the RFC 3551 table: payload types 96 through 127 are dynamic, so their meaning is assigned per call in the signalling (typically an SDP a=rtpmap line) rather than by a standard.  In practice 101 is very commonly the dynamic type negotiated for telephone-event, the RFC 2833 payload that carries DTMF digits and tone signalling.  RFC 2833 also lists “Line lockout tone” as event 101 (table below), but that 101 is an event code carried inside a telephone-event payload, not an RTP payload type number; the two values simply coincide, and you need the SDP (or the exporter’s own decode of the payload) to tell which one you are looking at.

Event                                      encoding (decimal)
Acceptance tone                                         96
Confirmation tone                                       97
Dial tone, recall                                       98
End of three party service tone                         99
Facilities tone                                        100
Line lockout tone                                      101
Number unobtainable tone                               102
Offering tone                                          103
Permanent signal tone                                  104
Preemption tone                                        105
Queue tone                                             106
Refusal tone                                           107
Route tone                                             108

   (Partial paste of the table; the full tone-event list is in RFC 2833.)
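To make the distinction between the two tables concrete, here is an added example written for this post; it is not Plixer’s, Cisco’s or the original author’s code.  It decodes the RTP header of a packet, names static payload types from the RFC 3551 table, resolves dynamic types only when the call’s SDP is available, and, when the type turns out to be telephone-event, decodes the RFC 2833 event code inside the payload.  The SDP text, the two packets and the stream’s SSRC are constructed for the example, not captured traffic, and the function names are the example’s own.

```python
import re
import struct
from typing import Optional

# RFC 3551 static audio/video payload types (Tables 4 and 5). Types 96-127 are
# dynamic: their meaning is negotiated per call, usually via an SDP a=rtpmap line.
STATIC_PAYLOAD_TYPES = {
    0: "PCMU", 3: "GSM", 4: "G723", 5: "DVI4", 6: "DVI4", 7: "LPC",
    8: "PCMA", 9: "G722", 10: "L16", 11: "L16", 12: "QCELP", 13: "CN",
    14: "MPA", 15: "G728", 16: "DVI4", 17: "DVI4", 18: "G729",
    25: "CelB", 26: "JPEG", 28: "nv", 31: "H261", 32: "MPV",
    33: "MP2T", 34: "H263",
}

# RFC 2833 event codes carried *inside* a telephone-event payload: the DTMF
# events 0-16 and the tone events quoted in the post. These are not RTP
# payload type numbers, even though "101" appears in both tables.
TELEPHONE_EVENTS = {i: f"DTMF {d}" for i, d in enumerate("0123456789*#ABCD")}
TELEPHONE_EVENTS[16] = "Flash"
TELEPHONE_EVENTS.update({
    96: "Acceptance tone", 97: "Confirmation tone", 98: "Dial tone, recall",
    99: "End of three party service tone", 100: "Facilities tone",
    101: "Line lockout tone", 102: "Number unobtainable tone",
    103: "Offering tone", 104: "Permanent signal tone", 105: "Preemption tone",
    106: "Queue tone", 107: "Refusal tone", 108: "Route tone",
})


def parse_sdp_rtpmap(sdp: str) -> dict:
    """Collect 'a=rtpmap:<pt> <name>/<clock>' lines into {pt: name}."""
    return {int(pt): name for pt, name in
            re.findall(r"^a=rtpmap:(\d+)\s+([^/\s]+)", sdp, re.MULTILINE)}


def parse_rtp(packet: bytes) -> dict:
    """Decode the fixed RTP header (RFC 3550 section 5.1) and locate the payload."""
    if len(packet) < 12:
        raise ValueError("truncated RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * (b0 & 0x0F)              # skip the CSRC list
    if b0 & 0x10:                              # header extension present
        _, ext_words = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4 + 4 * ext_words
    end = len(packet) - (packet[-1] if b0 & 0x20 else 0)   # strip padding
    if offset > end:
        raise ValueError("header runs past end of packet")
    return {"marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F,
            "seq": seq, "timestamp": ts, "ssrc": ssrc,
            "payload": packet[offset:end]}


def describe_payload_type(pt: int, rtpmap: Optional[dict] = None) -> str:
    """Name a payload type: static from RFC 3551, dynamic only via the SDP."""
    if pt in STATIC_PAYLOAD_TYPES:
        return STATIC_PAYLOAD_TYPES[pt]
    if 96 <= pt <= 127:
        return (rtpmap or {}).get(pt, "dynamic (unresolved: no SDP rtpmap)")
    return "reserved/unassigned"


def parse_telephone_event(payload: bytes) -> dict:
    """Decode an RFC 2833 telephone-event payload: event, E bit, volume, duration."""
    event, flags, duration = struct.unpack("!BBH", payload[:4])
    return {"event": event, "name": TELEPHONE_EVENTS.get(event, "unknown"),
            "end": bool(flags & 0x80),          # E bit: end of event
            "volume_dbm0": -(flags & 0x3F),     # power level, stored unsigned
            "duration": duration}               # in timestamp units


def summarize(packet: bytes, rtpmap: Optional[dict] = None) -> dict:
    """What an exporter could report for one packet, given the call's SDP."""
    hdr = parse_rtp(packet)
    name = describe_payload_type(hdr["payload_type"], rtpmap)
    out = {"ssrc": hdr["ssrc"], "payload_type": hdr["payload_type"], "codec": name}
    if name == "telephone-event":
        out["event"] = parse_telephone_event(hdr["payload"])
    return out


# Constructed sample data (not captured traffic): an SDP answer and two
# packets from its audio stream, SSRC 0xDEADBEEF.
SAMPLE_SDP = """v=0
m=audio 4000 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
"""
# PT 0 (PCMU), seq 1, ts 160, followed by 160 bytes of mu-law silence (0xFF)
PCMU_PACKET = bytes.fromhex("80 00 0001 000000a0 deadbeef".replace(" ", "")) + b"\xff" * 160
# PT 101 with marker bit, seq 2, ts 320; payload = DTMF '5', E=1, -10 dBm0, 800 samples
DTMF_PACKET = bytes.fromhex("80 e5 0002 00000140 deadbeef 05 8a 0320".replace(" ", ""))

if __name__ == "__main__":
    rtpmap = parse_sdp_rtpmap(SAMPLE_SDP)
    for pkt in (PCMU_PACKET, DTMF_PACKET):
        print(summarize(pkt, rtpmap))
    # Without the SDP, 101 cannot be named from the packet alone.
    print(describe_payload_type(101))
```

Run as a script it prints the PCMU packet as codec PCMU, the second packet as telephone-event carrying “DTMF 5”, and then the unresolved-dynamic string for 101 when no rtpmap is supplied.  An exporter that only sees the RTP stream, and not the SIP/SDP exchange that set it up, is in that last position, which is why a bare 101 in a flow record should be read as “dynamic type, probably telephone-event” rather than as any particular tone.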

NBAR2 AVC doesn’t stop at identifying layer 7 applications, either.  It also places the applications discovered into categories and sub-categories.

[Screen capture: NBAR2 Category]

If you are looking for the richest possible information in flow data, look at NBAR2 AVC exports.  And keep in mind that it is time to stop thinking of flow technology as NetFlow, because the IETF standard is IPFIX. Cisco is migrating from NetFlow to IPFIX, and many of the sFlow vendors are moving to IPFIX as well, because IPFIX encompasses these legacy technologies, capitalizes on their best features and lays out a protocol capable of carrying far more than SNMP, syslog, NetFlow and sFlow combined.  Exports like those available from NBAR2 AVC are the future of flow technology.

Jake

Jake Bergeron is currently one of Plixer's Sr. Solutions Engineers. He is responsible for providing customers with onsite training and configuration to make sure that Scrutinizer is set up to their needs. Previously he was responsible for teaching Plixer's Advanced NetFlow Training / Malware Response Training. When he's not learning more about NetFlow and malware detection he also enjoys fishing and hiking.
