Configuring Flexible NetFlow NBAR has been discussed in our blogs before, but it’s still such a hot topic, I thought it warranted more coverage.
With NetFlow v9 Flexible NetFlow support, configuring the export of NBAR information to your NetFlow collector is simple to do by following these four steps.
4 Simple Steps
1. Define the flow record – creates the record; here you define the record’s characteristics (the fields it matches on and collects)
flow record nbar-record
match application name – This exports the NBAR application IDs.
The match application name option is critical for NBAR reporting: it is what provides the translation from the Protocol IDs to the more meaningful Application Names using the Protocol ID list.
2. Define Flow exporter – creates the exporter, defining the source interface and destination for the flows
flow exporter export-to-scrutinizer
option application-table timeout 60 – sets timeout to 60 seconds, default is 10 minutes
The option application-table timeout 60 entry ensures that the Protocol ID list template is sent every 60 seconds to your NetFlow collector.
3. Define Flow monitor – configures the connection between the flow record and flow exporter
flow monitor nbar-monitor
4. Apply Flow monitor to interface(s) – associates the flow monitor to the selected interface(s)
ip flow monitor nbar-monitor input
In the ip flow monitor entry above, 'input' refers to 'ingress'. For NBAR reporting, ingress is all that’s required to get the Application information.
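Putting the four steps together, here is a complete Flexible NetFlow NBAR configuration as an added example (it is not from the original post or from Cisco documentation). The record, exporter and monitor names are the ones used in the steps above; the collector address 192.0.2.10, the UDP port 2055, and the interfaces GigabitEthernet0/0 (export source) and GigabitEthernet0/1 (monitored interface) are placeholders you replace with your own.

```cisco
! Step 1 - flow record: key fields plus the NBAR application name
flow record nbar-record
 description NBAR application visibility (constructed example)
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match interface input
 match application name
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! Step 2 - flow exporter: 192.0.2.10 and GigabitEthernet0/0 are placeholders
flow exporter export-to-scrutinizer
 description Export to NetFlow collector (placeholder address)
 destination 192.0.2.10
 source GigabitEthernet0/0
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
 option interface-table timeout 60
 option application-table timeout 60
!
! Step 3 - flow monitor: ties the record to the exporter
flow monitor nbar-monitor
 record nbar-record
 exporter export-to-scrutinizer
 cache timeout active 60
 cache timeout inactive 15
!
! Step 4 - apply ingress on the interface(s) you want application visibility for
interface GigabitEthernet0/1
 ip flow monitor nbar-monitor input
!
```

The match application name line only works on platforms and IOS releases where NBAR is available, so check it is accepted when you enter the record. The template data timeout 60 line is added so the collector also receives the data template itself every 60 seconds, and cache timeout active 60 makes long-lived flows report at the same cadence. To verify, use show flow monitor nbar-monitor cache format table to confirm application names appear in the cache, show flow exporter export-to-scrutinizer statistics to confirm records and option templates are being sent, and show ip nbar protocol-id to see the Protocol ID list the collector will be decoding against.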
For more detail on how to configure FNF NBAR, see Brad Reese’s article on www.networkworld.com.
Protocol ID List
The “show ip nbar protocol-id” command will display the list of Application Names and Protocol IDs included on your router/switch.
If you have Applications that are not defined in this Protocol ID list, you can easily create custom NBAR applications as shown in this example, defining the GoToMeeting application.
And just for the record, since we’ve been asked this question frequently, the Cisco ASA does not currently support NBAR. Might be something you want to hound your Cisco rep about, eh?