Last month at Cisco Live 2014 in Milan, Italy, I sat in a class that discussed NBAR2 AVC NetFlow exports. NBAR2 is what allows a Cisco router to watch a series of packets within a flow to determine the layer 7 application. NBAR2 is part of the Application Visibility and Control (AVC) architecture, which also includes metrics on round trip time, retransmits, TCP window size, HTTP host, URL, URI, jitter, packet loss and more.
NBAR2 AVC is available on the following hardware:
- WLC based (2504, 5508, 8500, 7500)
- AP/Unified Access based (3850, 5760)
WAN and Internet Edge:
- WAN edge (ISR G2, ASR1K, 44xx)
- Internet edge (CSR1kV)
- Managed Service Provider (MSP)
- Firewall (ASA-CX)
NBAR2 AVC's ability to identify applications doesn't stop at labelling a flow as, say, VoIP. It can look deeper and identify the actual RTP payload type (RTP_PT), which leads to details on the codec used, and it exports stream-specific identifiers such as the SSRC.
Notice in the above screen capture that 0 is defined in RFC 3551 (below) as PCMU, which is sometimes considered G711.
RFC 3551, RTP A/V Profile, July 2003 (excerpt of the static audio payload type table):

| PT | encoding name | media type | clock rate [Hz] | channels |
|----|---------------|------------|-----------------|----------|
| 0  | PCMU          | A          | 8,000           | 1        |
| 1  | reserved      | A          |                 |          |
| 2  | reserved      | A          |                 |          |
| 3  | GSM           | A          | 8,000           | 1        |
| 4  | G723          | A          | 8,000           | 1        |
| 5  | DVI4          | A          | 8,000           | 1        |
| 6  | DVI4          | A          | 16,000          | 1        |
| 7  | LPC           | A          | 8,000           | 1        |
| 8  | PCMA          | A          | 8,000           | 1        |
| 9  | G722          | A          | 8,000           | 1        |
You will also notice in the image below, ‘101’ which is defined in RFC 2833 as “Line lockout tone”.
| Event                            | encoding (decimal) |
|----------------------------------|--------------------|
| Acceptance tone                  | 96                 |
| Confirmation tone                | 97                 |
| Dial tone, recall                | 98                 |
| End of three party service tone  | 99                 |
| Facilities tone                  | 100                |
| Line lockout tone                | 101                |
| Number unobtainable tone         | 102                |
| Offering tone                    | 103                |
| Permanent signal tone            | 104                |
| Preemption tone                  | 105                |
| Queue tone                       | 106                |
| Refusal tone                     | 107                |
| Route tone                       | 108                |

(Partial paste of the table: the full table is too big for this blog.)
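To make the RTP_PT, SSRC and RFC 2833 event fields concrete, here is an added Python example (not code from the post or from Cisco) that parses the fixed RTP header and, for a dynamic payload type, the RFC 2833 telephone-event payload, using the two table excerpts above. It assumes that the dynamic payload type (here 101) was negotiated to carry telephone-event, and both sample packets are constructed.

```python
import struct

# RFC 3551 static audio payload types (the subset reproduced in this post).
RFC3551_PT = {0: "PCMU", 3: "GSM", 4: "G723", 5: "DVI4", 6: "DVI4",
              7: "LPC", 8: "PCMA", 9: "G722"}

# RFC 2833 tone event codes (the subset reproduced in this post).
RFC2833_EVENT = {96: "Acceptance tone", 97: "Confirmation tone",
                 98: "Dial tone, recall", 99: "End of three party service tone",
                 100: "Facilities tone", 101: "Line lockout tone",
                 102: "Number unobtainable tone", 103: "Offering tone",
                 104: "Permanent signal tone", 105: "Preemption tone",
                 106: "Queue tone", 107: "Refusal tone", 108: "Route tone"}

def parse_rtp(packet: bytes) -> dict:
    """Parse the 12-byte fixed RTP header (RFC 3550) and classify the payload."""
    if len(packet) < 12:
        raise ValueError("truncated RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError(f"unexpected RTP version {b0 >> 6}")
    cc = b0 & 0x0F
    pt = b1 & 0x7F
    hdr_len = 12 + 4 * cc                     # CSRC list follows the fixed header
    if b0 & 0x10:                             # X bit: skip the header extension
        ext_words = struct.unpack("!H", packet[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_words
    info = {"pt": pt, "marker": bool(b1 & 0x80), "seq": seq, "ts": ts,
            "ssrc": ssrc, "codec": RFC3551_PT.get(pt), "event": None}
    payload = packet[hdr_len:]
    # 96..127 are dynamic payload types. Assumption for this example: the
    # sender negotiated telephone-event (RFC 2833) on them, so decode
    # event (1 byte), E bit + volume (1 byte), duration (2 bytes).
    if 96 <= pt <= 127 and len(payload) >= 4:
        event, flags, duration = struct.unpack("!BBH", payload[:4])
        info["event"] = {"code": event, "name": RFC2833_EVENT.get(event, "unknown"),
                         "end": bool(flags & 0x80), "volume": flags & 0x3F,
                         "duration": duration}
    return info

# Constructed sample: PT 0 (PCMU) audio packet with four dummy payload bytes.
SAMPLE_PCMU = bytes([0x80, 0x00, 0x12, 0x34, 0x00, 0x00, 0x03, 0xE8,
                     0xDE, 0xAD, 0xBE, 0xEF]) + b"\xff\xff\xff\xff"
# Constructed sample: PT 101 with marker bit, carrying RFC 2833 event 101
# (Line lockout tone), end bit set, volume 10, duration 800 timestamp units.
SAMPLE_EVENT = bytes([0x80, 0x80 | 101, 0x12, 0x35, 0x00, 0x00, 0x03, 0xE8,
                      0xDE, 0xAD, 0xBE, 0xEF]) + bytes([101, 0x80 | 10, 0x03, 0x20])
```

Running `parse_rtp` over the two samples yields PCMU with SSRC 0xDEADBEEF for the first and a "Line lockout tone" event for the second, the same fields NBAR2 AVC surfaces as RTP_PT and SSRC.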
NBAR2 AVC doesn’t stop at identifying layer 7 applications, either. It also places the applications discovered into categories and sub-categories.
If you are looking for the richest possible information from flow data, you need to look at NBAR2 AVC exports. And keep in mind that we need to stop thinking of flow technology as NetFlow, because the IETF standard is called IPFIX. Even Cisco is migrating from NetFlow to IPFIX, and many of the sFlow vendors are migrating to IPFIX as well, because IPFIX encompasses all of these legacy technologies, capitalizes on their best features and lays out a powerful protocol capable of much more than SNMP, syslog, NetFlow and sFlow combined. Exports like those available from NBAR2 AVC are the future of flow technology.