Cisco NBAR (Network based application recognition) Graphs!!
Hello all,
I have been working with the Cisco NBAR MIB and can help someone along with breaking down the details of the MIB[s] involved with this feature. This would be the first open-sourced development that I know of for this information. I am not a programmer, but I am a network engineer and know about this MIB in depth.
For those of you that don't know what NBAR does: NBAR can be enabled on Cisco router interfaces and it collects data on 75 different applications and stores #packets, #bytes and 5min bit rate of each application. Starting with IOS version 12.2(15T) it can be polled via SNMP. I have been successfully SNMP polling this MIB and know pretty much all you would need to get a pretty solid script started. It could provide the same information that FlowScan does but with less router configuration and more application information.
If anyone would be willing to work with me on this project I would be glad to provide you with all I know to get the ball rolling.
Let me know
EFLY
I could be very interested - I may in fact have an immediate requirement.
I can't get a supported router with the right IOS until next week though. I'm downloading the MIB to have a look.
If we started with the basics and I just wanted Bytes for say HTTP, HTTPS, FTP, ICMP, DNS (UDP & TCP) + Others for 1 interface, what would be the best part of the MIB to start with?
How have you found the NBAR load on the CPU - which platforms and what sort of bandwidths have you tried? I could have uses on both 256K lines on 1720s up to 160 Mb/s of Inet traffic through 7206 G1s and 6509 MSFC.
Deano
Re: Cisco NBAR (Network based application recognition) Graph
Hello,
I am in the middle of a project using Cacti to report NBar data. Which OID did you end up using? What is the best way to graph the data?
Thanks!!
NBAR
Hi,
I too would be very interested in this.
Can you do an export of your templates for this (if you are using 0.84) so that I can play around with it?
I work for an ISP that is all Cisco -- and lots of it. So I have a wide range of gear to play with.
Regards,
Clayton
Ok. We're testing (myself and Efly) an NBAR query and related templates now. Hopefully we'll be in a position to publish soon.
Within my test bed I have a query pulling back Bits/Sec and Pkts/Sec for selected protocols from selected NBAR enabled interfaces. These stats are from the NBAR "All Stats" table in the MIB.
Unfortunately the "TopN" stats need SNMP write access to set up. Cacti has no method for this and currently I'm not sure my coding is sufficient to write a robust script that could configure them.
Deano
I have successfully deployed Cacti to report NBAR statistics, works great. Here is the Cisco document about the NBAR MIB. Also, I have successfully used UCD to configure a router for the top-N feature. I will publish the commands with Cacti config soon.
Also, the cnpdAllStats(inPKTS,OutPKTS,INBytes,Outbytes) stats are not a per second number. It reports total Packets/bytes since the router was last rebooted. The only OID I found useful is the cnpdallstatsbitrate.
I found the following urls very useful...
http://www.cisco.com/univercd/cc/td/doc ... tpdmib.htm
http://www.cisco.com/warp/public/732/Tech/qos/nbar/
Have Fun!!!
Attachment: CISCO-NBAR-PROTOCOL-DISCOVERY-MIB.oid.txt (4.74 KiB)
The Packets and Bytes variables do indeed report running totals - in exactly the same way as many other SNMP counters do (like the interface traffic/packet counters) - so they're configured as "counters" and Cacti/RRD works out the rate between poll intervals.
The bitrate variables are configured as "gauge" as of course they don't need to have the rate calculated and it's the absolute value that's important.
Of course for the traffic (bits/sec) these should give the same results but for me it's actually Packets/Sec for ICMP that I'm most interested in on one of my routers.
Deano
I got the SNMP commands worked out with UCD to create the Top-N tables with NBAR. My next problem is what is the best way to have Cacti create a graph. I get the following data after creating a Top 3 table:
C:\ucd\usr\bin>snmpwalk -c public 10.34.0.17 .1.3.6.1.4.1.9.9.244.1.4
enterprises.9.9.244.1.4.1.1.2.6.1 = "http"
enterprises.9.9.244.1.4.1.1.2.6.2 = "netbios"
enterprises.9.9.244.1.4.1.1.2.6.3 = "telnet"
enterprises.9.9.244.1.4.1.1.3.6.1 = Counter32: 63000
enterprises.9.9.244.1.4.1.1.3.6.2 = Counter32: 39000
enterprises.9.9.244.1.4.1.1.3.6.3 = Counter32: 7000
Any ideas?
Because the OID has 2 indexes you can't create a simple XML query, so you have 2 choices.
1) Hand code the OIDs of interest to you in individual data sources and graph them.
2) Create a Script + XML query which handles the multiple indexes internally and presents Cacti with a single index it can reference. (Which is how my main NBAR stuff works). This could then be reapplied to any NBAR enabled host quickly.
Option 2 is possible but I probably don't have the time for a week or so to try it myself.
Deano
Any ideas how to handle the Top-N table changing? For example, the first time I run the table I get:
C:\ucd\usr\bin>snmpwalk -c public 10.34.0.17 .1.3.6.1.4.1.9.9.244.1.4
enterprises.9.9.244.1.4.1.1.2.6.1 = "http"
enterprises.9.9.244.1.4.1.1.2.6.2 = "telnet"
enterprises.9.9.244.1.4.1.1.2.6.3 = "citrix"
enterprises.9.9.244.1.4.1.1.2.6.4 = "ftp"
enterprises.9.9.244.1.4.1.1.2.6.5 = "egp"
enterprises.9.9.244.1.4.1.1.3.6.1 = Counter32: 16000
enterprises.9.9.244.1.4.1.1.3.6.2 = Counter32: 3000
enterprises.9.9.244.1.4.1.1.3.6.3 = Counter32: 1000
enterprises.9.9.244.1.4.1.1.3.6.4 = Counter32: 0
enterprises.9.9.244.1.4.1.1.3.6.5 = Counter32: 0
The second time I get:
C:\ucd\usr\bin>snmpwalk -c public 10.34.0.17 .1.3.6.1.4.1.9.9.244.1.4
enterprises.9.9.244.1.4.1.1.2.6.1 = "secure-http"
enterprises.9.9.244.1.4.1.1.2.6.2 = "netbios"
enterprises.9.9.244.1.4.1.1.2.6.3 = "telnet"
enterprises.9.9.244.1.4.1.1.2.6.4 = "citrix"
enterprises.9.9.244.1.4.1.1.2.6.5 = "ftp"
enterprises.9.9.244.1.4.1.1.3.6.1 = Counter32: 10000
enterprises.9.9.244.1.4.1.1.3.6.2 = Counter32: 3000
enterprises.9.9.244.1.4.1.1.3.6.3 = Counter32: 2000
enterprises.9.9.244.1.4.1.1.3.6.4 = Counter32: 2000
enterprises.9.9.244.1.4.1.1.3.6.5 = Counter32: 0
Thanks!!
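Added example, not part of the original thread or of the posters' scripts: one way to do what option 2 describes and to cope with the changing Top-N table is to join the name and value columns on their two trailing indexes and then key each series by protocol name instead of rank. It assumes, as read from the walks quoted above, that the sub-identifier before the last two is the column (2 = name, 3 = value) and the last two are the table index and the row; the function names are hypothetical.

```python
import re

# Line format of the snmpwalk output quoted in the thread.
# Groups: column, table index, row (rank), then a quoted name or a Counter32 value.
LINE = re.compile(
    r'^enterprises\.9\.9\.244\.1\.4\.1\.1\.(\d+)\.(\d+)\.(\d+)'
    r' = (?:"([^"]*)"|Counter32: (\d+))$')

def make_walk(names, rates, table=6):
    """Rebuild walk text in the thread's format (sample input, constructed)."""
    base = "enterprises.9.9.244.1.4.1.1"
    rows = [f'{base}.2.{table}.{i} = "{n}"' for i, n in enumerate(names, 1)]
    rows += [f"{base}.3.{table}.{i} = Counter32: {r}" for i, r in enumerate(rates, 1)]
    return "\n".join(rows)

# The two polls from the post above, same names and values.
WALK_1 = make_walk(["http", "telnet", "citrix", "ftp", "egp"], [16000, 3000, 1000, 0, 0])
WALK_2 = make_walk(["secure-http", "netbios", "telnet", "citrix", "ftp"],
                   [10000, 3000, 2000, 2000, 0])

def parse_topn(walk_text):
    """Return {table_index: {protocol_name: value}}, joining columns 2 and 3 on (table, row)."""
    names, values = {}, {}
    for line in walk_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # prompt lines, blank lines, other OIDs
        col, key = int(m.group(1)), (int(m.group(2)), int(m.group(3)))
        if col == 2 and m.group(4) is not None:
            names[key] = m.group(4)
        elif col == 3 and m.group(5) is not None:
            values[key] = int(m.group(5))
    result = {}
    for (table, row), name in names.items():
        if (table, row) in values:  # ignore rows missing their value column
            result.setdefault(table, {})[name] = values[(table, row)]
    return result

def series_by_protocol(walks, table=6):
    """One series per protocol name across polls; None marks 'not in the Top-N that poll'."""
    polls = [parse_topn(w).get(table, {}) for w in walks]
    protocols = sorted(set().union(*polls))
    return {p: [poll.get(p) for poll in polls] for p in protocols}

if __name__ == "__main__":
    for proto, points in series_by_protocol([WALK_1, WALK_2]).items():
        print(f"{proto:12} {points}")
```

A protocol that drops out of the Top-N is reported as None rather than 0, since its rate for that poll is unknown, not zero.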