Understanding network bandwidth content is one of the essentials for each IT admin who needs to ensure the business traffic has always the priority over someones private Youtube streaming during a lunch break. SolarWinds Network Traffic Analyzer has been used many years for its ability to finger point at IP address which was behind suspicious high-volume data transfer. NTA historically used widely used port-based application detection known as NetFlow (used in protocols NetFlow v5, v9, IPFIX, sFlow, jFlow, Huawei Netstream).
As many of you know, port-based application detection works effectively if each application you care about communicates via its own, specific, port (SNMP, SQL, DNS, etc.). As a natural reaction to block unwanted traffic you may create firewall rules and allow specific ports only. This works unless the owner of the application change its protocol to HTTP or even better HTTPs and port-based categorization is not as useful anymore (as firewall rules based on ports only). Most of the traffic will look like "WEB" or "Encrypted".
At the end of a day, it's still better than knowing nothing but it leads to the further inspection by using firewalls and logs or user browsing history or Wireshark hunt.
But we all would like to have better visibility into the corporate network traffic and understand if business traffic or video call is not negatively impacted by somebody's web browsing or media streaming. Many network-gear vendors are aware of that problem with "tunneling" over ports 80 or 443 to various cloud storage apps, SaaS or social networks. Cisco, Citrix or PaloAlto introduced "Application Flows" known as NBAR2, Citrix AppFlow and Palo Alto App-ID in IPFIX. All these names have one common element - advanced application classification technique using application signatures database and deep packet inspection. This is all done directly within your network gear (Routers, some L3 switches, firewalls and Wireless Controllers).
The advantage of "AppFlow" technology is obvious. It gives you better application classification even though applications are using the same port (for example port 80). It gives you visibility (even though limited) into encrypted traffic (port 443) and it gives you that without need of additional probes, spanning ports and other complicated things. Palo Alto, Cisco and Citrix keep their application signature databases up to date and usually offer new device updates every month as a classic software update for your gear. As example look at this page NBAR2 (Next Generation NBAR) Protocol Pack FAQ - Cisco which list NBAR2 supported devices and also typical Protocol Pack update time-lines.
Many of you already have Cisco ASR 1000 or ISR-G2 devices and if you haven't, you can use SolarWinds NTA (beta) now and get better application visibility of your bandwidth. NTA 4.2 beta brings support for Cisco NBAR2 as a first (but not last) implementation of Application Flow information. NTA still uses flow-based technology to read app-flow and is quite easy to enable NBAR2 on your devices and let NTA to tell you who deals to much with Youtube over SSL, Google cloud application or torrents.
I know you're interested to try this out and takes you just few steps:
1) Enable NBAR2 as part of Flexible NetFlow (if you haven't yet)
flow record SolarwindsNetflow
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect transport tcp flags
collect interface input
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect application name
flow exporter SolarwindsNetflow
transport udp 2055
template data timeout 60
option application-table timeout 60
option application-attributes timeout 300
flow monitor SolarwindsNetflow
cache timeout active 60
2) Configure the interface from where you want to monitor Netflow (with NBAR2) - this part is the same as you do when configuring classical port-based NetFlow (in my example GigabitEthernet 0/0/1)
interface GigabitEtherent 0/0/1
ip flow monitor SolarwindsNetflow input
ip flow monitor SolarwindsNetflow output
3) Check NBAR2 support & configuration by runing "show ip nbar version" command
You should get output similar to this:
NBAR software version: 20
NBAR minimum backward compatible version: 20
Loaded Protocol Pack(s):
Name: Advanced Protocol Pack
Publisher: Cisco Systems Inc.
NBAR Engine Version: 20
Creation Time: Wed Mar 25 13:17:24 UTC 2015
4) Subscribe to NTA 4.2 Beta program (available for those who have NTA commercial license)
5) Install NTA Beta on the non-production server and add NetFlow source Node into NTA (same process as you adding classical NetFlow source).
Once you start getting the data in NTA you will see a switch in a top right hand corner on a summary page in the "Top 5 Applications" resource. Use it to select between NetFlow - port based and NBAR2 - AppFlow data view. This switch is available everywhere in NTA for the charts which show some application classification. NBAR2 is automatically detected and if device doesn't support NBAR2 you'll be not able to use that switch.
Let's demonstrate the added value of App-Flow NBAR2 comparing classical NetFlow v5 and NBAR2 data classification for the situation where some IP address watch Youtube over SSL:
I would very happy if you - SolarWinds users - can try this beta and help me to collect feedback on two main questions:
1) What version of your protocol pack you have on your devices (step #3 from the list above)
2) Does NBAR2 in NTA helps you to see better data than the current port-based flow?
As always, I appreciate all your effort and enthusiasm you spent with this Beta version of NTA. I'd like to hear to any other comments and feature request you may have around this theme such as reports, alerts, etc.
We do not want to end support with NBAR2 on ASR or G2 devices, but also working on WLC support and to the future Citrix and PaloAlto AppFlows. If you have other app-flow capable device, let us know.