We are in the process of looking deeper into our traffic patterns both on the LAN and on the WAN. We run a number of tools (Nagios, Cacti, Wireshark, etc.) to keep an eye on overall traffic and performance, but to get beyond this and dig deeper you need tools like NetFlow and NBAR. I figured I’d start with our smallest office and get a feel for how things are flowing over the WAN. We’ve got a Cisco 2821 on site connected to a T1 over our MPLS network. I figured I’d enable NBAR first and do a simple discovery of what traffic is flowing. Here are the steps I took:
- Login to the router.
- Verify it isn’t overloaded before doing anything. I ran a “show process cpu” to verify all is well. My router was running at 1% before I began any NBAR processes and I had plenty of free memory, so I figured it was safe to enable.
- Perform a “wr” to make sure the current config is written. You’ll also want to back up the config if you don’t have an automated way of doing this already. (I use CatTools….highly recommend.)
- OPTIONAL STEP: Set your router to reload in 10 minutes (reload in 10). That way, if you enable NBAR and something goes wrong, in 10 minutes your router will reboot with the last known good configuration from before you enabled NBAR. If everything is OK, cancel the reload (reload cancel).
- Enable NBAR on your serial interface.
  Router(config-if)#ip nbar protocol-discovery
- Again, check out your router performance with “show process cpu”. If it’s taking a huge hit use the “no” form of the above statement to disable NBAR.
- To see the results use the command “show ip nbar protocol-discover”. You’ll see something like:
- If the list is long you can just return the Top 10 with: “show ip nbar protocol-discover top-n 10”
- To keep an eye on how many resources are used by NBAR use the command “show ip nbar resources”
That’s pretty much it. You can get a lot of information about what’s happening this way. To really roll up the numbers you’ll need netflow tools which I’ll discuss in another post.
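The before/after CPU check in the steps above can be scripted against saved “show process cpu” captures. This is an added example, not part of the original post: the function names, the thresholds and the sample captures are assumptions constructed for illustration.

```python
import re

# Header line that IOS prints at the top of "show process cpu".
# The second figure of the five-second pair is interrupt-level CPU.
CPU_RE = re.compile(
    r"CPU utilization for five seconds:\s*(\d+)%/(\d+)%;"
    r"\s*one minute:\s*(\d+)%;\s*five minutes:\s*(\d+)%"
)

def parse_cpu(output):
    """Return the utilization figures from a 'show process cpu' capture."""
    m = CPU_RE.search(output)
    if m is None:
        raise ValueError("no CPU utilization header found")
    five_sec, interrupt, one_min, five_min = map(int, m.groups())
    return {"five_sec": five_sec, "interrupt": interrupt,
            "one_min": one_min, "five_min": five_min}

def nbar_verdict(before, after, max_one_min=60, max_rise=25):
    """Compare captures taken before and after enabling NBAR.

    max_one_min and max_rise are assumed thresholds (percent); the post
    only says to back out if the router takes "a huge hit".
    """
    b, a = parse_cpu(before), parse_cpu(after)
    rise = a["one_min"] - b["one_min"]
    if a["one_min"] >= max_one_min or rise >= max_rise:
        action = "disable"  # apply the "no" form of the interface command
    else:
        action = "keep"     # safe to issue "reload cancel"
    return {"action": action, "rise": rise, "interrupt_after": a["interrupt"]}

# Constructed sample captures (header line plus the column heading only).
COLUMNS = " PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process\n"
BEFORE = "CPU utilization for five seconds: 1%/0%; one minute: 1%; five minutes: 1%\n" + COLUMNS
AFTER_OK = "CPU utilization for five seconds: 4%/2%; one minute: 3%; five minutes: 2%\n" + COLUMNS
AFTER_HOT = "CPU utilization for five seconds: 78%/61%; one minute: 72%; five minutes: 40%\n" + COLUMNS

if __name__ == "__main__":
    for label, capture in (("light load", AFTER_OK), ("heavy load", AFTER_HOT)):
        print(label, nbar_verdict(BEFORE, capture))
```

Take the “after” capture at least a minute after enabling NBAR so the one-minute average reflects the new load.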