NBAR provides the Protocol Discovery feature as an easy way to discover application protocols that are transiting an interface by displaying various traffic statistics. The NBAR PD MIB expands the capabilities of NBAR Protocol Discovery by providing the following functionalities through SNMP:
- Enable or disable Protocol Discovery per interface
- Monitor ingress and egress traffic
- Display the following per-protocol statistics: total number of input and output packets and bytes and input and output bit rates
- Configure and view multiple Top-N tables that list protocols by bandwidth usage
- Configure thresholds based on traffic of particular protocols or applications, and send notifications when these thresholds are crossed
- Maintain a history table of notification events, with a maximum of 5000 entries
- Record the time when Protocol Discovery was enabled
The fundamental principles behind the NBAR PD MIB are as follows:
- NBAR PD MIB was introduced in IOS release 12.2(15)T.
- NBAR functionality can be configured via SNMP (read-only and read-write objects).
- The MIB contains 32-bit and 64-bit SNMP counters.
- Full NBAR functionality is not supported on interfaces where tunneling or encryption is used. See the workaround described in the "NBAR Scope" section.
Table 10-1 summarizes the NBAR PD MIB content.
Table | Description | SNMP Access |
---|---|---|
cnpdSupportedProtocols | List of all supported protocols | Read-only |
cnpdAllStats | All NBAR statistics per interface | Read-only |
cnpdTopNStats | Top-N table statistics | Read-only |
cnpdThresholdHistory | History of falling or rising events | Read-only |
cnpdStatus | Enable or disable NBAR per interface, including time stamp | Read-write |
cnpdTopNConfig | Configure the Top-N table by interface | Read-write |
cnpdThresholdConfig | Protocol threshold configuration | Read-write |
cnpdNotificationsConfig | Enable traps | Read-write |
cnpdMIBNotifications | Rising or falling events | — |
The supported protocols can be displayed by accessing the following objects. Note that a new module (PDLM) is required to extend the currently supported protocols.
cnpdSupportedProtocolsTable— Lists all the protocols and applications that NBAR can recognize.
cnpdSupportedProtocolsEntry— An entry in the supported protocols table reflecting key information about a protocol.
cnpdSupportedProtocolsName— Reflects the valid string of a protocol or application that NBAR recognizes.
The Protocol Discovery statistics group has two tables. cnpdStatusTable enables Protocol Discovery, and cnpdAllStatsTable stores the Protocol Discovery statistics. Because NBAR predefines a large list of protocols and applications, in most cases only the initial configuration is required to display relevant application traffic. Here are some details from the group:
cnpdStatusPdEnable— This read-write object is used to enable and disable Protocol Discovery on an interface. Values are true and false.
cnpdStatusLastUpdateTime— This is the sysUpTime value when Protocol Discovery was enabled on an interface. This value is 0 if the interface does not have Protocol Discovery enabled.
cnpdAllStatsEntry— The following NBAR Protocol Discovery statistics are gathered:
- cnpdAllStatsInPkts, cnpdAllStatsHCInPkts—The packet counters of inbound packets (32-bit, 64-bit)
- cnpdAllStatsOutPkts, cnpdAllStatsHCOutPkts—The packet counters of outbound packets (32-bit, 64-bit)
- cnpdAllStatsInBytes, cnpdAllStatsHCInBytes—The byte counters of inbound octets (32-bit, 64-bit)
- cnpdAllStatsOutBytes, cnpdAllStatsHCOutBytes—The byte counters of outbound octets (32-bit, 64-bit)
- cnpdAllStatsInBitRate—The inbound bit rate
- cnpdAllStatsOutBitRate—The outbound bit rate
An SNMP example is provided later in this chapter.
The Top-N statistics group displays a list of consumed bandwidth per application over a specified interval. The user can select the interface, the sample period, and the statistic on which the table is based. A maximum of 1024 Top-N tables can exist across all interfaces. Each table is ordered so that the applications using the most bandwidth come first. Some relevant objects are as follows:
cnpdTopNConfigIfIndex—Select the interface for configuring a Top-N table
cnpdTopNConfigStatsSelect—Select the statistic used for the order of the Top-N table (bit rate, byte, or packet-based)
cnpdTopNConfigSampleTime—The interval in seconds at which the bit rate is sampled if the cnpdTopNConfigStatsSelect object is set to bitRateIn, bitRateOut, or bitRateSum
cnpdTopNConfigRequestedSize—The number of requested entries in the associated cnpdTopNStatsTable (read-create)
cnpdTopNConfigGrantedSize—The actual size of the associated cnpdTopNStatsTable entry (read-only)
cnpdTopNConfigTime—The value of sysUpTime when the associated cnpdTopNStatsTable entry was created
cnpdTopNStatsRate, cnpdTopNStatsHCRate—The amount of change in the selected statistic (cnpdTopNConfigStatsSelect) during this sampling interval (32-bit, 64-bit)
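The following Python example is added here for illustration and is not code from the original text or from Cisco. It shows how a management station could build a Top-N style ranking from two polls of the 32-bit cnpdAllStats byte counters, including the counter-wrap handling that 32-bit counters require. The function names, the dictionary layout, and the sample readings are assumptions constructed for this example.

```python
def counter_delta(prev, curr, bits=32):
    """Change in an SNMP counter between two polls, tolerating one wrap."""
    return (curr - prev) % (1 << bits)


def max_poll_interval(link_bps, bits=32):
    """Seconds a byte counter of this width lasts at line rate before it wraps.

    Polling less often than this can hide a second wrap and under-report traffic.
    """
    return (1 << bits) * 8 / link_bps


def top_n(prev, curr, interval_s, n, select="bitRateSum", bits=32):
    """Rank protocols by bit rate from two polls taken interval_s seconds apart.

    prev/curr map protocol name -> (in_bytes, out_bytes) counter readings
    (hypothetical layout). select is bitRateIn, bitRateOut, or bitRateSum,
    the values the text lists for cnpdTopNConfigStatsSelect.
    """
    rows = []
    for proto, (in_now, out_now) in curr.items():
        if proto not in prev:
            continue  # first sighting: no baseline, so no rate yet
        in_bps = counter_delta(prev[proto][0], in_now, bits) * 8 / interval_s
        out_bps = counter_delta(prev[proto][1], out_now, bits) * 8 / interval_s
        rate = {"bitRateIn": in_bps, "bitRateOut": out_bps,
                "bitRateSum": in_bps + out_bps}[select]
        rows.append((proto, rate))
    # Highest rate first; ties are broken by protocol name for stable output.
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows[:n]


# Constructed sample: two polls 10 s apart. The http inbound counter wrapped
# between the polls, so a naive curr - prev would yield a negative delta.
PREV = {"http": (4294960000, 1000), "dns": (5000, 5000), "ssh": (0, 0)}
CURR = {"http": (2704, 751000), "dns": (8000, 6500), "ssh": (3000, 300)}

if __name__ == "__main__":
    for proto, bps in top_n(PREV, CURR, interval_s=10, n=2):
        print(f"{proto:6s} {bps:12.0f} bit/s")
    print(f"32-bit byte counter wraps after {max_poll_interval(1e9):.1f} s at 1 Gbit/s")
```

On fast interfaces the 64-bit (HC) counters avoid the short wrap time; pass `bits=64` when polling them.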
Multiple thresholds for individual protocols on an interface can be defined. When a threshold is exceeded, the information is stored and a notification (SNMP trap) is generated, including a summary of the related threshold information. A hysteresis mechanism stops multiple traps from occurring for the same breached threshold within a sample period. The following list summarizes interesting MIB objects in this context:
cnpdThresholdConfigEntry— Contains configuration information to set thresholds for the purpose of notifications. The following details can be configured:
- cnpdThresholdConfigIfIndex—Selects the interface to apply thresholds to.
- cnpdThresholdConfigInterval—The interval in seconds over which the data is sampled and compared with the thresholds cnpdThresholdConfigRising and cnpdThresholdConfigFalling.
- cnpdThresholdConfigSampleType—The method of sampling the selected statistic and calculating the value to be compared to cnpdThresholdConfigRising or cnpdThresholdConfigFalling. Possible entries are absoluteValue and deltaValue.
- cnpdThresholdConfigProtocol—Selects the protocol where the threshold should be placed.
- cnpdThresholdConfigProtocolAny—Provides the option to check any protocol that meets the threshold (value=true) or only the protocol defined by cnpdThresholdConfigProtocol (value=false).
- cnpdThresholdConfigStartup—The startup value (rising, falling, risingOrFalling) for monitoring the threshold.
cnpdThresholdHistoryTable— Because SNMP traps are sent over the unreliable UDP protocol, this table provides a history of the last 5000 threshold-breach events.
cnpdNotificationsEnable— Used to enable or disable notifications on a global basis (value=true or value=false).
cnpdThresholdRisingEvent— The notification that a rising counter has breached the defined threshold.
cnpdThresholdFallingEvent— The notification that a falling counter has breached the defined threshold.
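The following Python example is added here for illustration and is not code from the original text or from Cisco. It models how rising and falling thresholds with hysteresis turn a series of samples into events, using the absoluteValue and deltaValue sample types and the startup setting described above. The RMON-style re-arming rule (a rising event is not repeated until the value has reached the falling threshold, and vice versa) is an assumption about the exact semantics, and the class, function, and sample values are constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class ThresholdConfig:
    """Model of the cnpdThresholdConfig settings named in the text."""
    rising: int
    falling: int
    sample_type: str = "absoluteValue"   # or "deltaValue"
    startup: str = "risingOrFalling"     # or "rising" / "falling"


def evaluate(cfg, samples):
    """Return [(sample_index, 'rising' | 'falling', value)] for one protocol.

    samples holds one reading of the statistic per sampling interval.
    """
    if cfg.falling > cfg.rising:
        raise ValueError("falling threshold must not exceed rising threshold")
    if cfg.sample_type == "deltaValue":
        # Compare the change between consecutive readings, not the reading itself.
        values = [(i, samples[i] - samples[i - 1]) for i in range(1, len(samples))]
    else:
        values = list(enumerate(samples))

    events, last = [], None  # last = direction of the most recent crossing
    for n, (idx, value) in enumerate(values):
        kind = None
        if value >= cfg.rising and last != "rising":
            kind = "rising"
        elif value <= cfg.falling and last != "falling":
            kind = "falling"
        if kind is None:
            continue  # between thresholds, or same direction again (hysteresis)
        last = kind   # only the opposite direction can fire next
        # On the first evaluated sample, startup decides whether to report.
        if n == 0 and cfg.startup not in (kind, "risingOrFalling"):
            continue
        events.append((idx, kind, value))
    return events


# Constructed sample readings, one per interval.
RATE_SAMPLES = [50, 120, 90, 130, 20, 10, 150]   # absolute values
BYTE_COUNTER = [0, 150, 200, 400, 410]           # cumulative, for deltaValue

if __name__ == "__main__":
    print(evaluate(ThresholdConfig(rising=100, falling=20), RATE_SAMPLES))
```

Seven samples produce three events rather than five threshold hits: the readings 130 and 10 are suppressed because the opposite threshold had not been reached in between.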