NBAR Protocol Discovery (PD) MIB

NBAR provides the Protocol Discovery feature as an easy way to discover application protocols that are transiting an interface by displaying various traffic statistics. The NBAR PD MIB expands the capabilities of NBAR Protocol Discovery by providing the following functionalities through SNMP:

  • Enable or disable Protocol Discovery per interface

  • Monitor ingress and egress traffic

  • Display the following per-protocol statistics: total number of input and output packets and bytes and input and output bit rates

  • Configure and view multiple Top-N tables that list protocols by bandwidth usage

  • Configure thresholds based on traffic of particular protocols or applications, and send notifications when these thresholds are crossed

  • Maintain a history table of notification events, with a maximum of 5000 entries

  • Record the time when Protocol Discovery was enabled

The fundamental principles behind the NBAR PD MIB are as follows:

  • NBAR PD MIB was introduced in IOS release 12.2(15)T.

  • NBAR functionality can be configured via SNMP (read-only and read-write objects).

  • The MIB contains 32-bit and 64-bit SNMP counters.

  • Full NBAR functionality is not supported on interfaces where tunneling or encryption is used. See the workaround described in the "NBAR Scope" section.

Table 10-1 summarizes the NBAR PD MIB content.

Table 10-1. NBAR PD MIB Details
TableDescriptionSNMP Access
cnpdSupportedProtocolsList of all supported protocolsRead-only
cnpdAllStatsAll NBAR statistics per interfaceRead-only
cnpdTopNStatsTop-N table statisticsRead-only
cnpdThresholdhistoryHistory of falling or rising eventsRead-only
cnpdStatusEnable or disable NBAR per interface, including time stampRead-write
cnpdTopNConfigConfigure the Top-N table by interfaceRead-write
cnpdThresholdConfigProtocol threshold configurationRead-write
cnpdNotificationsConfigEnable trapsRead-write
cnpdMIBNotificationsRising or falling events

NBAR Supported Protocols

The supported protocols can be displayed by accessing the following objects. Note that a new module (PDLM) is required to extend the currently supported protocols.

  • cnpdSupportedProtocolsTable— Lists all the protocols and applications that NBAR can recognize.

  • cnpdSupportedProtocolsEntry— An entry in the supported protocols table reflecting key information about a protocol.

  • cnpdSupportedProtocolsName— Reflects the valid string of a protocol or application that NBAR recognizes.

NBAR Protocol Discovery Statistics

The Protocol Discovery statistics group has two tables. cnpdStatusTable enables Protocol Discovery, and cnpdAllStatsTable stores the Protocol Discovery statistics. Because NBAR predefines a large list of protocols and applications, in most cases only the initial configuration is required to display relevant application traffic. Here are some details from the group:

  • cnpdStatusPdEnable— This read-write object is used to enable and disable Protocol Discovery on an interface. Values are true and false.

  • cnpdStatusLastUpdateTime— This is the sysUpTime value when Protocol Discovery was enabled on an interface. This value is 0 if the interface does not have Protocol Discovery enabled.

  • cnpdAllStatsEntry— The following NBAR Protocol Discovery statistics are gathered:

    - cnpdAllStatsInPkts, cnpdAllStatsHCInPkts—The packet counters of inbound packets (32-bit, 64-bit)

    - cnpdAllStatsOutPkts, cnpdAllStatsHCOutPkts—The packet counters of outbound packets (32-bit, 64-bit)

    - cnpdAllStatsInBytes, cnpdAllStatsHCInBytes—The byte counters of inbound octets (32-bit, 64-bit)

    - cnpdAllStatsOutBytes, cnpdAllStatsHCOutBytes—The byte counters of outbound octets (32-bit, 64-bit)

    - cnpdAllStatsInBitRate—The inbound bit rate

    - cnpdAllStatsOutBitRate—The outbound bit rate

An SNMP example is provided later in this chapter.

NBAR Top-N Statistics

The Top-N statistics group displays a list of consumed bandwidth per application over a specified interval. The user can select the interface, sample period, and statistic used to base the table on. A maximum of 1024 Top-N tables can exist across all interfaces. Tables are ordered by applications using the most bandwidth. Some relevant objects are as follows:

  • cnpdTopNConfigIfIndex—Select the interface for configuring a Top-N table

  • cnpdTopNConfigStatsSelect—Select the statistic used for the order of the Top-N table (bit rate, byte, or packet-based)

  • cnpdTopNConfigSampleTime—The interval in seconds at which the bit rate is sampled if the cnpdTopNConfigStatsSelect object is set to bitRateIn, bitRateOut, or bitRateSum

  • cnpdTopNConfigRequestedSize—The number of requested entries in the associated cnpdTopNStatsTable (read-create)

  • cnpdTopNConfigGrantedSize—The actual size of the associated cnpdTopNStatsTable entry (read-only)

  • cnpdTopNConfigTime—The value of sysUpTime when the associated cnpdTopNStatsTable entry was created

  • cnpdTopNStatsRate, cnpdTopNStatsHCRate—The amount of change in the selected statistic (cnpdTopNConfigStatsSelect) during this sampling interval (32-bit, 64-bit)

NBAR Protocol Discovery Thresholds, Traps, and History

Multiple thresholds for individual protocols on an interface can be defined. When a threshold is exceeded, the information is stored and a notification (SNMP trap) is generated, including a summary of the related threshold information. A hysteresis mechanism stops multiple traps from occurring for the same breached threshold within a sample period. The following list summarizes interesting MIB objects in this context:

  • cnpdThresholdConfigEntry— Contains configuration information to set thresholds for the purpose of notifications. The following details can be configured:

    - cnpdThresholdConfigIfIndex—Selects the interface to apply thresholds to.

    - cnpdThresholdConfigInterval—The interval in seconds over which the data is sampled and compared with the thresholds cnpdThresholdConfigRising and cnpdThresholdConfigFalling.

    - cnpdThresholdConfigSampleType—The method of sampling the selected statistic and calculating the value to be compared to cnpdThresholdConfigRising or cnpdThresholdConfigFalling. Possible entries are absoluteValue and deltaValue.

    - cnpdThresholdConfigProtocol—Selects the protocol where the threshold should be placed.

    - cnpdThresholdConfigProtocolAny—Provides the option to check any protocol that meets the threshold (value=true) or only the protocol defined by cnpdThresholdConfigProtocol (value=false).

    - cnpdThresholdConfigStartup—The startup value (rising, falling, risingOrFalling) for monitoring the threshold.

  • cnpdThresholdHistoryTable— Because SNMP traps are sent over the unreliable UDP protocol, this table provides a history of the last 5000 threshold breached events.

  • cnpdNotificationsEnable— Used to enable or disable notifications on a global basis (value=true or value=false).

  • cnpdThresholdRisingEvent— The notification that a rising counter has breached the defined threshold.

  • cnpdThresholdFallingEvent— The notification that a falling counter has breached the defined threshold.

Part II: Implementations on the Cisco Devices