Enabling application visibility in Flexible Netflow packets via NBAR

momosebi
Level 1

Hello guys

I'm having a little trouble with NBAR and I'm hoping someone could be of help.

So I've just deployed SolarWinds and I'm trying to enable NBAR on a Cisco C9404R switch for deep application visibility, then have the NBAR data applied to Netflow and exported to SolarWinds. In the Netflow flow record, I entered the 'match application name' command in order to capture NBAR data. I also entered the 'ip nbar protocol-discovery' command on the interface to be monitored. However, when I applied the Netflow monitor to the interface with the 'flow monitor NTAMonitor input' command, I got an error saying something about it not being supported with the selected flow record fields. I'd need to remove the 'match application name' command from the flow record before I can apply the flow monitor to the interface. I tried this both on an SVI interface and on physical interfaces of the switch, with the same result.

I'd like to know if there's any other thing, any prerequisite that is needed before I can achieve this.

balaji.bandi
Hall of Fame

Can you post the sample configuration so we can look at what the error is?

Refer to the guides below for a working example:

https://www.balajibandi.com/?p=1383

https://community.cisco.com/t5/networking-knowledge-base/flexible-netflow/ta-p/3137331

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello @balaji.bandi 

Here is the configuration excerpt...

flow record NTARecord
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match ipv4 tos
 match interface input
 match application name
 collect interface output
 collect counter bytes long
 collect counter packets long
 exit
flow exporter NTAExport
 destination 172.16.0.106
 source vlan 999
 transport udp 2055
 template data timeout 60
 export-protocol netflow-v9
 option application-table timeout 60
 option application-attributes timeout 300
 exit
flow monitor NTAMonitor
 record NTARecord
 exporter NTAExport
 cache timeout active 60
 cache timeout inactive 30
 exit
interface g1/0/48
 ip flow monitor NTAMonitor input
 ip nbar protocol-discovery
 exit

@Joseph W. Doherty I don't have access to the switch right now so I can't pull the specific version of the switch. But I did check in Cisco feature navigation and it was stated there that the 9400 series do support NBAR. I also confirmed this from the switch itself as I was able to enter the 'ip nbar protocol-discovery' command on the switch's interface and when I ran the 'show ip nbar protocol-discovery' command, I confirmed that the switch was indeed performing deep application inspection as I was able to see all the different applications that were flowing through the switch.

My problem only lies in enabling Netflow to capture this NBAR data so it can export it to Solarwinds. From research I've made, entering the 'match application name' command or the 'collect application name' command in the flow record of the Netflow configuration is supposed to enable Netflow to capture this NBAR data. But I'm unable to apply it to any interface on the switch.

What I'm not sure of however is if there is need for some specific module that needs to be installed into the switch to enable this integration.

What IOS XE code?

Restrictions for Flexible NetFlow

  • Flexible NetFlow and NBAR cannot be configured together at the same time on the same interface.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9400/software/release/17-12/configuration_guide/nmgmt/b_1712_nmgmt_9400_cg/configuring_flexible_netflow.html

BB

Wow!!! Thanks @balaji.bandi 

I think that just might be the cause. How do you guys even find these online resources. I pretty much skimmed through the whole internet searching for an answer before coming here but never stumbled upon this lol.

So what do you suggest, that I remove the 'ip nbar protocol-discovery' command from the interface and leave only the 'ip flow monitor NTAMonitor input' command on the interface? Do you think that might fix it?

It's a limitation; not sure if anything more on 17.15 IOS XE code.

BB

I don't have access to the switch right now so I can't pull the specific version of the switch. But I did check in Cisco feature navigation and it was stated there that the 9400 series do support NBAR. I also confirmed this from the switch itself as I was able to enter the 'ip nbar protocol-discovery' command on the switch's interface and when I ran the 'show ip nbar protocol-discovery' command, I confirmed that the switch was indeed performing deep application inspection as I was able to see all the different applications that were flowing through the switch.

BTW, I didn't state or intend to imply the 9400 didn't support NBAR at all, but that not all features of NBAR might be supported, which from @balaji.bandi's later post appears to be the case when working with NetFlow (or possibly the converse). You might yet find some other specific NBAR features (often more comprehensive packet analysis), found on other platforms (like software-based routers), not available on the 9400.

Hopefully, you realize the above kind of limitations, on switches, are generally due to lack of hardware support (or software that doesn't [yet] take advantage of all the hardware's capabilities).

Anyway, as I originally noted, what you've been trying to configure, as noted in your error message, appears to be a correct error message, i.e. it's "not supported".

As to your latter question, whether removing NBAR protocol discovery might fix the problem: maybe. That command, I recall (?), more or less just has NBAR do a basic analysis on all the traffic it sees and gather stats. As long as both NBAR and NetFlow are not working on the same interface, that would appear to bypass the restriction. Should be easy enough to try.

Thank you @Joseph W. Doherty 

I'll give it a try tomorrow and let you know how it goes. Since it appears to be a limitation, as @balaji.bandi noted, and I may not be able to achieve what I am trying to, if it doesn't work I might just have to consider using another platform or upgrading the IOS version. Do you know any Cisco switch platform that supports this?

Do you know any Cisco switch platform that supports this?

Off-the-top-of-my-head, sorry, I don't.

Generally, software based routers are the most feature rich.

Joseph W. Doherty
Hall of Fame

Can't speak specifically on your 9404, but in the past, switch support of NBAR, on L3 switches was non-existent to very limited.  I believe the 9k architecture has additional capabilities, possibly including NBAR, but exactly what's supported mainly depends on the UADP version, the IOS version, and the sup capabilities (possibly beyond which UADP version they use).  An error message noting "not supported" often means just that.

If you post the information requested by @balaji.bandi , you might also note the sup variant and the IOS version too.

momosebi
Level 1

Hello guys

So a quick update... as agreed, I removed the 'ip nbar protocol-discovery' command from the interface, leaving only the 'ip flow monitor NTAMonitor input' command on the interface, but it still gives the same error. I figured that as long as the 'match application name' command is in the flow record configuration, it effectively enables NBAR in Netflow. So enabling Netflow on an interface when that command has been entered in the flow record effectively attempts to enable both NBAR and Netflow on that interface, which unfortunately the switch does not support.

As it stands, the C9404R switch is the highest-end switch the customer has in their environment, and they have no Cisco router, so I doubt any other switch in the environment would support this feature.
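A pre-deployment check for exactly this situation, added here as an example (it is not code from the thread or from Cisco): it parses an IOS-XE style config excerpt, resolves interface -> flow monitor -> flow record, and flags any interface whose record matches or collects application name (NBAR inside NetFlow), or that carries ip nbar protocol-discovery alongside a flow monitor. It assumes the indented sub-mode layout of show running-config; the sample config is constructed.

```python
# Lint an IOS-XE config excerpt for the FNF/NBAR restriction quoted in this thread
# (assumed: sub-mode lines are indented as in 'show running-config' output).
import re

# Constructed sample modelled on the excerpt posted above, not a real device.
SAMPLE_CONFIG = """\
flow record NTARecord
 match ipv4 source address
 match application name
flow monitor NTAMonitor
 record NTARecord
interface g1/0/48
 ip flow monitor NTAMonitor input
 ip nbar protocol-discovery
interface g1/0/47
 ip nbar protocol-discovery
"""

def parse_sections(config):
    """Map (kind, name) of each flow record/monitor or interface to its sub-mode lines."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):          # a top-level line starts or ends a section
            m = re.match(r"^(flow record|flow monitor|interface) (\S+)", line)
            current = (m.group(1), m.group(2)) if m else None
            if current:
                sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def find_violations(config):
    """Return (interface, reason) pairs for interfaces that would hit the restriction."""
    sections = parse_sections(config)
    app_records = {name for (kind, name), lines in sections.items()
                   if kind == "flow record" and any(l.endswith("application name") for l in lines)}
    app_monitors = {name for (kind, name), lines in sections.items()
                    if kind == "flow monitor"
                    and any(l.startswith("record ") and l.split()[1] in app_records for l in lines)}
    violations = []
    for (kind, name), lines in sections.items():
        if kind != "interface":
            continue
        monitors = [l.split()[3] for l in lines if l.startswith(("ip flow monitor ", "ipv6 flow monitor "))]
        if any(m in app_monitors for m in monitors):
            violations.append((name, "flow record matches/collects application name (NBAR in NetFlow)"))
        if monitors and any(l.startswith("ip nbar protocol-discovery") for l in lines):
            violations.append((name, "ip nbar protocol-discovery together with a flow monitor"))
    return violations
```

An interface with only ip nbar protocol-discovery (g1/0/47 in the sample) is not flagged, since the restriction applies to the two features together.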

I figured that as long as the 'match application name' command is in the flow record configuration, it effectively enables NBAR in Netflow.

Yea, that makes sense as being similar to using a match statement in a QoS policy that uses NBAR.

As it stands, The C9404R switch is the highest-end switch the customer has in their environment, and they have no Cisco router, so I doubt any other switch in the environment would support this feature.

Very possibly true. However, as NBAR implementation features vary, as do various switch platform hardware and, of course, a particular IOS implementation, you can never be very certain what any one platform might, or might not, support. Again, as a generalization, switches often lag far behind software-based routers for some features, because they depend so much on specialized hardware.