With Shankar Sthanuretnam
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn from Cisco expert Shankar Sthanuretnam about next generation Network Based Application Recognition (NBAR2), a Deep Packet Inspection technology traditionally available on Cisco routers.
Shankar Sthanuretnam is the technical leader for network-based application recognition (NBAR) within the Network Operating Systems Technology Group. He has been leading platform-independent software development for NBAR and next-generation NBAR (NBAR2) for more than four years. With over 18 years of industry experience in data networking, he has worked on software design and architecture in areas including deep packet inspection, VoIP, network processors, TCP/IP, and LAN/WAN routing technologies. He holds a bachelor of technology degree in computer science from the Indian Institute of Technology, Bombay.
Remember to use the rating system to let Shankar know if you have received an adequate response.
Shankar might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Network Infrastructure sub-community discussion forum shortly after the event. This event lasts through March 23, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
NBAR2 is available on ASR1k and ISR-G2 platforms. NBAR2 features are being added incrementally from IOS XE release 3.3 and IOS release 15.2(1)T onwards. For more details on specific feature availability in IOS and IOS XE images, please visit:
NBAR (Network Based Application Recognition) is a stateful Deep Packet Inspection technology available on Cisco IOS and IOS-XE routers. It can examine the L3-L7 payload of router traffic and identify which application the traffic belongs to, as well as some associated properties. Examples of applications are Skype, Youtube, bittorrent, citrix etc. This information is used by other router features such as QoS, Flexible netflow etc. to enable application-based services (e.g. marking/policing based on application and reporting application information in netflow records sent to the collector). NBAR2 is the next-generation architectural evolution of NBAR. NBAR2 can identify many applications seen in enterprise and service provider networks. New application support is being added constantly. For more information on NBAR2 features, please see:
There was also a session on NBAR2 at Cisco Live London 2012: BRKRST-2065 - Application Visibility Control – NBAR2, QoS, FNF and Insight Reporter. The presented material can be accessed by logging into Cisco Live Virtual.
Based on the implementation of NBAR, i.e., to identify and block peer-to-peer apps, I have the following questions:
Is it possible for NBAR2 to recognize skype and other Peer-to-peer traffic and what happens when the traffic is encrypted?
Let me know the answers when you can.
NBAR2 uses some heuristic techniques to identify encrypted streams of peer-to-peer apps like skype, bittorrent etc. These heuristic "signatures" are constantly updated to keep pace with new versions of supported apps. There's some risk of false-positives or false-negatives for encrypted apps. This is mitigated by rigorous R&D, and validation of signatures by a dedicated expert team. There's also a process of continuous feedback from live traffic analysis, customer reports etc.
In many cases, the apps may also change behavior when completely blocked, and new behavior may not be caught with the available signatures. To avoid such situations, we recommend throttling (rather than blocking) of peer-to-peer traffic.
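As an added illustration of the throttle-rather-than-block recommendation above (example configuration, not posted by the expert or taken from Cisco documentation), the following IOS snippet classifies peer-to-peer traffic with NBAR protocol matches and rate-limits it with a policer instead of dropping it outright. The class-map and policy-map names, the 512 kbps rate and the interface are assumed values chosen for the example.

```ios
! Turn on NBAR protocol discovery on the WAN-facing interface so that
! "show ip nbar protocol-discovery" reports which applications are seen
! before any policy is applied (visibility first, enforcement second).
interface GigabitEthernet0/0
 ip nbar protocol-discovery
!
! Assumed class-map name: match any of the NBAR-recognised P2P protocols.
! Heuristic signatures can mis-classify, so keep the match list narrow.
class-map match-any P2P-APPS
 match protocol bittorrent
 match protocol skype
!
! Assumed policy-map name: police the class to 512 kbps (rate in bps).
! Conforming traffic is forwarded; excess is dropped by the policer,
! which throttles the app without making it look fully blocked.
policy-map THROTTLE-P2P
 class P2P-APPS
  police 512000 conform-action transmit exceed-action drop
 class class-default
!
! Apply on ingress of the assumed interface (client side of the router).
interface GigabitEthernet0/0
 service-policy input THROTTLE-P2P
```

After applying the policy, `show policy-map interface GigabitEthernet0/0` shows conformed versus exceeded counters per class, which is the quickest check that the classification and the rate are behaving as intended.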
The list of apps supported by NBAR2 is available at: