Solved: Attempting to setup a cisco 3850 with NBAR in order to use NetFlow.

Mogwai · ‎05-01-2023

hello, I'm running into a bit of a wall here. In out environment, we are using 3850's & dual 4500X's. I'm attempting to trail the Netflow in order to get a deeper insight into our network environment. That being said, I'm having trouble getting the information straight to configure this, as I'm seeing in multiple conflicting posts on if 3850's support NBAR?

Do Cisco 3850's support NBAR currently? If so what version is needed? (Currently running 16.6.7)
If they do what would be the proper method to get this running? If not possible on a 3850, can tis be done on the 4500X?

Reza Sharifi · ‎05-01-2023

Hi,

It does not appear that the 3850 supports NBAR, even though it is configurable. See link:

https://thwack.solarwinds.com/product-forums/netflow-traffic-analyzer-nta/f/forum/26696/netflow-nbar2-nta-configuration-with-cisco-catalyst-3850

I recently opened a TAC case on this for our 3850s. They referred me to the Cisco Feature Navigator which shows that NBAR is not supported. The Cisco Feature Navigator archive shows only Feature ID 29027: Easy QOS: NBAR attributes based QOS, which is part of the AVC (Application Visibility and Control) feature.

Even though a few commands seem to be implemented, such as collect application name, Cisco TAC says the NBAR is not supported for wired interfaces on any version of IOS for 3850s. A chapter of the Denali Configuration guide implies that wired AVC is indeed possible.

https://community.cisco.com/t5/switching/nbar2-support-on-4500x-switches/td-p/3040387

View solution in original post

Reza Sharifi · ‎05-01-2023

Hi,

It does not appear that the 3850 supports NBAR, even though it is configurable. See link:

https://thwack.solarwinds.com/product-forums/netflow-traffic-analyzer-nta/f/forum/26696/netflow-nbar2-nta-configuration-with-cisco-catalyst-3850

I recently opened a TAC case on this for our 3850s. They referred me to the Cisco Feature Navigator which shows that NBAR is not supported. The Cisco Feature Navigator archive shows only Feature ID 29027: Easy QOS: NBAR attributes based QOS, which is part of the AVC (Application Visibility and Control) feature.

Even though a few commands seem to be implemented, such as collect application name, Cisco TAC says the NBAR is not supported for wired interfaces on any version of IOS for 3850s. A chapter of the Denali Configuration guide implies that wired AVC is indeed possible.

https://community.cisco.com/t5/switching/nbar2-support-on-4500x-switches/td-p/3040387

Mogwai · ‎05-01-2023

Awesome thanks for clearing that up for me! On that note do you know if NBAR is also configurable on the 4500X's off the top of your head?

Mogwai · ‎05-01-2023

Scratch that, it appears that Cisco requires the Supervisor engine 7 with the 4500X models for NBAR to work.

Joseph W. Doherty · ‎05-01-2023

BTW, as you asked about NetFlow and NBAR, and support for the latter on the 3850 and 4500-X, I'm wondering if what you really might have in mind, or if not in mind, what might work for you is Flexible NetFlow. Flexible NetFlow appears (i.e. mentioned as a feature) to have some support on both the 3850 and 4500-X.

Also BTW, "full" NBAR can do things like dig into HTTP packets for public host names or Citrix packet's subtypes, etc., i.e. something not easily accomplished in hardware, without, probably, much additional expensive hardware. The sup32-PISA, I recall (?), didn't have all the features of a router's NBAR and limited throughput (2Gbps) vs. what the sup32 (15 Mpps) could do normally. It's FPM (flexible packet matching) probably one of the forerunners of Flexible NetFlow.

Joseph W. Doherty · ‎05-01-2023

Unfortunately, I don't know, for sure, the answers to your questions. The only switch that I know supported NBAR (like/subset/limited) features was the sup32-PISA.

I wouldn't be to hopeful for 3850s or 4500Xs. Possibly Catalyst 9k might support deeper packet inspection, but if so, I'm unaware of such.

Notwithstanding the above, I don't recall NetFlow needing NBAR.