ENA offers support for Cisco NBAR (Network-Based Application Recognition), to help ensure the quality of application performance.
NBAR vs Flow
ENA provides support for both NBAR and Flow technologies.
Whilst Flow identifies the source and destination of every conversation, it does not tell you the makeup of those conversations.
With ENA, you can use NBAR technology to categorize the traffic across an interface. This shows you the breakdown of traffic that shares the same TCP or UDP port, and uses deep packet inspection to identify different characteristics of this traffic.
Because NBAR is accessed through SNMP, it is polled like any other metric.
ENA provides a system NBAR dashboard at the View, device and port level. As with every ENA dashboard (both system and custom dashboards), you can drill down further into the selected items shown on the dashboard.
At the View level, you can see NBAR-capable devices within the selected View. These are not necessarily enabled for NBAR. Please see the NBAR Objects dashlet article for further information on how to manage your NBAR-capable devices.
At the device level, you can see a list of the available NBAR-supported applications on the device, alongside the NBAR metrics for the device. These show you if NBAR statistics are being polled, and if any applications are blacklisted for NBAR.
At the port level, you can see an overview of the current NBAR status on for the selected port.
For help on how to enable a managed object for NBAR polling, please see this section.
In ENA, the concept of In/Out coverage tells you the percentage of traffic that is being covered for NBAR. For example, if the In/Out coverage percentage for the selected device or port is 90%, this means that 90% of traffic is being monitored for NBAR. The remaining 10% is not being monitored for NBAR.
In ENA, you can blacklist protocols that you do not want to see on a port. This means that an event or incident will be raised when NBAR picks up the blacklisted protocol, so any blacklisted traffic above zero will be flagged.
Blacklisting is set at the device level, but can be overridden at the port level, e.g. if blacklisting is set at the device level then you can turn it off at the port level, and if it's off at the device level then you can turn it on at the port level.
You can only set blacklisted traffic if you belong to a user group with the Object Editing permission.
Blacklisting is not available with ENA's Flow monitoring.