Traffic monitoring has become an integral feature of any network. One such area is application recognition, which lets you define your own Cisco NBAR applications. Application definitions can also be exported in flow protocol reports. With NBAR, IP traffic from applications such as Skype, Telnet, RT and H.323 can now be identified and exported. This is especially important when a significant amount of “unknown” NetFlow traffic shows up in NBAR reports.
In order to resolve various traffic issues, you need to have the latest IOS version, since Cisco adds support for application recognition modules, or PDLMs, with each release, a recent blog post revealed. With every newer release of IOS, NBAR adds a few more applications, giving NBAR better accuracy. In addition, you can use the Well Known Port (WKP) reports to identify unknown traffic based on port activity. Each PDLM adds new NetFlow protocols to the list NBAR can recognize.
Before downloading a PDLM, however, it is important to understand the concepts of native and non-native PDLMs, separate version numbers, and internal module names. A native PDLM is embedded in and received with the NetFlow Cisco IOS software, while a non-native PDLM is downloaded individually from the Cisco website. Separate version numbers are used to track the PDLM version, while internal module names, for both native and non-native PDLMs, remain unique and independent and indicate the PDLM module protocol as well as the module version number. For a PDLM to be downloaded, its version must be higher than that of the module already installed, and the Cisco IOS NBAR software version must be less than or equal to the software version of the Cisco IOS image.
As a NetFlow test case, you may notice outbound traffic on UDP port 4500. Since this is IPsec VPN traffic, we can define it and mark it on the router as UDP port 4500. You may also know that PfR active monitoring traffic is on, say, UDP 16390. You can then create a NetFlow NBAR application with a “pfractmon” designation.
By doing this for each flexible NetFlow protocol, “unknown” traffic becomes known.
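Putting the two cases above into a router configuration, as an added example that is not from the original article or from Cisco's own documentation: the custom NBAR definitions, a flexible NetFlow record that exports the application name alongside the flow, and the show commands used to confirm which PDLM versions are loaded. The interface name, collector address (192.0.2.10), the record/exporter/monitor names and the ipsec-nat-t label are assumptions.

```text
! Custom port-based NBAR applications for the two cases in the text.
! Syntax: ip nbar custom <name> [tcp | udp] <port>
ip nbar custom ipsec-nat-t udp 4500
ip nbar custom pfractmon udp 16390
!
! Flexible NetFlow record that carries the NBAR application name
! with each flow, so the collector sees a name instead of "unknown".
flow record NBAR-APP-RECORD
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match application name
 collect counter bytes long
 collect counter packets long
!
! Exporter: the application-table option periodically sends the
! application-ID-to-name mapping (custom entries included) to the collector.
flow exporter NETFLOW-EXPORTER
 destination 192.0.2.10
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
 option application-table timeout 300
!
flow monitor NBAR-APP-MONITOR
 record NBAR-APP-RECORD
 exporter NETFLOW-EXPORTER
 cache timeout active 60
!
! Apply the monitor in both directions on the WAN-facing interface.
interface GigabitEthernet0/0
 ip flow monitor NBAR-APP-MONITOR input
 ip flow monitor NBAR-APP-MONITOR output
!
! Verification (exec mode):
!   show ip nbar version      -> native and downloaded PDLM module versions
!   show ip nbar port-map     -> ports mapped to each application, custom ones included
```

A custom definition like this classifies by port alone, so any traffic on UDP 4500 or 16390 is reported under that name whether or not it is really IPsec or PfR; keep the labels specific to what you have actually verified on the port.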
Edited by Jamie Epstein