close banner

The Complete Guide to NBAR

Get answers to any questions you have on network based application recognition (NBAR)


Network Based Application Recognition

NBAR (Network-Based Application Recognition) recognizes, classifies, analyzes, and regulates real-time application traffic on a network to help optimize the efficiency of available resources.

An intelligent classification engine developed by Cisco Systems as an inherent component of its IOS Software, NBAR conducts deep packet inspection to recognize and intelligently identify multiple web-based and client/server applications that, because they use dynamic ports, would otherwise travel a network unnoticed.

NBAR classifies the applications as critical or non-critical so that the critical applications can take precedence on the network. Mission-critical applications, therefore, are guaranteed a minimum amount of bandwidth, policy routed and identified by NBAR for preferential treatment. Non-critical applications can be identified for best-effort service, policed or blocked if needed.

NBAR was developed by Cisco Systems as part of its Content Networking platform for implementing intelligent network services. Cisco Content Networking dynamically recognizes Internet business applications, employing network services for end-to-end security, performance, and availability.

NBAR2, or Next Generation NBAR, is a more recent addition to Cisco’s NBAR offering. It is a re-architecture of NBAR based on the Service Control Engine (SCE), featuring more advanced classification techniques that offer greater accuracy. It supports more than a thousand applications and sub-classifications.


NBAR’s primary purpose is to apply Quality of Service (QoS) policies to network traffic. With NBAR, network administrators can perform bandwidth policing because they have a full view of the applications in use by the network at any given time, and can decide how much bandwidth to assign for each application.

In today’s enterprise network organization, network bandwidth availability is limited. Even so, low-priority applications such as notoriously get it the way, hindering availability for high-priority applications.

NBAR helps to optimize network availability for mission-critical applications such as e-commerce, supply chain management and workforce optimization so that they are given the highest priority. It also recognizes applications that are dynamically assigned TCP and UDP ports.

By intelligently identifying and classifying applications based on business requirements, NBAR helps assign different levels of service, translating the requirements into network policies. As a result, network managers can configure the network to provide the appropriate levels of service to specific applications.

NBAR2 provides even more advanced classification technique than NBAR, leveraging them from SCE, which allow classification of IPv4, IPv6 and v6 transition techniques. Also, NBAR2 can classify more evasive web-based applications such as Office 365, as well as mobile applications such as Facetime, using advanced classification techniques.

HOW does it work?

NBAR provides intelligent network classification for network infrastructure. It has the ability to recognize a wide variety of applications, including those that dynamically assign Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port numbers. Upon recognition of the application, the network assigns it specific services.

Using quality-of-service (QoS) features, NBAR helps ensure network bandwidth is being used to meet enterprise objectives. This means:

  • guaranteed bandwidth for critical applications;
  • limited bandwidth for non-critical applications;
  • avoiding congestion by dropping specific packets; and
  • marking specific packets to enable end-to-end QoS from.

While many network administrators are using monitoring tools to oversee network link usage, these tools only provide a partial view – the volume of traffic, but not type of traffic. NBAR examines traffic on a designated router interface, identifying it by the application. This is done by mapping traffic ports to standard and non-standard protocols – much more manageable than access control lists (ACLs) that require precise matching of protocols and ports.

NBAR supports a wide range of network protocols, including some of these stateful protocols that were difficult to classify before NBAR:

  • HTTP classification by URL, host, and Multipurpose Internet Mail Extensions (MIME) type
  • Oracle SQL*Net
  • Sun RPC
  • Microsoft Exchange
  • UNIX r commands
  • VDOLive
  • RealAudio
  • Microsoft Netshow
  • FTP
  • StreamWorks
  • Trivial File Transfer Protocol (TFTP)

NBAR2 provides support for an even greater number of protocol types, including non-TCP and non-UDP IP protocols, statically assigned TCP and UDP port numbers, dynamically assigned TCP and UDP port numbers, and subport classification or classification based on deep packet inspection. Network administrators can obtain new protocol support by downloading protocol packs from Cisco Connection Online.

WHERE should it be used?

Other capabilities of NBAR include multiple-service performance optimization, elimination of data-flow bottlenecks, latency minimization, spam reduction or blocking, malware detection and blocking, enhanced network security, simplification of new protocol additions, and even the reduction of expenses as well as the ability to maximize revenue. The highlights:

Performance for Mission-Critical Applications

Mission-critical applications by their very definition must perform consistently well. Bottlenecks, therefore, are unacceptable – especially when the bandwidth should be there.

Very often, however, employees are using Internet applications such as streaming audio and video or are downloading new programs, all of which can quickly consume bandwidth.

NBAR intelligently classifies applications, enabling the network to provide differentiated services to each application. Absolute priority and a guaranteed amount of bandwidth can be applied to mission-critical applications. Limited bandwidth can also be applied to less critical applications. This means users can access mission-critical applications with minimal delay, without needing to upgrade costly WAN links or cutting off access to commonly used but less critical applications.

Reduction of WAN Costs

NBAR enables intelligent utilization of WAN bandwidth, providing acceptable service levels with minimal possible bandwidth. This helps keep WAN service costs in check while still providing access to client/server and web-based applications.

Improved Web Response

NBAR identifies the Web pages and type of Web content that are critical to the organization. For example, priority can be given to customers accessing a sales order page, and sales tools can be given guaranteed bandwidth, so that a sales rep never has to wait for a price quote.

Also, NBAR can identify by MIME type, giving select applications priority in the network.

Additionally, NBAR helps check that non-critical web content such as JPEG, GIF, and MPEG files do not consume large amounts of bandwidth.

Improved Virtual Private Network (VPN) Performance

Running NBAR and a VPN in the same router helps improve service quality because NBAR can identify mission-critical traffic before it is encrypted, enabling the appropriate QoS controls to be applied by the network. This also helps ensure the packets are processed in the correct order to maximize security.

For example, NBAR will identify a packet from a mission-critical application as “gold-service”, placing it into a priority queue. When used with network service providers that offer differentiated services, the application still receives priority treatment on the VPN.

Improved Multiservice Performance

NBAR can intelligently identify each packet type – data, voice or video – and provide the proper network characteristics. For example, on a critical conference call, streaming video needs to be clear and easy to understand. NBAR can easily identify it and assign it a higher priority class to receive a minimum guaranteed bandwidth. Other traffic that doesn’t rely on network latency, such as e-mail, are assigned a lower priority class.

WHEN do you use NBAR?

Applications Intelligently Classified

Web-based and client/server applications are not recognized by traditional classification technologies such as access control lists (ACLs). NBAR adds intelligent classification so that mission-critical applications are given priority by the network, helping ensure no delays.

New Protocols Can Be Quickly Added

NBAR uses a flexible packet description language, enabling easy and quick support for newly added applications.

Protocol Discovery

NBAR determines protocols and applications that are currently running on a network. With this understanding of the current traffic mix and application requirements, the appropriate QoS policy can then be created.

Support for QoS

After intelligently classifying the packet by NBAR, the router utilizes one of these underlying QoS services:

  • Guaranteed bandwidth with CBWFQ,
  • Policing and limiting bandwidth
  • Marking for differentiated service downstream or from the service provider (ToS or DSCP)
  • Drop policy to avoid congestion (WRED)

The underlying QoS features provide the differentiated services to the network, helping ensure mission-critical applications receive priority over non-critical traffic.

LiveAction Provides Greater Visibility with NBAR and Virtually Any Other Data Source

LiveAction is preferred Cisco partner and offers the leading enterprise network monitoring software solution. LiveNX has deep integrations with Cisco SD-WAN and other Cisco infrastructure for complete Cisco network performance monitoring.