Skip to main content
Cisco Meraki

Network-Based Application Recognition (NBAR) integration with MR access points


NBAR is an advanced application recognition engine developed by Cisco that utilizes several classification techniques and has the ability to dynamically update its classification rules. It supports more than 1500 applications and sub-classifications, with less than 1% unknown and less than 1% unclassified encrypted traffic. 


NBAR advantages over the traditional Meraki Traffic Analytics

  • Out-of-the-box visibility into more than 1500 applications running on a network

  • More granular Layer 7 and Traffic Shaping rules using enhanced visibility for applications

  • Well-established traffic classification engine used by many traditional Cisco products

  • Deep Packet Inspection

Use cases

  • NBAR on MR access points provides better application visibility compared to a traditional Meraki Traffic Analytics and reduces the number of uncategorized applications such as Miscellaneous secure web.


Without NBAR you would see the following Application details.




Note categories like “Miscellaneous secure web” and “UDP” with groups multiple traffic flows into one category. 


With NBAR enabled, you will notice a much more detailed view on the Application details page. For example:




Because NBAR allows MR access points to categorize more applications, it also allows admins to enforce more granular L7 firewall and traffic shaping rules, giving Meraki admins more flexibility into blocking and prioritizing the desired applications:




Note: Due to hardware limitations NBAR integration with MR access points is supported only on the 802.11ax (WiFi-6) access points and not supported on 802.11ac (WiFi-5) Wave 2 and previous generations of MR access points.

  • All MR access points in a network must be 802.11ax (WiFi-6) APs

  • A network firmware must be set to MR 27.1+ version *

  • The network type could be Wireless or Combined. If all MRs in the wireless sub-network of a combined network support NBAR (Wi-Fi 6 APs running MR 27.1+) then NBAR categories will be available on the Firewall & Traffic shaping page irrespective of MX sub-network NBAR support. However, NBAR categories for L7 firewall rules and traffic shaping rules on the Network-wide > Group Policy will only appear if both MX and MR(s) in the combined networks support NBAR.

  • The network must not be a configuration template or be bound to a configuration template

* MR 27+ firmware is not supported on all MR models. Please refer to the to Product Firmware Version Restrictions 

Disabling NBAR

Since all MR access points in a network must be 802.11ax (WiFi-6) in order to support NBAR and ensure that Layer 7 and Traffic Shaping rules that are based on NBAR classification are uniformly enforced on all MRs in a network, currently, it's not allowed to add non-WiFi-6 MRs to a network that consists of only WiFi-6 MR with the network firmware set to MR 27.1+. You might run into this corner case if you are adding non-WiFi-6 MR(s) to a network that only has WiFi-6 MR(s) and running MR 27.1 + firmware. When you try to add non-WiFi-6 MR(s) to such network from your Inventory, a banner similar to the following will pop up:

Screenshot at Aug 03 08-52-50.png

Similarly, if you try to move non-WiFi-6 MR(s) to a network that only has WiFi-6 MR(s) and running MR 27.1 + firmware the following message will appear:

Screenshot at Aug 24 13-10-53.png

If you still wish to add or move non-WiFi-6 MR(s), please follow the steps below.

Warning: Following the steps below will remove any Layer 7 Firewall rules and/or Traffic Shaping rules that use application(s) categorized by NBAR from the dashboard if such rules are configured. These rules will no longer be enforced.

  1. Temporarily disable Traffic analysis from Network-wide > Configure > General page - Traffic analysis section. Change Traffic analysis option to Disabled: do not collect traffic types.
  2. Add non-WiFi-6 MR(s) to the network
  3. Re-enable Traffic analysis. Please note that NBAR will stay disabled in this network as long as non-WiFi-6 APs are present in the network.

If you would like to re-enable NBAR in this network please remove any non-WiFi-6 APs from the network.

After non-WiFi-6 APs are removed from the network and the network meets the rest of the NBAR requirements, Layer 7 Firewall rules and Traffic Shaping rules that use application(s) categorized by NBAR will be automatically restored if no changes have been made to these rules. Any changes made to the Layer 7 or Traffic Shaping rules while non-WiFi-6 APs have been present in the network will overwrite previously configured Layer 7 Firewall rules or Traffic Shaping rules that use NBAR.





  • Was this article helpful?