
Network-Based Application Recognition (NBAR) integration with MR access points

Overview

NBAR is an advanced application recognition engine developed by Cisco that utilizes several classification techniques and has the ability to dynamically update its classification rules. It supports more than 1400 applications and sub-classifications, with less than 1% unknown and less than 1% unclassified encrypted traffic. 

 

NBAR advantages over the traditional Meraki Traffic Analytics

  • Out-of-the-box visibility into more than 1400 applications running on a network

  • More granular Layer 7 and Traffic Shaping rules using enhanced visibility for applications

  • Well-established traffic classification engine used by many traditional Cisco products

  • Deep Packet Inspection

Use cases

  • NBAR on MR access points provides better application visibility than traditional Meraki Traffic Analytics and reduces the number of uncategorized applications, such as Miscellaneous secure web.

 

Without NBAR you would see the following Application details.

 

[Screenshot: Application details page without NBAR]

 

Note categories like “Miscellaneous secure web” and “UDP”, which group multiple traffic flows into one category.

 

With NBAR enabled, you will notice a much more detailed view on the Application details page. For example:

 

[Screenshot: Application details page with NBAR enabled]

 

Because NBAR allows MR access points to categorize more applications, it also allows admins to enforce more granular L7 firewall and traffic shaping rules, giving Meraki admins more flexibility in blocking and prioritizing the desired applications:

 

[Screenshot: L7 firewall and traffic shaping rules using NBAR applications]

Requirements

Note: Due to hardware limitations, NBAR integration with MR access points is supported only on 802.11ax (WiFi-6) access points. It is not supported on 802.11ac (WiFi-5) Wave 2 or previous generations of MR access points.

  • All MR access points in a network must be 802.11ax (WiFi-6) APs

  • The network firmware must be set to version MR 27.1+ *

  • The network type must be Wireless or Combined (MS - any switch models + MR - WiFi-6 APs only)

  • The network must not be a configuration template or be bound to a configuration template

 

* MR 27+ firmware is not supported on all MR models. Please refer to Product Firmware Version Restrictions.

Disabling NBAR

NBAR requires every MR access point in a network to be 802.11ax (WiFi-6) so that Layer 7 and Traffic Shaping rules based on NBAR classification are enforced uniformly on all MRs in the network. For this reason, it is currently not allowed to add non-WiFi-6 MRs to a network that consists only of WiFi-6 MRs and has its network firmware set to MR 27.1+. When you try to add non-WiFi-6 MR(s) to such a network from your Inventory, a banner similar to the following will pop up:

[Screenshot: banner shown when adding non-WiFi-6 MR(s) from Inventory]

Similarly, if you try to move non-WiFi-6 MR(s) to a network that has only WiFi-6 MR(s) and is running MR 27.1+ firmware, the following message will appear:

[Screenshot: message shown when moving non-WiFi-6 MR(s) into the network]

If you still wish to add or move non-WiFi-6 MR(s), please follow the steps below.

Warning: Following the steps below will remove any Layer 7 Firewall rules and/or Traffic Shaping rules that use application(s) categorized by NBAR from the dashboard if such rules are configured. These rules will no longer be enforced.

  1. Temporarily disable Traffic analysis from Network-wide > Configure > General page - Traffic analysis section. Change Traffic analysis option to Disabled: do not collect traffic types.
  2. Add non-WiFi-6 MR(s) to the network
  3. Re-enable Traffic analysis. Please note that NBAR will stay disabled in this network as long as non-WiFi-6 APs are present in the network.

If you would like to re-enable NBAR in this network please remove any non-WiFi-6 APs from the network.

After non-WiFi-6 APs are removed from the network and the network meets the rest of the NBAR requirements, Layer 7 Firewall rules and Traffic Shaping rules that use application(s) categorized by NBAR will be automatically restored if no changes have been made to these rules. Any changes made to the Layer 7 or Traffic Shaping rules while non-WiFi-6 APs have been present in the network will overwrite previously configured Layer 7 Firewall rules or Traffic Shaping rules that use NBAR.
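
A pre-change check for the requirements and the rule-removal warning above, as an added example that is not part of the original article and is not Meraki code. The network snapshot, its field names (`wifi6`, `nbar`, `bound_to_template`, `is_template`) and the rule entries are constructed for illustration and are not the Dashboard API schema.

```python
import re

# Constructed snapshot of one network; all field names are hypothetical.
NETWORK = {
    "type": "combined",              # "wireless" or "combined" qualify
    "is_template": False,
    "bound_to_template": False,
    "firmware": "MR 27.7.1",
    "aps": [{"name": "ap-lobby", "wifi6": True},
            {"name": "ap-lab", "wifi6": True}],
    "rules": [
        {"kind": "l7_firewall", "match": "app-A", "nbar": True},
        {"kind": "traffic_shaping", "match": "app-B", "nbar": True},
        {"kind": "l7_firewall", "match": "port 23", "nbar": False},
    ],
}

def firmware_ok(version, minimum=(27, 1)):
    """Compare numerically: 27.10 is newer than 27.1, and plain 27 is older."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version))
    return nums >= minimum

def nbar_blockers(net):
    """Return the unmet NBAR requirements; an empty list means eligible."""
    blockers = []
    legacy = [ap["name"] for ap in net["aps"] if not ap["wifi6"]]
    if legacy:
        blockers.append("non-WiFi-6 APs present: " + ", ".join(legacy))
    if not firmware_ok(net["firmware"]):
        blockers.append("firmware below MR 27.1: " + net["firmware"])
    if net["type"] not in ("wireless", "combined"):
        blockers.append("network type is " + net["type"])
    if net["is_template"] or net["bound_to_template"]:
        blockers.append("network is, or is bound to, a configuration template")
    return blockers

def rules_at_risk(net, new_ap_is_wifi6):
    """Rules that stop being enforced if an AP of this kind is added."""
    if new_ap_is_wifi6 or nbar_blockers(net):
        return []  # nothing changes, or NBAR is already unavailable
    return [r for r in net["rules"] if r["nbar"]]

if __name__ == "__main__":
    print("blockers:", nbar_blockers(NETWORK))
    for rule in rules_at_risk(NETWORK, new_ap_is_wifi6=False):
        print("would be removed:", rule["kind"], rule["match"])
```

Reviewing the `rules_at_risk` output before step 1 of the procedure shows which block and prioritization rules need a non-NBAR replacement while the mixed-generation network is in place.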
