Friday, September 1, 2017

Implementing Application Visibility and Control with NetFlow and NBAR2

 September 2017 · Reading time: 9 minutes

As enterprise networks grow more complex and the volume of traffic increases, traditional monitoring methods are no longer sufficient. By 2017, the rise of cloud applications, BYOD, and increased bandwidth requirements pushed IT teams to seek better visibility and control of their network traffic. Enter NetFlow and NBAR2 — powerful tools that work in tandem to enable advanced traffic analysis, classification, and policy enforcement.

What is NetFlow?

NetFlow, developed by Cisco, is a network protocol that collects IP traffic information as it enters or exits an interface. It provides valuable metadata about traffic flows, including source and destination IPs, ports, protocol types, and volume. This data allows network engineers to build a comprehensive picture of how bandwidth is being consumed, detect anomalies, and support security investigations.

The Evolution to Flexible NetFlow

Originally limited in its template and use cases, NetFlow evolved into Flexible NetFlow (FNF), which gives engineers the ability to customize flow records. This flexibility makes it easier to adapt flow collection to suit specific enterprise needs, such as capturing IPv6 traffic, multicast flows, or application-specific metadata. By 2017, most enterprise routers and switches supported FNF, and vendors integrated collection into NMS tools.

Understanding NBAR2

NBAR2 (Next Generation Network-Based Application Recognition) is Cisco’s deep packet inspection engine. It can identify and classify over a thousand applications by analyzing Layer 7 traffic patterns. When paired with NetFlow, NBAR2 enriches flow records with application-level identifiers, allowing for more granular visibility.

Why Combine NetFlow and NBAR2?

NetFlow alone is excellent for traffic profiling, but it lacks application context. NBAR2 fills this gap. With both technologies enabled on network devices, flow exports include not only IP and port metadata, but also application names, media types, and protocol hierarchies. This makes troubleshooting, QoS planning, and capacity management far more effective.

Real-World Deployment Considerations

  • Performance impact: While modern devices handle NetFlow and NBAR2 efficiently, enabling these features on older platforms may strain CPU resources.
  • Storage: Flow data volume can be significant. Plan your flow collector’s capacity accordingly, especially if long-term retention is required.
  • Granularity: Avoid over-collection by tailoring templates to business needs. Not every packet requires deep inspection.

Popular Use Cases in 2017

Organizations used NetFlow + NBAR2 for:

  • Detecting shadow IT and unauthorized apps.
  • Enforcing business policy by prioritizing critical apps like VoIP or SAP.
  • Capacity planning and WAN link optimization.
  • Incident response and forensic investigations.

Integrating with Network Management Systems

Most flow collectors and NMS platforms integrated NetFlow analysis by 2017. Vendors like SolarWinds, Plixer, and Scrutinizer supported NBAR2-enhanced flows, offering dashboards with application breakdowns, geographic maps, and performance alerts.

Limitations and Challenges

NBAR2 cannot decrypt encrypted traffic. As HTTPS adoption grew, visibility into application behavior shrank unless supplemented by SSL inspection or endpoint telemetry. Additionally, maintaining updated protocol packs was essential to avoid misclassification.

Best Practices for Implementation

  • Use Flexible NetFlow templates to capture only necessary fields.
  • Update NBAR2 protocol packs regularly.
  • Test performance impact on lab gear before full rollout.
  • Integrate alerts from flow analysis into your SIEM or SOC tools.
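
The shadow-IT use case and the SIEM integration practice above, as an added Python example (not code from the original post or from Cisco): it splits the application ID carried in an NBAR2-enriched flow record into classification engine and selector, resolves the name through an application table, and emits JSON alerts for applications outside an allowlist. The table contents, allowlist, byte threshold, sample flows and engine-13 selector values are assumptions made for illustration; the engine IDs 3 and 13 follow RFC 6759.

```python
import json
from collections import defaultdict

# Constructed stand-in for the exporter's application-table option data.
# Engine 3 = IANA-L4 (selector is the port), 13 = PANA-L7 (RFC 6759).
# The engine-13 selectors and "file-sync-x" are sample values, not real NBAR2 IDs.
APP_TABLE = {(3, 5060): "sip", (13, 9001): "sap", (13, 9002): "file-sync-x"}
APPROVED = {"sip", "sap"}  # hypothetical business allowlist

# Constructed flows: (source IP, raw application ID field, byte count).
FLOWS = [
    ("10.1.1.20", bytes([13, 0x00, 0x23, 0x29]), 48_000),
    ("10.1.1.31", bytes([13, 0x00, 0x23, 0x2A]), 7_000),
    ("10.1.1.31", bytes([13, 0x00, 0x23, 0x2A]), 6_500),
    ("10.1.1.40", bytes([3, 0x00, 0x13, 0xC4]), 2_200),
    ("10.1.1.52", bytes([13, 0x00, 0x27, 0x0F]), 25_000),
    ("10.1.1.60", bytes([13, 0x00, 0x23, 0x2A]), 900),
]

def decode_app_id(raw):
    """Split an application ID into (classification engine ID, selector ID)."""
    if len(raw) < 2:
        raise ValueError("application ID needs an engine byte and a selector")
    return raw[0], int.from_bytes(raw[1:], "big")

def app_name(raw):
    engine, selector = decode_app_id(raw)
    # An ID missing from the table is kept visible rather than dropped: it
    # may indicate an outdated protocol pack or a stale application table.
    return APP_TABLE.get((engine, selector), f"unknown:{engine}:{selector}")

def unapproved_usage(flows, approved, min_bytes=10_000):
    """Sum bytes per (source, application) for applications outside the allowlist."""
    totals = defaultdict(int)
    for src, raw, nbytes in flows:
        name = app_name(raw)
        if name not in approved:
            totals[(src, name)] += nbytes
    return [
        {"rule": "unapproved-application", "src": src, "application": app, "bytes": total}
        for (src, app), total in sorted(totals.items())
        if total >= min_bytes
    ]

def siem_lines(alerts):
    """Serialize alerts as one JSON object per line for SIEM ingestion."""
    return [json.dumps(alert, sort_keys=True) for alert in alerts]

if __name__ == "__main__":
    print("\n".join(siem_lines(unapproved_usage(FLOWS, APPROVED))))
```

Unresolved IDs are reported alongside known unapproved applications, so a classification gap shows up as an alert instead of silently passing the allowlist.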

Conclusion

By combining NetFlow and NBAR2, enterprises in 2017 achieved meaningful improvements in application visibility, control, and network efficiency. While encryption and newer protocols posed challenges, these tools laid the groundwork for more intelligent networking and security operations in modern environments.



Eduardo Wnorowski is a network infrastructure consultant and Director.
With over 22 years of experience in IT and consulting, he helps organizations maintain stable and secure environments through proactive auditing, optimization, and strategic guidance.