Export flows, group traffic, map application traffic and more: NetFlow Analyzer Training
Download as PPTX, PDF0 likes312 views
The document provides an overview and agenda for a training on NetFlow Analyzer. It discusses initial setup steps including exporting flows from devices, viewing real-time traffic graphs, and configuring alerts. Common challenges are also addressed, such as mapping unknown applications or setting interface speed. Upcoming training will cover additional topics like alarms, customizing data storage, and traffic troubleshooting.
![My interface utilization says it's above 100 percent. How do I set the correct
value?
Solution: Three possibilities
1. The speed is incorrect.
2. [OR] time sync problem.
3. [OR] GRE/ESP tunneling through
the device is double counted
• Set the proper IN and OUT speed in
bytes. Go to Inventory > Select
Interfaces > Set Speed.
• Make sure the device time and NFA
time is in sync
• Check flow filters](https://image.slidesharecdn.com/netflowanalyzertraining20183agettingtheinitialsettingright-180314141113/85/Export-flows-group-traffic-map-application-traffic-and-more-NetFlow-Analyzer-Training-25-320.jpg)
Export flows, group traffic, map application traffic and more: NetFlow Analyzer Training
- 1. Free training on NetFlow Analyzer - Part I Getting the initial settings right
- 3. Agenda • Exporting flows • Traffic grouping • Application mapping • Threshold based alerting • In-depth traffic visibility • Knowledge base and best practices
- 4. Demo on NetFlow Analyzer 123083
- 5. Minimum system requirements 2.4 GHz quad-core processor, or equivalent 4GB RAM 50GB storage Windows/LinuxPostgreSQL/MSSQL These specifications only apply when raw data is turned off and the flow rate is below 3,000 flows/sec. Requirements will vary with different settings.
- 6. Initial setup Set up flow export Viewing & customizing real-time traffic graphs Configuring alerts Step1 Step 2 Step 3
- 7. Step 1: Configuring flow export from interfaces NetFlow sFlow J-Flow IP FIX NetStream AppFlow
- 8. Devices supported by NetFlow Analyzer https://www.manageengine.com/products/netflow/supported-devices.html
- 9. Where and how do you send flows? Ways of exporting flows to NetFlow Analyzer: i. Manual configuration ii. Using Network Configuration Manager Ports to be considered: • Server port: NetFlow Analyzer's web server port • Listener port: Port on which NetFlow Analyzer receives flows • Both ports are configurable
- 10. Using Network Configuration Manager Benefits of using Network Configuration Manager: • No need to write commands • Predefined configlets • Export flows from multiple interfaces in bulk • Backup and restore configurations for devices • Create new configlets Apply credentials Select interfaces Export flow Add devices
- 11. Creating/modifying a configlet • In Network Configuration Manager, go to Settings > Configlets. Add a new configlet by creating a custom template. • Select devices and enter flow configuration commands. • Execute the new configlet.
- 12. Common challenges faced after exporting flows
- 13. #1. NetFlow Analyzer shows "No Data Available" in graphs, even after I've configured flows. Solution: Two possibilities 1. The device is not configured correctly for exporting flows. 2. A firewall or access list is blocking the UDP port. • Check if flows are received with the help of Wireshark. • Yes- Check for windows firewall/IP tables for any restrictions and template timeout to 60 seconds. • No- Correct the configuration by setting the active timeout to 60 seconds.
- 14. #2. I've added five interfaces. Why is one of my interfaces, "Interface Gi0/1," not listed in NetFlow Analyzer? Solution: The particular interface isn't configured for exporting flows. • Interface is not configured correctly. • Check for correct interface along with its export configurations.
- 15. Step 2: Visibility into real-time traffic details Inventory Flow analysis Config management IP SLA Packet analysis Traffic overview Real-time traffic graphs
- 16. Inventory: Flow Analysis Traffic overview Device Device groups Lay 4 & 7 applications DSCP-based QoS Wireless LAN controllers Interface IP / interface group Attacks
- 17. Know the who, when and what of your network traffic. - Applications - Protocols - QoS - Source - Destination - Conversation Gain detailed visibility into traffic usage by
- 18. Visibility into Layer 7 application traffic • Gain visibility into NBAR2 applications with Cisco AVC monitoring (Application Visibility and Control). • Advanced NBAR is used to identify web traffic, URL’s, file sharing and random port application. • View NBAR2 application, URL hit count (HTTP host report), QoS class hierarchy and application response time monitoring reports(ART monitoring).
- 19. Understand traffic for current QoS policies Check the traffic usage by each DSCP value for policy effectiveness.
- 20. Manage traffic usage by WLAN controllers • Monitor Cisco WLAN controllers and Meraki devices. • Find the top traffic usage by access points, SSIDs, applications, clients etc. • Troubleshoot a bandwidth spikes by identifying consumption by SSIDs, finding its top clients and complete conversation details for the selected time period.
- 21. Snapshot summary Device traffic details: • Traffic speed • Associated interfaces by speed, volume and utilization • Top applications and protocols • Top QoS • Top Source, destination and conversation • AS traffic Group traffic details: • Traffic by speed, volume, utilization and packets • Associated applications and protocols • DSCP QoS traffic • Source, destination and conversation Application traffic details: • Traffic usage by volume • Associated interfaces QoS traffic details: • Traffic usage by volume • Associated interfaces WLC traffic details: • Controller traffic by speed, volume and packets • Associated access points • Application traffic • DSCP QoS traffic • Conversation details with Client IPs and SSIDs Interface traffic details: • Traffic by speed, volume, utilization and packets • Top applications and protocols • Top Source, destination and conversation by geo-location, network and DNS name • Top QoS traffic by DSCP and TOS • SNMP/FNF NBAR, CBQoS • Multicast report • Medianet by volume, RTT, packet loss • AVC
- 22. • Identify junk/unusual traffic that disrupts your critical services. • Using advanced mining algorithm, ASAM detects internal and external security threats. • ASAM classifies traffic as suspect flows, bad source and destination, DDoS, and scans/probes. Detect attacks with flow-based advanced security analytics module
- 23. Tips to enhance visibility into your traffic
- 24. My interfaces are named "IfIndex1" and "IfIndex2." How can I view the actual name of devices and interfaces? Solution: Three options • Fetch name from router with SNMP 1. Create SNMP credential v1/v2/v2 from discovery 2. Associate SNMP credentials 3. Edit device • Fetch the DNS name. • Enter your own name.
- 25. My interface utilization says it's above 100 percent. How do I set the correct value? Solution: Three possibilities 1. The speed is incorrect. 2. [OR] time sync problem. 3. [OR] GRE/ESP tunneling through the device is double counted • Set the proper IN and OUT speed in bytes. Go to Inventory > Select Interfaces > Set Speed. • Make sure the device time and NFA time is in sync • Check flow filters
- 26. Most of the applications are listed as "_App". How do I map those applications and also add my own applications? Solution: Application mapping for _App • Interface >Application > _App > Show port. • Map application and define IP address/ IP network/ IP range. Application mapping for own apps • Settings> netflow> mapping > add
- 27. Is there a way to view cumulative traffic? Branches VLANRelated appsNetwork subnet Department Traffic grouping
- 28. Sort traffic usage by groups Types of groups Device Interface IP Application DSCP Benefits of creating groups: • Monitor combined bandwidth usage to get better picture of traffic consumption. • Provide access to operators based on groups. • Provide better visibility to improve troubleshooting.
- 30. How do I check traffic usage by different branches? Solution Create a device grouping for different branches. • Combine devices under a branch to create groups. • Generate group reports.
- 31. How do I monitor combined traffic for VLAN? Solution An un-routed VLAN will not send traffic like an interface, but NetFlow Analyzer will discover its associated interfaces. • Create an Interface Group that includes all of the VLAN's interfaces to monitor the cumulative traffic. • Other option: failover, load balancing, port channeling, and aggregation.
- 32. How do I manage each of my customers' traffic ? Solution Create IP groups for each customer. • Combine IPs to create groups. • Generate group reports. • Group based on IP range, network, monitoring between sites. • Other option: between sites and department
- 33. How do I view business critical traffic and see how much bandwidth is used? Solution Create application groups. • Combine apps to create a group. • Find total utilization for each group. • Pull combined traffic reports.
- 34. Simplified and customizable Inventory Edit configurationCustom filters/sort Custom views Quick search
- 35. Filter up to the last 30 days Create device group Create device/interface/app group Inventory search Set speed Set SNMP Zoom in graphs Generate instant reports New in v12 Unmanage/delete device Add to Network Configuration Manager Table/list/status viewConfigure NBAR & CBQoS Service policy & ACL Clear alarm/add note Various device-specific custom options New in v12
- 36. Step 3: Alerting Link down Link overutilized Threshold violation Link slow
- 37. Alert Profiles Preconfigured alerts: • Link down • No flow Threshold based alerts • IP range, IP address or IP network • Based on port/protocol range • Based on application • Based on DSCP
- 38. I want to get alerted when the interface is over utilized in a WAN link? Solution • Set a threshold alert for overutilized links. • Provide a threshold value. • Set up email/SMS notifications.
- 39. Thresholds based on multiple conditions Select source Select criteria Define threshold Save alert profile Alerts specific to below violation: • Utilization • Volume • Speed • Packets Alert severity levels: • Critical • Trouble • Attention
- 40. How do I set up notifications? Types of notifications: • Email • SMS • Trigger SNMP trap • Modify an alarm's description. • Get reports via email. New in v12 Step 1: Configure mail server settings. Step 2: Set threshold. Step 3: Provide an email address or phone number. Step 4: Save alert.
- 41. Summary Set up flow export #1. Data not available #2. Interfaces not listed Viewing & customizing bandwidth graphs #1. Fetch device/interface name #2. Utilization above 100% #3. Map unknown applications #4. Show DNS name #5. Categorize traffic groups #6. Customize time filter Configuring alerts #1. Set interface overutilized alert #2. Link down Step1 Step 2 Step 3
- 42. Upcoming training on March 20th Part II: Diagnosing and troubleshooting traffic issues faster • Alarms • Customizing data storage • Troubleshooting with forensics • Reporting and automation • Capacity planning • Traffic shaping • Customizing dashboards • Usage-based billing
- 43. Need more help? youtube.com/netflowanalyzertechvideos help.netflowanalyzer.com forums.manageengine.com/netflowanalyzer netflowanalyzer-support@manageengine.com +1 (888) 720-9500 / +1 (408) 916 - 9400