1. ManageEngine NetFlow Analyzer
Comprehensive tool for bandwidth monitoring, traffic analytics, and network anomaly detection.
2. NetFlow Analyzer: Introduction
A single solution for bandwidth monitoring, traffic analysis, and network anomaly detection, built on the following technologies:
• NetFlow, sFlow, IPFIX, J-Flow, NetStream, and AppFlow: for bandwidth and traffic analytics
• Cisco NBAR 2
• Cisco CBQoS
• Cisco Medianet monitoring
• Cisco Application Visibility and Control (AVC)
• Monitoring on Cisco WLC
• DPI
4. Abstract
• NetFlow is a technology developed by Cisco.
• Used by end-user applications such as NetFlow Analyzer.
• NetFlow operates at the third layer of the OSI model, the Network layer.
• Devices: routers, switches, and firewalls.
• Exported using the User Datagram Protocol (UDP).
5. A flow is defined as a unidirectional stream of packets between a source and a destination.
Key fields:
• Source IP
• Destination IP
• Source port
• Destination port
• Protocol
• ToS byte
• ifIndex
6. A series of flows forms a single datagram
Flows are collected in the NetFlow cache; after a certain time they are packed into a UDP datagram and sent to the collector.
Important stats:
• Each flow is ~150 bytes.
• Each UDP datagram can carry 30 flows.
• So in total 30 * 150 bytes = 4500 bytes per UDP datagram.
*Stats prepared with respect to the v5 format.
8. Router Configuration
1. Set the destination address (the server where NFA is installed)
2. Set the port for NetFlow export
3. Set the version of NetFlow export
4. Set the time interval to export flows
5. Set the source interface for NetFlow export
6. Enable NetFlow on every interface that should be accounted for (all interfaces), in one or both directions:
• Ingress
• Egress
For configuration:
http://www.manageengine.com/products/netflow/help/cisco-netflow/cisco-ios-netflow.html
9. Sample configuration for Cisco
router#configure terminal
router(config)#ip flow-export destination 192.168.9.101 9996
router(config)#ip flow-export source FastEthernet 0/1
router(config)#ip flow-export version 5
router(config)#ip flow-cache timeout active 1
router(config)#ip flow-cache timeout inactive 15
router(config)#snmp-server ifindex persist
*router(config)#interface FastEthernet 0/1
*router(config-if)#ip flow ingress
*router(config-if)#exit
*Repeat these commands to enable NetFlow on each interface.
10. Ingress vs Egress
Enabling ingress on an interface sends that interface's "IN" data to the collector. Similarly, egress sends its "OUT" data.
Advantage of using the ingress and egress commands:
Instead of collecting both IN and OUT data on the same interface, collect only IN data (or only OUT data) on every interface present and send it to the collector; the correct stats can still be derived.
The calculation: ifindex1's IN gives you two things, the IN of ifindex1 and the OUT of ifindex2. Similarly, ifindex2's IN is the IN of ifindex2 and the OUT of ifindex1.
11. Ingress and Egress in Detail
[Diagram: router R with two interfaces, ifindex 1 and ifindex 2, each labelled with its IN and OUT direction]
Consider a router with two interfaces, with ingress enabled on both interfaces:
OUT of ifindex 1 = IN of ifindex 2
OUT of ifindex 2 = IN of ifindex 1
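Added example (not part of the slides or of ManageEngine's product code): a small NetFlow v5 parser in Python that extracts the key fields from slide 5 and then applies the ingress-only accounting rule of slides 10 and 11, deriving each interface's OUT bytes from the IN records of the other interface. It assumes the standard NetFlow v5 wire layout (24-byte header followed by up to 30 48-byte records) and feeds itself a constructed two-flow datagram; the 1500/6000 byte counts and addresses are made up.

```python
import struct
from collections import defaultdict

# Standard NetFlow v5 layout (assumption stated in the lead-in, not taken from the slides):
# 24-byte header, then up to 30 records of 48 bytes each.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(datagram):
    """Return (header dict, list of record dicts) carrying the slide's key fields."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    ver, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(datagram)
    if ver != 5:
        raise ValueError("not a NetFlow v5 datagram: version %d" % ver)
    if count > 30 or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count %d does not match datagram length" % count)
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src_ip": ".".join(map(str, f[0])), "dst_ip": ".".join(map(str, f[1])),
            "in_if": f[3], "out_if": f[4], "packets": f[5], "bytes": f[6],
            "src_port": f[9], "dst_port": f[10], "protocol": f[13], "tos": f[14],
        })
    return {"version": ver, "count": count, "flow_sequence": seq}, records

def interface_stats(records):
    """Ingress-only accounting from slides 10-11: a flow that enters on in_if is IN
    traffic for in_if and OUT traffic for out_if, so ingress on every interface
    yields both directions without exporting egress."""
    stats = defaultdict(lambda: {"in": 0, "out": 0})
    for r in records:
        stats[r["in_if"]]["in"] += r["bytes"]
        stats[r["out_if"]]["out"] += r["bytes"]
    return dict(stats)

def make_record(src, dst, in_if, out_if, pkts, nbytes, sport, dport, proto, tos=0):
    """Build one v5 record (constructed test data, not captured traffic)."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return V5_RECORD.pack(ip(src), ip(dst), ip("0.0.0.0"), in_if, out_if, pkts, nbytes,
                          0, 0, sport, dport, 0, 0, proto, tos, 0, 0, 24, 24, 0)

def sample_datagram():
    """Constructed datagram: one HTTP request and its reply crossing ifindex 1 and 2."""
    recs = [make_record("10.0.0.5", "192.0.2.10", 1, 2, 10, 1500, 51000, 80, 6),
            make_record("192.0.2.10", "10.0.0.5", 2, 1, 8, 6000, 80, 51000, 6)]
    header = V5_HEADER.pack(5, len(recs), 0, 0, 0, 0, 0, 0, 0)
    return header + b"".join(recs)
```

Running interface_stats over the parsed sample gives ifindex 1 IN 1500 / OUT 6000 and ifindex 2 IN 6000 / OUT 1500, which is exactly the OUT-of-1 = IN-of-2 relation on the slide.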
12. Device vs Server
Device side:
• NetFlow cache
• NetFlow exporter
Server side:
• NetFlow collector
• Server with NetFlow Analyzer installed
NetFlow Analyzer has a built-in collector, so no separate collector appliance is needed.
14. NetFlow Analyzer – Working Architecture
[Architecture diagram: devices with Flexible NetFlow, NBAR, QoS, and IPSLA enabled, and Cisco WAAS with WAAS CM 4.1 or higher, feeding the NFA Web GUI over four paths: UDP NetFlow for traffic, NBAR, and Medianet reports; SNMP to collect QoS, NBAR, and IPSLA stats; Web Service Management Agent (WSMA) for Cisco Mediatrace; API for Cisco WAAS stats]
• QoS, NBAR, IPSLA, Medianet, and Mediatrace are available only for Cisco devices
• Non-Cisco devices export flows including sFlow, IPFIX, and more for bandwidth and traffic reports
15. Data Storage
• Raw data: stores the entire information about the traffic.
• Aggregated data: stores only the top 100 entries.
19. SNMP version 1, version 2, and version 3.
SNMP is used to get the device name, interface name, and interface speed value.
The interface speed value is used to generate the Utilization Report.
Update SNMP
22. Threshold violation alerts
Alerts for lower and higher threshold violations.
Alerts on interface, IP group, and interface group.
Alerts based on application, port, IP, and DSCP.
Prioritized alerts based on severity.
SNMP traps to any NMS and email alerts.
23. Reports in NetFlow Analyzer
The following report formats are included by default in NetFlow Analyzer:
1. Forensic report
2. Consolidated report
3. Search report
4. Compare report
5. Capacity planning report
24. Forensic report
Forensic reports are detailed reports generated solely from the raw data collected for any selected time period.
29. Usage-based billing
Volume- and speed-based billing.
Alerts and automatically emailed reports on usage or bill plan.
Charge back customers, departments, or projects for bandwidth usage.
On-demand utilization report for a bill plan.
30. Schedule reports
Schedule all reports available in NetFlow Analyzer.
Schedule daily, weekly, and monthly reports.
Separate schedules for interface, IP group, and interface group.
Automatic emailing of all reports based on user-defined schedules.
31. Attacks
Leverages flow data.
Real-time pattern matching.
Identifies suspicious traffic, scans, bad source and destination, and DoS attacks.
Alerts based on each problem algorithm.
32. Application visibility and control (NBAR 2)
Application visibility and control is the combination of multiple technologies
found on Cisco devices.
Cisco AVC is capable of:
1. Providing better application visibility
2. Validating QoS policies
3. Providing HTTP URL traffic information
4. Providing application response time (ART) reports
39. NetFlow Analyzer editions
Essential edition
Single installation product
Handle 1,000 interfaces
Scale up to 50,000 flows per second
Distributed edition
Distributed architecture with Central and Collector
Handle 1,000 interfaces per Collector
Scale up to 50,000 flows per second
Comes with all add-ons bundled except High Performance.