Change the Way You Analyze Flow Data


- What is Flow Based Monitoring?
- Flow Based Monitoring – Working & Applications
- SolarWinds NetFlow Traffic Analyzer (NTA) - Overview
- What’s new in SolarWinds NetFlow Traffic Analyzer (NTA) 4.0?
- Applications of NTA 4.0
- Data on the Rise
- Flow Storage – Technology
- NTA 4.0 Flow Storage Management Scenarios
- Installation Guidelines for NTA 4.0
- Summary

Published in: Technology, Business


Transcript

  • 1. Change the Way You Analyze Flow Data © 2013, SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
  • 2. Agenda
      • What is Flow Based Monitoring?
      • Flow Based Monitoring – Working & Applications
      • SolarWinds NetFlow Traffic Analyzer (NTA) - Overview
      • What’s new in SolarWinds NetFlow Traffic Analyzer (NTA) 4.0?
      • Applications of NTA 4.0
      • Data on the Rise
      • Flow Storage – Technology
      • NTA 4.0 Flow Storage Management Scenarios
      • Installation Guidelines for NTA 4.0
      • Summary
  • 3. What is Flow Based Monitoring?
      » Flow - Unidirectional sequence of packets organized as a set of fields called a flow record
      » Each Flow record helps identify the WHO, WHAT, WHEN and WHERE of network traffic
      » When flow export is enabled on a device, relevant header information about the traffic passing through its interfaces is captured for reporting
      » Important traffic information captured in a flow record includes source and destination IP address, source and destination port, protocol, interfaces, ToS entries, etc.
      » While Cisco® NetFlow is the most famous, non-Cisco network hardware vendors support flow formats such as sFlow®, IPFIX, Juniper® JFlow, Huawei Netstream™, Citrix® AppFlow, etc.
  • 4. How Does Flow Monitoring Work?
      » Flows are captured differently for each type of flow technology. Once flow export is enabled on the device, and as traffic passes through a specific router or switch interface:
          - NetFlow - IP header information of traffic packets is captured, stored in a cache, and exported based on active and inactive timeout values.
          - sFlow - Based on the sampling rate, one out of ‘N’ packets is captured and exported through a flow analysis tool for traffic reporting.
      » These Flows are exported from the device interface (Flow Exporter) to a centralized Flow Collector (Analyzer) that processes the data and generates reports.
  • 5. How Does Flow Monitoring Work?
      [Diagram. Labels: Internet, MPLS Link, Router (NetFlow Enabled), Switch (sFlow Enabled), Flow Exporter, interfaces Se0/1, Fa0/1, Gi0/1 and Gi0/2, LAN, Lab, NetFlow Packets, sFlow Packets, Flow Collector with Storage, Flow Analyzer UX]
  • 6. Applications of Flow Based Monitoring
      Flow based monitoring helps you see how traffic flows in your network. By analyzing flows you can:
      » Investigate cases of very high bandwidth usage – Which user or application is using up bandwidth?
      » Detect and diagnose network problems - Be notified of outages
      » Manage traffic congestion in real time
      » Understand application usage - Monitor and detect changes in usage
      » Perform audit trail analysis - Identify unauthorized network activity & trace sources of DoS attacks
      » Do trending and capacity planning
  • 7. SolarWinds NetFlow Analyzer (NTA) - Overview
      SolarWinds NetFlow Traffic Analyzer (NTA) captures flow data and converts it into easy-to-interpret charts and tables that describe exactly how your network bandwidth is being used. With NTA you can:
      » Monitor network bandwidth & traffic patterns down to the interface level
      » Highlight ‘Top talkers’ in the network - Identify users, applications and protocols that consume the most bandwidth
      » Store & display by-the-minute flow data for long retention periods (limited only by disc storage capacity)
      » Analyze Cisco® NetFlow, Juniper® J-Flow, IPFIX, sFlow®, Huawei NetStream™ & other flow data
  • 8. SolarWinds NetFlow Traffic Analyzer (NTA) 4.0
  • 9. What’s New in NTA 4.0?
      » Offers long term storage of 1 minute granular data. You can now look at traffic data over days or months.
      » All conversations can be stored for as long as needed, limited only by server hardware & storage capacity
      » Ability to handle over 50,000 flows per second
      » Better load time on Orion/NTA resources/reports
      » Flexible deployment options that are easy to scale
  • 10. Why NTA 4.0?
      » By-the-minute granular data – Investigate root causes of spikes and micro bursts in the network
      » Process 50K+ sustained flows per second – Handle more data and IP conversations for high speed networks
      » View all IP conversations – Easily detect low bandwidth traffic generated by botnet communication and propagation, DNS storms, etc.
  • 11. Why NTA 4.0? (Cont.)
      » History of events - Drill down options into each IP Conversation
      » Bandwidth capacity planning & budgeting - Pull out traffic data as required and make informed decisions
      » LAN Traffic Visibility - Detect network anomalies, IP conversation issues and application behavior problems using 1 minute granular IP conversation data
  • 12. Data on the Rise
      » Multiple monitoring points in the network leading to exponential growth in flow data
      » High speed networks contributing to more IP conversations and eventually more flow data
      » By-the-minute flow data retained for long periods requiring more disc space
      » Flow accumulation leading to increased database query time
  • 13. Flow Storage - Technology
  • 14. Flow Storage in NetFlow 3.10
      » Flow data is stored in relational databases like Microsoft SQL
      » As flow data size increases, query and retrieval time increases
      » Relational databases use B-trees to query data (more suitable for databases that undergo real-time changes)
      » Flow data is 0 cardinality data, i.e. once captured the data does not change
  • 15. Flow Storage in NetFlow 4.0
      » NTA 4.0 uses an open source database called FastBit to query data
      » FastBit implements a set of alternative indexes called compressed bitmap indexes that provide efficient searching and retrieval operations
      » No locking on the data aids faster reading of data
      » Performance enhancements in the polling engine increase processing speed and capacity
  • 16. Flow Storage Structure
      [Diagram comparing storage before and after NetFlow 4.0. Box labels: NetFlow Data, SW NTA + Other Orion Modules, Additional Storage]
      » Before NetFlow 4.0: Database currently shared by flow data and the NTA/Orion Modules; additional storage if required
      » After NetFlow 4.0: Move flow data out, add more storage for better performance and more storage space
  • 17. NTA 4.0 Flow Storage Management Scenarios
  • 18. 1. Single Server (Evaluation)
      In small networks, the main poller, SQL database, Web application & Flow Storage reside on a single server. Database & Server resources are shared.
      Performance Advantage:
      » Flow storage can still be moved out separately from the Orion server to gain efficient use of CPU.
      » Performance benefits come from the technology of the data, not the physical machine it's on.
  • 19. 2. Stand-alone Server (Embedded Flow Storage)
      The Main Poller and Flow Storage reside on the same server while the SQL server runs separately. Flow Storage logically exists separately.
      Performance Advantage:
      » Flow Storage exists on the same machine as the main poller, and can be removed as and when required without adding more systems.
  • 20. 3. Independent Flow Storage (Recommended)
      Flow storage and SQL server reside separately on two servers. Flow Storage physically exists separately.
      Performance Advantage:
      » Flow storage now physically separated from SQL server
      » Performance boost for Orion Server
      » Flexibility to scale all three components of NTA individually to gain better performance and more storage.
  • 21. Installation Guidelines for NTA 4.0
  • 22. System Requirements for NTA 4.0
      » Additional disc storage for database: Depending on flow data to be stored
      » 64 bit OS: Most customers already use Server 2008 or above. (NTA 4.0 works on 32 bit OS, without the advantages of the new features)
      » To be installed on a volume that is NTFS formatted: Enables use on local or network storage like NAS, SAN.
  • 23. Simple Installation
      » Option 1: Install both NTA 4.0 & Flow Storage on the same machine
      » Option 2: Install NTA 4.0 only
      » Follow installation wizard. No change in UI
  • 24. Recommended Upgrade Sequence
      Ensure a smooth upgrade to NTA 4.0 in your typical multi-poller environment with the following upgrade sequence:
      Step 1: Install NTA 4.0 on the new Flow Storage Server
      Step 2: Upgrade NTA 4.0 on the Main Poller
      Step 3: And finally, install on the additional Pollers
      [Diagram: Upgrade to NTA 4.0 with remote Flow Storage. Labels: Flow Storage Server, Main Poller, Additional Pollers, SQL Server, numbered 1 to 3]
  • 25. Start Collecting Network Traffic Flow Data
      » Once set up, NTA immediately starts ingesting flow data into the storage engine.
      » Simultaneously, using available system resources, NTA migrates old flow data from the SQL database.
      » Migration does not interfere with or interrupt current flow monitoring operations
      » No manual intervention required to migrate data!
  • 26. Summary
      » Zero cost upgrade! If you are a customer under active maintenance, the upgrade is absolutely FREE!
      » Avail scalability and performance benefits
      » Don’t worry about migrating old flow data
      » Retain flow data for 6+ months
      » No separate investment on SQL licenses, or SQL DBA
      » NTA 4.0 FAQs
      » SolarWinds NTA 4.0 is now available for evaluation
  • 27. Thank you!
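
The cache-and-timeout export that slide 4 describes for NetFlow, next to the 1-in-N sampling it describes for sFlow, as an added Python example (not from the SolarWinds deck and not how NTA or any exporter is implemented). The timeout values, packet list and function names are constructed for illustration, and the sampler takes every N-th packet for reproducibility where real sFlow agents sample at random.

```python
# Constructed sample packets: (time_s, src_ip, dst_ip, src_port, dst_port, proto, bytes)
A = ("10.0.0.5", "192.0.2.10", 51000, 443, 6)    # long-lived TCP session
B = ("10.0.0.9", "198.51.100.7", 40000, 53, 17)  # two small UDP packets, 40 s apart
PACKETS = sorted([(t, *A, 1000) for t in range(0, 80, 10)] + [(5, *B, 80), (45, *B, 80)])

ACTIVE_TIMEOUT = 60    # assumed value, seconds
INACTIVE_TIMEOUT = 15  # assumed value, seconds


def netflow_export(packets, active=ACTIVE_TIMEOUT, inactive=INACTIVE_TIMEOUT):
    """Cache packets per flow key; export a record when a timeout expires."""
    cache, exported = {}, []

    def flush(key, reason):
        entry = cache.pop(key)
        exported.append({"key": key, "reason": reason, **entry})

    for ts, *key, size in packets:
        key = tuple(key)
        # Expire cache entries before accounting for the new packet.
        for k, e in list(cache.items()):
            if ts - e["last"] >= inactive:
                flush(k, "inactive")      # flow went quiet
            elif ts - e["first"] >= active:
                flush(k, "active")        # long-lived flow, report progress
        e = cache.setdefault(key, {"first": ts, "last": ts, "packets": 0, "bytes": 0})
        e["last"] = ts
        e["packets"] += 1
        e["bytes"] += size
    for k in list(cache):
        flush(k, "end_of_capture")
    return exported


def sflow_estimate(packets, n):
    """Keep every n-th packet and scale byte counts by n.

    Simplification: real sFlow agents sample randomly at a mean rate of 1 in n.
    """
    totals = {}
    for _ts, *key, size in packets[n - 1::n]:
        totals[tuple(key)] = totals.get(tuple(key), 0) + size * n
    return totals


if __name__ == "__main__":
    for record in netflow_export(PACKETS):
        print(record)
    print(sflow_estimate(PACKETS, 4))
```

In this sample, 1-in-4 sampling never sees the two small UDP packets, while the flow cache reports them as two separate inactive-timeout records.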