Comprehensive tool for bandwidth monitoring, traffic analytics,
and network anomaly detection.
ManageEngine NetFlow Analyzer
NetFlow Analyzer: Introduction
A single solution for bandwidth monitoring, traffic analysis, and network anomaly
detection with the following technologies.
NetFlow, sFlow, IPFIX, J-Flow, NetStream, and Appflow: For bandwidth
and traffic analytics
Cisco NBAR 2
Cisco Medianet monitoring
Cisco Application Visibility and Control (AVC)
Monitoring on Cisco WLC
• NetFlow is a technology developed by Cisco.
• Used by end-user applications like NetFlow Analyzer.
• NetFlow deals with the third layer of the OSI model, the Network layer.
• Devices: routers, switches and firewalls.
• Exported using User Datagram Protocol (UDP).
A flow is defined as a unidirectional stream of packets between a source and a destination.
A series of flows forms a single datagram.
These flows are collected in a NetFlow cache; after a certain time they form a UDP datagram, which is sent to the collector.
Important stats:
Each flow is ~150 bytes.
Each UDP datagram can carry 30 flows.
So in total 30 * (150 bytes) = 4500 bytes per UDP datagram.
*stats prepared with respect to the V5 format
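As an added example (not part of the original slides and not NetFlow Analyzer's own code), the Python below parses one NetFlow v5 UDP datagram into flow records using the header and record layout from the Cisco v5 specification (24-byte header, fixed 48-byte records, at most 30 records per datagram). The sample datagram is constructed inline; its addresses, interface numbers and counters are made up. Because exports arrive over plain UDP with no authentication, the parser checks every length the header claims against the bytes actually received before trusting the count field.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Tuple

# NetFlow v5 wire layout (Cisco v5 specification): 24-byte header followed by
# up to 30 fixed 48-byte flow records, all fields big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


@dataclass
class FlowRecord:
    src: str
    dst: str
    input_if: int     # SNMP ifIndex the flow entered on
    output_if: int    # SNMP ifIndex the flow left on (0 = none)
    packets: int
    octets: int
    src_port: int
    dst_port: int
    proto: int        # IP protocol number (6 = TCP, 17 = UDP)
    tcp_flags: int


def parse_v5(datagram: bytes) -> List[FlowRecord]:
    """Parse one NetFlow v5 UDP payload into flow records, validating the
    version and record count against the real payload length first."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, _secs, _nsecs, _seq, _etype, _eid, _sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version={version})")
    if count > V5_MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds v5 maximum {V5_MAX_RECORDS}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"truncated datagram: header claims {count} records")
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, inp, outp, pkts, octs, _first, _last, sport, dport,
         _pad1, flags, proto, _tos, _src_as, _dst_as, _src_mask, _dst_mask,
         _pad2) = V5_RECORD.unpack_from(datagram, off)
        flows.append(FlowRecord(str(ipaddress.IPv4Address(src)),
                                str(ipaddress.IPv4Address(dst)),
                                inp, outp, pkts, octs, sport, dport, proto, flags))
    return flows


def is_well_formed_v5(datagram: bytes) -> bool:
    """True if parse_v5 accepts the datagram, False on any structural error."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def build_v5_datagram(flows: List[Tuple]) -> bytes:
    """Encode (src, dst, in_if, out_if, pkts, octets, sport, dport, proto, flags)
    tuples as a v5 datagram. Used here only to construct sample input."""
    header = V5_HEADER.pack(5, len(flows), 123456, 1_700_000_000, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                       b"\x00" * 4, i, o, p, oc, 0, 0, sp, dp, 0, fl, pr, 0, 0, 0, 0, 0, 0)
        for (s, d, i, o, p, oc, sp, dp, pr, fl) in flows)
    return header + body


# Constructed sample: an HTTPS session seen on a router with ifIndex 1 (LAN)
# and ifIndex 2 (WAN); 198.51.100.20 is a documentation-range address.
SAMPLE_V5_FLOWS = [
    ("10.0.0.5", "198.51.100.20", 1, 2, 40, 52000, 51512, 443, 6, 0x1B),
    ("198.51.100.20", "10.0.0.5", 2, 1, 36, 9000, 443, 51512, 6, 0x1B),
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_V5_FLOWS)

if __name__ == "__main__":
    for f in parse_v5(SAMPLE_DATAGRAM):
        print(f"{f.src}:{f.src_port} -> {f.dst}:{f.dst_port} proto={f.proto} "
              f"in_if={f.input_if} out_if={f.output_if} bytes={f.octets}")
```

In a real collector the payload comes from a UDP socket bound to the export port (9996 in the slide's configuration); the parser is unchanged, only the source of the bytes differs.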
1. Set the destination address (the server where NFA is installed)
2. Set the port for NetFlow export
3. Set the version of NetFlow export
4. Set the time interval to export flows
5. Set the source interface for NetFlow export
6. Specify which interfaces are to be accounted for (enable NetFlow on each of them)
Sample configuration for Cisco
router(config)#ip flow-export destination 192.168.9.101 9996
router(config)#ip flow-export source FastEthernet 0/1
router(config)#ip flow-export version 5
router(config)#ip flow-cache timeout active 1
router(config)#ip flow-cache timeout inactive 15
router(config)#snmp-server ifindex persist
Enabling NetFlow on interfaces (all interfaces)
router(config)#interface FastEthernet 0/1
router(config-if)#ip flow ingress
*repeat these two commands to enable NetFlow on each interface
Ingress vs Egress
Enabling ingress on an interface sends that interface's "IN" data to the collector. Similarly, egress sends the "OUT" data.
Advantage of using the ingress & egress commands:
Instead of collecting both IN and OUT data of the same interface, collect only IN data (or only OUT data) on both interfaces present and send it to the collector to get the correct stats.
Then make a calculation: ifindex1's IN provides two things, the IN of ifindex1 and the OUT of ifindex2. Similarly, ifindex2's IN is the IN of ifindex2 and the OUT of ifindex1.
Ingress and Egress in Detail
Consider a router with two interfaces, with ingress enabled on both interfaces:
OUT of Ifindex1 = IN of Ifindex2
OUT of Ifindex2 = IN of Ifindex1
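The derivation above, worked through in code as an added example (not part of the original slides or of NetFlow Analyzer): each exported record carries the input and output ifIndex, so a collector credits the record's bytes to IN of the input interface and to OUT of the output interface. The flows, interface numbers and byte counts are constructed; the model of which records a router exports under "ip flow ingress" versus "ip flow egress" is the simplification described on the slide.

```python
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

# One flow reduced to the three record fields this calculation needs:
# (input ifIndex, output ifIndex, octets), as carried in a NetFlow v5 record.
Flow = Tuple[int, int, int]


def export_stream(flows: Iterable[Flow], ingress_ifs: Set[int], egress_ifs: Set[int]):
    """Model what the router exports: a record is emitted once for every export
    point the flow passes. 'ip flow ingress' on an interface exports flows
    entering it; 'ip flow egress' exports flows leaving it."""
    for in_if, out_if, octets in flows:
        if in_if in ingress_ifs:
            yield (in_if, out_if, octets)
        if out_if in egress_ifs:
            yield (in_if, out_if, octets)


def per_interface_counters(records: Iterable[Flow]) -> Dict[int, Dict[str, int]]:
    """Derive IN and OUT byte counters per interface from exported records.
    Output ifIndex 0 means the packets terminated on the router or were
    dropped, so there is no OUT interface to credit."""
    counters: Dict[int, Dict[str, int]] = defaultdict(lambda: {"in": 0, "out": 0})
    for in_if, out_if, octets in records:
        counters[in_if]["in"] += octets
        if out_if != 0:
            counters[out_if]["out"] += octets
    return dict(counters)


# Constructed traffic on a two-interface router: ifIndex 1 = LAN, ifIndex 2 = WAN.
ROUTER_FLOWS = [
    (1, 2, 52000),   # LAN host uploads to the Internet
    (2, 1, 9000),    # reply traffic back into the LAN
    (1, 2, 1200),    # a second outbound flow
    (1, 0, 400),     # SNMP poll answered by the router itself: no output interface
]


def ingress_only() -> Dict[int, Dict[str, int]]:
    """The slide's recommendation: ingress on both interfaces, egress on none.
    Every byte is counted once as IN and once as OUT, on the right interfaces."""
    return per_interface_counters(export_stream(ROUTER_FLOWS, {1, 2}, set()))


def ingress_and_egress() -> Dict[int, Dict[str, int]]:
    """Both directions on both interfaces: each forwarded flow is exported twice,
    so a collector that simply sums records doubles every forwarded byte."""
    return per_interface_counters(export_stream(ROUTER_FLOWS, {1, 2}, {1, 2}))


if __name__ == "__main__":
    for label, counters in (("ingress only", ingress_only()),
                            ("ingress + egress", ingress_and_egress())):
        print(label)
        for ifindex in sorted(counters):
            print(f"  ifIndex {ifindex}: IN={counters[ifindex]['in']} "
                  f"OUT={counters[ifindex]['out']}")
```

With ingress on both interfaces, OUT of ifIndex 2 equals IN of ifIndex 1 minus the bytes that terminated on the router, which is exactly the relation the slide states for forwarded traffic.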
Device vs Server
Server with NetFlow Analyzer installed
NetFlow Analyzer has an in-built collector, so no physical collector appliance is needed.
V5 (most common)
V7 (used on Cisco Catalyst switches)
V9 (template based)
V10 (IPFIX)
NetFlow Analyzer – Working Architecture
(Architecture diagram; only its labels survive extraction.)
• NFA Web GUI
• Device with Flexible NetFlow, NBAR, QoS, and IPSLA enabled
• Cisco WAAS with WAAS CM 4.1 or higher
• SNMP to collect QoS, NBAR, and
• Agent (WSMA) for
• UDP NetFlow for Traffic, NBAR, and Medianet reports
• Via API for Cisco
• QoS, NBAR, IPSLA, Medianet,
and Mediatrace available only
for Cisco devices
• Non-Cisco devices export flows
including sFlow, IPFIX, and
more for bandwidth and traffic
• Raw data: storing the entire information about the
• Aggregated data: storing the top 100 information.
SNMP version 1, version 2 and version 3.
SNMP is used to get the device name, interface name and interface speed value.
The interface speed value is used to generate the Utilization Report.
Interface groups (port channel)
Threshold violation alerts
Alerts for lower and higher threshold violations.
Alerts on interface, IP group, and interface group.
Alerts based on application, port, IP, and DSCP.
Prioritized alerts based on severity.
SNMP traps to any NMS and email alerts.
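Putting the two preceding slides together as an added example (not part of the original slides or of NetFlow Analyzer): utilization is the bytes seen in flow records over an interval, expressed as a share of the SNMP-learnt interface speed, and each interface and direction is then checked against a lower and an upper threshold to raise prioritised alerts. The interfaces, speeds, byte counts and threshold values are constructed; the severity bands are this example's own choice, not the product's.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class InterfaceStats:
    name: str
    if_speed_bps: int   # learnt via SNMP (ifSpeed / ifHighSpeed), bits per second
    in_octets: int      # bytes summed from flow records over the report interval
    out_octets: int


def utilization_pct(octets: int, if_speed_bps: int, interval_s: int) -> float:
    """Share of link capacity used over the interval, in percent:
    bytes * 8 bits / (speed in bits/s * seconds) * 100."""
    if if_speed_bps <= 0 or interval_s <= 0:
        raise ValueError("interface speed and interval must be positive")
    return octets * 8 / (if_speed_bps * interval_s) * 100


def check_thresholds(stats: List[InterfaceStats], interval_s: int,
                     low_pct: float, high_pct: float) -> List[dict]:
    """Evaluate each interface and direction against a lower and an upper
    utilization threshold; return alerts ordered by severity, highest first."""
    rank = {"critical": 0, "warning": 1, "info": 2}
    alerts: List[dict] = []
    for s in stats:
        for direction, octets in (("in", s.in_octets), ("out", s.out_octets)):
            pct = utilization_pct(octets, s.if_speed_bps, interval_s)
            if pct >= high_pct:
                # 90 % and above is treated as critical in this example
                alerts.append({"interface": s.name, "direction": direction,
                               "utilization_pct": pct,
                               "severity": "critical" if pct >= 90 else "warning",
                               "reason": f"above high threshold {high_pct}%"})
            elif pct <= low_pct:
                # a near-idle link can mean a dead link or traffic that moved elsewhere
                alerts.append({"interface": s.name, "direction": direction,
                               "utilization_pct": pct, "severity": "info",
                               "reason": f"below low threshold {low_pct}%"})
    return sorted(alerts, key=lambda a: rank[a["severity"]])


# Constructed 60-second sample for two interfaces (names and figures made up).
INTERVAL_S = 60
SAMPLE_STATS = [
    InterfaceStats("WAN Gi0/0", 100_000_000, in_octets=562_500_000, out_octets=60_000_000),
    InterfaceStats("LAN Gi0/1", 1_000_000_000, in_octets=300_000, out_octets=750_000_000),
]


def sample_alerts() -> List[dict]:
    """Run the check with a 1 % lower and a 70 % upper threshold."""
    return check_thresholds(SAMPLE_STATS, INTERVAL_S, low_pct=1.0, high_pct=70.0)


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"[{a['severity']}] {a['interface']} {a['direction']}: "
              f"{a['utilization_pct']:.3f}% ({a['reason']})")
```

The WAN inbound direction lands at 75 % and raises a warning; the LAN inbound side is almost idle at 0.004 % and raises the low-threshold alert; the other two directions sit in the normal band and stay quiet.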
Reports in NetFlow Analyzer
The following report formats are included by default in NetFlow Analyzer:
1. Forensic report
2. Consolidated report
3. Search report
4. Compare report
5. Capacity planning report
Forensics reports are detailed reports that are generated from only the raw data
collected for any selected time period.
Volume and speed based billing.
Alerts and automatically emails reports on usage or bill plan.
Charge back customers, departments, or projects for bandwidth usage.
On-demand utilization report for a bill plan.
Schedule all reports available in NetFlow Analyzer.
Schedule daily, weekly, and monthly reports.
Separate schedule for interface, IP group, and interface Group.
Automatic emailing of all reports based on user-defined schedules.
Leverages flow data.
Real-time pattern matching.
Identifies suspicious traffic, scans, bad source and destination, and DoS attacks.
Alerts based on each problem algorithm.
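To make the pattern-matching idea concrete, here is an added example (not part of the original slides and not the product's detection algorithms) that runs three simple heuristics over one window of flow records: a vertical scan (one source touching many ports on one host), a horizontal scan (one source touching one port across many hosts) and a flood (many distinct sources converging on one destination:port). The flow window, addresses and thresholds are constructed; real deployments tune the thresholds per window size and per network.

```python
from collections import defaultdict
from typing import Dict, List

# A flow reduced to the fields the heuristics need, taken from v5-style records.
Flow = Dict[str, object]


def detect_anomalies(flows: List[Flow], scan_ports: int = 8, scan_hosts: int = 10,
                     flood_sources: int = 40) -> List[dict]:
    """Pattern-match one window of flow records against three classic shapes.
    Thresholds are illustrative tuning knobs, not recommended values."""
    ports_per_pair: Dict[tuple, set] = defaultdict(set)      # (src, dst) -> dst ports
    hosts_per_src_port: Dict[tuple, set] = defaultdict(set)  # (src, dst_port) -> dst hosts
    sources_per_target: Dict[tuple, set] = defaultdict(set)  # (dst, dst_port) -> srcs
    for f in flows:
        ports_per_pair[(f["src"], f["dst"])].add(f["dst_port"])
        hosts_per_src_port[(f["src"], f["dst_port"])].add(f["dst"])
        sources_per_target[(f["dst"], f["dst_port"])].add(f["src"])

    alerts: List[dict] = []
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= scan_ports:
            alerts.append({"type": "vertical_scan", "actor": src, "target": dst,
                           "count": len(ports), "severity": "warning"})
    for (src, port), hosts in hosts_per_src_port.items():
        if len(hosts) >= scan_hosts:
            alerts.append({"type": "horizontal_scan", "actor": src, "target": f"port {port}",
                           "count": len(hosts), "severity": "warning"})
    for (dst, port), sources in sources_per_target.items():
        if len(sources) >= flood_sources:
            alerts.append({"type": "flood", "actor": f"{len(sources)} distinct sources",
                           "target": f"{dst}:{port}", "count": len(sources),
                           "severity": "critical"})
    return sorted(alerts, key=lambda a: (a["type"], a["actor"], a["target"]))


def flow(src: str, dst: str, dst_port: int, proto: int = 6, packets: int = 1) -> Flow:
    return {"src": src, "dst": dst, "dst_port": dst_port, "proto": proto, "packets": packets}


# Constructed window. Normal traffic: one LAN host talking to an external web server.
NORMAL_FLOWS = [flow("10.0.0.5", "192.0.2.10", 443, packets=40) for _ in range(5)]

SUSPICIOUS_FLOWS = NORMAL_FLOWS + (
    # vertical scan: one external host probing ten ports on 10.0.0.5
    [flow("198.51.100.7", "10.0.0.5", p) for p in (21, 22, 23, 25, 80, 443, 445, 3389, 8080, 8443)]
    # horizontal scan: the same host sweeping port 445 across twelve LAN addresses
    + [flow("198.51.100.7", f"10.0.0.{i}", 445) for i in range(1, 13)]
    # flood: fifty distinct sources converging on one internal web server
    + [flow(f"203.0.113.{i}", "10.0.0.8", 80) for i in range(1, 51)]
)

if __name__ == "__main__":
    for a in detect_anomalies(SUSPICIOUS_FLOWS):
        print(f"[{a['severity']}] {a['type']}: {a['actor']} -> {a['target']} (n={a['count']})")
```

Each heuristic maps to one of the slide's alert categories (scans, DoS, bad source or destination), and each produces its own alert so an operator can see which algorithm fired; the normal browsing traffic alone triggers nothing.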
Application visibility and control (NBAR 2)
Application visibility and control is the combination of multiple technologies
found on Cisco devices.
Cisco AVC is capable of:
1. Providing better application visibility
2. Validating QoS policies
3. Providing HTTP URL traffic information
4. Providing application response time (ART) reports
NetFlow Analyzer editions
Single installation product
Handle 1,000 interfaces
Scale up to 50,000 flows per second
Distributed architecture with Central and Collector
Handle 1,000 interfaces per Collector
Scale up to 50,000 flows per second
Comes with all add-ons bundled except High Performance.