NFA - Middle East Workshop


Learn about traffic and bandwidth management.

Published in: Technology

  1. ManageEngine NetFlow Analyzer: a comprehensive tool for bandwidth monitoring, traffic analytics, and network anomaly detection.
  2. NetFlow Analyzer: Introduction. A single solution for bandwidth monitoring, traffic analysis, and network anomaly detection with the following technologies:
     • NetFlow, sFlow, IPFIX, J-Flow, NetStream, and AppFlow: for bandwidth and traffic analytics
     • Cisco NBAR 2
     • Cisco CBQoS
     • Cisco Medianet monitoring
     • Cisco Application Visibility and Control (AVC)
     • Monitoring on Cisco WLC
     • DPI
  3. Flow of NetFlow Basics
  4. Abstract
     • NetFlow is a technology developed by Cisco.
     • Used by end-user applications like NetFlow Analyzer.
     • NetFlow deals with the third layer of the OSI model, the network layer.
     • Devices: routers, switches, and firewalls.
     • Exported using User Datagram Protocol (UDP).
  5. A flow is defined as a unidirectional stream of packets between a source and a destination. Key fields:
     • Source IP
     • Destination IP
     • Source port
     • Destination port
     • Protocol
     • ToS byte
     • ifIndex
  6. A series of flows forms a single datagram. These flows are collected in a NetFlow cache and, after a certain time, packed into a UDP datagram and sent to the collector. Important stats: each flow is ~150 bytes and each UDP datagram can carry 30 flows, so in total 30 * (150 bytes) = 4500 bytes per UDP datagram. *Stats prepared with respect to the V5 format.
  7. Architecture: Router vs. Server
  8. Router Configuration
     1. Set the destination address (the server where NFA is installed).
     2. Set the port for NetFlow export.
     3. Set the version of NetFlow export.
     4. Set the time interval to export flows.
     5. Set the source interface for NetFlow export.
     6. Specify which interfaces to account for by enabling NetFlow on the interfaces (all interfaces):
        • Ingress
        • Egress
     For configuration: netflow.html
  9. Sample configuration for Cisco

       router#configure terminal
       ! <NFA-server-IP> is a placeholder for the server where NFA is installed
       router(config)#ip flow-export destination <NFA-server-IP> 9996
       router(config)#ip flow-export source FastEthernet 0/1
       router(config)#ip flow-export version 5
       ! Active timeout in minutes, inactive timeout in seconds
       router(config)#ip flow-cache timeout active 1
       router(config)#ip flow-cache timeout inactive 15
       ! Keep ifIndex values stable across reboots
       router(config)#snmp-server ifindex persist
       *router(config)#interface FastEthernet 0/1
       *router(config-if)#ip flow ingress
       *router(config-if)#exit

     *Repeat these commands to enable NetFlow on each interface.
  10. Ingress vs. Egress. Enabling ingress on an interface sends that interface's "IN" data to the collector; similarly, egress sends its "OUT" data. Advantage of using the ingress and egress commands: instead of collecting both the IN and OUT data of the same interface, collect only IN data (or only OUT data) on both interfaces and send it to the collector to get the correct stats. The calculation then works as follows: ifindex1's IN gives you two things, the IN of ifindex1 and the OUT of ifindex2. Similarly, ifindex2's IN is the IN of ifindex2 and the OUT of ifindex1.
  11. Ingress and Egress in Detail. [Diagram: router R with two interfaces, ifindex 1 and ifindex 2, each with IN and OUT traffic.] Consider a router with two interfaces, with ingress enabled on both:
     • OUT of ifindex 1 = IN of ifindex 2
     • OUT of ifindex 2 = IN of ifindex 1
  12. Device vs. Server
     • Device side: NetFlow cache, NetFlow exporter
     • Server side: NetFlow collector, NetFlow-installed server
     NetFlow Analyzer has a built-in collector, so no physical collector equipment is needed.
  13. Versions
     • V5 (most common)
     • V7 (used on Cisco Catalyst switches)
     • V9 (template-based)
     • V10 (IPFIX)
  14. NetFlow Analyzer – Working Architecture. [Diagram labels: Traffic; NFA Web GUI; device with Flexible NetFlow, NBAR, QoS, and IPSLA enabled; Cisco WAAS with WAAS CM 4.1 or higher.] Data paths shown:
     • SNMP to collect QoS, NBAR, and IPSLA stats
     • Web Service Management Agent (WSMA) for Cisco Mediatrace
     • UDP NetFlow for traffic, NBAR, and Medianet reports
     • Via API for Cisco WAAS stats
     Notes:
     • QoS, NBAR, IPSLA, Medianet, and Mediatrace are available only for Cisco devices.
     • Non-Cisco devices export flows including sFlow, IPFIX, and more for bandwidth and traffic reports.
  15. Data Storage
     • Raw data: stores the entire information about the traffic.
     • Aggregated data: stores the top 100 information.
  16. System Requirement
  17. Device Addition
  18. Update SNMP
     • SNMP version 1, version 2, and version 3.
     • SNMP is used to get the device name, interface name, and interface speed value.
     • The interface speed value is used to generate the utilization report.
  19. Interface details
     • Speed/Utilization/Packets/Volume
     • Top Source/Destination
     • Application
     • Conversation
     • QoS
  20. Groups
     • Device group
     • Interface groups (port channel)
     • IP group
  21. Threshold violation alerts
     • Alerts for lower and higher threshold violations.
     • Alerts on interface, IP group, and interface group.
     • Alerts based on application, port, IP, and DSCP.
     • Prioritized alerts based on severity.
     • SNMP traps to any NMS and email alerts.
  22. Reports in NetFlow Analyzer. The following report formats are included by default in NetFlow Analyzer:
     1. Forensic report
     2. Consolidated report
     3. Search report
     4. Compare report
     5. Capacity planning report
  23. Forensic report. Forensic reports are detailed reports that are generated from only the raw data collected for any selected time period.
  24. Consolidated report
  25. Search report
  26. Compare reports
     • Same interfaces for different time periods
     • Different interfaces for the same time period
  27. Capacity Planning Report
  28. Usage-based billing
     • Volume- and speed-based billing.
     • Alerts and automatically emailed reports on usage or bill plan.
     • Charge back customers, departments, or projects for bandwidth usage.
     • On-demand utilization report for a bill plan.
  29. Schedule reports
     • Schedule all reports available in NetFlow Analyzer.
     • Schedule daily, weekly, and monthly reports.
     • Separate schedules for interface, IP group, and interface group.
     • Automatic emailing of all reports based on user-defined schedules.
  30. Attacks
     • Leverages flow data.
     • Real-time pattern matching.
     • Identifies suspicious traffic, scans, bad source and destination, and DoS attacks.
     • Alerts based on each problem algorithm.
  31. Application visibility and control (NBAR 2). Application visibility and control is the combination of multiple technologies found on Cisco devices. Cisco AVC is capable of:
     1. Providing better application visibility
     2. Validating QoS policies
     3. Providing HTTP URL traffic information
     4. Providing application response time (ART) reports
  32. Application response time
  33. Cisco WLC
     • Get traffic data and app traffic based on access point.
     • Report on SSID and connected clients.
     • Controller-based reports.
  34. WLC clients
  35. Traffic Shaping
  37. NetFlow Analyzer editions
     Essential edition
     • Single installation product
     • Handles 1,000 interfaces
     • Scales up to 50,000 flows per second
     Distributed edition
     • Distributed architecture with Central and Collector
     • Handles 1,000 interfaces per Collector
     • Scales up to 50,000 flows per second
     • Comes with all add-ons bundled except High Performance
  38. Thank you.
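
The flow key from slide 5 and the ingress-only accounting from slides 10 and 11, as an added Python example that is not part of the original deck: packets are grouped into unidirectional flows, and each flow is counted once as IN on its input interface and OUT on its output interface. The packets are constructed, and the `out_if` field, the function names and the duplicate-export case are assumptions of this sketch.

```python
from collections import defaultdict, namedtuple

# Constructed sample packets (not captured traffic). out_if is an assumption:
# the exporter is taken to record the output ifIndex alongside the key fields.
Packet = namedtuple("Packet", "src dst sport dport proto tos in_if out_if size")
PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", 51000, 443, 6, 0, 1, 2, 1200),
    Packet("10.0.0.5", "192.0.2.10", 51000, 443, 6, 0, 1, 2, 800),
    Packet("192.0.2.10", "10.0.0.5", 443, 51000, 6, 0, 2, 1, 5000),  # reply is its own flow
    Packet("10.0.0.7", "192.0.2.53", 40000, 53, 17, 0, 1, 2, 90),
]

def build_flows(packets):
    """Group packets into unidirectional flows on the seven key fields."""
    cache = {}
    for p in packets:
        key = (p.src, p.dst, p.sport, p.dport, p.proto, p.tos, p.in_if)
        flow = cache.setdefault(key, {"in_if": p.in_if, "out_if": p.out_if,
                                      "packets": 0, "bytes": 0})
        flow["packets"] += 1
        flow["bytes"] += p.size
    return list(cache.values())

def interface_totals(flows):
    """Ingress-only accounting: one record is IN for in_if and OUT for out_if."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for f in flows:
        totals[f["in_if"]]["in"] += f["bytes"]
        totals[f["out_if"]]["out"] += f["bytes"]
    return {ifindex: dict(t) for ifindex, t in totals.items()}

def duplicate_export_totals(flows):
    """Failure mode: the same flows reported at ingress and again at egress
    (modelled here by repeating the records) are counted twice."""
    return interface_totals(flows + flows)

if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print(len(flows), "flows")
    print("ingress only:", interface_totals(flows))
    print("ingress + egress, no dedup:", duplicate_export_totals(flows))
```

With ingress-only export the OUT of ifindex 1 equals the IN of ifindex 2 and vice versa, matching slide 11; the duplicated case doubles every counter.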