The document provides an overview and agenda for a training on NetFlow Analyzer. It discusses initial setup steps including exporting flows from devices, viewing real-time traffic graphs, and configuring alerts. Common challenges are also addressed, such as mapping unknown applications or setting interface speed. Upcoming training will cover additional topics like alarms, customizing data storage, and traffic troubleshooting.

1. Free training on NetFlow Analyzer - Part I
Getting the initial settings right

3. Agenda
• Exporting flows
• Traffic grouping
• Application mapping
• Threshold based alerting
• In-depth traffic visibility
• Knowledge base and best practices

4. Demo on NetFlow Analyzer 123083

5. Minimum system requirements
2.4 GHz quad-core
processor, or
equivalent
4GB RAM 50GB storage Windows/LinuxPostgreSQL/MSSQL
These specifications only apply when raw data is turned off and the flow rate is below 3,000
flows/sec. Requirements will vary with different settings.

6. Initial setup
Set up flow export Viewing & customizing
real-time traffic graphs
Configuring alerts
Step1 Step 2 Step 3

7. Step 1: Configuring flow export from interfaces
NetFlow sFlow J-Flow
IP FIX NetStream AppFlow

8. Devices supported by NetFlow Analyzer
https://www.manageengine.com/products/netflow/supported-devices.html

9. Where and how do you send flows?
Ways of exporting flows to NetFlow
Analyzer:
i. Manual configuration
ii. Using Network Configuration Manager
Ports to be considered:
• Server port: NetFlow Analyzer's web server port
• Listener port: Port on which NetFlow Analyzer
receives flows
• Both ports are configurable

10. Using Network Configuration Manager
Benefits of using Network Configuration Manager:
• No need to write commands
• Predefined configlets
• Export flows from multiple interfaces in bulk
• Backup and restore configurations for devices
• Create new configlets
Apply
credentials
Select
interfaces
Export
flow
Add
devices

11. Creating/modifying a configlet
• In Network Configuration Manager, go to
Settings > Configlets. Add a new configlet
by creating a custom template.
• Select devices and enter flow
configuration commands.
• Execute the new configlet.

12. Common challenges faced after
exporting flows

13. #1. NetFlow Analyzer shows "No Data Available" in graphs, even after I've
configured flows.
Solution: Two possibilities
1. The device is not configured
correctly for exporting flows.
2. A firewall or access list is blocking
the UDP port.
• Check if flows are received with the
help of Wireshark.
• Yes- Check for windows firewall/IP
tables for any restrictions and template
timeout to 60 seconds.
• No- Correct the configuration by setting
the active timeout to 60 seconds.

14. #2. I've added five interfaces. Why is one of my interfaces, "Interface Gi0/1," not
listed in NetFlow Analyzer?
Solution:
The particular interface isn't configured
for exporting flows.
• Interface is not configured correctly.
• Check for correct interface along with
its export configurations.

15. Step 2: Visibility into real-time traffic details
Inventory
Flow analysis
Config management
IP SLA
Packet analysis
Traffic overview Real-time traffic graphs

16. Inventory: Flow Analysis
Traffic overview
Device
Device groups
Lay 4 & 7 applications DSCP-based QoS
Wireless LAN controllers
Interface
IP / interface group
Attacks

17. Know the who, when and what of
your network traffic.
- Applications
- Protocols
- QoS
- Source
- Destination
- Conversation
Gain detailed visibility
into traffic usage by

18. Visibility into Layer 7 application traffic
• Gain visibility into NBAR2 applications with Cisco AVC
monitoring (Application Visibility and Control).
• Advanced NBAR is used to identify web traffic, URL’s, file sharing
and random port application.
• View NBAR2 application, URL hit count (HTTP host report), QoS
class hierarchy and application response time monitoring
reports(ART monitoring).

19. Understand traffic for current QoS policies
Check the traffic usage by each DSCP value for policy
effectiveness.

20. Manage traffic usage by WLAN controllers
• Monitor Cisco WLAN controllers
and Meraki devices.
• Find the top traffic usage by access
points, SSIDs, applications, clients
etc.
• Troubleshoot a bandwidth spikes
by identifying consumption by
SSIDs, finding its top clients and
complete conversation details for
the selected time period.

21. Snapshot summary
Device traffic details:
• Traffic speed
• Associated interfaces by speed, volume
and utilization
• Top applications and protocols
• Top QoS
• Top Source, destination and
conversation
• AS traffic
Group traffic details:
• Traffic by speed, volume, utilization
and packets
• Associated applications and protocols
• DSCP QoS traffic
• Source, destination and conversation
Application traffic details:
• Traffic usage by volume
• Associated interfaces
QoS traffic details:
• Traffic usage by volume
• Associated interfaces
WLC traffic details:
• Controller traffic by speed, volume and
packets
• Associated access points
• Application traffic
• DSCP QoS traffic
• Conversation details with Client IPs and
SSIDs
Interface traffic details:
• Traffic by speed, volume, utilization and
packets
• Top applications and protocols
• Top Source, destination and
conversation by geo-location, network
and DNS name
• Top QoS traffic by DSCP and TOS
• SNMP/FNF NBAR, CBQoS
• Multicast report
• Medianet by volume, RTT, packet loss
• AVC

22. • Identify junk/unusual traffic that disrupts your critical services.
• Using advanced mining algorithm, ASAM detects internal and
external security threats.
• ASAM classifies traffic as suspect flows, bad source and
destination, DDoS, and scans/probes.
Detect attacks with flow-based advanced security
analytics module

23. Tips to enhance visibility into your
traffic

24. My interfaces are named "IfIndex1" and "IfIndex2." How can I view the actual
name of devices and interfaces?
Solution: Three options
• Fetch name from router with SNMP
1. Create SNMP credential
v1/v2/v2 from discovery
2. Associate SNMP credentials
3. Edit device
• Fetch the DNS name.
• Enter your own name.

25. My interface utilization says it's above 100 percent. How do I set the correct
value?
Solution: Three possibilities
1. The speed is incorrect.
2. [OR] time sync problem.
3. [OR] GRE/ESP tunneling through
the device is double counted
• Set the proper IN and OUT speed in
bytes. Go to Inventory > Select
Interfaces > Set Speed.
• Make sure the device time and NFA
time is in sync
• Check flow filters

26. Most of the applications are listed as "_App". How do I map those applications
and also add my own applications?
Solution:
Application mapping for _App
• Interface >Application > _App >
Show port.
• Map application and define IP
address/ IP network/ IP range.
Application mapping for own apps
• Settings> netflow> mapping > add

27. Is there a way to view cumulative traffic?
Branches
VLANRelated appsNetwork subnet
Department
Traffic grouping

28. Sort traffic usage by groups
Types of groups
Device
Interface
IP
Application
DSCP
Benefits of creating groups:
• Monitor combined bandwidth usage to get
better picture of traffic consumption.
• Provide access to operators based on
groups.
• Provide better visibility to improve
troubleshooting.

29. Scenarios: Creating groups

30. How do I check traffic usage by different branches?
Solution
Create a device grouping for
different branches.
• Combine devices under a branch
to create groups.
• Generate group reports.

31. How do I monitor combined traffic for VLAN?
Solution
An un-routed VLAN will not send traffic like an
interface, but NetFlow Analyzer will discover
its associated interfaces.
• Create an Interface Group that
includes all of the VLAN's
interfaces to monitor the
cumulative traffic.
• Other option: failover, load
balancing, port channeling, and
aggregation.

32. How do I manage each of my customers' traffic ?
Solution
Create IP groups for each customer.
• Combine IPs to create groups.
• Generate group reports.
• Group based on IP range, network,
monitoring between sites.
• Other option: between sites and
department

33. How do I view business critical traffic and see how much bandwidth is used?
Solution
Create application groups.
• Combine apps to create a group.
• Find total utilization for each group.
• Pull combined traffic reports.

34. Simplified and customizable Inventory
Edit configurationCustom filters/sort
Custom views Quick search

35. Filter up to the last 30 days Create device group
Create device/interface/app
group
Inventory search
Set speed Set SNMP Zoom in graphs Generate instant reports
New in v12
Unmanage/delete device
Add to Network
Configuration Manager
Table/list/status viewConfigure NBAR & CBQoS
Service policy & ACL Clear alarm/add note
Various device-specific custom options
New in v12

36. Step 3: Alerting
Link down Link overutilized
Threshold violation Link slow

37. Alert Profiles
Preconfigured alerts:
• Link down
• No flow
Threshold based alerts
• IP range, IP address or IP network
• Based on port/protocol range
• Based on application
• Based on DSCP

38. I want to get alerted when the interface is over utilized in a WAN link?
Solution
• Set a threshold alert for overutilized
links.
• Provide a threshold value.
• Set up email/SMS notifications.

39. Thresholds based on multiple conditions
Select source Select criteria Define threshold Save alert profile
Alerts specific to below violation:
• Utilization
• Volume
• Speed
• Packets
Alert severity levels:
• Critical
• Trouble
• Attention

40. How do I set up notifications?
Types of notifications:
• Email
• SMS
• Trigger SNMP trap
• Modify an alarm's description.
• Get reports via email. New in v12
Step 1: Configure mail server settings.
Step 2: Set threshold.
Step 3: Provide an email address or phone number.
Step 4: Save alert.

41. Summary
Set up flow export
#1. Data not available
#2. Interfaces not listed
Viewing & customizing
bandwidth graphs
#1. Fetch device/interface name
#2. Utilization above 100%
#3. Map unknown applications
#4. Show DNS name
#5. Categorize traffic groups
#6. Customize time filter
Configuring alerts
#1. Set interface overutilized
alert
#2. Link down
Step1 Step 2 Step 3

42. Upcoming training on March 20th
Part II: Diagnosing and troubleshooting traffic issues
faster
• Alarms
• Customizing data storage
• Troubleshooting with forensics
• Reporting and automation
• Capacity planning
• Traffic shaping
• Customizing dashboards
• Usage-based billing

43. Need more help?
youtube.com/netflowanalyzertechvideos
help.netflowanalyzer.com
forums.manageengine.com/netflowanalyzer
netflowanalyzer-support@manageengine.com
+1 (888) 720-9500 / +1 (408) 916 - 9400

44. Thank you!
netflowanalyzer-support@manageengine.com