AdventNet ManageEngine NetFlow Analyzer :: User Guide
Contents
1. 6 How do I set the router time in SYNC with the NFA server Whenever the time difference between the NetFlow Analyzer Server and the router is above 10 minutes a warning icon will appear in the home page When this happens NetFlow Analyzer will stamp the flows based on the system time of the NetFlow Analyzer server In case you see this please ensure the following on the router 1 Check if the time zone and the offset in Hours and Minutes for the time zone is set properly E g PST 8 00 for PST or EST 5 00 for EST You can check this by logging into the router going into the configure terminal and typing show running config You can set the clock time zone and offset using the command clock timezone zone hours minutes E g clock timezone PST 8 00 2 After checking the time zone check if the correct time is set on your router You can check this by logging into the router and typing show clock You can set the clock time using the command clock set hh mm ss month date year There is no queueing mechanism is done on heavy periods Reporting 1 The graphs are empty Graphs will be empty if there is no data available If you have just installed NetFlow Analyzer wait for at least ten minutes to start seeing graphs If you still see an empty graph it means no data has been received by NetFlow Analyzer Check your router settings in that case What is Aggregate data and Raw data How to set Raw data As far as aggregated2. daily weekly monthly or only once o Generate report on This value determines the time when report is to the generated o Generate report for This value determines the start and the end time for the report e Email Address This is the address to which the generated reports will be sent Netflow Analyzer calculates the bandwidth utilization on the specified interfaces IP Groups every minute Based on the schedule opted for reports are generated at various time intrevals The Schedule Reports feature lets you Create new Schedules and Delete existing ones The Scheduler List page lists all existing schedules along with the Schedule details Status Report types and the Last Report Generated time The various columns displayed in the Scheduler List page are described in the table below Column N The name of the Schedule when it was created Click on the Schedule s name to see ame more information about the schedule s configuration Schedule Information on when the schedule will run Details By default all schedules are Enabled which means they are active Click the icon to disable a schedule When this is done reports will no longer be generated for that configuration Click the icon to enable the schedule again eport Type Whether it is a consolidated report are user defined Custom report This column lists the last time when this schedule was run and a report created Operations on Schedule Reports You can create n
3. Help Docuementation Configuring NDE on a Native IOS Device To enable NDE on a Native IOS device enter the configure mode on the Supervisor Engine and follow the instructions for an IOS device Then issue the following commands to enable NDE Configuring NDE Enter privileged mode on the Supervisor Engine and issue the following commands to enable NDE mls nde sender Sets the export version Version 7 is the most recent full export version version 7 supported by switches Breaks up long lived flows into 1 minute fragments This ensures that traffic set mls aging long graphs do not have spikes It is important to set this value to 1 minute in order to generate alerts and view troubleshooting data Ensures that flows that have finished are periodically exported A lower set mls aging value may result in NetFlow Analyzer reporting traffic levels that are too normal 32 iow In order to put interface an routing information into the Netflow exports issue the following commands depending on the Supervisor Engine Switch Configuration Lowest IOS MSFC Level mls flow ip interface full TBE This information is not available with IOS versions earlier than 12 1 13 E on the Supervisor Engine 2 or 720 AdventNet Inc 20 Configuring NDE on 4000 Series Switches Follow the steps below to configure NDE on a 4000 Series switches E The 4000 and 4500 series switches require a Supervisor IV with a NetFlow Services daught
4. Worms Typically worm sources don t pool the whole network but randomly try to open from time to time a single host connection One can use TCP flags and ICMP tracking When the attacker tries to open the TCP connection to an unused destination IP address the TCP SYN flag is set If the connection is successful there will be cumulative TCP flags SYN and ACK if the connection is unsuccessful only flows with SYN flag will be there Based on the count of the unsuccessful connections for every source IP address outside the network and source the attacker can be tracked the one with the most number of connection attempts If attacker is using UDP protocol and pools the whole network an excessive number of ICMP messages will then be generated AdventNet Inc 37 Top Conversations The Conversation tab shows the top conversations contributing to traffic in the selected time period Choose between IN and OUT to display the top conversations in incoming or outgoing traffic The Time Period box lets you choose between last hour last day last week last month and last quarter s traffic graphs The From and To boxes let you choose custom time periods for the graphs Use the Ei icon to select the date and time easily The time period for these graphs is based on the current system time Once you select the desired date and time click the Show Report button to display the appropriate conversation traffic report The default report view shows t
5. ect Sport 363 gt select 8443 gt lt delegate config gt lt delegate config gt lt pinding port 8080 gt lt binding port 8443 gt lt service config gt lt service config gt Verifying SSL Setup Restart the NetFlow Analyzer server Verify that the following message appears server started Please connect your client at http localhost 8443 Connect to the server from a web browser by typing https lt hostname gt 8443 where lt hostname gt is the machine where the server is running AdventNet Inc 84 SNMP Trap Forwarding The alerts generated by Netflow Anlayzer can be forwarded as a trap message to any manager application This helps in consolidating all the network alerts in a single place in the manager application The steps for the manager application to get the traps forwarded by Netflow Analyzer are 1 Configure a particular port in the manager application to listen for SNMP traps 2 In Netflow Analyzer alert profile form select alert action as SNMP Trap and specify lt Server Name gt lt Port No gt lt Community gt o lt Server Name gt The name or IP address of the server in which the manager application is running o lt Port No gt The port number at which the manager application is listening for the traps o lt Community gt The community string of the manager application After the configuration one trap is sent to the manager application for every alert generated A t
6. system time Once you select the desired date and time click the Show Report button to display the appropriate traffic report The table below the graph shows the legend along with total maximum minimum and average traffic values for this interface or IP group for the selected time period The Traffic IN Details and the Traffic OUT Details show sampled values of traffic generated over the selected time period Time Filters You can choose to see hour based data in the traffic graphs for daily and weekly reports To do this first select the Last Day Report or Last Week Report option in the top time selection bar When the respective traffic graph is displayed the table below the graph includes the 3 icon next to the Category label Click the icon to specify the hourly time interval for which you want to see traffic graphs Click the Show button to set the filter and see hour based values in the traffic graph as well as the table below Click the Reset button to turn the filter off and switch to the regular traffic graphs 95 th Percentile The 95th percentile is the number that is greater than 95 of the numbers in a given set The reason this statistic is so useful in measuring data throughput is that it gives a very accurate picture of the maximum traffic generated on an interface This is a standard measure that is used for interpreting the performance data The 95th Percentile is the highest value left when the top 5 of a numeric
7. to decide to discard a packet which requested maximal throughput because no high throughput path was available AdventNet Inc 35 TCP Flags There are 6 flags the Urgent Pointer flag ACK acknowledgement flag Push flag RST reset flag SYN synchronisation flag amp the FIN finished flag The Urgent Pointer flag identifies the incoming data as urgent The identified segments are processed immediately by being assigned high priority without waiting till all queued data is processed The ACKnowledgement flag can be used to acknowledge the successful receipt of packet s either the acknowledgement can be made for every packet received or for every n th packet received The Push flag can be used to assign the data the desired priority and is processed either at the Source or Destination In using the push flag attention need to be paid to the fact that correct data segment handling is done Also the appropriate priority needs to be set at the two ends of a connection When a segment that is not intended for the current connection has arrived the reset flag RST can be set For instance if a remote system were to send a packet to a host to establish connection and if that service is not supported by the host then the host can reject the request and then set the RST flag indicating that the host has reset the connection Connection is Established The fifth flag in the TCP Flag options the SYN flag is a highly used flag in TCP
8. APPENDIX eege 82 WOON E 83 SNMP Trap Forwarding cccccccccccseecececseeeeceseeeeeeeseeeeeeeseeeeeeeseeeceesseaeeeeseeaeeeeseaeeeeesageeees 85 AdventNet Inc 2 Introduction ManageEngine NetFlow Analyzer is a web based bandwidth monitoring tool that performs in depth traffic analysis using exported NetFlow data NetFlow technology provides granular details about network traffic that has passed through an interface NetFlow Analyzer processes this information to show you what applications are using bandwidth who is using them and when Extensive graphs and reports make this information easy to analyze and also help accelerate the troubleshooting process For more information on Cisco NetFlow visit http www cisco com go netflow This User Guide will help you install NetFlow Analyzer and get familiar with the user interface If you are unable to find the information you are looking for in this document please let us know at support netflowanalyzer com AdventNet Inc 3 AdventNet ManageEngine NetFlow Anayzer Help Docuementation What s New in this Release The latest release of NetFlow Analyzer 5 5 0 can be downloaded from the website at htto www netflowanalyzer com download html New Features in Release 5 5 0 Feature Description NBAR Network Based Application Recognition By intelligent eer Classification of traffic lets you set QoS standard Scheduling of Reports Allows setting of time int
9. After creating an IP group you can view the top applications top protocols top hosts and top conversations in this IP group alone This section will help you understand IP Groups and walk you through the steps needed to create and later delete an IP group if needed e Understanding IP Groups e Defining an IP Group e Operations on IP Groups Understanding IP Groups To further understand how the IP grouping feature can help in understanding exclusive bandwidth usage consider the following two scenarios Enterprise Network Scenario A typical enterprise setup where the main servers and databases are located at a central office and all branch offices are given appropriate access privileges to these servers Problem You need to track bandwidth used by each branch office while accessing an ERP CRM application Solution Create an IP group for each branch office along with the port and protocol of the ERP CRM application running in the central office The traffic reports for each IP group will then show details on bandwidth used by the branch office while working with the ERP CRM application This information is very useful during traffic accounting and usage based billing End Note If the IP addresses in the branch offices are NATed network address translated by the web server you can view overall bandwidth usage for the branch office but not that of individual hosts within the IP group Campus Network Scenario A typical ca
10. IN OUT Report sorts traffic based on the application i e the combination of port and protocol Click on a protocol s name to see the Top Conversations that used this protocol The Show box above this table lets you choose how many applications need to be displayed You can set the maximum value for this option from the Settings page AdventNet Inc 31 The pie chart below this table shows what percentage of bandwidth is being used by each protocol The D icon above the pie chart lets you see the pie chart enlarged in a new window From here you z can click the icon to save the pie chart as a PDF file AdventNet Inc 32 Top Hosts The Source tab shows the top source hosts contributing to traffic in the selected time period The default view shows the Top SourcelN Report The Destination tab shows the top destination hosts contributing to traffic in the selected time period The default view shows the Top DestinationIN Report Choose between IN and OUT to display the top hosts in incoming or outgoing traffic Ey When you drill down from an IP group traffic is unidirectional and hence the IN and OUT options are not available The Time Period box lets you choose between last hour last day last week last month and last quarter s traffic graphs The From and To boxes let you choose custom time periods for the graphs Use the EE icon to select the date and time easily The time period for these graphs is based on
11. Mapping list with the new application Managing IP Groups Click the IP Group Management link in the Admin Operations box to view the list of IP groups currently active Select the IP group that you want to modify and click the Modify button to edit its settings Once you are done click Add to save and activate the new changes To delete an IP group select the IP group and click the Delete button Deleting an IP group removes the IP group from the list of IP groups managed All users assigned to this IP group will not see this IP group listed on their Dashboard AdventNet Inc 60 AdventNet ManageEngine NetFlow Anayzer Help Docuementation User Management The User Management option lets you manage different users with varying access privileges You can assign different users to different device groups and IP groups and allow them to manage the assigned groups exclusively You can choose from three types of users in NetFlow Analyzer Administrator Operator and Guest You can create any number of users of each type and assign them to any number of device groups and IP groups The administrative privileges for each user are described below Ee ee Elle Operator Guest ihn a ee E ees DS Ss Modify Runtime Administration properties Je Ip Je Change otherusers passwords Ir Ip JJ Manage licensed interfaces O Jr Ip Je Apply different licenses Ir Ip Oe Create other Administrator users Ir Ip O Create other Operator user
12. Web Browsers NetFlow Analyzer has been tested to support the following web browsers and versions e Internet Explorer 5 5 and later e Netscape 7 0 and later e Mozilla 1 5 and later AdventNet Inc AdventNet ManageEngine NetFlow Anayzer Help Docuementation Prerequisites Before setting up NetFlow Analyzer in your enterprise ensure that the following are taken care of Ports Required NetFlow Analyzer requires the following ports to be free Portname Number Use Number This is the port on which you will connect to the NetFlow Analyzer Web server port 8080 server from a web browser You can change this at any time from the Settings tab This is the port used to connect to the MySQL database in MySQL port 13310 NetFlow Analyzer Changing this port requires configuration level changes Recommended System Setup Apart from the System Requirements the following setup would ensure optimal performance from NetFlow Analyzer e Run NetFlow Analyzer on a separate dedicated PC or server The software is resource intensive and a busy processor can cause problems in collecting NetFlow data e Use the MySQL pre bundled with NetFlow Analyzer that runs on port 13310 You need not start another separate instance of MySQL Changing the Default MySQL Port 1 Edit the mysql ds xml file present in the lt NetFlowAnalyzer_Home gt server default deploy directory 2 Change the port number in the following line to the desi
13. an ingress basis when you enable NetFlow data export on interface A it will only export the IN traffic for interface A and OUT traffic for interface B The AN OUT traffic for interface A will be contributed by the NetFlow data exported from interface B Even if you are interested in managing only interface A please enable NetFlow data export on A and B You may subsequently unmanage interface B from the License Management link AdventNet Inc 17 AdventNet ManageEngine NetFlow Anayzer Help Docuementation Turning off NetFlow Issue the following commands in global configuration mode to stop exporting NetFlow data This will stop exporting NetFlow cache entries to the specified destination IP address on the specified port number no ip flow export destination fhostname ip_address port_number interi eer DE Se Ce This will disable NetFlow export on the specified i cee ioe Repeat the commands for each interface RE exl P For further information on configuring your IOS device for NetFlow data export refer Cisco s NetFlow commands documentation AdventNet Inc 18 AdventNet ManageEngine NetFlow Anayzer Help Docuementation Configuring NDE on Catalyst 6000 Series Switches Follow the steps below to configure NDE on Catalyst 6000 Series switches Configuring NDE on Catalyst 6000 Series Switches Enter privileged mode on the Supervisor Engine and issue the following commands to configure NDE set mls nde
14. cnpdAllStatsEnitry 7 cnpdAllStatsEniry 8 cnpdAllStatsEnitry 9 cnpdAllStatsEntry 10 cnpdAllStatsEntry 11 cnpdAllStatsEntry 12 cnpdTopNConfigEntry 2 cnpdTopNConfigEntry 3 cnpdTopNConfigEntry 4 cnpdTopNConfigEntry 5 cnpdTopNConfigEntry 6 cnpdTopNConfigEntry 7 cnpdTopNConfigEntry 8 cnpdTopNStatsEntry 2 cnpdTopNStatsEntry 3 cnpdTopNStatsEntry 4 cnpdThresholdConfigEntry 2 cnpdThresholdConfigEntry 3 cnpdThresholdConfigEntry 4 cnpdThresholdConfigEntry 5 cnpdThresholdConfigEntry 6 cnpdThresholdConfigEntry 7 cnpdThresholdConfigEntry 8 cnpdThresholdConfigEntry 9 cnpdThresholdConfigEntry 10 cnpdThresholdConfigEntry 12 cnpdThresholdHistoryEntry 2 cnpdThresholdHistoryEntry 3 cnpdThresholdHistoryEntry 4 cnpdThresholdHistoryEntry 5 cnpdThresholdHistoryEntry 6 cnpdThresholdHistoryEntry 7 cnpdNotificationsConfig 1 cnpdSupportedProtocolsEntry 2 What is NetFlow Version 9 This format is flexible and extensible which provides the versatility needed to support new fields and record types This format accommodates new NetFlow supported technologies such as NAT MPLS BGP next hop and Multicast The main feature of Version 9 Export format is that it is template based AdventNet Inc T7 What is the memory impact on the router due to V9 The memory used depends upon the data structures used to maintain template flowsets As the implementation does not access the NetFlow cache directly the memory used is not very high Receiving non V5 V
15. gt e AdventNet Managecnaiine NetFlow Analyzer User Guide www netflowanalyzer com ntNet Inc All Rights Reserved netflow support adventnet com INTRODUCTION ia ste reciente sense em cies se eve ee ee see ee este eee dpe ceneedeeecnastes 3 What s New in this Release ccccccssscccsseecccseeeseeecesseneecceeeeseseessaeeesaeeessuseessegsessaeees 4 INSTALLATION EEN KE 6 SYSTEM Requirements cccceeeccccsseeeeeeceeeeeeeceeeeeeeeeeeeeeseeeseeseeeeeeeesseeeeeesseseeeesseeeeeeseaeeeeeeas 6 Base t 7 Iva Waler Bilan e sessies EEE EEEE EE ENN EE 8 Staing and UNINC UR le 9 Accessing the Web CIN aiiecncedccesescseecncc civecetcesatduecs ti celaarclesecbedanredeevedansbliwesaensceieecdeixectaiiies 11 License Information atcuraroiienacscretseacetingd rtiniantanrtchaote donna diybadnaba denies atetherh totes di oek ud onan ture ariegueaacein omendwtrbhand 12 CONFIGURING CISCO DEVICES 0 ee cceccceeeeneeeneeeneeeseenseenseenseenssenscesecneeenesons 13 Cisco NetFlow Device Support ssaennnnnennnnnennnosnnnnonrnrrnnnnrrenrnrrrsnrrresrnrrenenrrenrnrresnnernne 14 Configuring NetFlow Export on an IOS Device 16 Configuring NDE on Catalyst 6000 Series Switches n nn0annnoeenneoeennenennnnnnnnnnnnnnnnnnnnnne 19 Configuring NDE on a Native IOS Device cee cccecccccceseceeeeeeeeeeeceeeeeeeseeaeeeesaeeeesssaeeees 20 Configuring NDE on 4000 Series Switches ccccecccceseeeceeeseeeceeeceeeeeeseeeee
16. server port during installation Starting as Service Windows If you have chosen the Start as Service option during installation NetFlow Analyzer will run as a service on Windows Linux 1 Login as root user 2 Navigate to the lt NetFlowAnalyzer_Home gt bin directory 3 Execute the linkAsService sh file 4 Then execute the command etc init d netflowanalyzer start This starts NetFlow Analyzer as a service on Linux As far as Fedora SUSE is concerned please open the mysql ds xmli file under the server default deploy directory and change the lt connection url gt jdoc mysal localhost 13310 netflow lt connection url gt to lt connection url gt jdoc mysal 127 0 0 1 13310 netflow lt connection url gt and restart the NetFlow Analyzer server AdventNet Inc 9 Please follow the instructions below sch D U Navigate to bin folder and backup copy linkAsService sh to a safe location Open file linkAsService sh in a editor and look for the following lines code 1 f5099fc2e0 for i in 0 6 do In s f initvar etc rc i d stopwith done In s f initvar etc rc5 d startwith code 1 f5099fc2e0 Edit the above lines as follows suffixing rc d folder after etc folder code 1 f5099fc2e0 for i in 0 6 do In s f initvar etc rc d rc i d stopwith done In s f initvar etc rc d rc5 d startwith code 1 f5099fc2e0 Save the file Shutdown NetFlow Analyzer Execute linkAsService sh
17. smaller of the 2 ports source port destination port and if no match is found the bigger of the 2 ports is mapped AdventNet Inc 63 Application mappings created with specific IP address IP Range IP Network is given higher priority over applications mappings with no IP address For example assume you have 2 application mappings as below Port Protocol Address IP Range Application 80 TCP 10 10 1 0 255 255 255 0 _APP1 eo tee aw APP If a flow is received with source address 10 10 10 10 and Port as TCP 80 then it is classified as APP1 Only TCP 80 flows from non 10 10 10 0 network will be classified as APP2 Application mappings created with single port is given higher priority over applications mappings with port range For example assume you have application mappings as below IP Address IP ae 8 TOP ay If a flow is received with Port as TCP 80 then it is classified as APP1 Applications are categorised based on the source address destination address source port destination port and protocol values in the flow record The smaller of the 2 ports Source port destination port and protocol is matched with the port protocol in the application mapping list If no match is found the bigger of the 2 ports source port destination port and protocol is matched with the port protocol in the application mapping list If no match is found the smaller of the 2 ports source port destination por
18. specifies NetFlow Analyzer as the NDE collector and the configured hostname ip address Nettflow listener port as the UDP port for data export of hardware 9996 switched packets ip flow export destination fhostname ip_address 9996 Specifies NetFlow Analyzer as the NDE collector and the configured Netflow listener port as the UDP port for data export of software switched packets Breaks up long lived flows into 1 minute fragments This ensures that set mls agingtime long traffic graphs do not have spikes It is important to set this value to 1 minute in order to generate alerts and view troubleshooting data 64 Ensures that flows that have finished are periodically exported set mls agingtime 32 Ensure that the set value is not too low else NetFlow Analyzer may report traffic levels that are too low set mls d sen fuii This sets the flow mask to full flows This is required to get useful information from the switch set mls nde enable This enables NDE To monitor data and statistics about Layer 3 traffic that is switched in software by the MSFC you must specify the NDE collector and UDP port on the MSFC This requires that you enter the ip flow export destination command on the MSFC LP Use the show mls debug command to debug the NDE configuration P For more information on configuring NDE on Catalyst 6000 Series switches refer Cisco s documentation AdventNet Inc 19 AdventNet ManageEngine NetFlow Anayzer
19. that 7 How to create DBInfo log file 8 Why the interface shows 100 utilization 9 What information do need to send to NFA support for assistance 10 How to safely migrate NFA installation to different machine 11 What do do if my NFA server becomes slow or How do improve my NFA system performance 12 Why NFA says router time not is SYNC and stops collecting data 13 How do I buy NetFlow Analyzer Installation 1 When Itry to access the web interface another web server comes up How does this happen During installation NetFlow Analyzer checks if the selected port is in use by another application If at that time the other webserver was down it will not get detected Either disable the other web server change its server port or change the NetFlow Analyzer web server port 2 How can I change the MySQL port in NetFlow Analyzer from 13310 to another port Edit the mysaql ds xml file in the server default deploy directory Change the port number in the line jdoc mysal localhost 13310 netflow to the desired port number save the file and restart the server 3 Can install and run NetFlow Analyzer as a root user NetFlow Analyzer can be installed and started as a root user but all file permissions will be modified and later you cannot start the server as any other user 4 is a database backup necessary or does NetFlow Analyzer take care of this or How to back up data in NetFlow Analyzer NetFlow Ana
20. the current system time Once you select the desired date and time click the Show Report button to display the appropriate source or destination traffic report The default report view shows the IP addresses of the hosts Click the Resolve DNS link to see the corresponding DNS values The Show box above this table lets you choose how many hosts need to be displayed You can set this value from the Settings page ihe pie chart below this report shows what percentage of bandwidth is being used by each host The icon above the pie chart lets you see the pie chart enlarged in a new window From here you can click the 5 icon to save the pie chart as a PDF file AdventNet Inc 33 TOS Because the Internet by itself has no direct knowledge of optimizing the path for a particular application or user the IP protocol provides a facility for upper layer protocols to convey hints to the Internet Layer about how the tradeoffs should be made for a particular packet This facility is the Type of Service facility abbreviated as the TOS facility The TOS facility is one of the features of the Type of Service octet in the IP datagram header The Type of Service octet consists of three fields The first 3 bits 0 1 2 are for the first field labeled Precedence intended to denote the importance or priority of the datagram The second field labeled TOS denotes how the network should make tradeoffs between throughput delay reliabili
21. the spikes may not show in older reports While reports pertaining to last day is generated from tables with 10 minute granularity reports pertaining to last week is generated from tables with 1 hour granularity For example data in 10 minute table pertaining to 10 00 10 10 10 20 10 30 10 40 and 10 50 would all be aggregated and moved into hourly data tables for one data point pertaining to 10 00 While the total data volumes is correct the traffic rates will be averaged over this period So 10 00 gt volume transferred 100MBytes ten minute average rate 1 333Kbits s 10 10 gt volume transferred 1MByte ten minute average rate 13 3Kbits s 10 20 gt volume transferred 1MByte ten minute average rate 13 3Kbits s 10 30 gt volume transferred 1MByte ten minute average rate 13 3Kbits s 10 40 gt volume transferred 1MByte ten minute average rate 13 3Kbits s 10 50 gt volume transferred 1MByte ten minute average rate 13 3Kbits s When aggregated into the one hour table we get 10 00 gt volume transferred 105MBytes one hour average rate 233Kbits s The spike up to 1 333Kbits s has been lost by this averaging process as the data get aggregated into longer and longer time periods so this average value will decrease further This is the reason for the reduction in the reporting of bandwidth usage over time Which features are not supported by NBAR The following features are not supported by NBAR o More than 24 concurre
22. to recognize specific traffic Add users with different privileges assign device groups and selectively allow access NetFlow Analyzer can be installed and run in Chinese and Japanese languages with support for more languages being added frequently Check the website for the latest list of languages localized and also contribute to translation works AdventNet Inc 5 Installation and Setup System Requirements This section lists the minimum requirements for installing and working with NetFlow Analyzer Hardware Requirements The minimum hardware requirements for NetFlow Analyzer to start running are listed below e 2 4GHz Pentium 4 processor or equivalent e 1GBRAM e 10GB disk space for the database Interface Processor RAM pto 50 2 4 Ghz 50 400 2 3 4 GHz 00 1000 4 3 4 GHz NetFlow Analyzer is optimized for 1024 x 768 resolution and above GB 0 150 GB B For the device exporting NetFlow ensure that the NetFlow export version format is exactly P the same as the Cisco NetFlow version 5 or version 7 or version 9 format For information on Cisco devices and IOS versions supporting Netflow consult the Cisco NetFlow Device Support table Software Requirements Platform Requirements NetFlow Analyzer can be installed and run on the following operating systems and versions Windows 2000 Server Professional with SP 4 Windows XP with SP 1 RedHat Linux 8 0 9 0 SUSE Linux Supported
23. 0 minimize delay does not guarantee that the path taken by the datagram will have a delay that the user considers low The network will attempt to choose the lowest delay path available based on its often imperfect information about path delay The network will not discard the datagram simply because it believes that the delay of the available paths is too high actually the network manager can override this behavior through creative use of routing metrics but this is strongly discouraged setting the TOS field is intended to give better service when itis available rather than to deny service when it is not Use of the TOS Field in Routing Both hosts and routers should consider the value of the TOS field of a datagram when choosing an appropriate path to get the datagram to its destination The mechanisms for doing so are discussed in this section Whether a packet s TOS value actually affects the path it takes inside a particular routing domain is a choice made by the routing domain s network manager In many routing domains the paths are sufficiently homogeneous in nature that there is no reason for routers to choose different paths based up the TOS field ina AdventNet Inc 34 datagram Inside such a routing domain the network manager may choose to limit the size of the routing database and of routing protocol updates by only defining routes for the default 0000 TOS Neither hosts nor routers should need to have any explici
24. 0 and 7500 series RSM series MGX8800RPM series and BPx8650 series 0 4 T 2 0 4 XE Cisco 7100 series 2 0 6 S Cisco 12000 series NetFlow is also supported by these devices Cisco 800 1700 1800 2800 3800 6500 7300 7600 10000 CRS 1 and these Catalyst series switches 45xx 55xx 6xxx AN 12 0 3 T 12 0 3 S These devices do not support NetFlow Cisco 2900 3500 3660 3750 Cisco Switches NetFlow export is also supported on other Cisco switches when using a NetFlow Feature Card NFFC or NFFC Il and the Route Switch Module RSM or Route Switch Feature Card RSFC However check whether version 5 is supported as most switches export version 7 by default NetFlow Version 9 Support Supported Platforms The following platforms support NetFlow Version 9 Data Export Cisco 2600 series Cisco 3600 series Cisco 7100 series Cisco 7200 series Cisco 7300 series AdventNet Inc 14 Cisco 7400 series Cisco 7500 series Cisco 12000 series Other Vendors Some of the major vendors supporting NetFlow include Alcatel Enterasys Networks Extreme Networks Does not support input output interface octets or first and last times Foundry Networks Juniper Networks Does not support sampling interval attribute First and last times are stored in seconds rather than milliseconds Riverstone Networks no native NetFlow support However Riverstone provides a converter that translates the LFAP records from their dev
25. 7 V9 packets from the following devices Click here for further details What does this mean If you get this message on the user interface it means that NetFlow packets with versions other than version 5 7 9 are being received by NetFlow Analyzer Check your router settings to make sure that only version 5 7 9 NetFlow exports are being sent to NetFlow Analyzer This is because NetFlow Analyzer supports only NetFlow version 5 7 9 exports Is version 9 backward compatible Version 9 is not backward compatible with Version 5 or Version 8 If you need Version 5 or Version 8 then you must configure Version 5 or Version 8 What is the performance impact of V9 Version 9 slightly decreases overall performance because generating and maintaining valid template flowsets requires additional processing What are the restrictions for V9 Version 9 allows for interleaving of various technologies This means that you should configure Version 9 if you need data to be exported from various technologies Such as Multicast DoS IPv6 BGP next hop and so on How do I configure NetFlow Version 9 Please refer the following document for configuring netflow version 9 http www cisco com en US products ps6350 products_configuration_guide_chapter09186a0 0805e1b4a html Technical Information 1 How is traffic information stored in the NetFlow Analyzer database For each report NetFlow Analyzer stores traffic information in a different manner Th
26. 80 is the default web server port 3 Log into NetFlow Analyzer using the default username password combination of admin admin Once you log in you can start managing devices exporting Cisco NetFlow generate bandwidth reports and more AdventNet Inc 11 License Information NetFlow Analyzer comes in two flavors e Free Edition collect analyze and report on Netflow data from a maximum of two interfaces e Professional Edition collect analyze and report on Netflow data from a maximum of n interfaces where n is the number of interfaces for which NetFlow Analyzer has been purchased Once installed NetFlow Analyzer runs in evaluation mode for 30 days You can obtain a registered license for NetFlow Analyzer at any time during the evaluation period by contacting NetFlow Analyzer Support If you have not upgraded to the Professional Edition by the end of the evaluation period NetFlow Analyzer automatically reverts to the Free Edition Upgrading your License After obtaining the new license from AdventNet save it on your computer and follow the steps below to upgrade your NetFlow Analyzer installation Log in to the NetFlow Analyzer web client Click License Management from Admin Operations Click the Upgrade License link present in the top right corner of the screen In the License window that opens up browse for the new license file and select it Click Upgrade to apply the new license file EPDS EY The new li
27. AdventNet Inc 70 Frequently Asked Questions For the latest list of Frequently Asked Questions on NetFlow Analyzer visit the FAQ on the website or the public user forums Installation sch SE 19 When try to access the web interface another web server comes up How does this happen How can change the MySQL port in NetFlow Analyzer from 13310 to another port Can install and run NetFlow Analyzer as a root user Is a database backup necessary or does NetFlow Analyzer take care of this How do update patch in Linux Router Configuration sch Why can t add a router to NetFlow Analyzer 2 My router has been set up to export NetFlow data but still don t see it on the Dashboard 3 I ve deleted a router and all its interfaces through the License Management page but it still comes up on the Dashboard 4 What s the difference between unmanaging and deleting an interface 5 How to Configure SNMP community in router 6 How do I set the router time in SYNC with the NFA server Reporting 1 The graphs are empty 2 What is Aggregate data and Raw data How to set Raw data 3 Some of the applications are labeled as TCP_App or something similar What is that 4 Why are only the top 5 or 10 values shown in the reports What if want more detail 5 The graphs show only IN traffic for an interface although there is both IN and OUT traffic ND NBAR et wt Kee Si V9 esch flowing through that int
28. Control Protocol Session Initiation Protocol Media Gateway Control Protocol An ITU T standard for digital videoconferencing over TCP IP networks Application allowing telephone conversation over the Internet AdventNet Inc 44 3 TCP amp UDP stateful protocols FI CP File Transfer Protocol Description 7a 0 O S 2c z D V p DI p D E NM lt CO OD D hange HTTP with URL host or MIME HTTP CP classification ommands Ka ve Citrix published application Microsoft Netshow RealAudio Streaming Protocol Xing Technology Stream Works Semon UDP SE 8 SQL NET TCP UDP SQL NET for Oracle SunRPG TCP UDP TFTP UD Sun Remote Procedure Call Trivial File Transfer Protocol P VDOLI TCP UDP VDOLive streaming video 4 Non TCP amp Non UDP protocols Non UDP or Non TCP EGP IP 8 Exterior Gateway Protocol GRE IP 47 Generic Routing Encapsulation ICMP IP Internet Control Message Protocol PINIP IP 4 IP in IP IP Encapsulating Security IPsec P 50 ee Header eae Interior Gateway Routin EIGRP IP Be Protocol Well Known Port Type Number Description Protocol AdventNet Inc 45 5 TCP amp UDP static port protocols Vogel deng ze Wier aad con Destin Port Protocol DHCP Bootp o 67 6 M DNS TCP UDP 53 Domain Name Domain Name System Finger TCP 79 Finger User Information Protocol Gopher TCP UDP 70 Internet Gopher Protocol HTTP Top 80 Hy
29. Dashboard To prevent this you need to disable NetFlow export from those interfaces Licensing New Interfaces If a NetFlow packet is received from a new interface and the number of interfaces presently managed is less than that allowed in the current license this interface is listed under Router List on the Dashboard with a message saying new flows have been received You need to then click the License Management option and change this interface s status to Managed in order to include this interface in AdventNet Inc 67 the list of managed interfaces and also generate traffic graphs and reports for the same If a NetFlow packet is received from a new interface and the number of interfaces presently managed is equal to that allowed in the current license you need to either unmanage any other managed interfaces and then manage this interface or leave this interface in New status In any case graphs and reports can be generated only for managed interfaces At any time you can buy more licenses by clicking on the Buy Online image AdventNet Inc 68 Change Password The Change Password option lets you change your own password for logging in to NetFlow Analyzer This is available as a separate option in the Admin Operations menu for users logged in as Operator or Guest For Admin users the password can be changed from the User Management page itself Enter the new password confirm it and click the Update button to save your c
30. When Previous Day option is enabled then the E button permits the setting of working hours Customizing from address You can customize the From Address from the mail serever settings in settings AdventNet Inc 55 A note on emailed reports A report is generated for each interface IP Group 50 such reports are zipped in a single email and mailed In case of more than 50 interface IP Groups selected the report will be sent in multiple emails The last generated reports for all schedules will be under the folder NetFlow gt Reports Deleting Schedules Select a schedule from the Schedule List and click on Delete to delete the schedule Once a schedule is deleted no longer reports are generated at the stipulated intrevals Deleting a schedule also deletes the corresponding folder AdventNet Inc 56 Device Group Management NetFlow Analyzer lets you create device groups which consist of a set of routers A device group can contain any number of routers and a router can belong to any number of device groups The Device Group Management option lets you create manage and delete device groups Initially when no device groups have been created you will see a message that lets you start creating device groups The options visible under the Admin Operations menu depend on the user level you have BY logged in as Look up User Management to know more about user levels and the respective administrative operations allowe
31. ally sorted set of collected data is discarded It is used as a measure of the peak value used when one discounts a fair amount for transitory spikes This makes it markedly different from the average The following example would help you understand it better Consider if the data collected for CPU Utilization is 60 45 43 21 56 89 76 32 22 10 12 14 23 35 45 43 23 23 43 23 20 points This list is sorted in descending order and a single top value 89 is discarded Since 1 consitutes 5 of 20 we discarded 1 value in this case The highest value in the remaining list 76 is the 95th percentile AdventNet Inc 30 Top Applications The Applications tab shows you the top applications and top protocols for the selected time period The default view shows the Top ApplicationIN Report This report shows the distribution of incoming traffic application wise Choose between IN and OUT to display the application wise distribution of incoming or outgoing traffic respectively The Time Period box lets you choose between last hour last day last week last month and last quarter s traffic graphs The From and To boxes let you choose custom time periods for the graphs Use the icon to select the date and time easily The time period for these graphs is based on the current system time Once you select the desired date and time click the Show Report button to display the appropriate application traffic report The table below the graph shows th
32. and start NetFlow Analyzer using the command etc init d netflowanalyzer start Shutting Down NetFlow Analyzer Follow the steps below to shut down the NetFlow Analyzer server Please note that once the server is successfully shut down the MySQL database connection is automatically closed and all the ports used by NetFlow Analyzer are freed Windows Linux sch Navigate to the Program folder in which NetFlow Analyzer has been installed By default this is Start gt Programs gt ManageEngine NetFlow Analyzer 5 Select the option Shut Down NetFlow Analyzer Alternatively you can navigate to the lt NetFlowAnalyzer_Home gt bin folder and invoke the shutdown bat file You will be asked to confirm your choice after which the NetFlow Analyzer server is shut down Navigate to the lt NetFlowAnalyzer_Home gt bin directory Execute the shutdown sh file You will be asked to confirm your choice after which the NetFlow Analyzer server is shut down AdventNet Inc 10 Accessing the Web Client NetFlow Analyzer is essentially a bandwidth monitoring tool that uses Cisco NetFlow exports to analyze network traffic and determine bandwidth usage Once the server has successfully started follow the steps below to access NetFlow Analyzer 1 Open a supported web browser window 2 Type the URL address as http lt hostname gt 8080 where lt hostname gt is the name of the machine on which NetFlow Analyzer is running and 80
33. at AS for the past one hour AdventNet Inc 27 IP Groups View Information on IP groups created so far is displayed below both the Global View tabs This is also displayed when the All Groups link is clicked on the IP Groups pane on the left Initially when no IP groups have been created you will simply see a status message with the option to start creating IP groups The IP Group List shows all the IP groups that have been created so far Click the View Description link to view descriptive information on all IP groups created Alternatively you can click the View Description link against each IP group to view descriptive information on that IP group alone Click the IP Group name to view traffic graphs specific to that IP group From the traffic graph you can navigate to see the top applications top hosts and top conversations in this IP group The IN Traffic and OUT Traffic columns show the volume of incoming and outgoing traffic in the IP group generated over the past one hour You can click on the IN Traffic or OUT traffic bar to view the respective application traffic report Click the E icon to see a consolidated traffic report for the respective IP group This report shows you all the details about incoming and outgoing traffic in this IP group in a single report AdventNet Inc 28 Traffic Report Netflow Traffic Reports NetFlow Analyzer generates traffic reports in real time as soon as NetFlow data is receiv
34. at if want more detail NetFlow Analyzer shows the top 50 results in all reports by default You can see up to 100 results in each report by changing the Record Count value in the Settings page AdventNet Inc 74 5 The graphs show only IN traffic for an interface although there is both IN and OUT traffic flowing through that interface Why s that Check if you have enabled NetFlow on all interfaces through which traffic flows Since NetFlow traffic accounting is ingress by default only IN traffic across an interface is accounted for To see both IN and OUT traffic graphs for an interface you need to enable NetFlow on all the interfaces through which traffic flows Why are some interfaces labeled as Iflndex2 lflndex3 etc This happens if the device interface has not responded to the SNMP requests sent by NetFlow Analyzer Check the SNMP settings of the interface or manually edit the interface name from the Dashboard NetFlow Analyzer uses port 161 and the public community string as default SNMP values If the SNMP settings of your device are different click the E icon next to the device interface in the Dashboard Interface View to change the values If you need to change this globally enter the new values in the same fields under Settings The total bandwidth usage seems to decrease depending on the length of the report Why is that NetFlow Analyzer aggregates older data in less granular format and due to this reason some of
35. ature Description Web based interlace EE reports and perform administrative tasks from just a web rowser Support for NetFlow export As of release 4 0 2 NetFlow Analyzer includes support for NetFlow versions version 5 and version 7 exports l Simply configure NetFlow export on your router or switch and see it eine On ewan automatically added on the Dashboard y View instant graphs of bandwidth utilization per network interface as EE soon as NetFlow data is received Generate daily weekly monthly and custom time period bandwidth reports showing peak traffic patterns Historical Trend Reports AdventNet Inc 4 Bandwidth Usage Reports Consolidated Reports Autonomous Systems Reports NetFlow Devices IP Groups Application Configuration User management Localized setup AdventNet ManageEngine NetFlow Anayzer Help Docuementation View reports showing top applications top hosts and top conversations using bandwidth View bandwidth reports per interface showing all details on bandwidth usage for that interface View AS and peering information for routers configured with BGP useful for service providers Categorize devices exporting NetFlow into logical groups and monitor them exclusively Create departments based on IP addresses ports protocols or interfaces and generate specific bandwidth usage reports Identify most standard applications out of the box and configure custom applications
36. be filled o Ifyou opt for IP Address then you have to enter the address in the IP Address box o Ifyou opt for IP Network then you have to enter the IP Network and IP Netmask details o Ifyou opt for IP Range then you have to enter the Start IP End IP and IP NetmaskEnter a unique name for the application 5 The Application Name has to be entered finally by which the IP address is associated with an application AN Ensure that the combination of port number and protocol is unique If not the older application mapping will be deleted Once you are done click the Update button to save your changes Modifying an Application Select an application and click the Modify button to modify its properties Ey You can only change the name of the application If you need to change the port or the protocol you have to delete the application and add it as a new application Once you are done click the Update button to save your changes Deleting an Application Select an application and click the Delete button to delete it The application is permanently deleted the corresponding port is freed and can be assigned to another application Additional Notes on Application Mapping Applications are categorised based on the source address destination address source port destination port and protocol values in the flow record These values are matched with the list of applications in the Application Mapping The check is done first with the
37. cense is applied with immediate effect You do not have to shut down or restart the NetFlow Analyzer server after the license is applied AdventNet Inc 12 Configuring Cisco Devices This section offers a brief guide to setting up NetFlow on a Cisco router or switch For more detailed information refer the Cisco web site at http www cisco com go netflow It is recommended that only people with experience in configuring Cisco devices follow these steps Cisco devices with NetFlow support Configuring an IOS Device Configuring a Catalyst 6000 Series Switch Configuring a Native IOS Device Configuring a Catalyst 4000 Series Switch Configuring NetFlow for BGP Setting the appropriate time on the router NetFlow Analyzer stamps the flows based on the router time It is therefore important to ensure that the time on the router is set properly Netflow Analyer can handle routers from different time zones automatically provided the correct time is set Whenever the time difference between the NetFlow Analyzer Server and the router is above 10 minutes a warning icon will appear in the home page When this happens NetFlow Analyzer will stamp the flows based on the system time of the NetFlow Analyzer server In case you see this please ensure the following on the router e Check if the correct time is set on your router You can check this by logging into the router and typing show clock You can set the clock time using the command clock se
38. com for more information on purchasing options AdventNet Inc 81 Appendix 1 Working with SSL 2 SNMP Trap Forwarding AdventNet Inc 82 Working with SSL The SSL protocol provides several features that enable secure transmission of Web traffic These features include data encryption server authentication and message integrity You can enable secure communication from web clients to the NetFlow Analyzer server using SSL The steps provided describe how to enable SSL functionality and generate certificates only Depending on your network configuration and security needs you may need to consult outside documentation For advanced configuration concerns please refer to the SSL resources at http www apache org and http www modssl org Stop the server if it is running and follow the steps below to enable SSL support Generating a valid certificate 1 Generate the encryption certificate and name it as server keystore 2 Copy the generated server keystore file to the lt NetFlowAnalyzer_Home gt server default conf directory Disabling HTTP When you have enabled SSL HTTP will continue to be enabled on the web server port default 8080 To disable HTTP follow the steps below 1 Edit the server xml file present in lt NetFlowAnalyzer_Home gt server default deploy jbossweb tomcat50 sar directory 2 Comment out the HTTP connection parameters by placing the lt tag before and the gt tag after the f
39. communication the SYN flag is initialy sent when establishing the typical 3 way handshake between two hosts as shown above The Host 1 needs to establish contact with Host B using TCP as the protocol In the course of the 3 way handshake there are 2 SYN flags transmitted As the connection is set and data is transmitted between the two hosts more SYN flags will be sent and received The sixth amp final flag available is the FIN flag which appears when the last packets are exchanged between a connection When a host sends a FIN flag to close a connection it may continue to receive data until the remote host has also closed the connection A typical disconnection is shown below TCP is a Full Duplex connection so there are two directions of data flow gt Host 2 gt Host 2 Data Transfer After the data transfer is completed the Host 1 sends a packet with the FIN ACK flags set to Host 2 By this action Host 1 has acknowledged the previous data stream while simultaneously has initiated a TCP closing action to end this connection After this Host 1 s application will not receive any more data and the connection will be closed Also Host 2 in response to Host 1 s request to end the connection sends an acknowledgement back After this is completed the Host 2 sends its own FIN AdventNet Inc 36 ACK flags to end the connection Finally Host 1 acknowledges the request Host 2 made earlier and this way the connection is closed TCP amp
40. d Creating a Device Group Follow the steps below to create a new device group 1 Click the Add button to create a new device group 2 Enter a unique name to identify the device group The same name is displayed in the Device Group menu on the left and will be listed under Available device groups when managing a user 3 Use the Device Group Description box to enter useful information about the device group 4 Select the routers needed for this device group from the list of available routers displayed Once all values have been entered click the Update button to create this device group and begin generating traffic reports for the same Interface Group Interface Group allows you to combine interfaces in order to monitor traffic This can be useful for grouping multiple sub interfaces into a single logical entity Follow the steps below to create a new interface group Click the Interface Group tab at the top right of the Device Group Management page Enter a name to identify the interface group in the Interface Group Name box Use the Interface group speed box to enter the speed limit for the interface group Select the routers needed and the interfaces under them for this interface group By selecting a router Dy default all interfaces are selected You can selectively unselect the unwanted interfaces from the list 5 Click on Update to save the changes ee LY The Interface group that is created is listed in the Dashboard
41. d all its interfaces check the checkbox next to the router name To select a specific interface check the checkbox next to the interface name Once you have selected the required interfaces click the Manage button to manage these interfaces This means that flows received from these interfaces will be processed by NetFlow Analyzer and traffic graphs and reports can be generated The maximum number of interfaces that can be managed depends on the current license applied Unmanaging a router interface To select the router and all its interfaces check the checkbox next to the router name To select a specific interface check the checkbox next to the interface name Click the Unmanage button to unmanage these interfaces This means that flows received from these interfaces will be dropped by NetFlow Analyzer Once unmanaged these interfaces will not be seen on the Dashboard or be listed in device groups However they will still be listed in the Router List in the License Management page Deleting a router interface To select the router and all its interfaces check the checkbox next to the router name To select a specific interface check the checkbox next to the interface name Click the Delete button to delete these interfaces This means that these interfaces are completely removed from all screens of the NetFlow Analyzer client However if flows are still being sent from these interfaces to NetFlow Analyzer they will reappear in the
42. d for these graphs is based on the current system time Once you select the desired date and time click the Show button to display the appropriate application traffic report The table below the graph shows the distribution of traffic per application You can see what application caused how much traffic and how much of the total bandwidth was occupied by that application Click the Zei icon Supported Applications link to see the list of supported applications in a new window Viewing Top Applications Choose between IN and OUT to display the protocol wise distribution of incoming or outgoing traffic respectively CH The pie chart below shows what percentage of bandwidth is being used by each Application The icon above the pie chart lets you see the pie chart enlarged in a new window From here you can click the icon to save the pie chart as a PDF file AdventNet Inc 43 NBAR supported applications NBAR supports a wide range of network protocols The following list shows some of the supported protocols 1 Peer to Peer Protocols Peer to Type posonpton Peer Type Description Protocol BitTorrent Top File sharing application Gnutella TCP File sharing application Kazaa TCP File sharing application eDonkey Top File sharing application Fasttrack TCP File sharing application Napster TCP File sharing application 2 VolP Protocols D Protocol Type Description SCOP Top Skinny Call
43. data is concerned NetFlow Analyzer maintains the top n flows for every ten minutes slot The record count determines this n values By default it is set to 50 You may set your own criteria for this purpose you can change this from the Settings option Apart from this NetFlow Analyzer allows you to store raw data all flows not just the top n for upto one month 1 Aggregated data is stored in 5 levels of tables 10 Min Hourly 6 Hour 24 Hour and Weekly tables and reports for different periods need to access the corresponding table For example very recent reports need to access the 10 Min table and old reports need to access the Weekly table You can access the table MetaT able to determine the table which contains data for the required time period 2 Raw data is stored in dynamically created tables and data pertaining to different devices routers reside in different table for different periods of time You can access the table RawMetaTable to determine the table which contains data for the required report Some of the applications are labeled as TC App or something similar What is that If an application is labeled as TCP_App or something similar it means that NetFlow Analyzer has not recognized this application i e the combination of port and protocol is not mapped as any application Once you add these applications under Application Mapping they will be recognized Why are only the top 5 or 10 values shown in the reports Wh
44. e following tables describe the data storage pattern for the various reports generated by NetFlow Analyzer Traffic reports Time Interval Granularity within last 6 hours more than 6 hours but less than last 26 hours 10 minutes more than 26 hours but less than last 8 days more than 8 days but less than 32 days more than 32 days but less than last 92 days more than 92 days AdventNet Inc 78 EPDS CO NO Application traffic reports Application tab Application IN OUT graphs Consolidated Reports Time Interval Granularity gt within last 2 hours V more than 2 hours but less than last 8 days 1 hour more than 8 days but less than last 21 days 6 hours more than 21 days but less than last 90 days 24 hours more than 90 days 1 week Source Destination Conversation traffic reports Source Destination and Conversation tabs and IN OUT graphs Drill down graphs from Application Source Destination and Conversation reports Consolidated Reports Custom reports Time Interval Granularity within last 1 hour more than 1 hour but less than last 3 days more than 3 days but less than last 21 days more than 21 days but less than last 90 days more than 90 days How do I reset admin password Please ensure that the server is running before doing the below steps Open a command prompt Go to the mysq bin directory Type mysql u root port 13310 Type use netflow Execute the following que
45. e Destination Network Source Destination Nodes Application Port Port Range The From and To boxes let you choose custom time periods for the report Use the E icon to select the date and time easily Use the IN OUT box to display values based on IN traffic OUT traffic or both IN and OUT traffic The Show box lets you choose how many results to display You can set this value from the Settings page Once you select all the desired criteria click the Generate Report button to display the corresponding traffic report The default report view shows the IP addresses of the hosts Click the Resolve DNS link to see the corresponding DNS values You can also choose to print this report by clicking the icon or the Print link Custom Reports are different from Troubleshooting Reports You can troubleshoot only one Ey interface at a time whereas Custom Reports can be generated across interfaces Data for Troubleshooting reports is taken directly from raw data whose maximum retention period can be set from Settings But data for Custom Reports is taken from aggregated data in the database AdventNet Inc 39 Consolidated Reports Consolidated reports let you see all the traffic details for an interface or IP group at one glance You can then print this report or save it as a PDF file Click the Consolidated Report link or the icon to see all traffic details for an interface at one glance The same report can be accessed from th
46. e Global Dashboard when the E icon against an interface or IP group is clicked The Custom Selection box lets you select different time periods for the traffic data e The 1 Hour Report and 1 Day Report options show you traffic details over the past one hour and one day respectively e The 8AM to 8PM option shows you traffic details from 8 a m to 8 p m of the previous day This is a peak hour report based on the normal working hours of an enterprise Apart from these options the From and To boxes let you choose custom time periods for the report Use the t icon to select the date and time easily Once you select the desired time period click the Show Report bution to display the corresponding consolidated report The default report view shows the IP addresses of the hosts Click the Resolve DNS link to see the corresponding DNS names You can also choose to save the report as a PDF file by clicking the icon or print it by clicking the Print icon AdventNet Inc 40 AS Traffic Reports The Traffic report for autonomous systems shows the amount of incoming and outgoing traffic for that AS over the past one hour Tabs above the traffic graph let you view the graph in terms of volume of traffic soeed and number of packets received You can see traffic graphs for different time periods by choosing the appropriate values from the Time Period box Use the From and To boxes to choose custom time periods for the graphs Use t
47. e distribution of traffic per application You can see what application caused how much traffic and how much of the total bandwidth was occupied by that application The icon next to an application name indicates that that application is not identified by NetFlow Analyzer When you click on this icon a window opens up showing the port and protocol details for this application If it is a valid application you can then add it to the list of applications in the Application Mapping page The icon will be displayed next to an unknown application only in the Last Hour report Click on an application s name to see the Top Conversations that contributed to this application s traffic The Show box above this table lets you choose how many applications need to be displayed You can set the maximum value for this option from the Settings page The pie chart below this table shows what percentage of bandwidth is being used by each application CH The icon above the pie chart lets you see the pie chart enlarged in a new window From here you can click the icon to save the pie chart as a PDF file Viewing Top Protocols Click the Zei icon or the Protocol Distribution link to see the top protocols for the selected interface or IP group in a new window Choose between IN and OUT to display the protocol wise distribution of incoming or outgoing traffic respectively This report sorts traffic based on the protocol used while the Application
48. e required to store the aggregated data forever is about 150 MB per interface AdventNet Inc 65 AdventNet ManageEngine NetFlow Anayzer Help Docuementation In addition to the aggregated data NetFlow Analyzer 5 allows you to store all raw netflow data for upto 1 month The time period for which you can store this raw data Raw Data Period depends on the number of flows received by NetFlow Analyzer and the amount of free disk space available on your computer Each flow is about 60 bytes Troubleshooting and Alert reports are generated from Raw data since it provides high level of granularity NetFlow Analyzer indicates the flows received per second in the Raw Data Settings tab on the Settings link You should set the raw data period based on the calculation below Free hard disk space 150 MB No of Managed Interfaces Raw Data Period in hours 60 Bytes 3600 seconds Flows Per Second You can use the recommendation provided by the software to set you Raw data storage period The maximum raw data storage period is 1 month earlier it was 2 weeks Mail Server Settings These settings are important when e mail notifications have to be sent for alerts generated Default E Option Vawe Deseripton Se ST au We name of the outgoing SMTP server used to send e mails o Port 25 The port number on the outgoing server that is used to s
49. e settings Click this link to troubleshoot an interface You can troubleshoot only one interface at a time Note Troubleshooting results are shown directly from raw data Hence results depend on the raw data retention time period set in Settings Click this icon to see a quick report for the respective interface This report ES shows you all the details about the traffic across that interface for the past one hour Indicates that NBAR report is available for the interface before Interface Name Clicking the Stop button only means that NetFlow Analyzer will drop flows from this device To _lstop this device from exporting NetFlow statistics you need to work on the device directly See the section on Configuring Cisco Devices for more information The Interface Name column lists all the interfaces on a discovered device Click on an interface to view the traffic details for that interface The Status column indicates the current status of that interface Description The Status of the interface is unknown and no flows have been received for the past 10 minutes The interface is not responding to SNMP requests The interface is responding to SNMP requests and the link is up but no flows have been received for the past ten minutes AdventNet Inc 25 AdventNet ManageEngine NetFlow Anayzer Help Docuementation The link is up and flows are being received o r interface is responding to SNMP requests and t
50. e the following commands in normal not configuration mode to verify whether NetFlow export has been configured correctly show ip flow export Shows the current NetFlow configuration show ip cache flow TE EE commands summarize the active flows and give an indication of how enw EP aie much NetFlow data the device is exporting verbose flow A Sample Device Configuration The following is a set of commands issued on a router to enable NetFlow version 5 on the FastEthernet 0 1 interface and export to the machine 192 168 9 101 on port 9996 router enable Password router configure terminal router 2621 config interface FastEthernet 0 1 router 2621 contig i1f 1ip route cache flow ro ter 262l config ir fexirt roucer Z621 config ip flow egport destination 192 16c8 9 101 9996 router 2621 config tip flow export source FastEthernet 0 1 router 2621 config ip flow export version 5 router 2621 config ip flow cache timeout active 1 router 2621 config ip flow cache timeout inactive 15 router 2621 config Ssnmp server ifindex persist rOUTer 2621 Contig Z2 router write router show ip flow export router show ip cache flow repeat these commands to enable NetFlow for each interface Please note that NetFlow data export has to be enabled on all interfaces of a router in order to see accurate IN and OUT traffic Suppose you have a router with interface A and B Since NetFlow by default is done on
51. ed from an interface The traffic reports in NetFlow Analyzer include information on Traffic Trends Top Applications Top Hosts Top Conversations AS Traffic Reports Apart from these pre defined reports Custom Reports let you define criteria and generate specific reports on network activity Consolidated Reports show you overall traffic statistics for an interface or AS as applicable Troubleshooting Reports let you troubleshoot an interface using raw data directly Click the icon or the Troubleshoot link at the top left corner of the page to troubleshoot this interface AdventNet Inc 29 Real time Traffic Graphs NetFlow Analyzer generates traffic graphs as soon as Nettflow data is received The Traffic tab shows real time traffic graphs for incoming and outgoing traffic Depending on which link was clicked you can see traffic graphs for an interface or IP group Tabs above the traffic graph let you view the graph in terms of volume of traffic speed link utilization and number of packets received Ey The Packets tab shows the number of actual packets of traffic data received This information is included in exported Netflow data You can see traffic graphs for different time periods by choosing the appropriate values from the Time Period box Use the From and To boxes to choose custom time periods for the graphs Use the icon to select the date and time easily The time period for these graphs is based on the current
52. eek Monday s 00 00 hours till 10 00 hours Monthly By opting for the Monthly option you can set the date of the month along with the time at which the report needs to be generated every month The report could be generated for the Previous Month or for the Last 30 days By selecting Exclude Weekends the report can be made to include only data corresponding to monday through friday When Previous Month option is enabled and the report generation date is set to 5 th of every month at 10 00 hours then the report will be generated for the whole of last month first to the last day of the month When Exclude weekend option is enabled then the generated report will exclude all the intervening weekends saturday amp sunday When Last 30 Days option is enabled and the report generation date is set to 5 th of every month at 10 00 hours then the report will be generated from last month s 5 th 10 00 hours till this month 5 th s 10 00 hours When Exclude Weekend option is enabled then the generated report will exclude all the intervening weekends saturday amp Sunday Only Once If you wish to generate report only once at a specified time you can do that by opting for Only Once The date and time at which the report should be run can be specified The date amp time can be altered by using the icon ES The report could be generated for the Previous Day Last 24 Hours Previous Week Last 7 Days Previous Month or Last 30 Days
53. eeseeeeeeessaaeeees 21 CORMOURING INCTFIGW TOK EE 22 GETTING a RE 24 Dashboard Interface EE 25 PASABOG AS E 27 P OUDS VIEW E A E E E E 28 TE a ee 29 Netflow Traffic Reports cccccccceeeeceeeeceeeeeneeeeeeeesseeeseeeseeeesaaeesseeessueeseueeseaeesseeeeseneenees 29 Realtime LES GIA DNS sicciescsncdstaossinansteeiateoledsansdaeitieeladagecesteabadheddseeianseensantbecdsaecouddlqosebes 30 VO ele ele e E 31 TOP ROSIS conse ete ea tece E aan aaineayuaianeraueasegcaseueanle 33 le 34 TOP e 36 TOP CONVE aO ee ee cee een en eee nee ene ee ee 38 EE 39 COn olaaa REDON aene EE E E E E E E 40 AOTC Tee CN 41 TOUS SOO UNG E 42 AdventNet Inc 1 NBAR REPORT cetacean tee tattered pe terse csc outset eee een 43 NBAR SUPPDONSd EE ee Uerde 9 cinsas E ene eee Seen eae eee ae 44 NBAR supported platforms amp IOS Versions ccccccseeccceceeeeceeeeeeeeeseeeseeesaaeeeeesaaeeeesaaees 48 ADMIN HO a a ane LE 49 Alert Profiles Management 50 See ER RODO ana E sesendanee neces teaate as swan A E E a 53 Device Group Management 57 HP Elte Ee AG CIN A E 59 User Management nsaveecsesectsusaniananeeaseuesconndsaausnncvesduneseacenaanencasemennadse tie REAREA RED 61 ADOLTO WIAD PIG E 63 ell E 65 PIECING SIVAN aC CIM E 67 CM IIS SS WONG WEE 69 CONTACTING TECHNICAL SUPPORT cccccceeeeeeeeeseeneeenseenseeneeenecesecneeeneeens 70 FREQUENTLY ASKED QUESTIONS iesseieceieneiietacesadetinnntccudswusdeusivuusueuseeusvesiueaudceuuanivs 71
54. end e mails The default e mail address to which e mail notifications have to be sent Separate multiple e mail addresses by a comma If mail id is not optional provided then a mail is received with the From address as netflowreport localdomain com Requires Packed Sege UNCNECKE Select this checkbox if the mail server needs authentication optional The authentication user name for the mail server e The corresponding password for mail server authentication NBAR Data Storage Settings This parameter lets your decide how long you want NBAR data to be stored The maximum period is 2 months AdventNet Inc 66 License Management The License Management option lets you manage the interfaces exporting NetFlow data to NetFlow Analyzer depending on the license that you have purchased The options visible under the Admin Operations menu depend on the user level you have logged in as Look up User Management to know more about user levels and the respective admin operations allowed The status box at the top of the page indicates the type of license currently applied the total number of interfaces currently managed and the number of days remaining for the license to expire Look up Licensing to know more about upgrading your license The Router List shows all the routers and interfaces from which NetFlow exports are received and whether they are managed or not Managing a router interface To select the router an
55. er card WS F4531 and IOS version 12 1 19 EW or above to support NDE Configure this device as for an IOS device but omit the ip route cache flow command on each interface Then issue the following command ip route cache flow infer fields This command ensures routing information is included in the flows You will not enter the ip route cache flow command on each interface A Sample Device Configuration The following is a set of commands issued on a 4000 Series switch to enable NetFlow version 7 and export to the machine 192 168 9 101 on port 9996 using FastEthernet 0 1 as the source interface enable enable Switch gt Switch gt flow export destination 192 168 9 101 9996 flow export version 7 flow cache timeout active 1 route cache flow infer fields enable enable Switch gt switch gt 1p 1p switch gt enable ip flow export source FastEthernet 0 1 1P ER AdventNet Inc 21 Configuring NetFlow for BGP The Border Gateway Protocol BGP defined in RFC 1771 provides loop free interdomain routing between autonomous systems An autonomous system AS is a set of routers that operate under the same administration BGP is often run among the networks of Internet service providers ISPs In order to get AS info you need to configure your router to include AS info AS information E collection is resource intensive especially when configured for origin AS In case you are not interested in mo
56. erface Why s that Why are some interfaces labeled as Iflndex2 flndex3 etc The total bandwidth usage seems to decrease depending on the length of the report Why is that Which features are not supported by NBAR Any restrictions on where we can configure NBAR What Does NBAR Performance Depend On Is performance dependent on the number of interfaces that NBAR is enabled on Does the link speed of the interface s that NBAR is enabled am able to issue the command ip nbar protocol discovery on the router and see the results But NFA says my router does not support NBAR Why How do verify whether my router supports CISCO NBAR PROTOCOL DISCOVERY MIB What is NetFlow Version 9 What is the memory impact on the router Receiving non V5 V7 V9 packets from the following devices Click here for further details What does this mean AdventNet Inc 71 4 5 6 T7 Is version 9 backward compatible What is the performance impact of V9 What are the restrictions for V9 How do I configure NetFlow Version 9 Technical Information 1 How is traffic information stored in the NetFlow Analyzer database 2 How do I reset the admin password 3 How are ports assigned as applications in NetFlow Analyzer 4 Do lI have to reinstall NetFlow Analyzer when moving to the fully paid version 5 How many users can access the application simultaneously 6 NetFlow Analyzer logs out after a period of inactivity How do avoid
57. ervals at which network traffic reports are S P generated automatically and mailed to desired recipient s NetFlow V9 Support Basic V9 support beets IP address to associate IP address to an application in addition to port amp protocol Create Interface Groups Ability to group interfaces together and monitor traffic Reports based on TCP flags amp TOS can be generated from the Trouble ToS amp TCP_flag EE New Features in Release 5 0 Set up alerts based on link utilization and send emails or SNMP Traps Threshold based Alerting hen thresholds are exceeded Retain raw data for longer time periods up to 2 weeks to enable Troubleshooting increased visibility into traffic data for troubleshooting and alerts Support link Wide range of options to contact technical support in case of any PP problems running NetFlow Analyzer Specify whether router details need to be fetched based on IfName EE ROUER AMNIS lfAlias or IfDescription value Dashboard View Eile Filter Dashboard Interface View to display only those interfaces exceeding specific values of incoming or outgoing traffic Traffic Graph Filters Filter daily and weekly traffic graphs to show hour based traffic details Specify interfaces when creating IP groups to further filter traffic details for an IP group NetFlow Analyzer supports French German and Spanish along with OCA Wem EES Chinese and Japanese Features in Previous Releases 4 0 to 4 0 2 Fe
58. ew schedules or delete existing ones from the Schedule List page Configuring a new Schedule The steps to configure a Schedule are 1 Login to the NetFlow Analyzer client and click Schedule Reports under Admin Operations in the left panel AdventNet Inc 53 AdventNet ManageEngine NetFlow Anayzer Help Docuementation 2 Click Add to add a new Schedule Profile 3 Fill in the following details By default all managed interfaces sending NetFlow exports are selected If you want this schedule configuration to apply to certain interfaces only click the Modify Selection link In the pop up window select the required devices and interfaces and click Update to save your changes By default all IP Groups are selected If you want this schedule configuration to apply to certain IP Groups only click the Modify Selection link In the pop up window select the required devices and IP Groups and click Update to save your changes Select whether the reports that need to be generated is consolidated or a customised one The default setting is Consolidated Report To opt for Custom Report click on the radio button in front of custom report report Opting for Custom report lets you set criteria by using the Add Criteria option Any number of criterion can be set and the rule set to match all the criteria or anyone Select the report generation frequency as one from Daily Weekly Monthly and Only Once Depending on this the report
59. f your router is exporting NetFlow data to the port on which NetFlow Analyzer is listening o Check if the router is exporting NetFlow version 5 data Flows with any other version will be discarded I ve deleted a router and all its interfaces through the License Management page but it still comes up on the Dashboard This happens because NetFlow packets are still being received from that router Unless you configure the router itself to stop exporting NetFlow data to NetFlow Analyzer it will reappear on the Dashboard What s the difference between unmanaging and deleting an interface or When do unmanage a device and when do I delete it from the License Management page If you need to temporarily stop monitoring a router interface unmanage it from License Management In this case the router interface is still shown under License Management If you need to permanently stop monitoring a router interface disable NetFlow exports from the interface router and then delete it from License Management Iin this case the router interface is not displayed on any of the client screens unless new flows are sent from it How to Configure SNMP community in router For configuring SNMP follow the steps below 1 Logon on to the router 2 Enter into the global configuration mode 3 Type the command snmp server community public RO to set public as Read Only community 4 Press ctrl and Z 5 Type the command write mem AdventNet Inc 73
60. fic application protocol and or port is used Enter the threshold conditions threshold utilization no of times it can exceed and the time duration exceeding which the alert will be generated You can also specify an action to be taken during the alert creation Email to send a notification to one or more people SNMP Trap to send a trap to the manager application specify the lt server name gt lt port gt lt community gt For details on configuring trap forwarding refer to SNMP Trap Forwarding section under Appendix To add more threshold values click Add How and add values 4 Customizing from address 5 You can customize the From Address from the mail server settings in Settings page 6 After setting the required thresholds click Save The new alert profile is created and activated The system watches the utilization and raises alarms when the specified conditions are met AdventNet Inc 51 Only one alert is generated for a specified time duration For example say for a particular interface the threshold is set as 60 and number of times is set as 3 times and the time duration is set as 30 minutes Now lets assume that the utilization in that interface goes above By 60 and stays above it Then in 3 minutes the above conditions will be met and an alert will be generated The next alert will NOT be generated after 6 minutes but only in the 33rd minute if the condition persists Thus for the specified 30
61. fix this issue 1 Incase you see this please ensure the following on the router Check if the correct time is set on your router You can check this by logging into the router and typing show clock You can set the clock time using the command clock set hh mm ss month date year Check if the time zone and the offset in Hours and Minutes for the time zone is set properly E g PST 8 00 for PST or EST 5 00 for EST You can check this by logging into the router going into the configure terminal and typing show running config You can set the clock time zone and offset using the command clock timezone zone hours minutes E g clock timezone PST 8 00 2 The time sync issue may be related to high CPU load and reducing the IP group can help Each address range network will be checked seperately So 4 addresses of 10 10 10 1 10 10 10 2 10 10 10 3 and 10 10 10 4 will add more overload than creating the same as a single IP range of 10 10 10 1 to 10 10 10 4 While associating interfaces you are better off selecting All interfaces wherever appropriate since in that case no check will be done with the interface in the flow In your case since you had 180 interfaces associated the code had to check for these 180 interfaces in each flow received 13 How do I buy NetFlow Analyzer You can buy NetFlow Analyzer directly from the AdventNet Online Store or from a reseller near your location Please see the website at http www netflowanalyzer
62. hanges Enter the new password when you log in again into NetFlow Analyzer Your present session will not be terminated until you explicitly log out or your session expires AdventNet Inc 69 AdventNet ManageEngine NetFlow Anayzer Help Docuementation Contacting Technical Support Click the Support link on the top left corner of the NetFlow Analyzer client screen to see a wide range of options to contact the NetFlow Analyzer Technical Support team in case of any problems Option Description ee Cen this link to submit a form from the NetFlow Analyzer website with a Support detailed description of the problem that you encountered Click this link to create a ZIP file containing all the server logs that the Technical Support team will need to analyze your problem You can then send this ZIP file to support netflowanalyzer com or upload it to our server via FTP Create Support Information File Troubleshooting Click this link to see troubleshooting tips for common problems encountered by Tips users Click this link to go to the NetFlow Analyzer user forum Here you can discuss User Forums with other NetFlow Analyzer users and understand how NetFlow Analyzer is being used across different environments Need a Feature Click this link to submit a feature request from the NetFlow Analyzer website Tolktree Number Call the toll free number 1 888 720 9500 to talk to the NetFlow Analyzer Technical Support team directly
63. he icon to select the date and time easily The time period for these graphs is based on the current system time Once you select the desired date and time click the Show Report button to display the appropriate traffic report The table below the graph shows the legend along with total maximum minimum and average traffic values for this AS for the selected time period The Traffic IN Details and the Traffic OUT Details show sampled values of traffic generated over the selected time period AdventNet Inc 41 Troubleshooting The Troubleshoot link lets you set criteria and view specific details about the traffic across a single interface Data for Troubleshooting reports is taken directly from raw data Which means that Troubleshooting reports will be available only for the maximum time period for retaining raw data configured under Settings Click the ER icon against an interface on the Dashboard Interface View or the Troubleshoot link present above the traffic graphs for an interface to open a popup with options to set criteria for viewing reports In the pop up window that opens up click the Select Devices link to change the interface that you want to troubleshoot Under Search Criteria enter the criteria on which traffic needs to be filtered You can enter any of the following criteria to filter traffic Source Destination Address Source Destination Network Source Destination Nodes Application Port Port Range The Fro
64. he IP addresses of the hosts Click the Resolve DNS link to see the corresponding DNS names The Show box above this table lets you choose how many conversations need to be displayed You can set this value from the Settings page The Group by box lets you group conversations by source destination or application The default list shows the conversations sorted in descending order of number of bytes of traffic The pie charts below this report show the top sources destinations and conversations contributing to l traffic for the selected time period The icon above the pie chart lets you see the pie chart enlarged in a new window From here you can click the icon to save the pie chart as a PDF file AdventNet Inc 38 Custom Reports Custom Reports let you set several criteria and view specific reports This is especially useful in finding out the bandwidth utilization of a specific host or application Custom reports can also tell you details about a certain application and which hosts are using it thereby helping to troubleshoot and even detect virus activities Click the LE icon or the Custom Report link on the Dashboard to to set criteria and view custom reports In the pop up window that opens up click the Select Devices link to select the routers and or interfaces whose traffic needs to be analyzed Under Report Criteria you can specify a maximum of three filtering criteria Source Destination Address Sourc
65. he addresses of three remote routers and their autonomous systems are listed The router being configured will share information about networks 131 108 0 0 and 192 31 7 0 with the neighboring routers The first router listed is in a different autonomous system the second neighbor s remote as router configuration command specifies an internal neighbor with the same autonomous system number at address 131 108 234 2 and the third AdventNet Inc 22 neighbor s remot e as router configuration command specifies a neighbor on a different autonomous system Including AS Info in Netflow Exports If you have configured BGP on your network and want Netflow to report on autonomous systems AS info issue the following command on the router in global configuration mode Command Purpose Exports the Netflow cache entries to the specified IP address Use the IP address of the NetFlow Analyzer server and the configured Nettflow listener port The default port is 9996 ip flow export destination fhostname ip_address 9996 Exports NetFlow cache entries in the specified version format 5 or 7 If your router uses BGP you can specify that either the origin or peer ASs are included in exports it is not possible to include both ip flow export version peer as origin as AdventNet Inc 23 Getting Started Once NetFlow Analyzer has been successfully set up and started in your network the next thing to do is start receiv
66. he link is down and no flows are being received The IN Traffic and OUT Traffic columns show the utilization of IN and OUT Traffic on the respective interfaces for the past one hour You can click on the IN Traffic or OUT traffic bar to view the respective application traffic graph for that interface AdventNet Inc 26 AdventNet ManageEngine NetFlow Anayzer Help Docuementation Dashboard AS View The Autonomous System View displays information on all the autonomous systems AS to which a router belongs along with traffic details for each AS In order to get AS info in this view you need to configure your router to include AS info AS E information collection is resource intensive especially when configured for origin AS In case you are not interested in monitoring peering arrangements disabling AS collection may improve NetFlow Analyzer performance The Router List displays each router along with the AS to which it belongs Click on the AS Name to view the traffic report for that AS The Dashboard also shows the organization to which the AS belongs and the amount of incoming and outgoing traffic for the past one hour The purpose of icons and buttons in the Router List are explained below Icon Button Click this icon or on the router name to view the autonomous systems to which this router belongs Click this icon to hide the AS corresponding to a router its SNMP community string or its SNMP port 3 for th
67. ices into NetFlow AdventNet Inc 15 Configuring NetFlow Export on an IOS Device Follow the steps below to configure NetFlow export on a Cisco IOS device ear the Cisco Version Matrix for information on Cisco platforms and IOS versions supporting NetFlow Enabling NetFlow Export Enter global configuration mode on the router or MSFC and issue the following commands for each interface on which you want to enable NetFlow interface interface interface number ip route cache flow bandwidth lt kbps gt exit P In some recent IOS releases Cisco Express Forwarding has to be enabled Issue the command ip cef in global configuration mode on the router or MSFC for this This enables NetFlow on the specified interface alone Remember that on a Cisco IOS device NetFlow is enabled on a per interface basis The bandwidth command is optional and is used to set the speed of the interface in kilobits per second Interface speed or link speed value is used to later calculate percentage utilization values in traffic graphs Exporting NetFlow Data Issue the following commands to export NetFlow data to the server on which NetFlow Analyzer is running Command Purpose Exports the NetFlow cache entries to the specified IP address Use the IP address of the NetFlow Analyzer server and the configured NetFlow listener port The default port is 9996 ip flow export source Sets the source IP address of the NetFlow exports sent by the Peer
68. ile Click the icon to enable the alert again Lists the number of alerts generated for this alert profile in the last one hour Colors are used to represent the number of alerts generated with each severity level Red Critical Orange Major Yellow Warning and White All Click on each color to see the list of alerts generated with that severity Lists the total number of alerts generated for this alert profile Colors are used to represent the number of alerts generated with each severity level Red Critical Orange Major Yellow Warning and White All Click on each color to see the list of alerts generated with that severity Clear Click the icon to clear all alerts generated for this alert profile Alerts List Last Hour Alerts All Alerts The Alerts List is displayed when you click on any color against an alert profile in the Alert Profiles page or from any link in the Generated Alerts box on the left pane The list shows the alerts that were generated with the respective severity along with the device that generated the alert the time the alert was generated and an option to view more details about the alert AdventNet Inc 50 Click the Details link in the View column against an alert to view detailed information about the alert The pop up that opens up shows the traffic graph outlining traffic values ten minutes before and after the alert was generated along with details on top applications sources dest
69. inations and conversations recorded during that time interval Operations on Alert Profiles You can create new alert profiles modify or delete existing ones from the Alert Profiles page Creating a new Alert Profile AN Remember to set the active timeout value on the router to 1 minute so that alerts are generated correctly Refer the Cisco commands section for more information on router settings The steps to create an Alert Profile are 1 Login to the NetFlow Analyzer client and click Alert Profile Management under Admin Operations in the left panel 2 Click Add to add a new Alert Profile 3 Fill in the following details pe nelle Enter a unique name to identify this alert profile Name SC Enter descriptive information for this alert profile to help other operators understand Description why it was created By default all interfaces sending NetFlow exports are selected If you want this alert profile to apply to certain interfaces only click the Modify Selection link In the pop up window select the required devices and interfaces and click Update to save your changes Select whether alerts need to be generated based on incoming traffic outgoing traffic or both The default setting is for both Then select the application port for which the alert has to be generated This criteria can be very general Any application traffic can be profiled or it can be highly specific Generate the alert only when a speci
70. ing Netflow exports from routing devices on your network The Configuring Cisco Devices section contains useful information on how to configure Netflow export on different Cisco routers and switches As soon as you log in to the NetFlow Analyzer web client you will see the Global View Dashboard View This view shows you information on interfaces sending Netflow exports AS info as well as traffic information for all IP groups created so far The Dashboard is populated as soon as Netflow data is received from any interface The Global View is divided into two tabs 1 The Interface View which lists all the interfaces from which Netflow exports are received 2 The Autonomous System View which lists all the autonomous systems configured with each router Information on IP groups is displayed below the two tabs From any tab click the tat icon to return to the Global View Click the mi icon or the Custom Report link at the top left corner of the Global View page to generate a traffic report based on specific criteria across selected interfaces AdventNet Inc 24 AdventNet ManageEngine NetFlow Anayzer Help Docuementation Dashboard Interface View The Interface View tab displays information on all interfaces from which NetFlow exports are received The default Router List shows all the routers and interfaces from which NetFlow exports have been received so far along with specific details about each interface The default vie
71. llowed to exceed the threshold before an alert is raised o Duration The time period within which if the threshold is exceeded the specified number of times an alert is created Netflow Analyzer calculates the bandwidth utilization of the specified interfaces every minute If the utilization exceeds the threshold value the time when it exceeded is noted Subsequently when it exceeds the corresponding times are noted If the number of times the utilization exceeds the specified limit in the specified time duration an alert is generated When an alert is generated you can also send an email to one more people or send an SNMP trap to a manager application The Alert Profile Management option lets you create new alert profiles and manage existing ones Modify or Delete The Alert Profiles page lists all existing alert profiles along with the number of alerts generated for each profile The various columns displayed in the Alert Profiles page are described in the table below N The name of the alert profile when it was created Click on the alert profile s name ame to see more information about the alert profile Desariniion Descriptive information entered for this alert profile to help other operators p understand why it was created By default all alert profiles are Enabled which means they are active Click the Enabled Disabled icon to disable an alert profile When this is done alerts will no longer be generated for that alert prof
72. lyzer includes a database backup utility that you can use to make a backup of the database There are 2 ways of backup 1 You can execute the script backupdb bat backupdb sh which can be found under adventnet me netflow troubleshooting This will created a back up of the database in a zip format When you want to restore You have to extract the zip to the adventnet me netflow directory This is a slow process AdventNet Inc 72 2 You can copy the folder adventnet me netflow mysaql data to a different location and to restore you can copy it back to the same location This is a fast process In both the above process the version of NFA should be the same How do I update patch in Linux Please use the command sh UpdateManager sh c and follow the instructions to upgrade NetFlow Analyzer Router Configuration 1 Why can t I add a router to NetFlow Analyzer NetFlow Analyzer does not choose which routers or interfaces to monitor Devices are auto discovered All you need to do is set up your interfaces to send NetFlow data to the specified port on NetFlow Analyzer Once NetFlow Analyzer starts receiving NetFlow data you can see the device and its interfaces listed on the Dashboard My router has been set up to export NetFlow data but still don t see it on the Dashboard There are a number of things you can check here o Check if NetFlow is enabled on the device and that it has started sending flows o Check i
73. m and To boxes let you choose custom time periods for the report Use the icon to select the date and time easily Ensure that the time period selected falls within the Raw Data Retention Period set under Settings otherwise graphs will show no data Use the IN OUT box to display values based on IN traffic OUT traffic or both IN and OUT traffic The Show box lets you choose how many results to display You can set this value from the Settings page Once you select all the desired criteria click the Generate Report button to display the corresponding traffic report The default report view shows the IP addresses of the hosts Click the Resolve DNS link to see the corresponding DNS values You can also choose to print this report by clicking the icon or the Print link AdventNet Inc 42 NBAR Report The NBAR Report tab lists the various applications in your network and their percentage of the total traffic for the selected time period The default view shows the NBAR Application In Report This report shows the distribution of traffic application wise Choose between IN and OUT to display the application wise distribution of incoming or outgoing traffic respectively The Time Period box lets you choose between last hour last day last week last month and last quarter s traffic graphs The From and To boxes let you choose custom time periods for the graphs Use the EiS icon to select the date and time easily The time perio
74. minutes time duration only one alarm is generated This is designed to avoid a lot of repetitive mail traffic Modifying or Deleting Alert Profiles Select an alert profile and click on Modify to modify its settings You can change all of the alert profile s settings except the profile name There is also an option to clear all existing alerts for this profile from this page itself Once you are done click Save to save your changes Select an alert profile and click on Delete to delete the profile Once an alert profile is deleted all alerts associated with that profile are automatically cleared AdventNet Inc 52 Schedule Reports P It is a good idea to schedule reports to be run at non peak traffic hours since generation of reports is a resource hungry process especially for large interface numbers A Scheduler is configured to set the parameters for automating the generation of reports The parameters to be set for creating a Scheduler are e Source The Interfaces or IP Groups which are the source of traffic o Interfaces The list of interfaces who s bandwidth utilization must be watched One report will be generated for each interface selected o IP Groups The IP groups who s bandwidth utilization must be watched One report will be generated for each IP Group created e Report Type The type of report to be generated Consolidated or Custom e Report Generation Schedule How and when the report is to be generated e g
75. mpus network with several departments Here IP addresses are usually not NATed by the web server Problem You need to analyze bandwidth used by each department Solution Create an IP group for each department IP address or address ranges without specifying any port protocol values The traffic reports for each IP group will then show bandwidth usage by that department along with information on top talkers and top conversations within that department Defining IP Groups IP groups can be defined based on IP address and or port protocol combinations In addition you can filter IP group traffic based on interfaces The following matrix shows the different combinations possible along with a typical example usage for each combination AdventNet Inc 59 AdventNet ManageEngine NetFlow Anayzer Help Docuementation IP Address Port Protocol Interfaces View bandwidihdetails Tor View Web 80 TCP View bandwidth details across IP Address EE E 80 UDP traffic details for multiple interfaces for a range H Ja range of IP addresses of IP addresses View Web 80 TCP nae TCP Wem Web 80 TCP 80 UDP Port Protocol 80 UDP traffic details for a traffic generated across range of IP addresses generated across the multiple interfaces network View bandwidth details View Web 80 TCP across multiple interfaces 80 UDP traffic generated across multiple interfaces Not possible Creating an IP Group The IP Gr
76. nitoring peering arrangements disabling AS collection may improve NetFlow Analyzer performance Enabling BGP Routing Enter the global configuration mode and issue the following commands to enable BGP routing and establish a BGP routing process Enables the BGP routing process which places router bgp as number j h i the router in router configuration mode network network number mask network Flags a network as local to this autonomous mask route map route map name system and enters it to the BGP table Configuring BGP Neighbors BGP supports two kinds of neighbors internal and external Internal neighbors are in the same autonomous system external neighbors are in different autonomous systems Normally external neighbors are adjacent to each other and share a subnet while internal neighbors may be anywhere in the same autonomous system To configure BGP neighbors issue the following command in router configuration mode neighbor ip address peer group name St l BGP Neighbor Configuration Examples The following example shows how BGP neighbors on an autonomous system are configured to share information router bgp 109 network 131 108 0 0 network 192 31 7 0 neighbor 131 108 200 1 remote as 16 7 neighbor 131 108 234 2 remote as 109 neighbor 150 136 64 19 remote as 99 In the example a BGP router is assigned to autonomous system 109 and two networks are listed as Originating in the autonomous system Then t
77. nt URLs HOSTs or MIME type matches o Matching beyond the first 400 bytes in a URL AdventNet Inc 15 Non IP traffic Multicast and other non CEF switching modes Fragmented packets Pipelined persistent HTTP requests URL HOST MIME classification with secure HTTP Asymmetric flows with stateful protocols Packets originating from or destined to the router running NBAR O O O OOOO Any restrictions on where we can configure NBAR You can t configure NBAR on the following logical interfaces o Fast EtherChannel o Interfaces that use tunneling or encryption o VLANs o Dialer interfaces o Multilink PPP Note NBAR is configurable on VLANs as of Cisco IOS Release 12 1 13 E but supported in the software switching path only What Does NBAR Performance Depend On Several factors can impact NBAR performance in software based execution A Router Configuration 1 Number of protocols being matched against it 2 Number of regular expressions being used 3 The complexity of packet inspection logic required B Traffic Profile Packet Protocol Sequence 1 The number of flows 2 Long duration flows are less expensive than shorter duration flows 3 Stateful protocol matches are more performance impacting than static port applications Is performance dependent on the number of interfaces that NBAR is enabled on Does the link speed of the interface s that NBAR is enabled on affect performance No NBAR performance is not dependen
78. o Troubleshooting directory and execute the file DBInfo sh DBInfo bat 3 It creates a Info log file in the same folder Please send us the info log file Why the interface shows 100 utilization Please refer this link for a brief explanation of 100 utilization http forums adventnet com viewtopic php t 10908 amp highlight 100 What information do need to send to NFA support for assistance 1 Please run your logziputil bat logziputil sh under the troubleshooting folder This will create a zip file under the support folder please send us the zip file 2 Send us the err file under the Mysaql data folder 3 Also send your Machine configuration AdventNet Inc 80 9 How to safely migrate NFA installation to different machine Please follow the steps below to move your installation 1 Copy the data folder in mysal folder of the installation that you wish to move to a safe location 2 Install NetFlow Analyzer in the new location start it once and shut it down 3 Replace the data folder in mysal folder of the new installation with the data folder of the old installation 4 Start NetFlow Analyzer 10 What do I do if my NFA server becomes slow or How do improve my NFA system performance Please refer this link for a brief note on database tuning htto forums adventnet com viewtopic php 7t 9455 11 Why NFA says router time not is SYNC and stops collecting data Please follow these steps to
79. ol gt _App eg TCP_App if a flow is received with TCP protocol and unmatched source and destination ports If the protocol received in the flow is also not recognized by NetFlow Analyzer the application is listed as Unknown_App A single flow can be categorized as a single application only In case of a conflict applications with an exact match for the port number will be accounted for Do I have to reinstall NetFlow Analyzer when moving to the fully paid version No you do not have to reinstall or shut down the NetFlow Analyzer server You just need to enter the new license file in the Upgrade License box How many users can access the application simultaneously This depends only on the capacity of the server on which NetFlow Analyzer is installed The NetFlow Analyzer license does not limit the number of users accessing the application at any time NetFlow Analyzer logs out after a period of inactivity How do avoid that You can change the time out value to a higher value than the default 30 minutes by increasing the parameter session timeout lt session contig gt lt session timeout gt 30 lt session timeout gt lt session config gt under lt NFA_Home gt AdventNet ME NetFlow server default conf web xml Change the value 30 to your desired time range say 600 You will have to restart NFA server for this to take effect How to create DBInfo log file 1 Please ensure that NFA is running 2 Navigate t
80. ollowing lines lt HITP7 1 1 Connector on port STEE gt lt Connector port 8080 address S jboss bind address maxThreads 150 minSpareThreads 25 maxSpareThreads 75 enableLookups false redirectPort 8443 acceptCount 100 connectionTimeout 20000 disableUploadTimeout true gt Enabling SSL 1 Inthe same file enable the HTTPS connection parameters by removing the lt tag before and the gt tag after the following lines lt l SSL TLS Connector configuration using the admin devl guide keystore lt Connector port 8443 address S jboss bind address maxThreads 100 minSpareThreads 5 maxSpareThreads 15 scheme https secure true clientAuth false keystoreFile S jboss server home dir conf chap8 keystore keystorePass rmit tssl sslProtocol TLS gt gt AdventNet Inc 83 SE Replace the default values for the following parameters as follows Default Value New Value keystoreFile keystoreFile S41 boss server home dir S jboss server home dir conf chap8 keystore conf server keystore keystorePass rmit ssl keystorePass pqsecured Changing the web server port 1 2 Edit the sample bindings xml file present in lt NetFlowAnalyzer_Home gt server default conf directory Replace the default values for the following parameters as follows Default Value New Value lt xsl variable name portHttps lt xsl variable name portHttps sel
81. op 23 Telnet Protocol x Windows Top 6000 6003 xt 1 X Windows For more information click here AdventNet Inc 47 NBAR supported platforms amp IOS Versions Platforms amp Cisco IOS Versions that currently support CISCO NBAR PROTOCOL DISCOVERY MIB are e Cisco 1700 Series Router since Release 12 2 2 T e Cisco 2600 3600 7100 7200 Series Routers since Release 12 1 5 T e Cisco 3700 and 7500 Series Routers since Release 12 2 8 T The following Platforms also support NBAR Cisco 800 Series Routers Cisco 1800 Series Integrated Services Routers Cisco 2600XM Series Router Cisco 2800 Series Integrated Services Routers Cisco 3700 Series Multiservice Access Routers Cisco 3800 Series Integrated Services Routers Cisco 7300 Series Routers Cisco 7400 Series Routers Catalyst 6500 Family Switch with a FlexWAN card To know the supported IOS versions check here AdventNet Inc 48 AdventNet ManageEngine NetFlow Anayzer Help Docuementation Admin Operations NetFlow Analyzer lets you perform many administrative tasks typical of an enterprise network administrator such as managing a group of routers handling different users setting up alerts etc Explore the following sections to know more about the administrative options available in NetFlow Analyzer Setting Description deer Click this link to add new alert profiles or modify existing ones Management Scheduler Allows setting of time intervals at which netw
82. ork traffic reports are generated Configuration automatically and mailed to desired recipient s Device Group Click this link to set up device groups based on devices exporting NetFlow data to IP Group Click this link to create IP groups that let you view traffic details for a selected group Management of devices applications or interfaces User Click this link to create different users for logging in to NetFlow Analyzer and assign Management access privileges to each user Click this link to change default server settings for NetFlow Analyzer and also set up the mail server for sending e mail notifications Change Password Click this link to change your own password for logging in to NetFlow Analyzer AdventNet Inc 49 Alert Profiles Management An alert profile is created to set the thresholds for generating alerts The parameters to be set for creating an alert profile are e Interfaces The list of interfaces who s bandwidth utilization must be watched e Traffic pattern The traffic to be watched In Traffic Out Traffic or a Combination of both e Application Port s You can watch the traffic through all the applications or from a particular application Similarly through a single port or a range of ports e Threshold Settings It has 3 settings namely utilization no of times and duration o Utilization When the utilization exceeds this limit it is noted o No of time The number of times the utilization can be a
83. oup Management link in the Admin Operations box lets you create modify and delete IP groups Click this link and then click Create to create a new IP group Fill in the following information and click Add to add the new IP group to the current list of IP groups Field Description P Group Name Enter a unique name to identify this IP group Enter descriptive information for this IP group to help other operators understand why it was created Select whether you want to define this IP group based on IP address or port protocol combination If you want to define the IP group based on both IP address and port protocol select both options Select the IP address address range or network that this IP group is based on Use the Add Row and Remove Row buttons to specify additional IP address options This option is shown if you have selected the Port Protocol option in step 3 Enter the port numbers or port range in the Port Number field Select the protocol in the Protocol field Use the Add Row and Remove Row buttons to specify additional port protocol options See Note below Enter the interface speed in bits per second for calculating percentage of traffic for this IP group If you add a new combination of ports and protocol a popup opens stating that this combination of ports and protocol has not been mapped to any application Add the combination as a new application in the same popup and click Update to update the Application
84. pertext Transfer Protocol HTTPS TCP 443 Secured HTTP IMAP TCP UDP 143 220 Ge Message Access Protocol IRC TCP UDP 194 Internet internet Relay Chat Chat Kerberos fropupp 88 749 ghe Kerberos Network Authentication IL2TP UDP 1701 L2F L2TP Tunnel LDAP om 389 GE Directory Access Protocol 137 139 NetBIOS over IP Microsoft Windows _ over IP Microsoft Windows NetBIOS UDP 137 138 NetBIOS over IP Microsoft Windows NFS cpr 2049 Network File System NNTP TCP UDP h 19 Network News Transfer Protocol Notes TCP UDP 1352 Lotus Notes NTP TCP UDP 123 Network Time Protocol PCAnywhere TCP 5631 65301 Symantec PCAnywhere PCAnywhere UDP 22 5632 Symantec PCAnywhere POPS TCP UDP 10 Post Office Protocol PPTP TCP 1723 Point to Point Tunneling Protocol AdventNet Inc 46 i n Port Description Port Protocol RIP UDP 520 Routing Information Protocol RSVP UDP 1698 1699 Resource Reservation Protocol SFTP Top oan Secure FTP SHTTP TOP 443 Secure HTTP SIMAP TCP UDP 585 993 Secure IMAP an TCP UDP 994 Secure IRC SLDAP TCP UDP 636 Secure LDAP SNNTP TCP UDP 563 Secure NNTP SMTP Top 25 Simple Mail Transfer Protocol SNMP TCP UDP 161 162 Simple Network Management Protocol SOCKS Top 1080 Firewall security protocol SPOP3 TCP UDP 995 Secure POP3 SSH Top 22 Secured Shell STELNET TCP 992 Secure TELNET Syslog UDP 514 System Logging Utility Telnet T
85. r a Guest user you can change your password by selecting the Change Password option in the Admin Operations menu Editing User Details Click on the Ed icon against a user to edit the user s details Ay You can only modify the device groups and IP groups which have been assigned to the user You cannot modify the user name or the access level irrespective of your own access level Once you are done click the Update button to save your changes Deleting a User Click the icon against a user name to delete the respective user Once a user is deleted all details of this user are permanently deleted AdventNet Inc 62 Application Mapping The Application Mapping option lets you configure the applications identified by NetFlow Analyzer You can add new applications modify existing ones or delete them Please see the Additional Notes on Application Mapping section to understand this feature more clearly Also it is possible to associate an IP address with an application Adding an Application Follow the steps below to add a new application 1 Click the Add button to add a new application 2 Enter the port number of the new application To enter a port range separate the start and end points of the range with a hyphen eg 1400 1700 3 Choose the protocol from the list of protocols 4 Choose one of the options from IP Address IP Network IP Range Depending on what you opt a set of fields are enabled and should
86. race device to the specified IP address NetFlow Analyzer will make fier ace umber SNMP requests of the device on this address Sets the NetFlow export version to version 5 NetFlow Analyzer supports only version 5 version 7 and version 9 If your router uses BGP you can specify that either the origin or peer AS is included in exports it is not possible to include both Breaks up long lived flows into 1 minute fragments You can choose any number of minutes between 1 and 60 If you leave ip flow cache timeout it at the default of 30 minutes your traffic reports will have active 1 spikes It is important to set this value to 1 minute in order to generate alerts and view troubleshooting data Ensures that flows that have finished are periodically exported The default value is 15 seconds You can choose any number of seconds between 10 and 600 However if you choose a value greater than 250 seconds NetFlow Analyzer may report traffic levels that are too low Enables iflndex persistence interface names globally This snmp server ifindex persist ensures that the iflndex values are persisted during device reboots AdventNet Inc 16 ip flow export destination fhostname ip_address 9996 ip flow export version 5 peer as origin as ip flow cache timeout inactive 15 P For more information on BGP reporting in NetFlow Analyzer look up the section on Configuring NetFlow for BGP Verifying Device Configuration Issu
87. rap contains an OID and a system description AdventNet provides a MIB file with the OIDs and their descriptions for all the traps that can be forwarded The manager application can parse this MIB file and get meaningful messages for the forwarded traps The steps for the manager application to decode the meaning of each of the OIDs are e Copy ADVENTNET NETFLOWANALYZER MIB file from lt NetFlow Analyzer Home gt lib directory and save it in the system where the manager application is running e Load the MIB file ADVENTNET NETFLOWANALYZER MIB in the manager application e Make the required configuration in the manager application such that the OIDs are parsed and meaningful info is got AdventNet Inc 85
88. red port number lt connecti0n url gt jdbesmysql localhost 13310 nettlow lt connecti1on url gt 3 Save the file and restart the server AdventNet Inc 7 Installing and Uninstalling NetFlow Analyzer is available for Windows and Linux platforms For information on supported versions and other specifications look up System Requirements Installing NetFlow Analyzer Windows The Windows download for NetFlow Analyzer is available as an EXE file at htto www netflowanalyzer com download html Download the EXE file to your local machine and double click it to start installation Follow the instructions as they appear on screen to successfully install NetFlow Analyzer on to your machine Linux The Linux download for NetFlow Analyzer is available as a BIN file at http www netflowanalyzer com download html 1 Download the BIN file and assign execute permission using the command chmod a x lt file_name gt bin where lt file_name gt is the name of the downloaded BIN file 2 Execute the following command lt file_name gt bin During installation if you get an error message stating that the temp folder does not have enough space try executing this command with the is tempdir lt directoryname gt option where lt directoryname gt is the absolute path of an existing directory lt file_name gt bin is tempdir lt directory_name gt 3 Follow the instructions as they appear on the screen to successfully in
89. ry update AaaPassword AaaLogin AaaAccount AaaAccPassword setAaaPassword PASSWORD Ok6 FqR5WtUY5UCLrnvjQQ AaaPassword SALT 12345678 where AaaLogin LOGIN_ID AaaAccount LOGIN_ID and AaaAccount ACCOUNT_ID AaaAccPassword ACCOUNT_ID and AaaPassword PASSWORD_ D AaaAccPassword PASSWORD_ID and AaaLogin NAME admin Type quit to quit mysql Type exit to exit command prompt Login as admin admin You can change the password again if you wish How are ports assigned as applications in NetFlow Analyzer A NetFlow export contains information on the protocol source port and destination port When a flow is received NetFlow Analyzer tries to match the port and protocol in the flow to an application in the following order The smaller of the source and destination port numbers to the list of ports configured to each application in the Application Mapping list The larger of the source and destination port numbers to the list of ports configured to each application in the Application Mapping list The smaller of the source and destination port numbers to the port ranges configured to each application in the Application Mapping list AdventNet Inc 79 5 The larger of the source and destination port numbers to the port ranges configured to each application in the Application Mapping list If a matching application is still not found then depending on the protocol received in the flow the application is listed as lt protoc
90. s Ir Ip Oe Create oer Deg ies Koo Vo eo Add modify or delete Alerts Ir Jr e Enabling and Disabling Alerts Jr Jr e Add modify or delete applications O Jr Jr e Change device settings Ir Y e View traffic reports oo A lr Je Assigned to one or more device groups or IP groups O Y OY Scheduling of Reports SSS A e J NBAR Configuration lr Ip Je viewing NBAR Reports Jg Lae e only within the assigned group Adding a New User On the User Management page click the Add button to add a new user Fill in the following fields and click the Add User button to create this user Field Deseipton _ _ Enter the unique user name for the user This name will be used to log in to the NetFlow Analyzer web client Enter a password for this user The password should be at least 6 characters long and all characters are allowed AdventNet Inc 61 Click on the user name at any time on the User Management page to view the corresponding user name access level and assigned device groups and IP groups Changing User Passwords Only an Administrator user can reset the password of any other user To assign a new password to a user click on the Gi icon or the Assign New link Enter a new password confirm it and click the Update button for the new password to take effect If you have logged in as an Admin user you can change your own password in the same way as described above If you have logged in as an Operator user o
91. se the Exclude Weekend option with Previous day reports will be generated on Tuesday Wednesday Thursday Friday and Saturday These will be reports pertaining to Monday Tuesday Wednesday Thursday and Friday respectively When you choose the Exclude Weekend option with Last 24 hours reports will be generated on Monday Tuesday Wednesday Thursday and Friday Weekly When you opt for the Weekly option you have the option to specify the day and time at which the report needs to be generated The report could be generated for the Previous Week or for the Last 7 Days By additionally opting for the Exclude Weekend the report can be made to include only data corresponding to monday through friday The previous week option would generate the report for the time period Sunday 00 00 hours till Saturday 23 59 hours When Exclude Weekends is enabled the report will be generated for the time period Monday 00 00 hours till Friday 23 59 hours The Last 7 Days option would generate the report for the last 7 days from the time at which the report is to be generated Again the exclude weekend option would generate for the last 7 days with the data for the weekend saturday sunday excluded For instance if the report is to be generated at Monday 10 00 am with the rules set as last 7 days and Exclude weekend enabled then the report will be generated for the time period last week s Monday 10 00 hours to Friday 23 59 hours and from this w
92. stall NetFlow Analyzer on to your machine Uninstalling NetFlow Analyzer Windows 1 Navigate to the Program folder in which NetFlow Analyzer has been installed By default this is Start gt Programs gt ManageEngine NetFlow Analyzer 5 2 Select the option Uninstall NetFlow Analyzer 5 3 You will be asked to confirm your choice after which NetFlow Analyzer is uninstalled Linux 1 Navigate to the lt NetFlowAnalyzerHome gt _uninst directory 2 Execute the command uninstaller bin 3 You will be asked to confirm your choice after which NetFlow Analyzer is uninstalled AdventNet Inc 8 Starting and Shutting Down Once you have successfully installed NetFlow Analyzer start the NetFlow Analyzer server by following the steps below Starting NetFlow Analyzer Windows Click on Start gt Programs gt ManageEngine NetFlow Analyzer 5 gt NetFlow Analyzer 5 to start the server Alternatively you can navigate to the lt NetFlowAnalyzer_Home gt bin folder and invoke the run bat file Linux Navigate to the lt NetFlow Home gt bin directory and execute the run sh file When the server is started a command prompt window opens up showing startup information on several modules of NetFlow Analyzer Once all the modules have been successfully created the following message is displayed Server started Please connect your client at http localhost 8080 where 8080 is replaced by the port you have specified as the web
93. t and protocol is matched with the port range protocol in the application mapping list If no match is found the bigger of the 2 ports source port destination port and protocol is matched with the port range protocol in the application mapping list If no match is found the application is categorized as protocol App as in TCP_App or UDP_App In case the protocol is not available in the application mapping list the application is categorized as Unknown_App The sequence in which the mappings are checked Is as follows 1 Application mapping with specific IP address IP Range IP Network is matched 2 Application mapping with no IP address and single port number port range AdventNet Inc 64 Settings The Settings option includes several server configuration settings that you can configure from the user interface NetFlow Analyzer Settings Requires peut server Description Value restart Default The SNMP community string used to query devices sending SNMP public no C NetFlow exports ommunity The SNMP write community is used to enable disable NBAR on Re the interfaces from the User Interface If you have provided the SNMP write community during installation the field is prepopulated with the content Default l l SNMP Port e no frre SNMP port used to query devices sending NetFlow exports The port on which NetFlow Analyzer listens for NetFlow exports You need to configure devices to send NetFlow exports to
94. t hh mm ss month date year e Check if the time zone and the offset in Hours and Minutes for the time zone is set properly E g PST 8 00 for PST or EST 5 00 for EST You can check this by logging into the router and typing show running config You can set the clock time zone and offset using the command clock timezone zone hours minutes E g clock timezone PST 8 00 me enable NetFlow in an MPLS environment refer Cisco s documentation on MPLS NetFlow AdventNet Inc 13 AdventNet ManageEngine NetFlow Anayzer Help Docuementation Cisco NetFlow Device Support The following charts include information on the various vendors and devices supporting NetFlow version 5 or 7 data export Use these charts to determine if your devices are compatible with NetFlow Analyzer Cisco Routers isco IOS Software Release Version Supported Cisco Hardware Platforms 1 1CA 11 1CC Cisco 7200 and 7500 series RSP 7200 series Cisco 1720 2600 3600 4500 4700 AS5800 12 0 RSP 7000 and 7200 series UBR 7200 and 7500 series RSM series Cisco 1720 2600 3600 4500 4700 AS5800 RSP 7000 and 7200 series es uBR 7200 and 7500 series RSM series MGX8800RPM series and BPx8600 series Cisco 1720 2600 3600 4500 4700 AS5300 AS5800 RSP 7000 and 7200 series UBR 7200 and 7500 series RSM series MGX8800RPM series and BPx8650 series Cisco 1400 1600 1720 2500 2600 3600 4500 4700 AS5300 AS5800 12 0 RSP 7000 and 7200 series uBR 720
95. t knowledge of whether TOS affects routing in the local routing domain Inherent Limitations The most important of all the inherent limitations is that the TOS facility is strictly an advisory mechanism It is not an appropriate mechanism for requesting service guarantees There are two reasons why this is so e Not all networks will consider the value of the TOS field when deciding how to handle and route packets Partly this is a transition issue there will be a probably lengthy period when some networks will use equipment that predates this specification Even long term many networks will not be able to provide better service by considering the value of the TOS field For example the best path through a network composed of a homogeneous collection of interconnected LANs is probably the same for any possible TOS value Inside such a network it would make little sense to require routers and routing protocols to do the extra work needed to consider the value of the TOS field when forwarding packets e The TOS mechanism is not powerful enough to allow an application to quantify the level of service it desires For example an application may use the TOS field to request that the network choose a path which maximizes throughput but cannot use that mechanism to say that it needs or wants a particular number of kilobytes or megabytes per second Because the network cannot know what the application requires it would be inappropriate for the network
96. t on the number of interfaces that NBAR is enabled on or the link speed of those interfaces Performance is dependent on the number of packets that the NBAR engine has to inspect how deep into the packet it has to look to perform regular inspection I am able to issue the command ip nbar protocol discovery on the router and see the results But NFA says my router does not support NBAR Why Earlier version of IOS supports NBAR discovery only on router So you can very well execute the command ip nabr protocol discovery on the router and see the results But NBAR Protocol Discovery MIB CISCO NBAR PROTOCOL DISCOVERY MIB support came only on later releases This is needed for collecting data via SNMP Please verify that whether your router IOS supports CISCO NBAR PROTOCOL DISCOVERY MIB How do verify whether my router supports CISCO NBAR PROTOCOL DISCOVERY MIB a You can check CISCO NBAR PROTOCOL DISCOVERY MIB supported platforms and IOS using the follwoing link http tools cisco com IT DIT MIBS AdvancedSearch MibSel 250073 AdventNet Inc 76 V9 b Alternately you can execute show snmp mib include cnpd command at router to know the implemeted mib objects in the router If the router supports CISCO NBAR PROTOCOL DISCOVERY MIB then the above command gives the following objects cnpdStatusEntry 1 cnpdStatusEntry 2 cnpdAllStatsEntry 2 cnpdAllStatsEntry 3 cnpdAllStatsEnitry 4 cnpdAllStatsEntry 5 cnpdAllStatsEniry 6
97. this 9996 yes port In case you are exporting NetFlow from multiple routers please configure multiple listener ports You can specify upto 5 listener ports each seperated by a comma You will need to restart the NetFlow Analyzer server when you change the listener port e rm repont usod to access NetFlow Analyzer toma web brouser The default record count is 50 but the maximum number of records that can be kept in the database for all traffic data is 100 This is also the maximum value that can be selected from the Show box in all traffic reports The default period for which raw data is retained Troubleshooting and Alert Details graphs are populated from raw data Hence a higher value here means more visibility in both these graphs The maximum period for which you can store raw data is 1 month earlier it was 2 weeks Raw Data Settings NetFlow Analyzer classifies data into 2 types namely Aggregated Data and the Raw Data Aggregated Data represents the total IN and OUT traffic the top 100 application and the top 100 conversation for each interface for every 10 minute intervals Data is progressively stored in 10 minute 1 hour 6 hour 24 hour and weekly data points for older data the most recent data is available with 10 minute granularity and data older than 90 days is available in weekly granularity This mechanism of storing the top 100 is done to ensure that the database does not grow infinitely The amount of hard disk spac
98. ty and cost The last field labeled MBZ for must be zero above is currently unused The originator of a datagram sets this field to zero unless participating in an Internet protocol experiment which makes use of that bit Routers and recipients of datagrams ignore the value of this field This field is copied on fragmentation Specification of the TOS Field The semantics of the TOS field values expressed as binary numbers 1000 maximize throughput 0100 minimize delay __ 0010 maximize reliability 0001 minimize monetary cost 0000 normal service The values used in the TOS field are referred to as TOS values and the value of the TOS field of an IP packet is referred to as the requested TOS The TOS field value 0000 is referred to default TOS Because this specification redefines TOS values to be integers rather than sets of bits computing the logical OR of two TOS values is no longer meaningful For example it would be a serious error for a router to choose a low delay path for a packet whose requested TOS was 1110 simply because the router noted that the former delay bit was set Although the semantics of values other than the five listed above are not defined they are perfectly legal TOS values and hosts and routers must not preclude their use in any way Only the default TOS is in any way special A host or router need not make any distinction between TOS values For example setting the TOS field to 100
99. view in the Interface View tab The Interface group name the In Traffic amp Out Traffic for the last 1 hour can be seen in it By clicking on the interface group name it is possible to further drill down to view further details Managing a Device Group Select an existing device group and click the Modify button to modify its properties You can change all properties of the device group except its name Once you have made changes to the properties of this device group click the Update button to save your changes AdventNet Inc 57 Select an existing device group and click the Copy button to copy its settings This is useful when you need to create a new device group that includes the same routers as that of this device group This saves you the trouble of adding the routers all over again Then follow the same steps as those in creating a new device group Select a device group and click the Delete button to delete the device group When a device group is deleted it is removed from the Device Group List and the Device Group menu All users assigned to this device group will not see this device group on their Dashboard AdventNet Inc 58 IP Group Management The IP groups feature lets you monitor departmental intranet or application traffic exclusively You can create IP groups based on IP addresses and or a combination of port and protocol You can even choose to monitor traffic from specific interfaces across different routers
100. w shows the first router s interfaces alone The remaining routers interfaces are hidden Click the Show All link to display all routers interfaces on the Dashboard Click the Hide All link to hide all interfaces and show only the router names in the Router List You can set filters on the Dashboard view to display only those interfaces whose incoming or outgoing traffic values exceed a specified percentage value Click the Filter link to specify minimum percentage values for IN or OUT traffic Click the Set button for the changes to take effect The filter settings are then displayed beside the Filter link Click the sz icon at any time to clear the filter settings and display all interfaces on the Dashboard again The purpose of icons and buttons in the Router List are explained below Icon Button O ow this icon or on the router name to view the interfaces corresponding to the a router Click this icon to hide the interfaces corresponding to the router Click this icon to change the display name of the device its SNMP community A Router Istring or its SNMP port You can also choose to get the Interface Name details Name from one of 3 fields IfDesc IfName or IfAlias Click this icon before the interface name to change the display name of the interface or its link speed in bps You can also set the SNMP parameters of the router corresponding to an interface by clicking the link present in the Note included below th
101. will be generated at the After setting the required parameters click Save Custom Report Opting for custom report lets you set criteria on the basis of which the report will be generated By clicking on the Add Criteria button one can set a matching condition on Source Address Source Network Source Nodes Destination Address Destination Network Destination Nodes and Application To add more criteria click on Add Criteria again Having created all the criterions you can decide whether to make the generated report to match all of the criterions created or any of them Scheduling Report Generation The report generation schedule can be chosen from one of the following Daily When you opt for Daily you have the option to set the time at which the report should be generated Also the report could be generated for the previous day or the last 24 hours When the Previous Day option is opted the report is generated for the time period from 00 00 hours to 23 59 hours of the previous day You have the option to narrow down this time period by using the time filter 3 For instance if the maximum flow happens during your working hours from 08 00 hours to 18 00 hours you can set it in the window that pops up AdventNet Inc 54 When you opt for the last 24 hours then the report is generated for the flow in the intervening 24 hours from the time at which the report is to be generated today Exclude weekends When you choo
Download Pdf Manuals
Related Search