Enable Flow Technologies

This documentation applies to NMS version 5.4. An online version of the software can be found here.

Send Flow Data To SevOne NMS

This topic describes how to enable flow devices to send flow data to SevOne NMS. This workflow is outside of the SevOne NMS application and may not present all of the steps your network requires to enable devices to send flow data. If the following instructions are not applicable for your network, please reference the device manufacturer's documentation.

This is a brief list of devices and the corresponding commands to set up flow. If your device is not in this list, it does not mean SevOne NMS does not support your device. Contact the device vendor for instructions to enable flow. Only people with Cisco or similar device configuration experience should perform flow setup.

Flow Source Flow Timeout Configuration

The typical manufacturer setting is for a router to send flow data every 30 minutes. Sometimes referred to as the flow cache timeout, this setting defines how often a router sends the flow table to the collector (SevOne NMS). It is also, implicitly, the limit to which the router allows a flow to grow before breaking the flow into a new flow.

SevOne recommends that you configure routers to send flow data every one minute so that the router reports to SevOne NMS in a timely manner and information transfer is evenly distributed. Should you choose to set the flow source flow timeout configuration to something other than one minute, the router reports less frequently and sends SevOne NMS larger flow tables, which results in less granular report data. To compensate for this, SevOne NMS FlowFalcon reports provide a Granularity setting that enables you to view the report at the granularity that matches your router flow timeout configuration. A flow cache timeout other than one minute is not recommended.

The SevOne NMS Cluster Manager Cluster Settings provide a Drop Long Flows option that enables you to define a time limit for what you consider to be a long flow. When you use the Drop Long Flows option, SevOne NMS hides the traffic from routers that send flows that exceed the Max Flow Duration you enter. When a router sends flows that exceed the Max Flow Duration, an administrative message appears upon log on to inform administrators that flows from a specific router have been dropped. The Drop Long Flows feature is useful when you set the router cache timeout to be shorter than the Max Flow Duration you set in SevOne NMS, because long flows would then indicate that a router is misconfigured.

The Cluster Manager Cluster Setting provides the ability to adjust the interval at which SevOne NMS writes flow data to the database. The write interval sets the time window for which raw data is to be aggregated into the minimal aggregation. The Write Interval should be set to one minute. In the rare situation where you decide to change this setting, you should consider that every hour SevOne NMS takes flow data and creates 15 minute aggregations for the top <n> flows for each interface and view. Your Write Interval setting should therefore be divisible by 15 when you intend to use aggregated flow data.

Flow Source Flow Timeout Configuration Considerations

| Applicable Use Cases | Flow Source Flow Timeout Configuration | SevOne NMS FlowFalcon Report Settings | Caveats |
| --- | --- | --- | --- |
| Not Recommended | 5 Minute + | On the classic FlowFalcon Reports page, in the Display Settings section, click the Granularity drop-down and select Custom. Set the granularity time span to twice the router flow timeout. On the Report Attachment Wizard, on the Settings page, FlowFalcon tab, click the Granularity drop-down and select 30 minutes. | |
| Acceptable | 2-5 Minutes | Set the Display Setting Granularity to 5 minutes | |
| Billing AND Bursting Monitoring (Recommended) | 1 Minute | Leave the Display Setting Granularity set to the default "Auto". | This is the optimal SevOne NMS setting for typical NetFlow reporting |
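A router that honors a one minute active timeout should not export records that span much more than 60 seconds. The following added example (not SevOne NMS code) decodes a NetFlow v5 export datagram and lists the records whose First-to-Last span exceeds a Max Flow Duration; the function names, the 60-second default and the sample datagram are assumptions constructed for illustration.

```python
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # NetFlow v5 header, 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # NetFlow v5 record, 48 bytes

def build_v5(sys_uptime_ms, flows):
    """Constructed sample input: a v5 datagram from (first_ms, last_ms, octets)."""
    body = b"".join(
        RECORD.pack(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes(4), 1, 2,
                    10, octets, first, last, 40000, 443, 0, 0x18, 6, 0,
                    0, 0, 24, 24, 0)
        for first, last, octets in flows)
    return HEADER.pack(5, len(flows), sys_uptime_ms, 0, 0, 0, 0, 0, 0) + body

def long_flows(datagram, max_flow_duration_s=60):
    """Return (duration_s, octets) for every record longer than the limit."""
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("only NetFlow v5 is decoded here")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram is shorter than its record count claims")
    hits = []
    for i in range(count):
        rec = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        octets, first, last = rec[6], rec[7], rec[8]
        # First/Last are SysUptime in milliseconds and wrap at 2**32.
        duration_s = ((last - first) & 0xFFFFFFFF) / 1000
        if duration_s > max_flow_duration_s:
            hits.append((duration_s, octets))
    return hits

# Constructed sample: one 59-second record and one record open for ~30 minutes.
SAMPLE = build_v5(3_600_000, [(3_540_000, 3_599_000, 1000),
                              (1_800_000, 3_599_000, 5_000_000)])
```

Here long_flows(SAMPLE) returns only the second record, which is what a router left at the 30 minute default would produce.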

Cisco

Cisco IOS Router

Enable Cisco Express Forwarding

Enter the following command to enable Cisco Express Forwarding, which is required for flow in most recent IOS releases.

router(config)# ip cef

Start NetFlow Export

In the configuration terminal on the router, enter the following commands to start NetFlow Data Export (NDE).

Sets the export destination to the address of your SevOne NMS appliance.

router(config)# ip flow-export destination <SevOne-IP> 9996

The source interface is used to set the source IP address of the NetFlow exports sent by the router.

ip flow-export source loopback

Sets the export version number. Enter either 5 or 9.

router(config)# ip flow-export version 5 or 9

Break Up Flows into Shorter Segments

Breaks up long-lived flows into one minute segments.

ip flow-cache timeout active 1

Ensures the flows that have finished are exported in a timely manner.

ip flow-cache timeout inactive 15

Enable NetFlow on Each Physical Interface

Enter the following commands to enable NetFlow on each physical interface from which to collect a flow (not VLANs and Tunnels because they are automatically included). This is normally an Ethernet or WAN interface. You may need to set the speed of the interface in kilobits per second especially for frame relay or ATM virtual circuits.

interface <interface>

ip route-cache flow or ip flow ingress or ip route-cache cef

Write your configuration with the write or copy run start command.

Verify

When in enabled mode, enter the following command to view current NetFlow configuration and state.

Shows the current setup

router# show ip flow export

Summarizes the active flows and displays how much NetFlow data the router exports.

router# show ip cache flow

router# show ip cache verbose flow

Cisco Switches Running CatOS (Hybrid Mode)

Non-4000 Series Catalyst Switch

Router Side

Enter the following global commands.

ip flow-export source

ip flow-export version 5 or 9

ip flow-export destination <SevOne-IP> 9996

ip flow-cache timeout active 1

Enter the following command on each physical interface. You must log on to each interface one at a time.

interface <interface>

ip route-cache flow

Switch Side

The address of your SevOne NMS appliance.

set mls nde <SevOne-IP> 9996

Sets the export version.

set mls nde version 9

Breaks up long-lived flows into ~two minute segments.

set mls agingtime long 128

Ensures that flows that have finished are exported in a timely manner.

set mls agingtime 64

This sets the flow mask to full flows.

set mls flow full

CatOS 7.(2) or higher is required for this command, which enables NDE for all traffic within the specified VLANs rather than just inter-VLAN traffic.

set mls bridged-flow-statistics enable

Enables NDE.

set mls nde enable

Switches Running IOS (Native Mode)

Enter the following global commands (all commands are entered in the router <enable> config option).

Sets the export version.

ip flow-export source

ip flow-export version 9

ip flow-export destination <SevOne-IP> 9996

mls nde sender version 9

Breaks up long-lived flows into one minute segments.

mls aging long 64

Ensures that flows that have finished are exported in a timely manner.

mls aging normal 64

If you have a Supervisor Engine 2 or 720 running IOS version 12.1.13(E) or higher the next two commands are required to put interface and routing information into the NetFlow exports.

mls flow ip interface-full

mls nde interface

Enter the following command on each physical interface. You must log on to each interface one at a time.

interface <interface>

ip route-cache flow

4000 Series Catalyst Running in Hybrid or Native Mode

This series requires a Supervisor Engine IV with a NetFlow Services daughter card to support NDE.

Start NetFlow Export

In the configuration terminal on the router, enter the following command to start NetFlow export.

#ip flow-export version 9

#ip flow-export destination <SevOne-IP> 9996

Enable NetFlow on Each Physical Interface

Enter the following command to enable NetFlow on each physical interface.

interface <interface>

ip route-cache flow infer-fields

Juniper

Juniper supports flow exports by sampling packet headers with the routing engine and aggregating them into flows. Packet sampling is achieved by defining a firewall filter to accept and sample all traffic, applying that rule to an interface, and then configuring the sampling forwarding option. sFlow must be sent to port 6343.

To configure inline flow monitoring, include the inline-jflow statement at the [edit forwarding-options sampling instance instance-name family inet output] hierarchy level.

Inline sampling supports the version-ipfix format that uses UDP as the transport protocol. To configure inline sampling, include the version-ipfix statement at the [edit forwarding-options sampling instance instance-name family inet output flow-server address] hierarchy level and at the [edit services flow-monitoring] hierarchy level.

The following operational commands include inline fpc keywords to display inline configuration information.

  • show services accounting errors

  • show services accounting flow

  • show services accounting status

The Juniper Web Site lists all features that were added to JUNOS Release 10.2.

Configure sFlow Features from the CLI

You configure sFlow technology, designed to monitor high speed switched or routed networks, to continuously monitor traffic at wire speed on all interfaces simultaneously.

Enter the following command to configure the IP address of the SevOne NMS appliance.

[edit protocols sflow]

user@switch# set collector <SevOne-IP>

Enter the following command to configure the UDP port on the collector. The default UDP port on SevOne NMS is 6343.

[edit protocols sflow]

user@switch# set collector <SevOne-IP> udp-port 6343

Enable sFlow technology on a specific interface.

[edit protocols sflow]

user@switch# set interfaces interface-name

You cannot enable sFlow technology on a Layer 3 VLAN-tagged interface. You cannot enable sFlow technology on a LAG interface. sFlow technology can be enabled on the member interfaces of the LAG.

Enter the following command to specify how often the sFlow agent polls the interface.

[edit protocols sflow]

user@switch# set polling-interval seconds

Enter 0 (zero) to not poll the interface.

Enter the following command to specify the rate at which to sample packets.

[edit protocols sflow]

user@switch# set sample-rate number

You can also configure the polling interval and sample rate at the interface level. The interface level configuration overrides the global configuration.

[edit protocols sflow interfaces]

user@switch# set polling-interval seconds

[edit protocols sflow interfaces]

user@switch# set sample-rate number

Juniper Switch

The following configuration enables sFlow monitoring for all interfaces on a Juniper EX switch, sampling packets at 1-in-500, polling counters every 30 seconds and sending the sFlow to SevOne NMS <SevOne-IP> on UDP port 6343.

protocols {
    sflow {
        polling-interval 30;
        sample-rate 500;
        collector <SevOne-IP> {
            udp-port 6343;
        }
        interfaces ge-0/0/0.0;
        interfaces ge-0/0/1.0;
    }
}

Alcatel

When you enable cflowd on an Alcatel service interface, cflowd collects routed traffic flow samples through a router for analysis. Cflowd is supported on IES and VPRN services interfaces. Layer 2 traffic is excluded. All packets forwarded by the interface are analyzed according to the cflowd configuration. On the interface level, cflowd can be associated with a filter (ACL) or an IP interface. sFlow must be sent to port 6343.

When you enable cflowd on an interface, all packets forwarded by the interface are subject to analysis according to the global cflowd configuration.

When you configure the cflowd interface option in the config>router>interface context, the following requirements must be met to enable traffic sampling on the specific interface.

  • Enable cflowd

  • Select the interface>cflowd interface option

  • To omit certain types of traffic from being sampled when the interface sampling is enabled, you can enable the config>filter>ip-filter>entry>interface-disable-sample option via an ip-filter or ipv6-filter. You must apply the filter to the service or network interface on which the traffic to be omitted is to ingress the system.

Specify cflowd Options on an IP Interface

Enter the following command.

Interface Configurations

CLI Syntax: config>router>if#

cflowd {acl|interface}

no cflowd

Depending on the option selected, either acl or interface, cflowd extracts traffic flow samples from an IP filter or an interface for analysis. All packets forwarded by the interface are analyzed according to the cflowd configuration.

Enable the acl option to enable traffic sampling on an IP filter. You must enable Cflowd (filter-sample) in at least one IP filter entry.
Select the interface option to enable traffic sampling on an interface. If cflowd is not enabled (no cflowd) then traffic sampling does not occur on the interface.

Service Interfaces

CLI Syntax: config>service>vpls service-id# interface ip-int-name

cflowd {acl|interface}

active-timeout 20

inactive-timeout 10

overflow 10

rate 100

collector <SevOne-IP>:9996 version 8

aggregation

as-matrix

raw

exit

description <SevOne NMS>

exit

collector <SevOne-IP>:9996 version 8

aggregation

protocol-port

source-destination-prefix

exit

autonomous-system-type peer

description "Neighbor collector"

exit

Troubleshoot Flow

SevOne NMS supports most flow formats.

Q. Why does my NetFlow data not exactly match my SNMP polled data?

A: There are several reasons including the following:

  • NetFlow is layer 3 and the SNMP interface is layer 2 and may have non-IP traffic. Although flow is traditionally L3 only, some devices like FNF have some L2 capabilities. You generally expect your flow numbers to be lower than your SNMP numbers to account for non-IP traffic (e.g. ARP).

  • The SNMP interface counts at layer 2 in frame length and NetFlow counts at layer 3 in packet size (e.g., Ethernet usually has a 26 byte header, so the difference could be 26/1500 = 1.7%).

  • A busy router sometimes cannot keep up with flow exports (e.g., a DDoS attack fills the flow cache). This type of flow loss causes NetFlow to report less.

  • SNMP data includes the NetFlow packets whereas NetFlow does not include non-flow SNMP data.

  • Long flow drop (is the router time out set to 1 minute?)

  • Does your NetFlow configuration enable multicast or encrypted traffic?

  • UDP packets (NetFlow packets) could be lost.

Check for Traffic

If flow data does not display for the device, confirm that SevOne NMS actually receives the data via tcpdump.

Log in to the box and run one of the following commands.

Enter the following command to show all incoming flow traffic to SevOne NMS.

tcpdump -i eth0 port 9996

Enter the following command to show only flow traffic from a specific IP address.

tcpdump -i eth0 port 9996 | grep '<ip address in question>'

If data comes into SevOne NMS, you should eventually see a message similar to the following:

Example: 17:55:47.934113 IP <ip address in question>.49359 > <SevOne>.9996: UDP, length 1464

If no data comes in from the IP address, there may be a routing issue.

Check the Version

If flow data comes in, but nothing displays, the version may be wrong.

Enter the following command to dump the first portions of the packets to the page.

tcpdump -XX -i eth0 port 9996

Something similar to the following should display.

Example:
19:55:26.326485 IP <source>.52292 > <destination>.9996: UDP, length 1416
0x0000: 0030 482d 9e1b 0011 5d24 aec0 0800 4500 .0H-....]$....E.
0x0010: 05a4 f187 0000 fb11 ce64 0aff ff0c cc1b .........d......
0x0020: 2435 cc44 270c 0590 2b9f 0005 001d cada $5.D'...+.......
0x0030: 5584 45a3 f32e 0cd7 dd44 8682 7d8d 0001 U.E......D..}...
0x0040: 0000 aa94 ....
19:55:26.326609 IP <source>.58101 > <destination>.9996: UDP, length 1428
0x0000: 0030 482d 9e1b 0011 5d24 aec0 0800 4500 .0H-....]$....E.
0x0010: 05b0 b449 0000 f611 810a 0a00 8f98 cc1b ...I............
0x0020: 2435 e2f5 270c 059c fa38 0007 001b cdb8 $5..'....8......
0x0030: 2bdc 45a3 f32e 11a3 844e 29a1 03b4 0000 +.E......N).....
0x0040: 0000 0a33

In the above example, the first packet is v5 and the second is v7, as indicated in the sixth column of the third row (offset 0x0020). The last two digits in that column are the version.

The following is a visual aid to help find the version as indicated by the XX.

Example:
--:--:--.------ IP <source>.----- > <destination>.9996: UDP, length ----
0x0000: ---- ---- ---- ---- ---- ---- ---- ---- ----------------
0x0010: ---- ---- ---- ---- ---- ---- ---- ---- ----------------
0x0020: ---- ---- ---- ---- ---- --XX ---- ---- ----------------
0x0030: ---- ---- ---- ---- ---- ---- ---- ---- ----------------
0x0040: ---- ----
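The fixed position in the visual aid holds for an untagged Ethernet frame with a 20-byte IP header. The following added example (not part of the original documentation) rebuilds frames from tcpdump -XX text and reads the version from the computed start of the UDP payload, so a VLAN tag or IP options do not shift the result; the function names are hypothetical and the sample rows are the ones shown above.

```python
import re
import struct

# First three rows of the two packets in the dump above.
SAMPLE = """\
19:55:26.326485 IP <source>.52292 > <destination>.9996: UDP, length 1416
0x0000: 0030 482d 9e1b 0011 5d24 aec0 0800 4500 .0H-....]$....E.
0x0010: 05a4 f187 0000 fb11 ce64 0aff ff0c cc1b .........d......
0x0020: 2435 cc44 270c 0590 2b9f 0005 001d cada $5.D'...+.......
19:55:26.326609 IP <source>.58101 > <destination>.9996: UDP, length 1428
0x0000: 0030 482d 9e1b 0011 5d24 aec0 0800 4500 .0H-....]$....E.
0x0010: 05b0 b449 0000 f611 810a 0a00 8f98 cc1b ...I............
0x0020: 2435 e2f5 270c 059c fa38 0007 001b cdb8 $5..'....8......
"""
HEX_ROW = re.compile(r"^\s*0x[0-9a-f]{4}:\s+(.*)$")
HEX_GROUP = re.compile(r"[0-9a-f]{2}|[0-9a-f]{4}")

def frames_from_dump(text):
    """Rebuild each frame's bytes from the hex columns of tcpdump -XX output."""
    frames = [bytearray()]
    for line in text.splitlines():
        row = HEX_ROW.match(line)
        if row is None:
            if line.strip():
                frames.append(bytearray())  # a summary line starts a new packet
            continue
        for token in row.group(1).split()[:8]:  # at most 8 hex groups per row
            if not HEX_GROUP.fullmatch(token):
                break  # short row: the ASCII column has started
            frames[-1] += bytes.fromhex(token)
    return [bytes(f) for f in frames if f]

def flow_header(frame):
    """Return (version, count) from the start of the UDP payload, or None.
    The second field is the record count in NetFlow v5, v7 and v9."""
    try:
        off = 12
        (ethertype,) = struct.unpack_from("!H", frame, off)
        while ethertype == 0x8100:  # each 802.1Q tag shifts everything by 4 bytes
            off += 4
            (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if ethertype != 0x0800 or frame[off + 9] != 17:  # IPv4 carrying UDP only
            return None
        off += (frame[off] & 0x0F) * 4 + 8  # IP header length from IHL, then UDP
        return struct.unpack_from("!HH", frame, off)
    except (struct.error, IndexError):
        return None  # capture was truncated before the flow header
```

For the two sample packets flow_header returns (5, 29) and (7, 27), which agrees with the UDP lengths in the summary lines: 24 + 29 x 48 = 1416 for v5 and 24 + 27 x 52 = 1428 for v7.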