SevOne NMS 5.4 Quick Start Guide - Flow

Flow Source Flow Timeout Configuration

The typical manufacturer setting is for a router to send flow data every 30 minutes. Sometimes referred to as the flow cache timeout, this setting defines the frequency that a router sends the flow table to the collector (SevOne NMS). This implicitly is the limit to which the router allows a flow to grow before breaking the flow into a new flow. SevOne recommends that you configure routers to send flow data every minute in order to have the router report to SevOne NMS in a timely manner that enables the even distribution of information transfer. Should you choose to set the flow source flow timeout configuration to something other than one minutes, the router reports less frequently and sends SevOne NMS larger flow tables which results in less granular report data. To compensate for this, SevOne NMS FlowFalcon Reports provide a Granularity setting that enables you to view the report at the granularity that matches your router flow timeout configuration. A flow cache timeout other than one minute is not recommended.

The SevOne NMS Cluster Manager FlowFalcon Cluster Settings provide a Drop Long Flows option that enables you to define a time limit for what you consider to be a long flow. When you use the Drop Long Flow option, SevOne NMS hides the traffic from routers that send flows that exceed the Max Flow Duration you enter. When a router sends flows that exceed the Max Flow Duration, an administrative message appears upon log on to inform administrators that flows from a specific router have been dropped. The Drop Long Flows feature is useful when you set the router cache timeout to be shorter than the Max Flow Duration you set in SevOne NMS, because long flows would then indicate that a router is misconfigured.

The Cluster Manager Cluster Setting provides the ability to adjust the interval at which SevOne NMS writes flow data to the database. The write interval sets the time window for which raw data is to be aggregated into the minimal aggregation. The Write Interval should be set to 1 minute. In the rare situation where you decide to change this setting, you should consider that every hour SevOne NMS takes flow data and creates 15 minute aggregations for the top <n> flows for each interface and view. Your Write Interval setting should therefore be divisible by 15 when you intend to use aggregated flow data.

The following is a brief list of devices and the corresponding commands to set up flow. If your device is not listed, it does not mean SevOne NMS does not support your device. Contact the device vendor for instructions to enable flow. Only people with Cisco or similar device configuration experience should perform flow setup.

You need to set the device to send the following fields to properly monitor your flow.

Cisco

Cisco NX-OS supports the Flexible NetFlow feature that enables enhanced network anomalies and security detection. Flexible NetFlow enables the ability to define an optimal flow record for an application by selecting the keys from a large collection of predefined fields. You use the Cisco exporter that is part of a NetFlow export User Datagram Protocol (UDP) datagram to export the data that NetFlow gathers to SevOne NMS.

Juniper

Juniper supports flow exports by sampling packet headers with the routing engine and aggregating them into flows. known as sFlow. Packet sampling is achieved by defining a firewall filter to accept and sample all traffic, applying that rule to an interface, and then configuring the sampling forwarding option. sFlow must be sent to port 6343.

To configure inline flow monitoring, include the inline-jflow statement at the [edit forwarding-options sampling instance instance-name family inet output] hierarchy level.

In line sampling supports the version-ipfix format that uses UDP as the transport protocol. To configure in line sampling, include the version-ipfix statement at the [edit forwarding-options sampling instance instance-name family inet output flow-server address] hierarchy level and at the [edit services flow-monitoring] hierarchy level.

The following operational commands include in line fpc keywords to display in line configuration information.

• show services accounting errors

• show services accounting flow

• show services accounting status

The Juniper Web Site lists all features that were added to JUNOS Release 10.2.

Alcatel

When you enable cflowd on a service interface, cflowd collects routed traffic flow samples through a router for analysis. Cflowd is supported on IES and VPRN services interfaces. Layer 2 traffic is excluded. All packets forwarded by the interface are analyzed according to the cflowd configuration. On the interface level, cflowd can be associated with a filter (ACL) or an IP interface.

When you enable cflowd on an interface, all packets forwarded by the interface are subject to analysis according to the global cflowd configuration.

When you configure the cflowd interface option in the config>router>interface context, the following requirements must be met to enable traffic sampling on the specific interface.

• Enable cflowd

• Select the interface>cflowd interface option

• To omit certain types of traffic from being sampled when the interface sampling is enabled, you can enable the config>filter>ip-filter>entry>interface-disable-sample option via an ip-filter or ipv6-filter. You must apply the filter to the service or network interface on which the traffic to be omitted is to ingress the system.

Specify cflowd Options on an IP Interface

Enter the following command.

Interface Configurations

CLI Syntax: config>router>if#

cflowd {acl|interface}

no cflowd

Depending on the option selected, either acl or interface, cflowd extracts traffic flow samples from an IP filter or an interface for analysis. All packets forwarded by the interface are analyzed according to the cflowd configuration.

Enable the acl option to enable traffic sampling on an IP filter. You must enable cflowd (filter-sample) in at least one IP filter entry.

Select the interface option to enable traffic sampling on an interface. If cflowd is not enabled (no cflowd) then traffic sampling does not occur on the interface.

Service Interfaces

CLI Syntax: config>service>vpls service-id# interface ip-int-name

cflowd {acl|interface}

active-timeout 20

inactive-timeout 10

overflow 10

rate 100

collector <SevOne-IP>:9996 version 8

aggregation

as-matrix

raw

exit

description SevOne NMS

exit

collector <SevOne-IP>:9996 version 8

aggregation

protocol-port

source-destination-prefix

exit

autonomous-system-type peer

description "Neighbor collector"

exit

Cluster Level Flow Settings

Click in the cluster hierarchy on the left and select the Cluster Settings tab. Subtabs appear along the left side of the Cluster Settings tab to enable you to define cluster level settings.

The FlowFalcon subtab enables you to define how to collect and process raw flow data and aggregated flow data.

1. * Select the Store Raw Flow check box to collect and store raw flow data. Most FlowFalcon views use raw data which provides more specificity in the result set at the trade off of longer report execution times and less historical data availability.

2. * Select the Store Aggregated Flow check box to collect and store the most relevant flow data in an aggregated format that aggregated FlowFalcon views use for faster report execution times.

3. * In the Raw Flow Duration field, enter the number of days' worth of raw flow data to keep. Gigabytes of flow data can accumulate quickly.

4. * In the Raw Flow Data Size field, enter the maximum amount of disk space to allocate for raw flow data.

5. * In the Write Interval field, enter the number of seconds to collect flow data before creating a flat file and writing the data to the disk (recommend 60). A longer write interval results in fewer (but larger) flat files for raw data and smaller tables for aggregated data. See example below.

6. Select the Drop Long Flows check box and enter the maximum number of seconds to consider flow data "long" in the Max Flow Duration field. This drops flows when the flow's duration exceeds the write interval. Long flows are usually due to improper router configuration. This setting triggers an administrative message that appears upon log on to inform you to review the router configuration. Suggested Max Flow Duration is ~2x the Write Interval from the previous step.

7. Select the Enable MPLS Attribute Mapping check box and enter the number of seconds for how frequently to read the map files and to refresh the mapping in the MPLS Attribute Mapping Refresh Interval field. This enables you to map v9 NetFlow template data from core "P" routers for reports that use the following fields in FlowFalcon views: 45050: Customer Client IP, 45051: Customer Client Subnet, 45052: Customer VRF Name, 45053: Customer Application IP, 45054: Customer Application Subnet, 45055: PE Ingress IP, and 45056: PE Egress IP. Map files are customer specific. The MPLS Flow Mapping page enables you to upload the two required map files into SevOne NMS.

   Note: Map files are customer specific. The MPLS Flow Mapping page enables you to upload the two required map files into SevOne NMS.

8. * In the Aggregation TopN field, enter the number of results (50-1000) to store for each aggregation per each write interval. This consumes disk space and is the maximum number of individual results that an aggregated FlowFalcon view can display.

9. In the Hide Inactive field, enter the number of days to display data for an inactive device or interface before the device or interface is considered inactive and its information is hidden. A device or interface is considered inactive if it does not send data to SevOne NMS.

10. In the Purge Inactive field, enter the number of days to store data for an inactive device or interface. Enter 0 (zero) to never purge data.

11. In the Incoming Port field, enter the port number for SevOne NMS to use to listen for flow traffic.

12. Click the Raw Data Compressions drop-down and select the compression method for raw data files. More compression requires less storage, but more CPU is necessary to read the data. Select None, GZip, or BZip2.

13. Select the Advanced FlowFalcon Views check box to display a Metrics drop-down field on the FlowFalcon View Editor, the Object Mapping page, and for FlowFalcon Reports. The Metrics drop-down enables you to use FlowFalcon report views that monitor Medianet data in networks that use Cisco Medianet and to monitor response time metrics in networks that use Cisco NAM devices.

14. Select the Display Flow Sample Rates check box to display the sampled flow rate on FlowFalcon reports that contain split interfaces and to display an additional column on the Flow Interface Manager for sampled data. FlowFalcon reports with sampled data display a message. Interfaces that are not sampled use a sample rate of 1X.

15. Click Save to save the FlowFalcon settings.

Peer Level Flow Settings

<peer name> - Select a peer in the hierarchy on the left side of the Cluster Manager.

The FlowFalcon subtab enables you to define the retention of aggregated flow data on the peer for use in FlowFalcon reports.

1. In the Write Interval field, enter the number of days' worth of <write interval> aggregated flow data to store for calculations. You define the write interval on the Cluster Settings tab FlowFalcon subtab. See above for details.

2. In the Fifteen Minute field, enter the number of days' worth of fifteen minute aggregation data to store for calculations.

3. In the One Hour field, enter the number of days' worth of one hour aggregation data to store for calculations.

4. In the One Day field, enter the number of days' worth of one day aggregation data to store for calculations.

5. Click Save.

Flow Rules List

The list displays all flow rules by default. Click the Display drop-down to display rules for All Sources, Allowed Sources, or Denied Sources.

• Device - Displays the name of the device for which the rule is applicable. Displays New when the rule applies to new devices that have yet to send flow to SevOne NMS. Displays Unknown when you do not enable the SNMP plugin and the device name is not resolvable.

• IP Address - Displays the device IP address.

• Interface - Displays the interfaces for which the rule is applicable. Displays New when the rule applies to new interfaces that have yet to send flows to SevOne NMS.

• Direction - Displays Incoming when the rule applies to incoming traffic. Displays Outgoing when the rule applies to outgoing traffic. Displays New when the rule applies to flows that are from devices that are new in SevOne NMS.

• Permission - Displays Allow when SevOne NMS processes the flow data across the interface. Displays Deny when SevOne NMS does not process the flow data across the interface.

• Peer – Displays the name of the peer to which you define the device to send flow data.

Device Level Flows

The list displays all devices from which SevOne NMS can receive flow data. Click the Display drop-down and select to display All Sources, Allowed Sources, or Denied Sources.

Some flow devices only record data for a selection of messages that the device encounters based on a sample flow rate. The device notifies monitoring systems about only a fraction of its total traffic. The sample rate enables SevOne NMS to scale the data to compensate for the lack of notification of sampled data. The Sample Rate column appears when you select the Display Flow Sample Rates check box on the Cluster Manager Cluster Settings tab

• Device – Displays the name of the device when SNMP resolvable or displays Unknown if you do not enable the SNMP plugin on the device.

• IP Address – Displays the IP address of the device.

• Total Flows - Displays the number of flows processed per second across all interfaces on the device over the past minute. Malformed flows and flows denied by a rule are not processed. The flow rate on the Flow Interface Manager is calculated after duplication.*

• Number of Interfaces – Displays the number of interface on the device from which flow data is received.

• Allowed Direction - Displays the number of interfaces from which flow data is processed and the number of directions of flow data received. Each interface can have incoming flow and outgoing flow and you can define rules to deny flow by direction.

• Sample Rate - Displays the flow data sample rate when the interface sends sampled flow data.

  • n/a – Flow data has not been received from the interfaces.

  • 1X - Sample rate is 1-to-1 (data is not sampled).

  • <n>X – The sample rate (e.g., if 1 packet out of 100 packets is received, this column displays 100X).

• Peer - Displays the name of the peer that receives the flow data.

* The Flow Interface Manager displays the rate of flows over the past minute for each interface and direction after SevOne NMS duplicates flows that lack directional information. Since NetFlow v5 only exports information about the incoming interface, SevOne NMS duplicates the flow statistics for v5 NetFlow to factor for outgoing flows on devices that use v5 NetFlow.

Flow Template Status List Filters

Filters enable you to limit the items that appear in the device list. Filters are optional and cumulative.

• Click Filter to expand the filters section.

• In the Device Name field, enter the device name on which to filter.

• In the Device IP field, enter the device IP address on which to filter.

• Click Filter to apply the filter.

• Click Clear Filter to display all flow devices in the list.

Devices

The Devices list displays the devices you enable to send flow data to SevOne NMS. Click on a device to populate the Templates section with the flow template data the device sends. Each device can send multiple flow template identifiers (packages) and the device list displays separate rows for each flow template ID the device sends.

• Device - Displays the device name.

• Device IP - Displays the device IP address.

• Source ID - Displays the flow data source identifier.

• Template ID - Displays the flow data template identifier.

• Version - Displays the flow version. All NetFlow prior to version 9 is an inbound only technology.

• Last Seen - Displays the date SevOne NMS last received data from the device.

• Peer - Displays the name of the peer that polls the device.

Templates

The Template list displays the flow template fields received from the template ID on the device you select in the Device list. You use flow template fields to create FlowFalcon report views to include the data in FlowFalcon reports.

• Field - Displays the name of the flow template field.

• Field ID - Displays the flow template field identifier.

• Length - Displays the length of the field.

• Order Number - Displays the sequence of where the field appears within the data packet.

Create Custom FlowFalcon Views

SevOne NMS provides a starter set of FlowFalcon views to enable you to create FlowFalcon reports right out of the box and to help create FlowFalcon views that are specific to your network. Starter set views display an asterisk <*> in the View drop-down list.

1. Click the Metrics drop-down. This field appears when you select the Advanced FlowFalcon Views check box on the Cluster Manager.

   • Select Bandwidth to create a view that focuses the report on the volume of traffic.

   • Select Medianet to create a view that focuses the report on Cisco Medianet video statistics.

   • Select Response Time to create a view that focuses the report on the delays caused by various parts of the network. To use the Response Time metric views, you must select the Monitor NAM Data check box on the Edit Device page and define the NAM settings so that a Cisco NAM device sends NAM response time data to the FlowFalcon Reports page.

2. Click the View drop-down and select a view to customize or select New View to create a view from scratch.

3. Click the View Category drop-down.

   • Select an existing view category to include the view in the category you select.

   • Select New Category to create a new view category for the view. Enter the category name in the text field that appears.

4. Click the Enable Aggregation drop-down.

   • Select Disabled to create a granular view that uses raw flow data. Whenever you select Disable, a message appears to warn you that any aggregation data associated with the view will be deleted. Click OK on the message but be aware that when you click Save, all aggregated data that is associated with the view is deleted.

   • Select Enabled to create an aggregated view that uses aggregated flow data. There is a limit to the number of aggregated views your appliance can support.

5. In the New View Name field, enter the name of the view.

6. The Flow Fields section enables you to select the flow template fields to include in the view. The flow template fields you move to the Fields in View field are included in the view (use Ctrl or Shift keys to multi-select). The fields display in the report in the sequence in which they appear in the Fields in View list.

7. Click one of the following buttons.

   • When you edit a view, click Save to overwrite the original view with the changes you make. This deletes any existing aggregated data for an aggregated view.

   • Click Save as New to save the report view as a new view. This creates a copy of the original view and preserves aggregated data for the original view when you edit an aggregated view. (The new aggregated view starts out with no aggregated data.)

   • When you edit a view, click Delete to delete the view and any associated aggregated data.

8. Click FlowFalcon to return to the FlowFalcon Reports page.

Upload Map Files

Perform the following steps to upload the two files that map MPLS attributes. The first map file maps VPN 2nd Top Label ID, PE Egress Address, Customer VRF. The second map file maps Customer VRF, Source IP Address, Ingress PE Address.

1. In the Mapping 1 section, click to display the File Upload pop-up.

2. Navigate the file structure to locate and select the file that maps the VPN 2nd Top Label ID, PE Egress Address, and the Customer VRF.

3. Click Open on the pop-up to save the file locally.

4. Click Upload to move the file to the correct location and to complete the upload of the first map file.

5. Click Download to display the content of the first map file in a .csv format.

6. In the Mapping 2 section, click to display the File Upload pop-up.

7. Navigate the file structure to locate and select the file that maps the Customer VRF, Source IP Address, and Ingress PE Address.

8. Click Open on the pop-up to save the file locally.

9. Click Upload to move the file to the correct location and to complete the upload of the second map file.

10. Click Download to display the content of the second map file in a .csv format.

Manage Network Segments

You can create network segments that contain multiple subnets with the same name to group flow data. The network segments you define here appear on the Report Attachment Wizard and on the FlowFalcon Report page in the Network Segment drop-down list.

1. Click the Network Segment drop-down and select a network segment. The subnets for the segment you select appear in the list below.

2. Click the following icons to define segments.

   • - Click to display the Network Segment pop-up where you enter the name of a new network segment.

   • - Click to display the Network Segment pop-up to where you change the name of a network segment.

   • - Click to delete a network segment.

3. View the list of the subnets for the segment.

Map List

The list displays the mapping relationships between an indicator and its corresponding flow interface, the FlowFalcon view metric, the FlowFalcon view, and the FlowFalcon report filters.

• SevOne NMS Device - Displays the name of the device that contains the indicator the plugin polls.

• SevOne NMS Plugin - Displays the name of the plugin that polls the object that contains the indicator.

• SevOne NMS Object - Displays the name of the object that contains the indicator you map to a flow interface.

• SevOne NMS Indicator - Displays the name of the indicator you map to a flow interface.

• Flow Device - Displays the name of the device that contains the interface that sends flow data to SevOne NMS.

• Flow Interface - Displays the name of the flow interface to which you map the indicator.

• Flow Direction - Displays the mapping direction.

• Metric – Displays the FlowFalcon view metric the FlowFalcon Reports page uses for the FlowFalcon report. This column appears when you select the Advanced FlowFalcon Views check box on the Cluster Manager.

• View - Displays the name of the FlowFalcon view the FlowFalcon Reports page uses for the FlowFalcon report that displays the flow information for the indicator/interface.

• Filter - Displays the name of the filter you define for the FlowFalcon report.

Manage Mappings

When multiple objects rely on flow data from a single interface you can map multiple objects to a single flow interface, even if the objects are on different devices. Objects for which you define a mapping display a NetFlow button when you create an Instant Graph or when you chain an attachment from the Report Framework for the objects. The object mapping includes the designation of the FlowFalcon view and the definition of the report filters for the FlowFalcon Reports page to use to display the flow information you specify. When you click the NetFlow button on an instant graph, the FlowFalcon Reports page appears with the view, settings, and filters you define from the Object Mapping page.

Click and select Add New Mapping or select Edit to display a pop-up that enables you to define the mapping relationship.

Manage Protocols

The Protocols tab displays the flow protocols SevOne NMS discovers.

1. Click Add Protocol or click to display the Add/Edit Protocol pop-up.

2. In the Number field enter the protocol number.

3. In the Name field, enter the protocol name.

4. In the Description field, enter the protocol description.

5. Click Save.

Manage Services

The Services tab displays the flow services SevOne NMS discovers.

1. Click Add Service or click to display the Add/Update Service pop-up.

2. In the Source field, enter the IP address of the service coupled with the subnet. Enter 0.0.0.0/0 to poll for the service from any device. Enter an IP address and a subnet to poll a specific device for the service.

3. In the Port field, enter the port number the service uses.

4. In the Protocol field, enter the protocol the service uses (e.g., TCP, UDP, etc.).

5. In the Service Name field, enter the service name to appear in reports.

6. In the Description field, enter the service description.

7. Click Save.

FlowFalcon – Resources/Chaining

FlowFalcon - Time

The Time wizard page enables you to define the attachment time span.

1. Click the Time Span drop-down.

   • Custom

     • Select Specific to display fields to enable you to define a specific time span.

     • Select Relative to display a text field where you can enter a relative time span that uses natural language processing such as; past 4 hours, last week, this month, today – last week, this week – last month, past month, from last month until now, from last month until yesterday, past 4 weeks, from past 10 weeks until past 2 weeks.

     • Select Week to display a pop-up that enables you to designate a specific week in the year by number (ex. week 23), to change when the year begins, and to designate that the first day of the week is a day other than Sunday.

   • Historical

     • Select Today to display data from 12:00am today until now.

     • Select Past <n> Hours, Days, Weeks to display data from <n> hours, days, or weeks ago until now.

     • Select Yesterday to display data from 12:00am yesterday until 12:00am today.

     • Select This Week, Month, Quarter to display data from 12:00am on the first day of the week, month, or quarter until now.

     • Select Last Week, Month, Quarter to display data from 12:00am on the first day of the last completed week, month, or quarter to 11:59pm on the last day of the last completed week, month, or quarter.

2. Click the Time Zone drop-down and select a time zone.

3. Click Next.

FlowFalcon - Settings

The Settings wizard page enables you to define attachment settings including the FlowFalcon view. Views define the data to appear in the report. SevOne NMS provides starter set FlowFalcon views to enable you to create common FlowFalcon attachments. The FlowFalcon View Editor enables you to create FlowFalcon views that are specific to your network.

1. On the Settings tab on the Settings page, select the Aggregated Data check box to populate the View list with FlowFalcon views that use aggregated flow data (faster and less specific). Leave clear to populate the View list with views that use the raw flow data (slower and more specific).

2. Click the Metric drop-down. This field appears when you select the Advanced FlowFalcon Views check box on Cluster Manager Cluster Settings tab.

   • Select Bandwidth to populate the View list with views that focus the report on the volume of traffic.

   • Select Medianet to populate the View list with views that focus the report on Cisco Medianet video statistics.

   • Select Response Time to populate the View list with views that focus the report on the delays caused by various parts of the network. These views are for Cisco NAM devices.

3. Click the View drop-down and select a view. The list of views is dependent on the selections you make in the previous Settings steps.

4. Click the Network Segment drop-down and select a network segment. This enables you to resolve IP addresses into segments and to roll up results from the same segment into a single result. The Network Segment Manager enables you to create and modify network segments.

5. Select the Graph Other check box to display the flow for the top <n> results individually in the Pie visualization and the Stacked Line visualization plus a Remaining Traffic graph item that groups the flow for the remaining flow sources that meet the filter criteria. You define <n> results in the next step. Leave clear to display only the top <n> results in the Pie visualization and the Stacked Line visualization. Remaining Traffic continues to display in the Table visualization.

6. In the Result Limit field, enter the number of individual results to display in the attachment. Filters enable you to narrow the scope of the request (see the Filters section below). You can also modify the Current Resources list to limit the number of resources.

7. Click the Preferred Units drop-down and select Bits for network oriented data or select Bytes for server oriented data.

8. On the FlowFalcon tab, click the Split drop-down.

   • Select Nothing to combine all results from the same direction across the same interface to allow for greater detail in the result set.

   • Select Interfaces to separate flow data into individual interfaces.

   • Select Groups to separate flow data by device group/device type or object group depending on the resource you select. This option appears when you select Device Groups or Object Groups on the Resources page.

9. Select the Display as Rate check box to display the results as bits or bytes per second. Leave clear to display the total number of either bits or bytes.

10. Click the Granularity drop-down and select the interval between data points in the results. SevOne NMS is optimized to receive flows every one minute. If you configure the router to send flows at a different interval, this setting enables you to view the report at the granularity that matches the router flow timeout setting. A router flow cache setting other than one minute is not recommended.

    • Select Auto to use the highest applicable granularity for the best display and fastest load time based on the Time Span you select on the Time page.

    • Select a predefined interval.

    • Select Custom to enter a custom granularity. If you set the granularity to be too small for the time span, SevOne NMS adjusts the granularity.

11. On the FlowFalcon Resolution tab, click the Display DNS drop-down.

    • Select Display IP to display raw IP addresses.

    • Select Display DNS to display resolved domain names when possible.

    • Select Display Both to display both IP addresses and resolved domain names.

12. Click the Display Protocol drop-down.

    • Select Display Number to display raw protocol numbers.

    • Select Display Name to display resolved protocol names.

    • Select Display Both to display both numbers and resolved names.

13. Click the Display Port drop-down.

    • Select Display Number to see raw port numbers.

    • Select Display Name to display resolved port names.

    • Select Display Both to display both numbers and resolved names.

14. Click the Display DSCP drop-down.

    • Select Display Number to see DSCP port numbers.

    • Select Display Name to display DSCP port names.

    • Select Display Both to display both numbers and resolved names.

15. Click the Display AS drop-down.

    • Select Display Number to see AS port numbers.

    • Select Display Name to display AS port names.

    • Select Display Both to display both numbers and resolved names.

16. Click Next.

FlowFalcon - Filters

The Filters wizard page enables you to limit the results that appear in the attachment. Each filter contains one or more rules. Each filter rule applies to a specific flow field. A filter rule for a field not in the view is ignored. This enables you define filters independently from views.

When you apply a filter to an attachment that uses an aggregated view, the Remaining Traffic and Total Traffic numbers may appear inaccurate due to how data is aggregated and stored in pre-calculated buckets. If you do not receive the expected number of results after you apply a filter to an aggregated view, increase the number of aggregated results to store for each write interval on the Cluster Manager Cluster Settings tab (FlowFalcon Aggregation TopN).

1. Click the Select Field drop-down and select the field on which to define the filter. Fields that are in the view you select appear first in the drop-down list followed by every other known field from flow data.

2. Click the second drop-down (displays Equal To by default) and select a comparison operator. For each attachment, a data row displays if allowed by all filter rules with the word NOT in the operator and allowed by any other filter rule (if existent).

3. In the Enter Value field, enter the value on which to base the filter.

4. Click Add Filter to display the filter in the Current Filters list.

5. Repeat these steps to add filters to the list.

6. Click Next.

FlowFalcon - Visualizations

The Visualizations wizard page enables you to define how you want to display the report data. The visualizations you select display and when you select multiple visualizations, the attachment displays the report data in each of the visualizations you select.

• Pie - Displays the data as a pie graph.

• Stacked Line - Displays each graph line stacked above the prior graph line to better visualize how values compare as a whole.

• Table - Displays the data as a table.

For the Pie and Stacked Line visualizations, hover the cursor over the to display and click to display the following settings.

1. Select the Display Logo check box to display a logo in the attachment.

2. Select the Display Legend check box to display a legend in the attachment. When you select to display a legend in the attachment, the next check five boxes are enabled.

3. Select the Display Frequency check box to display the poll frequency in the legend.

4. Select the Display Last Poll check box to display the value of the last successful poll in the legend.

5. Select the Display Aggregation check box to display the type of aggregation you select for the calculation of the data in the legend.

6. Select the Display Average check box to display the average in the legend.

7. Select the Display Maximum check box to display the data peak point in the legend.

8. Select the Display Time Span check box to display the time span in the attachment.

9. Select the Display Outline check box to have the graph appear within an outline within the attachment. Stacked Line visualization only.

10. Select the Rounded Y Axis Value check box to round all left-hand Y axis grid line values and to round the top right-hand Y axis grid line value when you have dual Y axes. Stacked Line visualization only.

11. Select the Rounded X Axis Value check box to round the X axis grid line values. Stacked Line visualization only.

12. Select the Scale to Minimum Value check box to scale the graph from maximum down to the minimum actual value. Leave clear to scale the graph from maximum down to zero. Stacked Line visualization only.

13. Select the CSV When Mailed check box to email the attachment in a .csv format to the recipients you define on the Report Properties Delivery tab.

For the Table visualization, hover the cursor over the to display and click to display the following table settings.

1. The Columns fields enable you to define the data columns to display. Move the columns to display to the Using field on the right.

   • Fields below the Available field and the Using field enable you to search for a column.

   • Select a row and click the green arrows on the right to change the column sequence. The column with the red number one ( 1 ) is the primary sort column and the data from this column displays in the Stacked Line visualization and in the Pie visualization.

   • Within a row, click the gray up arrow or the down arrow to define the sort column and whether to display data in ascending or descending order.

   • Indicates you cannot remove this column from the table.

2. Select the User Friendly Times check box to use human readable dates when you extract the attachment data to a .csv format. Leave clear to use a UNIX time stamp in the .csv which enables further manipulation of the data.

3. Select the Abbreviate Numbers check box to abbreviate large numbers (e.g., 5000 becomes 5K). Leave clear to enter the data precision in the Precision field.

4. Select the CSV When Mailed check box to email the attachment in a .csv format to the recipients you define on the Report Properties Delivery tab.

Click Next.

FlowFalcon - Summary

The Summary wizard page enables you to view a summary of the attachment definition.

1. Click on a row to navigate to the page where you can edit the item.

2. Click Finish to display the report.

Sources

The Sources section enables you to select the interfaces, device groups, or object groups from which to present a FlowFalcon report.

1. Click the Source Type drop-down.

   • Select Interfaces to create a report for flow data from the interfaces you allow on the Flow Interface Manager.

     1. Click the Device drop-down and select a device. Select All Devices to define the report to contain all devices.

     2. Click the Interface drop-down and select an interface. Select All Interfaces to define the report to contain all interfaces on the device you select.

     3. Click the Direction drop-down and select whether to define the report to display the Incoming, Outgoing, or All Directions traffic.

   • Select Device Groups, then click the Device Group drop-down and select a device group/device type. Select All Device Groups to define the report to contain all device groups.

   • Select Object Groups, then click the Object Group drop-down and select an object group.

2. Click Add Source to add the device, interface, and direction to the Sources to Graph list.

3. Repeat to add additional sources.

Report Settings

The Report Settings section enables you to select the view and to define the report settings for the report. FlowFalcon views enable you to define the flow template fields to display in the report.

1. Click the Metric drop-down. This field appears when you select the Advanced FlowFalcon Views check box on the Cluster Manager.

   • Select Bandwidth to populate the Report View drop-down list with views that focus the report on the volume of traffic.

   • Select Medianet to populate the Report View drop-down list with views that focus on Cisco Medianet video statistics.

   • Select Response Time to populate the Report Views drop-down list with views that focus the report on the delays caused by various parts of the network. To use the Response Time metric views, select the Monitor NAM Data check box on the Edit Device page and configure the NAM settings to enable the Cisco NAM device to send response time data to FlowFalcon reports.

2. Click the Mode drop-down.

   • Select Aggregated to populate the Report View drop-down list with views that use aggregated flow data which stores the most relevant flow data for faster report creation.

   • Select Granular to populate the Report View drop-down list with views that use raw flow data to allow for more specificity in the result set at the trade off of longer report execution times and less historical data availability.

3. Click the Report View drop-down and select a view. The list of views is dependent on the selections you make from the Metrics drop-down and from the Mode drop-down. If you do not see an applicable view, the Report View field caption links to the FlowFalcon View Editor where you can create custom views.

4. Click the Time Span drop-down and select a time span. Select Custom to display a pop-up that enables you to define a custom time span.

5. Click the Time Zone drop-down and select a time zone.

6. Click the Split Sources drop-down.

   • Select Nothing to combine all results from the same direction across the same interface to allow for greater detail in the result set.

   • Select Interfaces to separate flow data into individual interfaces.

   • Select Groups to separate flow data by device group or object group depending on the source you select. This option appears when you select Device Groups or Object Groups in the Source section.

7. Click the Network Segment drop-down and select a network segment. This enables you to resolve IP addresses into segments and to roll up results from the same segment into a single result. The Network Segment caption links to access the Network Segment Manager where you manage network segments.

8. Click the Show Remaining Traffic drop-down.

   • Select Yes to display the flow data for the top <n> results individually in the pie chart and the stacked line graph plus a Remaining Traffic graph item that groups the flow for the remaining flow sources that meet your filter criteria. You define <n> results in the next step.

   • Select No to display only the top <n> results in the pie chart and the stacked line graph. Remaining Traffic continues to display in the table.

9. In the Results to Display field, enter the number of individual results to display in the report. There is no limit to the number of results but the display includes the first 200 results to optimize browser performance. Export the report to a .csv format or to a .pdf format to view the full result set of more than 200 results. Filters enable you to narrow the scope of the request (see the Filters section below). You can also modify the Selected Sources list to limit the number of sources in the report (see the Sources section above).

Advanced Report Settings

FlowFalcon reports display a table of incoming flow data that can include a variety of information that describe the flows. The Advanced Report Settings section enables you to select the data columns to include in the FlowFalcon report table.

1. Click Advanced Report Settings to expand the section.

2. In the Data Columns field, select the check box for each data column to include in the report table. You must select the check box for at least one data column. All columns are described at the end of this chapter.

3. Click the Sort Column drop-down and select the data column on which to sort the table in the FlowFalcon report. This drop-down list displays the data columns you select in the previous step. The data column you select in this step determines the data to display in the pie chart and the stacked line graph.

4. Click the Sort Order drop-down and select to sort data in either Ascending or Descending order.

Resolution Settings

The Resolution Settings section enables you to define domain name resolution settings.

1. Click Resolution Settings to display the resolution settings controls.

2. Click the DNS drop-down.

   • Select Display IP to display raw IP addresses.

   • Select Display DNS to display resolved domain names when possible.

   • Select Display Both to display IP addresses and resolved domain names.

3. Click the Protocols drop-down.

   • Select Display Number to display raw protocol numbers.

   • Select Display Name to display resolved protocol names.

   • Select Display Both to display both numbers and resolved names.

4. Click the Ports drop-down.

   • Select Display Number to display raw port numbers.

   • Select Display Name to display resolved port names.

   • Select Show Both to display both numbers and resolved names.

5. Click the DSCP drop-down.

   • Select Display Number to display DSCP port numbers.

   • Select Display Name to display DSCP port names.

   • Select Display Both to display both numbers and resolved names.

6. Click the AS drop-down.

   • Select Display Number to display AS port numbers.

   • Select Display Name to display AS port names.

   • Select Display Both to display both numbers and resolved names.

Display Settings

The Display Settings section enables you to define display settings.

1. Click Display Settings to display the display settings controls.

2. Click the Granularity drop-down and select the interval between data points in the results. SevOne NMS is optimized to receive flows every one minute. If you configure the router to send flows at a different interval, this setting enables you to view the report at the granularity that matches the router flow timeout setting. A router flow cache setting other than one minute is not recommended. This relates back to the router cache time out setting you define on the router in the Enable Devices to Send Flow Data to SevOne NMS chapter.

   • Select Auto to the highest applicable granularity for the best display and fastest load time based on the time span you select.

   • Select a predefined interval.

   • Select Custom to enter a custom granularity. There is no limit to this value, but if the granularity is too small for the time span, SevOne NMS adjusts the granularity.

3. Click the Data Units drop-down and select Bits for network oriented reports or select Bytes for server oriented reports.

4. Click the Display as Rates drop-down and select Yes to display the results as bits or bytes per second or select No to display the total number of bits or bytes.

Filters

The Filters section enables you to limit the results that appear in the report. Each filter contains one or more rules. Each filter rule applies to a specific flow field. Filter rules for a field not in the view are ignored. This enables you to define filters independently from views.

When you apply a filter to a FlowFalcon report that uses an aggregated view, the Other Traffic and Total Traffic numbers may appear inaccurate due to how the data is aggregated and stored in pre-calculated buckets. If you do not receive the expected number of results after you apply a filter to an aggregated view, increase the number of aggregated results to store for each write interval on the Cluster Manager Cluster Settings tab (FlowFalcon Aggregation TopN).

To delete a filter, click the Filter drop-down and select the filter to delete. The rules list displays the rules for the filter you select. Click Delete Filter to delete the filter.

FlowFalcon Report Interactions

A FlowFalcon report displays a pie chart, a stacked line graph, and a table. The pie chart and the stacked line graph display up to 16 colors to represent the top 16 results for the data you select as the Sort column in the Advances Report Settings section. The table displays up to 200 results. Detach the report to a .csv format or .pdf format to display more than 200 results. Detach the report to a .csv format or .pdf format to display more than 200 results. The following sections provide instructions for how to get FlowFalcon report results and how to manipulate and navigate the report to display the exact data you need.

Navigate FlowFalcon Reports

FlowFalcon reports enable you to adjust the settings for the current graph then Graph Again. FlowFalcon reports enable you to Drill Down to get more specific information about the results without having to revise the report settings.

You can perform these steps in any sequence for any FlowFalcon report to display specific data.

• Click the Refresh Rate drop-down and select a refresh rate to update the report data at the frequency you select. You should not set the refresh rate to less than the write interval. The default write interval writes flow data to the disk every 60 seconds. You can adjust the write interval on the Cluster Manager.

• Click the View drop-down below the Get Results button and select a view from a list of views that share a field with the view you used to create the report. The list includes both more specific (drill down) views and less specific (fan out) views.

  Example: When the Top Talkers is the view that appears in the Report Settings section, the views in the View drop-down list that appears in the report section share a field with the Top Talkers view.

• In the report table, click to manage the selection of the items in the table.

• Click Get Results to create a new report after you change the settings in the areas above the Get Results button.

  • Make changes in the Interfaces, Report Settings, Advanced Report Settings, Resolution Settings, Display Settings, and Filters sections.

  • Click Get Results.

• Click Drill Down to create a new FlowFalcon report with a new view and the same settings you define previously from the Interfaces, Advanced Report Settings, Resolution Settings, and Display Settings sections.

  • Click the View drop-down below the Get Results button and select a view from a list of views that share a field with the current report's view.

  • Select the check box for each item to include in the new report to drill down for a specific source device.

  • Click Drill Down.

    Example: When you click Drill Down, the Report View in the Report Settings section updates and the filter that appears in the Filters section updates to reflect the filter associated with the new view. In the report table select Select None to clear the check boxes for all rows. Select the check box for one row and click Drill Down. The report uses the settings you define above and displays a report for the new view that contains the one item you select.

• Click Graph Again to use all of the settings from above to create a new graph for the data in the rows you select in the report table.

  • In the FlowFalcon report table, click the Action icon and select Select None to clear the check boxes for all rows in the table.

  • Select the check box for one row in the table.

  • Click Graph Again.

• Click within the FlowFalcon report table to display a line graph for that data item. The results for the Top Talkers view using the default FlowFalcon settings displays a table that contains the Source IP, Bandwidth, and Packets.

  • Click on an item in the Bandwidth column.

  • A line graph of the bandwidth for the source appears.

Remaining Traffic, Total Traffic, and FlowFalcon Flow Calculation

The bottom rows of the FlowFalcon report table contain rows for Remaining Traffic and Total Traffic.

• The Remaining Traffic row displays the total of all interfaces that are not part of the top <n> results (where <n> is the number you enter in the Results field in the Report Settings section above). If there are fewer results than the number you enter in the Report Settings section, the Remaining Traffic row does not appear.

• The Total Traffic row displays the total of all interfaces in the report, regardless of whether the source appear listed individually in the list or not.

The Graph Other setting in the Report Settings section enables you to include the remaining and total traffic in the pie chart and stacked line graph. Click the Graph Other drop-down and select Yes to display a gray slice in the pie graph and a gray line in the stacked line chart that represents the remaining traffic.

FlowFalcon Table Columns

Some column definitions change when you select Split Nothing in the Split Sources field.

FlowFalcon Metrics

Bandwidth is the most common flow metric to monitor and Bandwidth views appear by default. The Cluster Manager Cluster Settings tab provides an Advanced FlowFalcon Views check box to enable you to use Medianet views for Cisco Medianet metrics and to use Response Time views for networks that use Cisco NAM devices. When you select the Advanced FlowFalcon Views check box, a Metrics drop-down field appears on the FlowFalcon Reports page, the FlowFalcon View Editor, and the Object Mapping page.

The FlowFalcon View Editor enables you to create FlowFalcon views that are specific to your network requirements.

FAQ

Q: Why does my NetFlow data not exactly match my SNMP polled data?

A: There are several reasons including the following:

• NetFlow is layer 3 and SNMP interface is layer 2 and may have non-ip traffic. Although flow is traditionally L3 only, some devices like FNF have some L2 capabilities. You generally expect your flow numbers to be lower than your SNMP numbers to account for non-IP traffic (e.g. ARP).

• SNMP interface counts at layer 2 in frame length and NetFlow counts at layer 3 in packet size, (e.g., Ethernet usually has a 26 byte header, so the difference could be 26 /1500 = 1.7%).

• A busy router sometimes cannot keep up with flow exports (e.g., a DDOS attack fills the flow cache). This type of flow loss causes NetFlow to report less.

• SNMP data includes the NetFlow packets whereas NetFlow includes does not include non-flow SNMP data.

• Long flow drop (is the router time out set to 1 minute?)

• Does your NetFlow configuration enabled multicast or encrypted traffic?

• UDP packets (NetFlow packets) could be lost.

Check for Traffic

If flow data does not display for the device, confirm that SevOne NMS actually receives the data via tcpdump.

Log in to the box and run one of the following commands.

Enter this command to show all incoming flow traffic to SevOne NMS.

tcpdump -i eth0 port 9996

Enter this command to show only flow traffic from a specific IP address.

tcpdump -i eth0 port 9996 | grep '<ip address in question>'

If data comes into SevOne NMS, you should eventually see a message similar to the following:

If no data comes in from the IP address, there may be a routing issue.