As a feature to facilitate traffic analysis on Cisco IOS enabled devices, NetFlow begins its work at the network device itself. And any device that is NetFlow-enabled, in order to communicate the traffic related data it is holding about that device, must be configured to send, push, or export that data to specific collection targets.
NTA collects NetFlow data (by default, on port 2055) only if a network device is specifically configured to send to it. As a NetFlow collector, NTA can receive exported NetFlow version 5 data and NetFlow version 9 data that includes all fields of the NetFlow version 5 template. Once it collects NetFlow traffic data, NTA analyzes device bandwidth usage in terms of the source and destination endpoints of conversations reflected in the traffic.
Prerequisites
All of these things need to be done for NTA to correctly process NetFlow data and process relevant traffic statistics:
l Each device must be configured to export NetFlow data to NTA.
l Each device that exports NetFlow data to NTA must be monitored in NPM.
Only SNMP-capable nodes whose interfaces were discovered by NPM can be added as NetFlow sources.
l Traffic from a device that is not monitored in NPM appears only in aggregate as traffic from unmonitored devices. If the device is setup to export data to NTA, but is unmonitored in NPM, the collector may receive the data without being able to meaningfully analyze it.
l The specific interface through which a device exports NetFlow data must be monitored in NPM; and interface index number for this interface in the Orion database (interface table) must match the index number in the collected flow data.
Setting Up Network Devices to Export NetFlow Data
To setup a device to export NetFlow data to NTA:
1. Log in to the network device.
2. Enable NetFlow export on the device using appropriate commands. The following example enables NetFlow on a Cisco device.
ip flow-export source <netflow_export_
interface><interface_num>
ip flow-export version 5
ip flow-export destination <Orion_Server_IP_address>
2055
ip flow-cache timeout active 1 ip flow-cache timeout inactive 15 snmp-server ifindex persist
For detailed information on configuring NetFlow on Cisco devices, search for an appropriate configuration guide on theCisco home page.
For information on enabling NetFlow for Cisco Catalyst switches, see the SolarWinds technical referenceEnabling NetFlow and NetFlow Data Export (NDE) on Cisco Catalyst Switches.
For information on enabling NetFlow on Cisco ASA devices, see the SolarWinds technical referenceUnderstanding Cisco ASA NetFlow.
Otherwise, consult these examples as apply to your device:
l Brocade (Foundry) sFlow Configuration
l HP sFlow Configuration
l Extreme sFlow Configuration
l Juniper sFlow Configuration
l Juniper J-Flow Configuration
If your network device is of a different vendor, consult that vendor’s documentation.
3. Add the device exporting NetFlow to NPM for monitoring.
If you are adding a large number of NetFlow enabled nodes, use Orion Network Sonar. For more information, see"Discovering and adding network devices"in the SolarWinds Network Performance Monitor Administrator Guide.
If you are only adding a few nodes, it may be easier to use Web Node Management in the Orion Web Console. For more information, see"Adding devices for monitoring in the Orion Web Console"in the SolarWinds
Network Performance Monitor Administrator Guide.
4. Verify that the device is exporting NetFlow data as expected and that the device is monitored in NPM.
To verify that data are exported correctly, use a packet capture tool (for example, WireShark) to search for packets sent from the network device to the Orion server.
Example
If you successfully added a NetFlow enabled device with IP address
10.199.14.2to NPM, and the device were actively exporting NetFlow data to the Orion server, you would see in WireShark a packet like the one (49) highlighted below in gray:
Setting Up Network Devices to Export NetFlow Data
As indicated and expected, we see in the packet details that10.199.14.2is its source IP address and10.110.6.113 (the Orion server) the destination.
This correlates with the node details on the device in Orion, as highlighted in yellow.
To verify that the IP address of the exporting interface on the network device is the one being monitored in Orion:
l Open a CLI, log into the network device, and typeshow runto see the device’s running configuration.
l Page down to the lines where the export source interface is defined; in this case, we seeip flow-export source Ethernet0/0.
To discover the IP address for this interface, typeshow run int
Ethernet0/0. We see that the interface’s IP address (10.199.14.2) is in fact being monitored in the Orion server.
5. In the Orion Web Console, click NETFLOW in the modules toolbar . You should see NetFlow enabled nodes listed in the NetFlow Sources resource with a recent time posted for collected flow.
To add relevant devices as NetFlow Sources, if they are not already in the list, refer to "Adding Flow Sources and CBQoS-Enabled Devices" on page 69.