The Netflow collector plug-in collects the datagrams sent by Cisco routers or Netflow V5 compatible routers and stores them in a SQL database.
The Netflow collector plug-in is a LoriotPro service plug-in and should be launched from the Service tab. The Netflow collector uses ODBC to access the SQL database.
To work with the Netflow collector, you must install the SQL database and the ODBC driver as described in the chapter Using an external Database.
Queries on this database can be performed from the LoriotPro WEB remote access interface (IE5), and data can be extracted with multiple options. The query tool is described in the chapter Working on Netflow Table.
To work with the Netflow Query tool, you must install the PHP interpreter as described in the chapter Adding PHP support to LoriotPro WEB Server.
A network flow is defined as a unidirectional sequence of packets between given source and destination endpoints. Network flows are highly granular; flow endpoints are identified both by IP address as well as by transport layer application port numbers. NetFlow also utilizes the IP Protocol type, Type of Service (ToS) and the input interface identifier to uniquely identify flows.
NetFlow enables several key customer applications:
Accounting/Billing
NetFlow data provides fine-grained metering for highly flexible and detailed
resource utilization accounting.
Network Planning and Analysis
NetFlow data provides key information to optimize both strategic network
planning as well as tactical network engineering decisions minimizing the total
cost of network operations while maximizing network performance, capacity and
reliability.
Network Monitoring
NetFlow data enables extensive near real time network monitoring capabilities.
Flow-based analysis techniques may be utilized to visualize traffic patterns
associated with individual routers and switches as well as on a network-wide
basis to provide proactive problem detection, efficient troubleshooting, and
rapid problem resolution.
Application Monitoring and Profiling
NetFlow data enables network managers to gain a detailed, time-based,
view of application usage over the network.
User Monitoring and Profiling
NetFlow data enables network managers to gain detailed understanding
of customer/user utilization of network and application resources.
NetFlow Data Warehousing and Mining
NetFlow data can be warehoused for later retrieval and analysis in
support of proactive marketing and customer service programs.
The NetFlow Export datagram consists of a header and a sequence of flow records.
LoriotPro Netflow Collector is designed for Netflow version 5.
Netflow V5 is available with IOS 12 and 12T on the following Cisco devices:
12.0 | Cisco 2600, 3600, 4500, 4700, AS5800, 7200, uBR7200, 7500, RSP7000, RSM |
12.0T | Cisco 1000*,1600*,1720**, 2500*,2600, 3600, 4500, 4700, AS5800, 7200, uBR7200, 7500, RSP7000, RSM, MGX8800 RPM |
The NetFlow Export Version 5 Header Format is :
version | Current version = 5 |
count | The number of records in PDU |
SysUptime | Current time in msecs since router booted |
unix_secs | Current seconds since 0000 UTC 1970 |
unix_nsecs | Residual nanoseconds since 0000 UTC 1970 |
flow_sequence | Sequence number of total flows seen |
engine_type | Type of flow switching engine (RP,VIP,etc.) |
engine_id | Slot number of the flow switching engine |
A flow record contains the following data
source IP address | |
destination IP address | |
source TCP/UDP application port | |
destination TCP/UDP application port | |
next hop router IP address | |
input physical interface index | |
output physical interface index | |
packet count for this flow | |
byte count for this flow | |
start of flow timestamp | |
end of flow timestamp | |
IP Protocol (for example, TCP=6; UDP=17) | |
Type of Service (ToS) byte | |
TCP Flags (cumulative OR of TCP flags) | |
source AS number | |
destination AS number | |
source subnet mask | |
destination subnet mask | |
flags (indicates, among other things, which flows are invalid) | |
shortcut router IP address | |
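The header and record fields listed above can be decoded and sanity-checked as follows. This is an added example, not LoriotPro code: the byte layout (24-byte header with a trailing sampling field, 48-byte record with pad bytes) is the standard Cisco v5 export layout rather than something taken from the tables above, and the function names and sample values are constructed for illustration. It goes one step beyond the tables by using flow_sequence to detect lost datagrams.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte v5 flow record
MAX_RECORDS = 30                                     # most records one v5 datagram carries


def parse_v5(datagram):
    """Parse one v5 export datagram; raise ValueError on anything malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than the v5 header")
    (version, count, _uptime, unix_secs, _nsecs,
     flow_sequence, _etype, engine_id, _sampling) = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError("implausible record count")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length disagrees with header count")
    flows = []
    for (src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport,
         dport, tcp_flags, proto, tos, src_as, dst_as, src_mask,
         dst_mask) in RECORD.iter_unpack(datagram[HEADER.size:]):
        flows.append({
            "src": socket.inet_ntoa(src), "sport": sport,
            "dst": socket.inet_ntoa(dst), "dport": dport,
            "proto": proto, "tcp_flags": tcp_flags,
            "packets": pkts, "bytes": octets,
            # first/last are SysUptime values in ms; the mask handles counter wrap
            "duration_ms": (last - first) & 0xFFFFFFFF,
        })
    return {"unix_secs": unix_secs, "flow_sequence": flow_sequence,
            "engine_id": engine_id, "flows": flows}


def missed_flows(previous, current):
    """Flows lost between two datagrams from the same exporter and engine."""
    expected = (previous["flow_sequence"] + len(previous["flows"])) & 0xFFFFFFFF
    return (current["flow_sequence"] - expected) & 0xFFFFFFFF


def sample_datagram(flow_sequence=100):
    """Constructed sample: one HTTP flow 12.1.1.2 -> 12.1.1.254 lasting 5725 ms."""
    header = HEADER.pack(5, 1, 60000, 1000000000, 0, flow_sequence, 0, 0, 0)
    record = RECORD.pack(socket.inet_aton("12.1.1.2"), socket.inet_aton("12.1.1.254"),
                         socket.inet_aton("0.0.0.0"), 1, 0, 12, 4096,
                         50000, 55725, 1025, 80, 0x1B, 6, 0, 0, 0, 16, 16)
    return header + record
```

Because export datagrams arrive over plain UDP, the length and count checks are what keep a truncated or non-NetFlow packet from being stored as flow data.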
Enter global configuration mode on the IOS device, and issue the following commands for each interface on which you want to enable NetFlow:
interface <interface> <interface number>
ip route-cache flow
bandwidth <kbps>
exit
For each router you want to configure to send NetFlow data to the LoriotPro NetFlow Collector, you must enter the following Cisco IOS command at the config level. Use the IP address of the LoriotPro host on which NetFlow Collector is running and the configured NetFlow listener port. The default port is 9996.
ip flow-export destination <ip-address> <udp-port>
You can set the NetFlow export version to version 5. NetFlow Collector supports only version 5.
ip flow-export version 5
Optionally, you can set the source IP address of the NetFlow exports sent by the device to the specified IP address.
ip flow-export source <interface> <interface number>
Example of configuration:
!
!
interface FastEthernet0/0
ip address 12.1.1.254 255.255.0.0
ip route-cache flow
speed auto
half-duplex
!
!
ip default-gateway 12.1.1.253
ip flow-export version 5
ip flow-export destination 12.1.1.2 9996
no ip classless
ip http server
ip pim bidir-enable
!
!
To start the Netflow collector plug-in, open the Service tab of the workspace and click the right mouse button to open the contextual menu. Then select Netflow collector.
Select the NetflowCollector Service.
The parameter settings window is displayed.
The UDP listening port should be left at 9996, which is also what Cisco defines by default.
The URL should be set to link the Netflow Query tool page. You may have to change the IP address of the LoriotPro WEB server if necessary. Check the setting of the LoriotPro WEB server.
When done, click the OK button; the Netflow Collector plug-in starts.
The Netflow Socket Started at UDP Port 9996 is displayed.
Soon you should see incoming packet information in the status bar of the plug-in.
You can also use the Dump Packet and Display Fields records options for a verbose mode.
The Display Fields records option shows each flow received, with the source IP address and port and the destination IP address and port.
In this screenshot we see a WEB access from 12.1.1.2 to 12.1.1.254 that lasts 5725 ms.
When the Database is filled with collected data, it is time to analyze what we have. The Query tool helps you to perform queries on the Database and extract data on various criteria.
A click on the Analyze button displays the Query tool. The Query tool is also available from the WEB remote console of LoriotPro under the Database button.
To work with the Netflow Query tool, you must install the PHP interpreter as described in the chapter Adding PHP support to LoriotPro WEB Server.
The Query tool and its use are described in the chapter Working on Netflow Table.