GETTING STARTED GUIDE
NetFlow Traffic Analyzer
Version 4.5
Last Updated: Monday, December 3, 2018

© 2018 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

Table of Contents

NetFlow Traffic Analyzer Getting Started Guide
  Prerequisites
  Product terminology
Discovery for SolarWinds NTA
What protocols does SolarWinds NTA support?
Flow environment best practices
  Determine where to enable flow
  Be mindful of directionality and duplication
  Set the retention period
Enable a device to send flow data to SolarWinds NTA
  Requirements
  Enable a device to send flow data
Identify consumers of interface bandwidth
  Change the threshold for Top Talker alerts
  Identify top talkers when the interface bandwidth utilization alert is triggered
  Keep close track of bandwidth utilization
Bandwidth capacity planning and analysis
  Generate a WAN Interfaces Last 7 Days report
Beyond getting started

NetFlow Traffic Analyzer Getting Started Guide

Welcome to the SolarWinds NetFlow Traffic Analyzer (NTA) Getting Started Guide. Ensure your long-term success with SolarWinds NTA by following the guidelines described in this guide. Depending on your workload, getting started with SolarWinds NTA should take you one day or less.

To get started with SolarWinds NTA, complete the following tasks.

- Install SolarWinds NTA. Use the SolarWinds Orion Installer to prepare the environment and install SolarWinds NTA.
- Populate NTA with devices. For NTA to analyze your bandwidth utilization, you need to discover the devices and add them to Orion for monitoring.
- Set up your flow environment. Understand what protocols NTA supports, review flow environment best practices, and enable a device to send flow data to SolarWinds NTA.
- Identify consumers of interface bandwidth. Change the threshold for Top Talker alerts, identify top talkers after the bandwidth utilization alert is triggered, and use the Flow Navigator for forensic analysis.
- Plan for interface bandwidth capacity. Use SolarWinds NTA to monitor interface-level network bandwidth and traffic patterns over the course of months, days, or minutes.

Existing customers: Follow the recommendations in this guide to ensure your system capabilities are appropriate and your production environment is sized correctly. Minimum system requirements used during evaluation are not sufficient for a production environment. Access your licensed software from the SolarWinds Customer Portal. If you need implementation help, contact our Support team.

Evaluators: To evaluate SolarWinds NTA, download a free 30-day evaluation. The evaluation version of SolarWinds NTA is a full version of the product, functional for 30 days. If you evaluate SolarWinds NTA on a Windows Server operating system, you can easily convert your evaluation license to a production license by obtaining and applying a license key. If you need assistance with your evaluation, contact sales@solarwinds.com.

Prerequisites

This getting started guide assumes that you have:

- Purchased or are evaluating SolarWinds Network Performance Monitor (NPM) and SolarWinds NetFlow Traffic Analyzer (NTA).
- Installed SolarWinds NPM and are adding SolarWinds NTA to your SolarWinds Orion Platform deployment.
- Completed the SolarWinds NPM Getting Started Guide. There are some very important principles and skills that you learn in the SolarWinds NPM Getting Started Guide, so SolarWinds highly encourages you to work through that content.

Product terminology

Orion Platform: The common backend platform used by the SolarWinds Orion suite of products, including Network Performance Monitor (NPM), Server & Application Monitor (SAM), Network Configuration Manager (NCM), NetFlow Traffic Analyzer (NTA), and more. The platform provides the backbone for navigation, settings, and common features like alerts and reports. It also provides a consistent look-and-feel across products, giving you a single pane of glass for your SolarWinds Orion monitoring tools.

Orion Web Console: The web interface you see when you log in to SolarWinds Orion that is used to view, configure, and manage all of your monitored objects. Check out this video on navigating the Web Console.

Orion Application Server: A Microsoft Windows server that runs the Orion Web Console and collects data from monitored objects. Also called the Orion Main Poller.

Orion database Server: A Windows SQL server that should be hosted on a dedicated server in a production environment, separately from the Orion Application Server. It stores SolarWinds Orion configuration data and all collected performance and syslog data.

Polling Engine: A polling engine controls polling job scheduling and data processing, and queries your monitored devices for performance metrics, such as CPU, memory, and up or down status. Additional Polling Engines can be licensed to provide additional scalability and capacity. By default, the Orion Server provides one polling engine (often referred to as the Main Polling Engine).

NTA Flow Storage database: An independent Windows SQL server for storing flow data. In NTA versions 4.0 through 4.2.3, the NTA Flow Storage database runs on the FastBit database engine and must be installed before installing SolarWinds NTA. NTA 4.4 through 4.5 uses a Microsoft SQL server for the Flow Storage database. In production environments, you can co-locate the NTA Flow Storage database and the Orion database on one SQL server. For more information on deploying the NTA Flow Storage database, see NTA Flow Storage database deployment options in the NTA Administrator Guide.

NetFlow collector: A server responsible for receiving, storing, and processing flow data.

CBQoS: Class-Based Quality of Service (CBQoS) is an SNMP-based, proprietary Cisco technology available on selected Cisco devices that gives you the ability to prioritize and manage traffic on your network. The system keeps collected CBQoS data in the SolarWinds Orion database. For more information about configuring class maps for your CBQoS-enabled network devices, search CBQoS at www.cisco.com.

Discovery for SolarWinds NTA

For NTA to analyze bandwidth usage on your devices, you need to discover those network devices and add them to SolarWinds NPM and NTA for monitoring.

If you completed the Network Performance Monitor Getting Started Guide, you discovered routers and switches that you want to manage with NTA. There is no discovery specific to NTA. If you have not discovered these types of network devices, discover your network, add discovered devices to Orion, and then return to the NetFlow Traffic Analyzer Getting Started Guide.

SolarWinds recommends that you begin by discovering a limited number of core routers and switches so that you can learn how to manage them with NTA. Then you can add more devices to scale your deployment.

If you are unsure if you discovered any network devices, log in to the Orion Web Console and click My Dashboards > Network > Network Summary. The All Nodes managed by NPM resource lists all network devices discovered and added to Orion for monitoring.

What protocols does SolarWinds NTA support?

SolarWinds NTA collects and monitors interface-level flow data, and helps you identify consumers of bandwidth. Flow data comes to SolarWinds NTA using one of many protocols.

Reduce the amount of NetFlow traffic that SolarWinds NTA processes by selectively specifying monitored protocols. Specified protocols depend on the device type, as each device supports different types of protocols. Check your vendor's documentation to determine the correct protocols.

Difference between sampled and non-sampled flow:

- Sampled flow: Collects less data and provides only a sample. This prevents the network from overloading.
- Non-sampled flow: Collects all data.

SolarWinds NTA supports these flow-enabled devices:

NetFlow
  Supported versions: v1, v5, and v9. NetFlow version 9 is configured the same as NetFlow version 5, but uses a predefined template that is exported in separate flows. Flexible NetFlow is based on NetFlow version 9, but the fields are defined during configuration. NetFlow v9 must have an appropriate template with all required fields.
  Sampled flow support: v5 and v9. Some devices using IOS versions export flows without specifying that they are being sampled. SolarWinds NTA processes these flows as unsampled.

sFlow
  Supported versions: v2, v4, and v5.
  Sampled flow support: Supported.

J-Flow
  Supported versions: Supported.
  Sampled flow support: Supported. Some devices using JunOS versions export flows without specifying that they are being sampled. SolarWinds NTA processes these flows as unsampled.

IPFIX
  Supported versions: Supports IPFIX generated by ESX 5.1 and later, for IPv4 traffic.
  Sampled flow support: Supported.

NetStream
  Supported versions: v5 and v9.
  Sampled flow support: Supported.

NetFlow Lite
  Supported versions: Supported on the following devices: Cisco Catalyst 2960-X, Cisco Catalyst 2960-XR, Cisco Catalyst 3560-CX, Cisco Catalyst 2960-CX.
  Sampled flow support: Supported.

Cisco Wireless Controller NetFlow
  Supported versions: Supported on the following devices with the ipv4_client_app_flow_record template: Cisco 2504 WLC, Cisco 5508 WLC, Cisco 5520 WLC, Cisco Flex 7510 WLC, Cisco 8510 WLC, Cisco 8540 WLC, Cisco WiSM2.
  Sampled flow support: Not supported.

Flow environment best practices

This section provides recommendations for setting your flow environment.

Determine where to enable flow

SolarWinds NTA can capture and store vast amounts of flow data. To make the best use of SolarWinds NTA, use the following guidelines to make decisions about where to capture enabled flow data.

- Understand your network and identify the types of problems you want to solve by capturing flow data.
- If you are unsure of where to begin, enable flow data at the core layer, let SolarWinds NTA run for a period of time (for example, a week), and review the SolarWinds NTA resources in the SolarWinds Orion Web Console to determine if the data collected is sufficient. If you need more flow data, move to the distribution layer.
- Due to the proliferation of duplicate data, SolarWinds recommends that you do not enable flows at the access layer.
- If you want to monitor internal traffic and internet traffic, enable ingress and egress interfaces.
- To capture the entire network conversation, enable ingress and egress on the external interfaces of a single node, or enable ingress only on all interfaces on the node.

Be mindful of directionality and duplication

If your devices are configured to export NetFlow on both ingress and egress interfaces, you might see duplicate traffic in the Summary resources. Duplicate flows can occur in the following cases:

- You have both ip flow ingress and ip flow egress applied for all interfaces on a device.
- You have set ip flow ingress on some interfaces and ip flow egress on other interfaces.
- On your serial interfaces with subinterfaces, you have NetFlow export enabled on both the physical and logical interfaces.
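
The three duplication cases above can be checked against a device configuration before flow export is enabled. The following is an added example, not part of the SolarWinds guide or product: it scans an IOS-style configuration for ip flow ingress and ip flow egress statements and reports each case per interface. The sample configuration, the function names, and the result keys are constructed for the illustration.

```python
import re

# Constructed IOS-style configuration for illustration; not from a real device.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip flow ingress
 ip flow egress
!
interface FastEthernet0/1
 ip flow ingress
!
interface Serial0/0
 ip flow ingress
!
interface Serial0/0.1 point-to-point
 ip flow ingress
!
interface Serial0/1
 ip flow egress
!
"""

def parse_flow_directions(config):
    """Map each interface name to the set of flow directions enabled on it."""
    directions, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface\s+(\S+)", line)
        if header:
            current = header.group(1)
            directions[current] = set()
        elif not line.startswith(" "):
            current = None  # left the interface block
        elif current:
            flow = re.fullmatch(r"\s+ip flow (ingress|egress)\s*", line)
            if flow:
                directions[current].add(flow.group(1))
    return directions

def find_duplication_risks(config):
    """Report the three duplicate-flow cases listed in the guide."""
    flows = {n: d for n, d in parse_flow_directions(config).items() if d}
    ingress_only = sorted(n for n, d in flows.items() if d == {"ingress"})
    egress_only = sorted(n for n, d in flows.items() if d == {"egress"})
    return {
        # Case 1 (checked per interface): ingress and egress both applied.
        "both_directions": sorted(n for n, d in flows.items() if len(d) == 2),
        # Case 2: ingress on some interfaces, egress on others.
        "mixed_directions": ingress_only + egress_only if ingress_only and egress_only else [],
        # Case 3: export enabled on a serial interface and on its subinterface.
        "physical_and_subinterface": sorted(
            n for n in flows
            if n.startswith("Serial") and "." in n and n.split(".", 1)[0] in flows
        ),
    }

if __name__ == "__main__":
    for case, names in find_duplication_risks(SAMPLE_CONFIG).items():
        print(f"{case}: {', '.join(names) or 'none'}")
```
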

Set the retention period

Retention period specifies the time for which flow data are stored in the database until they expire and are permanently deleted. The default retention period is set to 30 days.

1. Click Settings > All Settings.
2. Under Product Specific Settings, click NTA Settings.
3. Scroll down to the Database Settings section.
4. In the Retention Period field, enter the number of days after which flow data is deleted.
5. In the Delete Expired Data list, select a frequency.
6. Click Save.

Enable a device to send flow data to SolarWinds NTA

To communicate the traffic-related data about a device, the device must be configured to send, push, or export the data to SolarWinds NTA. If you do not configure your device to send data, the Orion Web Console is not populated with flow data.

Requirements

- Your interfaces must be discovered and added to the Orion database.
- The interface index number for an interface in the SolarWinds Orion database (interface table) must match the index number in the collected flow data.

After it collects NetFlow traffic data, SolarWinds NTA analyzes device bandwidth usage in terms of source and destination endpoints of conversations reflected in traffic. It can take up to 5 minutes for data to populate in SolarWinds NTA.

The image below provides an example of NetFlow-enabled nodes listed in SolarWinds NTA, with a recent time posted for collected flow.

Enable a device to send flow data

For a specific example, see the article Enable NetFlow export on a Cisco model 2610 router.
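
The interface index requirement above, and the earlier note that some devices export flows without declaring sampling, both come down to fields carried in the export datagram itself. The following is an added example, not part of the SolarWinds guide or product code: a minimal NetFlow v5 parser that extracts the input and output interface indexes from each record for comparison with an inventory, and reads the sampling field from the header. The datagram, the inventory set, and all function names are constructed for the illustration.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Return (header, records) for one NetFlow v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count, *_, sampling = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram truncated: fewer records than the header declares")
    header = {
        "count": count,
        "sampling_mode": sampling >> 14,         # top 2 bits of the field
        "sampling_interval": sampling & 0x3FFF,  # low 14 bits of the field
    }
    records = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "input_if": f[3], "output_if": f[4], "octets": f[6],
        })
    return header, records

def check_export(datagram, known_ifindexes):
    """Flag ifIndex values missing from the inventory and report declared sampling."""
    header, records = parse_v5(datagram)
    seen = {r[k] for r in records for k in ("input_if", "output_if")}
    # Assumption: index 0 means "no interface" (for example dropped traffic), so skip it.
    unknown = sorted(i for i in seen if i != 0 and i not in known_ifindexes)
    return {
        "declares_sampling": header["sampling_mode"] != 0 or header["sampling_interval"] != 0,
        "sampling_interval": header["sampling_interval"],
        "unknown_ifindexes": unknown,
    }

def build_sample(sampling_field):
    """Constructed datagram with two flows; all values are made up for the example."""
    flows = [("10.0.0.5", "192.0.2.10", 3, 7, 1500), ("10.0.0.6", "192.0.2.11", 3, 99, 400)]
    data = HEADER.pack(5, len(flows), 1000, 1543795200, 0, 1, 0, 0, sampling_field)
    for src, dst, in_if, out_if, octets in flows:
        data += RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                            in_if, out_if, 1, octets, 0, 0, 1024, 443,
                            0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return data

if __name__ == "__main__":
    inventory = {3, 7}  # hypothetical ifIndex values known to the monitoring inventory
    print(check_export(build_sample(0), inventory))
    print(check_export(build_sample((1 << 14) | 100), inventory))
```

An exporter that is configured for sampling but sends a zero sampling field is the case the guide describes as being processed as unsampled, so byte counts from it understate real traffic.
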

Identify consumers of interface bandwidth

High bandwidth utilization causes many network performance issues. You can address these situations proactively with SolarWinds NTA by modifying out-of-the-box alerts. The High Receive Percent Utilization with Top Talkers and High Transmit Percent Utilization with Top Talkers alerts are triggered when the percent utilization of an interface rises above 75%. You can adjust the threshold value and configure the alert to send an email to you.

The following scenario assumes that bandwidth capacity is a concern of yours, and walks you through how to identify top talkers that are consuming bandwidth. The information in these examples helps you determine if top consumers of interface bandwidth are using resources for business purposes (and therefore need to add capacity), or if you should block top talkers.

For more information about alerts, see the NPM Getting Started Guide. You can also create your own alert on bandwidth utilization with custom trigger conditions and actions. For more information about creating custom alerts, see the NPM Administrator Guide.

Change the threshold for Top Talker alerts

The High Receive Percent Utilization with Top Talkers and High Transmit Percent Utilization with Top Talkers alerts are out-of-the-box alerts. They are sent from SolarWinds NPM and help you monitor the bandwidth utilization. For more information about alerts, see the NPM Getting Started Guide.

The Top Talker alerts use a default utilization threshold of 75%. According to your internal business guidelines regarding bandwidth utilization, you want to be notified when bandwidth utilization exceeds 70%. When the utilization exceeds 70%, a configured email notification is triggered.

The following example shows how to duplicate the High Receive Percent Utilization with Top Talkers alert, and change the trigger condition.

1. Click Alerts & Activity > Alerts.
2. Click Manage Alerts.
3. In the Group By field, select Trigger Actions Type.
4. In the Group By field, select Email a Web Page.
5. Select the High Receive Percent Utilization with Top Talkers alert.
6. Click Duplicate & Edit.
7. Under Enabled, turn the alert On and select how often the trigger condition should be checked.
8. On Trigger Condition, change the utilization percent to 70.
9. On Time of Day, schedule when to run the alert.
10. Complete the Trigger Actions and Reset Actions panels as necessary.

    If there are endpoint-centric resources on the Interface Details page when it is captured for a top talker alert notification, the links to those resources are non-functional in the email. The information in the alert notification is not customizable.
11. Review the Summary, and click Submit.

Identify top talkers when the interface bandwidth utilization alert is triggered

This scenario assumes that you have created an Orion alert on bandwidth utilization for a specific interface, and that the alert has been triggered when interface bandwidth utilization reached 70%. You investigate the top talkers after this alert triggered.

1. When you click the link in the alert email, you are redirected to the NetFlow Interface Details for Alerts page in the Orion Web Console, and to the interface that triggered the alert.
2. Review the Top 5 Endpoints resource. You notice that endpoint 1e100.net (YouTube) is consuming a majority of your bandwidth.
3. In the Top 5 Endpoints resource, click on the endpoint to navigate to the details.
4. Review the Top 5 Conversations resource and identify the individuals that are consuming bandwidth.

The following example shows a considerable amount of utilization on the Ethernet1 WAN (NetFlow) interface of the Internet Gateway 3725 node.

Keep close track of bandwidth utilization

Use the Flow Navigator application to filter your SolarWinds NTA views and add them directly to the Views toolbar. There are many ways to filter flow data. In this example, you have already identified consumers of interface bandwidth. Now you want to create a filtered view that includes the interface so that you can keep close track of bandwidth utilization.

1. From the NetFlow Interface Details page, click Flow Navigator.
2. In Time period, select Relative Time Period > 1 month.
3. In Flow Direction, select Ingress.
4. In NBAR2 Applications, select youtube.
5. Click Submit.

Bandwidth capacity planning and analysis

Use SolarWinds NTA to monitor interface-level network bandwidth and traffic patterns over the course of months, days, or minutes. SolarWinds NTA converts flow data into charts and tables that quantify exactly how a network is being used, by whom, and for what purpose. This can help you to:

- Find the source of bandwidth use by application, protocol, and IP address group.
- Analyze traffic patterns over months, days, or minutes by drilling down into any network element.
- Specify whether network slowness caused by high bandwidth utilization is business related or private.
- Define whether or not you need additional bandwidth.
- Customize and deliver detailed network traffic and bandwidth reports.

Generate a WAN Interfaces Last 7 Days report

In SolarWinds NTA, flow data are stored in the NTA Flow Storage Database and CBQoS data are stored in the SolarWinds Orion database. Over time, both databases accumulate a large amount of information. SolarWinds offers a broad array of predefined reports, and the ability for you to create custom reports. For more information about reports, see the NPM Administrator Guide.

The report Average and Peak Traffic Rates - WAN Interfaces Last 7 Days displays the average and peak traffic rates for each WAN interface over the last week. Using this report helps you monitor bandwidth utilization and plan for future capacity needs.

1. Click Reports > All Reports.
2. Under Group By, select Report Category > Historical Traffic Reports.
3. Select Average and Peak Traffic Rates - WAN Interfaces Last 7 Days to display the report.

The report provides the following values:

- Average receive bps.
- Peak receive bps.
- Average transmit bps.
- Peak transmit bps.
- MAC address.

Beyond getting started

You have completed the SolarWinds NTA Getting Started Guide. To learn more about SolarWinds NTA, see these additional resources:

- If you need implementation help, contact our Support team. Read the SolarWinds Customer Support Information article to learn how to properly open a support case and get your case the right level of visibility.
- SolarWinds NTA Administrator Guide.
- SolarWinds NTA on THWACK.
- SolarWinds NTA Release Notes.