This document is divided into three sections. The first one describes a procedure to help you start monitoring Netflow and the two others will focus on how to customize the filters and rules to adjust for more advanced needs.
I. Starting with Netflow
1. Adding a Netflow device1. Follow the Cisco procedure in the link below to enable your Cisco Device to send netflow records to Xian NM. Most likely, your Xian NM Installation is on a single machine, use the IP address that belongs to that computer. If not, use the IP address of the machine where the Xian NM Network Manager Server service is running.
Note: Make sure that you enabled Netflow monitoring during the installation procedure.
2. Now that the device has “Netflow” enabled, you need to add it to Xian Network Manager. This is a simple procedure which can be done by clicking on the add device icon in the toolbar. Select Flow in the Select plugin menu that displays and click OK.
3. At this time, the rule wizard window appears. In the Parameters tab, click on the Add button and enter the required device parameters. Make sure to provide the correct IP Address and Port of the device. A mistake might cause the NetFlow records to not be received and processed.
4. Now the device is added and a policy template has been automatically applied to it. At present you are already monitoring the following traffic flows:
Skype incoming traffic. This rule will show you the incoming traffic aggregated towards local IP Addresses.
Source DHCP traffic. This rule will show you the IP address that are broadcasting DHCP.
SQL Server outgoing traffic. Basically shows how much SQL server traffic is being broadcasted by SQL Servers in your network.
Incoming traffic to well-known ports. This rule shows the traffic on the most common ports aggregated by Destination local IP address.
Total traffic by protocols. This shows the traffic usage aggregated by protocol.
Downloaded HTTP Traffic to local IPs: Shows traffic going over port 80 towards local IP addresses coming from public addresses. It is aggregated by the destination addresses to the local IPs
Downloaded HTTPs Traffic to local IPs: Shows traffic going over port 443 towards local IP addresses coming from public addresses. It is aggregated by the destination addresses to the local IPs
Downloaded FTP Traffic to local IPs: Shows traffic going over port 20,21 towards local IP addresses coming from public addresses. It is aggregated by the destination addresses to the local IPs
Incoming traffic inside the local network. Shows the amount of internal traffic aggregated by destination IP addresses
Outgoing traffic from local IPs to public IPs. Shows the traffic going over port 80 and 443 to public IP addresses and is aggregated by destination (public) IP addresses
HTTPs Incoming traffic. Shows the amount of traffic using port 443 that goes around your network independently if it goes or comes from a public or private IP
FTP Incoming traffic. Shows the amount of traffic using port 20 and 21 that goes around your network independently if it goes or comes from a public or private IP
HTTP Incoming traffic. Shows the amount of traffic using port 80 that goes around your network independently if it goes or comes from a public or private IP
5. Now that the first filters and rules are running, the device performance counters and alerts should be available in Operations Manager views.
II. Advanced Netflow configuration: Setting up customized filters1. To be able to monitor specific traffic flows that are not delivered out of the box by Xian NM, you can create your own filters and create rules using them. First, you need to have a clear idea of what you want to monitor. The following points will help you to define this criteria in an easy way:
- How do you want to aggregate the data? (for example by port, destination IP address, etc).
- Do you want to filter on a specific characteristic? (For example you want to check on a specific source port for an application or a protocol)
3. In the filter wizard you’ll find three tabs. Parameters, Aggregations and Filters.
Parameters: In this field you give your filter a name and a short description
Aggregation: In this field you indicate what kind of elements you want to create for monitoring. For example, if you choose Source IP it means that the elements created in operations manager will be based on the source IP. You can also create thresholds for this element. In this way, you can later on create a rule that monitors the amount of traffic for an IP address that is sending data.
Filters: This wizard will allow you to narrow down the traffic monitored. Maybe you’re only interested in port 80 traffic or only a specific protocol. (See appendix 1 for the specific Protocol numbers). Also, you can filter on a specific port which makes it possible to check out the behavior of a specific application. For example port 443 for HTTPS.
III. Advanced Netflow configuration: creating rulesThe creation of filters is not enough to start monitoring, you have to activate these filters by creating rules. This is easily done from the device properties window.
1. Go to the Active Rules tab and select a rule on the right side and click on Add.
2. Now choose if you want to add ‘bytes per second’ or ‘packets per second’
3. Now the rule wizard will appear. In the Filter tab you select the filter you want to use as a base for this rule. It can be any filter that came out of the box or one that you created yourself.
- Dynamic: This threshold is a moving average over the past N datapoints and can be set with conservative, loose or normal prediction type.
- Automatic : This is a threshold that is calculated over a number of datapoints and then set fixed (manual)
- Manual: If you opt for this threshold you have the power to decide all aspects pertaining to that threshold.
6. In the Schedule tab you define the intervals in which you want the rule to run. It is recommended not to use too low of an interval because it could cause significant decrease in the server’s performance. A good best practice is a value in between 10 to 30 minutes.
7. In the active rule options tab you have the option of defining the severity level. This is the alert level that is sent to Operations Manager. It is a good best practice to use critical only for those levels that are set with a manual threshold and warning for the automatic or dynamic ones. This is done to avoid generating false alerts.
Also, in this tab you have the choice to disable the option of sending performance data to Operations Manager. Use this option if you are only interested in the alerts above or under a certain threshold. It can reduce the load on the environment.
In the name field you have the option to add additional information to the rule name. This information is also sent with the alert to Operations Manager. This is useful if you have multiple rules with the same or similar name in order to prevent confusion.
Under normal circumstances, it is not required to make any changes to these fields and you should be able to leave them with the default values.
Also, you can define if the disable elements feature should be applied over that new element and with which limit.
If you have any questions, do not hesitate to contact our tech support team.