FlowMonitorUG Cover 15 - Docs.ipswitch


WhatsUp Gold v15.0 Flow Monitor User Guide

Contents

CHAPTER 1 Flow Monitor Overview
  Welcome to WhatsUp Gold Flow Monitor
  What is Flow Monitor?
  How does Flow Monitor work?
  System requirements
  Flow Monitor Home

CHAPTER 2 Preparing network devices
  Determining which network devices to monitor
  Manually configuring devices to export flow data to Flow Monitor
  Configuring sFlow enabled devices to export flow data to Flow Monitor
  About Flexible NetFlow
  Configuring Flexible NetFlow on a Cisco device
  About Network Based Application Recognition (NBAR)
  Configuring NBAR on a Cisco device
  About CBQoS
  Configuring CBQoS on a Cisco device
  Viewing potential Flow Monitor sources
  Using Flow Monitor to Configure Cisco NetFlow Devices

CHAPTER 3 Managing Flow Sources
  About Flow Sources
  Configuring Flow Monitor to listen for NetFlow data
  Viewing Flow Sources
  Configuring a Flow Source
  Creating an Aggregate source
  Configuring Flow Source Access Rights
  Configuring Flow Interface Properties
  Creating flow sources

CHAPTER 4 Managing Flow Monitor Settings
  Flow Monitor Settings
  Configure Flow Monitor to listen for NetFlow data
  Setting the logging level
  Data retention strategy and tuning
  Configuring data retention settings

CHAPTER 5 Configuring Applications
  Monitoring traffic on non-standard ports
  Configure Applications
  Map Ports to Application

CHAPTER 6 Configuring Flow Groups
  Using Flow Groups
  WUG15.0 - NF - Flow Groups
  NF - Flow Group

CHAPTER 7 Configuring Type of Service
  Flow Types of Service
  Edit Flow Type of Service

CHAPTER 8 Managing unclassified traffic
  Classifying traffic that is considered unclassified
  Flow Unclassified Traffic

CHAPTER 9 Configuring Data Export Settings
  Flow Export Settings

CHAPTER 10 Maintaining Flow Databases
  Flow Database Table Maintenance
  Stopping or restarting the collector
  Backing up and restoring the Flow Monitor databases
  Using the database backup and restore backup utility for Flow Monitor

  Managing users and user rights

CHAPTER 11 Using Flow Monitor reports
  About the Flow Monitor Reports group
  About the Interface Details report
  General view
  NetFlow Interface Details
  Managing report views
  Selecting an interface
  Filtering data in a view
  Interface Details - Options
  Flow Monitor Interface Overview report
  Filtering report data
  Interface Overview - Options
  Flow Log
  Filtering report data
  Flow Monitor Log - Options
  Flow Bandwidth Usage report
  Selecting an interface
  Filtering report data
  Flow Interface Usage Report
  Configure Interface Usage Report Columns
  Interface Usage - Options
  About the NBAR and CBQoS Reports
  Using Scheduled Reports: printing, exporting, and emailing reports

CHAPTER 12 Using Flow Monitor dashboard reports
  Understanding Flow Monitor dashboard reports
  Flow Monitor dashboard report types
  Navigating dashboard reports
  Using the dashboard report menu
  Using links in Flow Monitor dashboard reports
  Using zoom controls on line graphs
  Using informational tooltips
  Configuring dashboard reports
  Filtering Flow Monitor workspace reports in WhatsUp Gold
  Exporting dashboard report data
  Configuring export settings
  Linking to Flow Monitor reports from WhatsUp Gold workspace reports

CHAPTER 1
Flow Monitor Overview

In This Chapter
  Welcome to WhatsUp Gold Flow Monitor
  What is Flow Monitor?
  How does Flow Monitor work?
  System requirements
  Flow Monitor Home

Welcome to WhatsUp Gold Flow Monitor

Flow Monitor collects, analyzes, and reports on NetFlow, sFlow, J-Flow (sampled NetFlow), or IP Flow Information Export (IPFIX) data from routers, switches, and other network devices, creating visible trends and patterns in network bandwidth utilization. Flow Monitor offers versatile reporting on the hosts generating and receiving traffic and the applications over which traffic is transmitted.

This help system includes information about the features and benefits of WhatsUp Flow Monitor. For more information, use the Contents, Index, or Search to the left, or select one of the sections below.

- WhatsUp Flow Monitor Overview
  Learn about the NetFlow protocol, discover how Flow Monitor works, and view system requirements for Flow Monitor.
- Configuring Flow Monitor
  Discover how to configure NetFlow sources to send data to Flow Monitor, define traffic over non-standard ports, manage users, and maintain the Flow Monitor database.
- Navigating Flow Monitor
  Find out about the features of the Flow Monitor home page and learn how to search for traffic to or from a specific host.
- Using Reports
  Learn about the Flow Interface Details report, the Flow Interface Overview report, the Flow Bandwidth Usage report, and the Flow Log. Explore using dashboard reports in Flow Monitor and in WhatsUp Gold.

Using WhatsUp Gold Flow Monitor

What is Flow Monitor?

WhatsUp Gold Flow Monitor is a network traffic monitor that lets you gather, analyze and report on network traffic patterns and bandwidth utilization in real-time.

WhatsUp Flow Monitor:

- Uses network protocols such as NetFlow, sFlow, J-Flow and IPFIX to collect and analyze information about the traffic on a router, switch, or other network device.
- Highlights overall utilization for the LAN or WAN, individual devices, or specific interfaces, and provides information about the users, applications and protocols that consume network resources.
- Provides reports that allow you to:
  - View network usage trends to determine when to upgrade hardware to increase network capacity.
  - Recognize and correct network configuration issues that may needlessly consume network resources or expose your network to security vulnerabilities.
  - Identify traffic which may indicate undesired network usage, such as unauthorized use of peer-to-peer file sharing applications or a denial-of-service attack against your organization.
  - Troubleshoot and correct causes of spikes in network traffic before they become problems.

How does Flow Monitor work?

What is NetFlow?

NetFlow is a protocol used to collect data about network IP traffic and is used to monitor and record network usage, give indications of traffic routes and provide data in support of traffic accounting, usage-based billing and other network related activities. This data is classified using the concept of a network flow.

A network flow is a unidirectional sequence of packets that has the following characteristics in common:

- Source IP address and port number
- Destination IP address and port number
- IP Protocol
- Ingress interface
- IP Type of Service (ToS)
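The flow definition above, worked through as an added example that is not part of the original guide or of Flow Monitor itself: a minimal decoder for a NetFlow version 5 export datagram that groups records by the listed key fields and shows that the reverse direction of a conversation is a separate flow. The function names are hypothetical, the fixed v5 record layout is the one assumed, and the sample datagram is constructed from documentation addresses.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Decode one v5 export datagram into (flow_key, packets, octets) tuples."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("record count in header exceeds datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # Key fields in the order listed above: source IP and port,
        # destination IP and port, IP protocol, ingress interface, ToS.
        key = (str(IPv4Address(f[0])), f[9], str(IPv4Address(f[1])), f[10],
               f[13], f[3], f[14])
        flows.append((key, f[5], f[6]))
    return flows

def aggregate(flows):
    """Sum packets and octets for records that share the same flow key."""
    totals = defaultdict(lambda: [0, 0])
    for key, pkts, octets in flows:
        totals[key][0] += pkts
        totals[key][1] += octets
    return {key: tuple(v) for key, v in totals.items()}

def build_sample():
    """Constructed datagram: two records for one flow plus its reverse direction."""
    def rec(src, sport, dst, dport, proto, in_if, tos, pkts, octets):
        return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                           bytes(4), in_if, 0, pkts, octets, 0, 0, sport, dport,
                           0, 0, proto, tos, 0, 0, 0, 0, 0)
    records = [rec("192.0.2.10", 51000, "198.51.100.5", 443, 6, 1, 0, 10, 4000),
               rec("192.0.2.10", 51000, "198.51.100.5", 443, 6, 1, 0, 5, 2000),
               rec("198.51.100.5", 443, "192.0.2.10", 51000, 6, 2, 0, 8, 9000)]
    return HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + b"".join(records)

if __name__ == "__main__":
    for key, (pkts, octets) in aggregate(parse_v5(build_sample())).items():
        print(key, pkts, "packets", octets, "octets")
```

The length and version checks matter on a collector because export datagrams arrive over the network from devices it does not control; a header whose record count overstates the payload is rejected before any record is unpacked.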

How does NetFlow work?

To capture, transmit and analyze NetFlow data the following NetFlow enabled components must be in place:

- NetFlow exporter. Observes packet data and creates records from the monitored network traffic and transmits that data to the NetFlow collector.
- NetFlow collector. Collects the records sent from the exporter, stores them in a local database and forwards the records to an analyzer.
- NetFlow analyzer. Analyzes the NetFlow records for information of interest, which may include bandwidth usage, policy adherence, and forensic research.

Note: The exporter can be either an included function of the network device, such as the NetFlow export functionality on Cisco routers, or it can be an external probe configured to monitor one or more interfaces on the device, such as the Ipswitch NetFlow Probe.

How does Flow Monitor fit into the NetFlow architecture?

Flow Monitor acts as a flow collector and analyzer, providing a central location for the collection, summarization, storage and analysis of network traffic data. This network traffic data is captured as flow data, and is delivered by network monitoring protocols implemented on network devices throughout the network. When a router or other device sends flow data to Flow Monitor, it follows the process shown below.

1. The router gathers information about the traffic that is passing through it and summarizes that data into a NetFlow, sFlow, J-Flow (sampled NetFlow) or IP Flow Information Export (IPFIX) export datagram.

2. The router sends the flow export to Flow Monitor, which acts as a flow collector.

Note: sFlow data is sent every x number of packets (configurable on the sFlow device), whereas all NetFlow data is collected and monitored. This means that sFlow data provides a sampling of network traffic data, whereas NetFlow data provides all network traffic data.

3. The Flow Monitor collector stores the NetFlow, sFlow, J-Flow (sampled NetFlow) or IP Flow Information Export (IPFIX) export in the database.

4. When the report data is viewed on the web interface, Flow Monitor retrieves the data from the database and manipulates it to produce the report.

Tip: Flow Monitor can collect and generate reports for Flow data from multiple devices.

System requirements

WhatsUp Gold Flow Monitor has the same base system tes) as WhatsUp Gold. In addition, WhatsUp Gold Flow Monitor requires:

- WhatsUp Gold Standard Edition, Premium Edition, MSP Edition, or Distributed Edition
- One or both of the following:
  - At least one routing device that supports NetFlow versions 1, 5, 7, and 9, sFlow versions 2 and 5, J-Flow (sampled NetFlow) or IP Flow Information Export (IPFIX).
  - A Flow Publisher monitoring a flow source.
- 32-bit MS SQL Server 2005 Standard or Enterprise Edition, 32-bit or 64-bit Microsoft SQL Server 2008 Standard or Enterprise Edition, or 32-bit or 64-bit Microsoft SQL Server Cluster 2005, 2008, or 2008 R2 (all editions except Microsoft SQL Server Express edition)

Note: WhatsUp Gold Flow Monitor is more demanding on the database than WhatsUp Gold. While WhatsUp Gold Flow Monitor can successfully use SQL Server 2005 Express, we recommend either 32-bit MS SQL Server 2005 Standard or Enterprise Edition or 32-bit or 64-bit Microsoft SQL Server 2008 Standard or Enterprise Edition for best performance.

- 2 GHz dual-core processor (required) to quad-core processor (recommended)
- An additional 2 (required) to 4 GB RAM (recommended)
- 16 GB (required) to 22 GB (recommended) hard disk space for the databases

Note: If using Microsoft SQL Server 2005 or Microsoft SQL Server 2008, the database size is limited by available hard disk space.

Flow Monitor Home

The Flow Monitor Flow Sources page provides a summary of the current usage and status of Flow Monitor sources, and acts as the Home page for the Flow Monitor plug-in. The left and right panes of the content pane display different types of data; Flow Sources on
