

Configuring Monitoring for NetFlow

Overview

Network traffic flow monitoring is the ability to collect IP network traffic as it enters or exits an interface. LogicMonitor can monitor network traffic flow data for any devices that support common flow export protocols.

Specifically, LogicMonitor Collectors are configured to receive and analyze exported flow statistics for a device. The statistics that a LogicMonitor Collector can report on include:

  • Top talkers
  • Top source/destination endpoints
  • Top flows
  • Top ports
  • Top applications
  • Quality of service (QoS)

System Requirements

Before assigning a LogicMonitor Collector as the recipient of a device’s exported network flows, review the following system requirements and recommended best practices.

Protocols Supported

LogicMonitor Collectors support a variety of network flow export protocols, including:

  • NetFlow versions 5, 7 and 9
  • Flexible NetFlow (requires the same configuration as version 9)
  • IPFIX (sometimes referred to as NetFlow version 10)
  • sFlow versions 1 and 3 (version 2 is not supported)
  • JFlow (version 5)
  • NBAR2 (only available for LogicMonitor Enterprise users)

Note: NetFlow Lite is not supported.

LogicMonitor Collector Requirements

Ensure that your Collector has the capacity to comfortably monitor network traffic flows. See Collector Capacity for a sample set of network flow capacity limits across various environments.

Requirements for NBAR2

If you intend to collect Next Generation Network based Application Recognition (NBAR2) data, you must set the netflow.nbar.enable property on the LogicMonitor Collector to TRUE (it is FALSE by default), as discussed in the Configuring the LogicMonitor Collector for Network Traffic Flow Monitoring section of this article.

Note: The ability to collect NBAR2 data within LogicMonitor is only available to LogicMonitor Enterprise users. Additionally, the LogicMonitor Collector that is collecting this data must be version 29.101 or higher.

Recommended Best Practices

  • Minimize network hops between the LogicMonitor Collector and the device. Network flow records are sent using the UDP communications protocol. Because UDP delivery is not guaranteed, try to ensure the LogicMonitor Collector is as few network hops as possible from the device generating network traffic flow records, in order to minimize potential flow disruption due to network congestion or complexity.
  • Synchronize clocks. Network traffic data consists of detailed, real-time statistics on network traffic. Therefore, to avoid confusing discrepancies, it is critical to synchronize clocks between the transmitting device and the device that is hosting the LogicMonitor Collector. This is best accomplished via the NTP protocol. Additionally, if the devices are located in different time zones, consider using UTC or standardizing on a single time zone.
  • Eliminate port conflicts. The Collector host that is collecting network traffic data must not have any other application (e.g. another network traffic analyzer) listening on the specified port. Such a conflict can cause contention and prevent traffic data from displaying in LogicMonitor.

Enabling Network Traffic Monitoring in LogicMonitor

Network traffic monitoring is enabled in LogicMonitor on a per-device basis. It can be enabled when first adding a device into monitoring (in expert mode) or at any point thereafter.

To enable network traffic monitoring for a device:

  1. Navigate to the Resources page and, from the Resources tree, find the device for which you want to enable network traffic monitoring.
  2. With the device selected, click the Manage button located in the header.
  3. From the Manage dialog, check the Enable Network Flow Analysis option.

  4. From the Network Flow Collector field that dynamically displays, identify the Collector that will be used to receive exported network flow data. A specific Collector must be specified; you cannot assign network flow collection duties to an Auto-Balanced Collector Group.

    Note: The Collector assigned to network traffic flow monitoring can be different from the Collector assigned to device monitoring. Dedicating a Collector solely to network traffic flow data lets you better control load, or centralize all network flow activity on a few Collectors, minimizing the number of firewall ports that must be opened on Collector hosts.

    Note: If you intend to collect NBAR2 data for a device, which requires LogicMonitor Enterprise and Collector version 29.101 or higher, you must additionally set the netflow.nbar.enable property on the LogicMonitor Collector to TRUE (it is FALSE by default). See the Configuring the LogicMonitor Collector for Network Traffic Flow Monitoring section of this article for more information.

  5. Click Save.

Note: If your network flow exporter is sending data from an IP address that is not the same as the monitored IP of the device (as configured in LogicMonitor), customize the netflow.allowips property on the device with the IP address(es) from which network flow originates. This property accepts either a single IP or a comma-separated list as its value; it does not accept a range. For more information on properties, see Resource and Instance Properties.

Configuring the LogicMonitor Collector for Network Traffic Flow Monitoring

By default, Collectors install with standard network traffic flow monitoring settings that, for most use cases, do not require modification. However, these settings are configurable, allowing you to override defaults to meet the unique needs of your monitoring environment.

Collector network flow settings (name, type, default, and details):

  • netflow.enable (Boolean; default TRUE): If TRUE, the network flow module is enabled on the Collector.
  • netflow.ports (Integer; default 2055): The UDP listening port for network flow protocol data. The UDP port on the device that is sending the flow data must match the UDP port specified here. Multiple ports can be configured if you need to support multiple protocols on multiple ports (for example, netflow.ports=2055,4739).
  • netflow.sflow.ports (Integer; default 6343): The UDP listening port for sFlow protocol data.
  • netflow.datadir (String; default netflow): The path of the HSQL database.
  • netflow.datadir.maxSizeInMB (Integer; default 10240): The maximum size (in megabytes) of the network flow data directory.
  • netflow.log.maxNumPerMinute (Integer; default 5): The maximum number of log entries that may be written during one minute of network flow monitoring.
  • netflow.netflow9.templateLife (Integer; default 720): The expiration time (in hours) of a NetFlow version 9 template.
  • netflow.topFlowSamples (Integer; default 1000): The maximum number of top-flow samples. The allowed range is 100 to 2000.
  • netflow.ignoreTimestampValidate (Boolean; default FALSE): If TRUE, the Collector ignores network flow device time information. Currently, the only known devices that require overriding the default FALSE value are SonicWalls.
  • netflow.nbar.enable (Boolean; default FALSE): If TRUE, the Collector begins parsing the applicationID and ApplicationType. LogicMonitor Enterprise and Collector version 29.101 or higher are required.
  • netflow.ipv6.enabled (Boolean; default TRUE): If FALSE, the Collector ignores flows with IPv6 addresses.
  • netflow.log.largeBytesOrPackets (Integer; default 1073741824): Logs flows with a packet or byte count larger than the specified integer to the Audit Logs.

Network flow settings are available for editing on a per-Collector basis from the Collector’s config file. For instructions, see Editing the Collector Config Files.

Enabling Network Traffic Flow Monitoring on Your Device

In addition to enabling network traffic flow monitoring in LogicMonitor, it must also be enabled on your device. Configurations vary widely depending on the device, vendor, network topology, and protocol you are using. In fact, there are more combinations and options than can possibly be covered in this document, and you will want to review manufacturer guidelines for your specific setup.

However, we have listed some basic requirements next, as well as sample NetFlow configurations.

Basic Device Configuration Requirements

Device configurations applicable to all protocols:

  • Network flow monitoring must be enabled per interface.
  • A version number should be specified.
  • A source interface for the flow exporter must be specified.
  • The UDP port configured for the exporter must match the port specified in the Collector’s agent.conf file, as discussed in the Configuring the LogicMonitor Collector for Network Traffic Flow Monitoring section of this article.
  • The clock on the device should be synchronized with the clock on the Collector host.
  • The IP address of the destination (the LogicMonitor Collector) must be specified.

Device configurations applicable to NetFlow version 9:

  • For NetFlow version 9, additional template configuration options must be set.

Device configurations applicable to sFlow:

  • For sFlow, packet data must be provided in the enterprise=0 and format=1 packet configuration as described in RFC2233.
  • sFlow uses port 6343.

Device configurations applicable to NBAR2:

  • In order for NBAR2 application information to be collected, the option application-table and option application-attributes must be enabled on the exporter configuration of the device. See Cisco’s NBAR Configuration Guide for more information.

    Note: NBAR2 data collection requires LogicMonitor Enterprise and Collector version 29.101 or higher.

Sample Configurations

Next we’ve highlighted sample NetFlow version 9 device configurations. Because these sample configurations have the potential to become outdated as Cisco makes updates, please refer to Cisco’s NetFlow Configuration and Flexible NetFlow Configuration guides to ensure up-to-date information.

Cisco IOS 3745 router – NetFlow Version 9, Main Cache Export

Configure global settings: source interface, NetFlow version, target NetFlow Collector, and UDP port.

To begin, enter the following at the command line:

Router#conf t

Then, enter the configurations for the global settings:

Router(config)#ip flow-export source FastEthernet0/0
Router(config)#ip flow-export version 9
Router(config)#ip flow-export destination 10.0.0.10 2055

Configure global template settings: refresh-rate, timeout-rate, and options.

To begin, enter the following at the command line:

Router#conf t

Then, enter the configurations for the global template settings:

Router(config)#ip flow-export template refresh-rate 15
Router(config)#ip flow-export template timeout-rate 90
Router(config)#ip flow-export template options export-stats
Router(config)#ip flow-export template options refresh-rate 25
Router(config)#ip flow-export template options timeout-rate 120

Configure the interface settings: enable route-cache flow

To begin, enter the following at the command line:

Router#conf t

Then, enter the configurations for the interface settings:

Router(config)#interface fa0/0
Router(config-if)#ip route-cache flow

Note (Palo Alto users): There is a limited ability to customize the name of Palo Alto interfaces. According to Palo Alto, the interface name cannot be edited. However, you do have the ability to append a numeric suffix to the interface name for subinterfaces, aggregate interfaces, VLAN interfaces, loopback interfaces, and tunnel interfaces.

Note (for Barracuda users): Those using Barracuda NG Firewalls exporting IPFIX/NetFlow v9 will need to consult Barracuda documentation for proper configuration. Specifically, you will need to adjust the following settings: change “Byte Order” to “LittleEndian” and change the IPFIX template for Export to “Default without Barracuda fields”.

Viewing Network Traffic Flow Data

Network traffic flow data is displayed on the Resources page (specifically the Traffic tab) for an enabled device. For more information, see Viewing, Filtering and Reporting on NetFlow Data.

Troubleshooting

If network traffic flow data is not displaying for an enabled device, there are some troubleshooting steps that can be taken.

Launch the Collector Debug Facility

The Collector Debug Facility can be used to remotely run NetFlow debug commands on your Collector. For example, !netflow func=diagnose <deviceId> [timezone] can be used to verify clock synchronization. For more information on Collector debug operations, see Using the Collector Debug Facility or contact technical support.

Review Common Issues

Next, we have identified several issues, along with troubleshooting steps, to help you resolve common network traffic flow monitoring issues that may arise.

Issue: No traffic data

  • Ensure network traffic flow is enabled in device management
  • Ensure your device is configured to send to the correct Collector and that the port is not blocked by a firewall
  • Ensure the time between the Collector and the device is synced
  • Run a packet capture to see if cflow packets are reaching the interface of the Collector host

Issue: Missing traffic on specific interfaces

  • In LogicMonitor, ensure the interface is being monitored by a datasource name starting with “snmp64_if” or named SNMP_Network_Interfaces.
  • In the Collector Debug Facility, run !netflow func=listDevices to ensure the interface index is listed
  • Run a packet capture on the Collector host with the filter set to cflow.inputint == 1 (where 1 is the index of the interface in question) to see if any flows are being sent to the Collector

Issue: No egress traffic

  • Run a packet capture on the Collector host with the filter set to cflow.direction == 1; if no packets are seen, check the device to ensure it is configured to provide egress

Issue: No NBAR2 data

  • Ensure the device config is not missing the collect application setting from the flow record (Cisco)
  • Ensure the device config is not missing the option application-table setting from the flow exporter (Cisco)

Issue: NBAR2 data is missing category data

  • Ensure the device config is not missing the option application-attributes from the flow exporter (Cisco)

Issue: Inconsistent UDP port configuration

  • Verify that the UDP port(s) specified on the device match the UDP port(s) specified on the Collector (as set by the netflow.ports configuration).
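To make the port check above and the earlier netflow.allowips note concrete, here is an added Python example (not LogicMonitor code) that parses a netflow.* fragment of agent.conf, validates netflow.ports / netflow.sflow.ports and the device-level netflow.allowips property (single IP or comma-separated list, no ranges), and reports why flows from a given exporter would not be accepted. The agent.conf fragment is constructed, and check_exporter and its rules are assumptions modelled on this article.

```python
import ipaddress

def parse_agent_conf(text: str) -> dict:
    """Parse key=value lines of a Collector agent.conf fragment (comments start with #)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def parse_port_list(value: str) -> set:
    """netflow.ports / netflow.sflow.ports: one UDP port or a comma-separated list."""
    ports = set()
    for item in value.split(","):
        port = int(item.strip())
        if not 1 <= port <= 65535:
            raise ValueError(f"UDP port out of range: {port}")
        ports.add(port)
    return ports

def parse_allow_ips(value: str) -> set:
    """netflow.allowips: single IP or comma-separated IPs; ranges and CIDR are rejected."""
    allowed = set()
    for item in value.split(","):
        item = item.strip()
        if not item: continue
        if "-" in item or "/" in item:
            raise ValueError(f"netflow.allowips does not accept ranges: {item!r}")
        allowed.add(ipaddress.ip_address(item))
    return allowed

def check_exporter(conf: dict, monitored_ip: str, allow_ips: str,
                   exporter_ip: str, dest_port: int, protocol: str = "netflow") -> list:
    """Assumed helper: reasons (empty if none) why flows from this exporter would be dropped."""
    problems = []
    key, default = ("netflow.sflow.ports", "6343") if protocol == "sflow" else ("netflow.ports", "2055")
    if conf.get("netflow.enable", "true").lower() != "true":
        problems.append("netflow.enable is not TRUE on the Collector")
    listening = parse_port_list(conf.get(key, default))
    if dest_port not in listening:
        problems.append(f"device exports to UDP {dest_port} but Collector {key}={sorted(listening)}")
    src = ipaddress.ip_address(exporter_ip)
    if src != ipaddress.ip_address(monitored_ip) and src not in parse_allow_ips(allow_ips):
        problems.append(f"flows originate from {exporter_ip}, which is neither the monitored IP nor in netflow.allowips")
    return problems

SAMPLE_CONF = "# constructed agent.conf fragment\nnetflow.enable=true\nnetflow.ports=2055,4739\nnetflow.sflow.ports=6343\n"
```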

Issue: Blocked/firewalled UDP port

  • Many UDP ports are automatically blocked by Windows firewalls or Linux iptables. On the Collector host, create an exception for the configured UDP port on inbound traffic to allow network traffic flow data to reach the LogicMonitor application. If there is a firewall or ACL between the device and the Collector, verify that the traffic for your configured UDP port is allowed.

Issue: Clock non-synchronization

  • As previously stated, it is crucial for the clock on the network device to be synchronized with the clock on the Collector. If the device clock is ahead or behind the Collector clock, flows may be discarded. LogicMonitor displays the Collector timestamp for the most recent flow update (LastData ReceiveTime), as well as the device timestamp for the exported flow (Timestamp In Last RawData). If these values are off by more than a minute, clock synchronization is the likely problem. It is highly recommended to use NTP to automatically synchronize the clocks to a standard and consistent time and timezone.
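As an added illustration of the clock check above (this is example code, not LogicMonitor's Collector or its !netflow diagnose command), the following Python decodes the NetFlow v9 packet header, compares the exporter's unix_secs with the Collector's receive time using the one-minute threshold from this article, and counts export packets lost in transit from the header sequence number (the UDP-loss point made under Recommended Best Practices). The packet bytes are constructed inline; the 60-second limit and the function names are assumptions.

```python
import struct

# NetFlow v9 packet header (RFC 3954), big-endian, 20 bytes:
# version, count, sysUptime (ms), unix_secs, package sequence, source ID.
V9_HEADER = struct.Struct("!HHIIII")
SKEW_LIMIT_SECONDS = 60  # assumed threshold: the article's "off by more than a minute"

def parse_v9_header(packet: bytes) -> dict:
    """Decode the v9 header; raises ValueError on a short or non-v9 packet."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("packet shorter than a NetFlow v9 header")
    version, count, uptime_ms, unix_secs, sequence, source_id = V9_HEADER.unpack_from(packet)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    return {"version": version, "count": count, "sys_uptime_ms": uptime_ms,
            "unix_secs": unix_secs, "sequence": sequence, "source_id": source_id}

def clock_skew(packet: bytes, collector_time: float) -> int:
    """Seconds the exporter's clock is ahead (+) or behind (-) the Collector's."""
    return int(parse_v9_header(packet)["unix_secs"] - collector_time)

def check_clock_sync(packet: bytes, collector_time: float, limit: int = SKEW_LIMIT_SECONDS) -> tuple:
    """Return (in_sync, skew_seconds); flows outside the limit may be discarded."""
    skew = clock_skew(packet, collector_time)
    return abs(skew) <= limit, skew

def lost_packets(prev_sequence: int, packet: bytes) -> int:
    """Export packets missing between the previous sequence number and this packet.
    v9 sequence numbers count export packets per source ID and wrap at 2**32."""
    gap = (parse_v9_header(packet)["sequence"] - prev_sequence) % 2**32
    return max(gap - 1, 0)

def build_v9_header(unix_secs: int, count: int = 1, uptime_ms: int = 0,
                    sequence: int = 0, source_id: int = 0) -> bytes:
    """Constructed sample header (no flowsets) so the checks can run offline."""
    return V9_HEADER.pack(9, count, uptime_ms, unix_secs, sequence, source_id)

if __name__ == "__main__":
    now = 1_700_000_000  # constructed Collector receive time (epoch seconds)
    print(check_clock_sync(build_v9_header(now + 5), now))      # (True, 5)
    print(check_clock_sync(build_v9_header(now + 300), now))    # (False, 300)
    print(lost_packets(41, build_v9_header(now, sequence=45)))  # 3
```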

Issue: Inconsistent flow data or misaligned data (Cisco ASA)

  • Cisco ASA devices only support NetFlow version 9. NetFlow export on the ASA platform is event driven (unlike a Cisco routing platform, the Cisco ASA does not send incremental updates). NSEL records are only sent during flow creation, teardown, or ACL deny events. Cisco ASA devices will not populate the ToS bits or the TCP flags.
