Monitoring

NetFlow

NetFlow is an industry standard network protocol for monitoring traffic. LogicMonitor supports:

  • NetFlow (versions 5, 7 and 9)
  • Flexible NetFlow (requires same configurations as version 9)
  • IPFIX (sometimes referred to as NetFlow version 10)
  • sFlow (version 1 and 3; version 2 is not supported)
  • JFlow

Note: NetFlow Lite is not supported.

NetFlow, as the industry standard, will be used throughout this document to reference all supported network traffic monitoring protocols. The capacity (measured in flows per second) across several sample environments is shown here.

Hardware that supports NetFlow collects IP traffic statistics on enabled interfaces, and exports those statistics as NetFlow records to a collector, which analyzes and displays IP traffic statistics for the device. LogicMonitor functions as a NetFlow collector, receiving and analyzing exported flows from network devices. Displayed traffic statistics include:

  • Top Talkers
  • Top Source Endpoints
  • Top Destination Endpoints
  • Top Flows
  • Top Ports
  • QoS Table

Note: In general, the top 1,000 flows are available. The top 10 show by default, but using filters you can show up to the top 100. You can also use the Search feature to find IP addresses to find/show specific flows.

Specifically, the following data is required and retained:

SRCIP, SRCPORT, DSTIP, DSTPORT, PROTO, STARTEPOCHINSEC, ENDEPOCHINSEC, TCPFLAGS, IFIN, IFOUT, INPKTS, INBYTES, OUTPKTS, OUTBYTES

This data is retained according to the following schedule:

  • Raw data is retained for up to five minutes.
  • Subsequently, the top 1000 contributors from the total received are retained for each 5 minute increment.
  • Every 30 minutes, the top 1000 flows are retained for 24 hours.
  • After 24 hours, the top 1,000 flows from the entire 24 hour period are retained for a max period of 400 calendar days.

NetFlow data is displayed in a "Traffic" tab for NetFlow enabled devices. Available information includes a Top Talkers graph and a widget that displays the top 10 ports (in table or pie chart format):


While the LogicMonitor configuration is very straightforward, the device configuration can be more complex. The following information will guide you through the process:

  1. Configuration Best Practices
  2. Enabling NetFlow in LogicMonitor
  3. Device Configuration
  4. NetFlow QoS
  5. Traffic Tab
  6. Verification & Troubleshooting
  7. IP/DNS Mapping

Configuration Best Practices

Before turning on NetFlow monitoring, there are a few best practices we recommend:

  • NetFlow records are sent using UDP. Because UDP delivery is not guaranteed, you should place the Collector as close as possible to the NetFlow device in your network, to minimize flow disruption due to network congestion or complexity.
  • NetFlow is detailed, real-time statistics on network traffic, therefore it is crucial to synchronize clocks between Devices and the Collector. NTP is the best way to accomplish this. If your device and collectors are in different time zones, consider using UTC or standardizing on a single timezone.
  • The NetFlow collector device must not have any other application (i.e. another NetFlow Analyzer) which may be listening on the specified NetFlow port. This will cause contention and may prevent traffic data from showing in LogicMonitor.

Enabling NetFlow in LogicMonitor

NetFlow configuration in LogicMonitor is straightforward - you just need to enable NetFlow for each device you want to see NetFlow monitoring for. Locate the device you want to enable NetFlow for and select the Manage button. From the manage screen, check Enable NetFlow and select a Collector that has NetFlow enabled (all Collectors have NetFlow enabled by default). The NetFlow Collector can be different than the collector used to monitor this device.

Enabling Netflow in LogicMonitor

Note that the UDP port on the device that is sending the flow data must match the UDP port specified in the Collector's configuration file - by default port 2055 is specified for NetFlow. If you wish to use a non-default UDP port for NetFlow data collection, or a non-default directory for the storage of NetFlow data, you will need to edit the Collector's configuration file. To do this, navigate to Settings | Collectors and locate the Collector you wish to use for NetFlow. Click the Manage gear icon and then select Collector Configuration from the Support dropdown:

Click the option to "Edit agent.conf"- this will enable you to make changes to the Collector's configuration. Find the '#netflow settings' section and change the netflow.ports value to specify the desired UDP port, and the netflow.datadir value to specify the desired directory. Note that netflow.enable must equal true for NetFlow to work - the default value is true, so you shouldn't need to set this value. When finished, click Save. The Collector will automatically restart and load the new configuration settings. If you need to support NetFlow on port 2055 and IPFIX on port 4739 (i.e. both), use a entry in the config file as follows:

netflow.ports=2055,4739

Note: You can add "netflow.ignoreTimestampValidate=true" to the #netflow settings section of the Collector Config file if you'd like to configure your collector to ignore netflow device time information. At this time, the only known devices that necessitate this configuration are Sonicwalls. 

Device Configuration

Once LogicMonitor configuration is complete, NetFlow must be enabled on your device. The configuration varies depending on the device, vendor, network topology, and NetFlow version you want to use. In fact, there are more combinations and options than can possibly be covered in this document, and you may need to review manufacturer guidelines for your specific setup. Basic requirements are listed below, as well as sample NetFlow Version 5 and Version 9 configurations.

The basic requirements are as follows:

  • NetFlow must be enabled per interface on a device.
  • A NetFlow version number should be specified.
  • A source interface on the device must be specified.
  • The UDP port configured on the device must match the port specified in the Collector's agent.conf file.
  • The clock on the device must be synchronized with the clock on the Collector.
  • The IP address of the target Collector must be specified.
  • For NetFlow Version 9, additional template configuration options must be set.
  • For sFlow, packet data must be provided in the enterprise=0 and format=1 packet configuration as described in RFC2233.

NOTE: sFlow requires a different port access than NetFlow. sFlow uses Port 6343. 

Sample Configurations

Cisco IOS 3745 router - NetFlow Version 5, Main Cache Export
Configure the global settings:  Source Interface, NetFlow Version, Target NetFlow Collector, UDP Port


Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip flow-export source FastEthernet0/0
Router(config)#ip flow-export version 5
Router(config)#ip flow-export destination 10.0.0.10 2055 

Configure the interface settings:  Enable route-cache flow

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fa0/0
Router(config-if)#ip route-cache flow

 

Cisco IOS 3745 router - NetFlow Version 9, Main Cache Export
Configure the global settings:  Source Interface, NetFlow Version, Target NetFlow Collector, UDP Port

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip flow-export source FastEthernet0/0
Router(config)#ip flow-export version 9
Router(config)#ip flow-export destination 10.0.0.10 2055

Configure global template settings:  refresh-rate, timeout-rate, options

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip flow-export template refresh-rate 15
Router(config)# ip flow-export template timeout-rate 90
Router(config)# ip flow-export template options export-stats
Router(config)# ip flow-export template options refresh-rate 25
Router(config)# ip flow-export template options timeout-rate 120

Configure the interface settings:  Enable route-cache flow

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fa0/0
Router(config-if)#ip route-cache flow
 

Note for Palo Alto Users: There is a limited ability to customize the name of Palo Alto interfaces. According to Palo Alto, the interface name can not be edited. But, you do have the ability to append a numeric suffix to the interface name for subinterfaces, aggregate interfaces, VLAN interfaces, loopback interfaces, and tunnel interfaces.

Note for Barracuda Users: Those using Barracuda NG Firewalls exporting IPFIX/ NetFlow v9 will need to consult this help page for proper configuration. Specifically, you will need to adjust the following settings:  change "Byte Order" to "LittleEndian" and change the IPFIX template for Export to "Default without Barracuda fields."

NetFlow Groups

When you add NetFlow-enabled devices to a group, the group level node will display a Traffic tab, as well. This will display the aggregate of NetFlow data from each device assigned to that group.

In some instances, NetFlow data is most useful as an aggregate. For instance, consider each of your office locations. Each office location may contain a few routers and switches. The individual traffic for each of those devices is likely not nearly as important as the overall traffic flow for the office. Grouping the traffic of each device into a single aggregate flow will provide insight into the latter. This feature is currently limited to 10 NetFlow capable devices in a group. If there are more than 10, then the 10 with lowest device IDs are used. Device IDs show on the 'Info' tab and are system assigned properties based on chronological order when they were added. It's recommended to put less than 10 NetFlow devices in this group.

The group level Traffic tab will display the following information:

  • Throughput for all NetFlow-enabled devices in the group
  • Top Talkers
  • Top Flows
  • Network Group Devices

NetFlow QoS

NetFlow Quality of Service (QoS) is a measurement of network performance experienced by a network's users. QoS is quanitifed by sampling each of the DSCP values passed within NetFlow. Ultimately, QoS represents the likelihood that a packet will be dropped for a designated flow.

If you have enabled NetFlow on either the group or device level, you will be able to view QoS in its own dedicated table or pie chart (see below) within the Traffic tab on your device dashboards. The table will display the raw values of sent/received packets for each DSCP type. Selecting the "switch" icon will display the overall usage of each DSCP type as a percentage in a pie chart.


 

Verification & Troubleshooting

Once you have configured your network device, and the LogicMonitor Collector and device, you should be able to see exported NetFlow data in the device's Traffic tab.

If you're not seeing NetFlow data for your device, there are a few common problem areas to check:

  • Inconsistent UDP port configuration:  Verify that the UDP port specified on the NetFlow device matches the UDP port specified on the Collector.
  • Blocked/firewalled UDP port:  Many UDP ports are automatically blocked by Windows Firewall or Linux iptables. On the Collector, create an exception for the configured UDP port on inbound traffic to allow NetFlow data to reach the LogicMonitor application. If there is a firewall or ACL between the NetFlow device and the Collector, verify that the traffic for your configured UDP port is allowed.
  • Clock synchronization:  As previously stated, it is crucial for the clock on the network device to be synchronized with the clock on the Collector. If the device clock is ahead or behind the Collector clock, flows may be discarded. LogicMonitor displays the Collector timestamp for the most recent flow update (LastData ReceiveTime), as well as the device timestamp for the exported flow (Timestamp In Last RawData). If these values are off by more than a minute, clock synchronization is the likely problem. It is highly recommended to use NTP to automatically synchronize the clocks to a standard and consistent time and timezone.
  • NetFlow Version 9 template configuration:  NetFlow V9 requires configuration of a template on the device. If you see synchronized timestamps for received data in the NetFlow tab, but the tables are not populating, there may be an issue with the template configuration. To isolate this problem, it is recommended to simplify your setup by falling back to NetFlow Version 5. Once you have V5 working properly, then add the V9 template configuration.
  • Required Fields in NetFlow Version 9: LogicMonitor requires that the flow templates used for version 9 NetFlow exports include both INPUT_SNMP and OUTPUT_SNMP interfaces (fields 10 and 14.)
  • Cisco ASA: Cisco ASA devices only support NetFlow V9. NetFlow export on the ASA platform is event driven- unlike a Cisco routing platform, the Cisco ASA does not send incremental updates. NSEL records are only sent during flow creation, teardown or ACL deny events. Cisco ASA devices will not populate the ToS bits or the TCP flags.

NetFlow setup can also be verified from the collector debug facility. Navigate to Settings | Collectors | Manage for the desired Collector and select 'Run debug command ...' from the Support as shown:

Verification & Troubleshooting

From the debug window, you can then use the !netflow command. For example, the command !netflow func=diagnose 5 EDT is used to verify clock synchronization. Contact LogicMonitor Support for details on troubleshooting from the debug window.

IP/DNS Mapping

Within the Traffic Tab for NetFlow-enabled devices, you can select the "Settings" cog in order to upload a CSV of IP addresses that are mapped to their respective DNS names. These will then be used in all NetFlow tables and reports.

The CSV file needs to reflect the format displayed below. The following CSV columns are required:

  1. start: the starting IP address of the  DHCP range.
  2. end: the ending IP address of the DHCP range.
  3. dns: the DNS name associated with the IP address

Additionally, you can add a "collector" column which can be used to configure IP-DNS mapping per Collector. This is particularly useful for establishing differentiated mappings per location or customer (if you're a service provider). 

Filters


The Filters feature allows you to filter traffic stats based on interfaces, source and destination IP addresses, direction, protocol, and/or port(s). In this example, the top 100 flows are shown between the Tokyo office (which is 10.9.8.0/16) and headquarters (52.52.0.0/16) for all protocols, all ports, and both directions.

Additional Resources