How to use Cisco Netflow monitoring in Xian Network Manager 2012

Transcription

1 How to use Cisco Netflow monitoring in Xian Network Manager 2012 Last update: August 31, 2012 Xian Network Manager 2012 for Microsoft System Center Operations Manager 2012 and 2007 allows users to monitor Cisco Netflow. The Xian NM architecture is intended to make it easy for people new to Netflow, but also give extended functionality to those users that want to control and configure every aspect to fit their needs. This document is divided into two sections. The first one describes a procedure to help you start monitoring NetFlow and the second part will focus on how to customize the filters and rules to adjust for more advanced needs. 1. Starting with Netflow 1. Adding a Netflow device 1. Follow the Cisco procedure in the link below to enable your Cisco Device to send netflow records to Xian NM. Most likely, your Xian NM Installation is on a single machine, use the IP address that belongs to that computer. If not, use the IP address of the machine where the Xian NM Network Manager Server service is running. Note: Make sure that you enabled Netflow monitoring during the installation procedure. 2. Now that the device has Netflow enabled, you need to add it to Xian Network Manager. This is a simple procedure which can be done by clicking on the add device icon in the toolbar. Select flow from the menu that appears and click OK.

2 3. At this time, the rule wizard window appears. In the Parameters tab, click on the Add button and enter the required device parameters. Make sure to provide the correct IP Address and Port of the device. A mistake might cause the NetFlow records to not be received and processed. 4. Now the device is added and a policy template has been automatically applied to it. At present you are already monitoring the following traffic flows: Skype incoming traffic. This rule will show you the incoming traffic aggregated towards local IP Addresses. Source DHCP traffic. This rule will show you the IP address that are broadcasting DHCP. SQL Server outgoing traffic. Basically shows how much SQL server traffic is being broadcasted by SQL Servers in your network. Incoming traffic to well-known ports. This rule shows the traffic on the most common ports aggregated by Destination local IP address. Total traffic by protocols. This shows the traffic usage aggregated by protocol. Downloaded HTTP Traffic to local IPs: Shows traffic going over port 80 towards local IP addresses coming from public addresses. It is aggregated by the destination addresses to the local IPs Downloaded HTTPs Traffic to local IPs: Shows traffic going over port 443 towards local IP addresses coming from public addresses. It is aggregated by the destination addresses to the local IPs

3 Downloaded FTP Traffic to local IPs: Shows traffic going over port 20,21 towards local IP addresses coming from public addresses. It is aggregated by the destination addresses to the local IPs Incoming traffic inside the local network. Shows the amount of internal traffic aggregated by destination IP addresses Outgoing traffic from local IPs to public IPs. Shows the traffic going over port 80 and 443 to public IP addresses and is aggregated by destination (public) IP addresses HTTPs Incoming traffic. Shows the amount of traffic using port 443 that goes around your network independently if it goes or comes from a public or private IP FTP Incoming traffic. Shows the amount of traffic using port 20 and 21 that goes around your network independently if it goes or comes from a public or private IP HTTP Incoming traffic. Shows the amount of traffic using port 80 that goes around your network independently if it goes or comes from a public or private IP 5. Now that the first filters and rules are running, the device performance counters and alerts should be available in Operations Manager views. 2. Advanced Netflow configuration: Setting up customized filters 1. To be able to monitor specific traffic flows that are not delivered out of the box by Xian NM, you can create your own filters and create rules using them. First, you need to have a clear idea of what you want to monitor. The following points will help you to define this criteria in an easy way: How do you want to aggregate the data? (for example by port, destination IP address, etc). Do you want to filter on a specific characteristic? (For example you want to check on a specific source port for an application or a protocol) 2. To create a filter, right click on the device icon and select properties from the contextual menu, then click on the Filters tab. Here you can see the filters that come out of the box and the ones you manually created. Now click on Add to create your own Filter.

4 3. In the filter wizard you ll find three tabs. Parameters, Aggregations and Filters. Parameters: In this field you give your filter a name and a short description Aggregation: In this field you indicate what kind of elements you want to create for monitoring. For example, if you choose Source IP it means that the elements created in operations manager will be based on the source IP. You can also create thresholds for this element. In this way, you can later on create a rule that monitors the amount of traffic for an IP address that is sending data.

5 Filters: This wizard will allow you to narrow down the traffic monitored. Maybe you re only interested in port 80 traffic or only a specific protocol. (See appendix 1 for the specific Protocol numbers). Also, you can filter on a specific port which makes it possible to check out the behavior of a specific application. For example port 443 for HTTPS. 3. Advanced Netflow configuration: Creating rules The creation of filters is not enough to start monitoring, you have to activate these filters by creating rules. This is easily done from the device properties window. 1. Go to the Active Rules tab and select a rule on the right side and click on Add. 2. Now choose if you want to add bytes per second or packets per second 3. Now the rule wizard will appear. In the Filter tab you select the filter you want to use as a base for this rule. It can be any filter that came out of the box or one that you created yourself.

6 4. After you choose the filter, go to the Thresholds tab. If the filter has been running for an extended period of time, it is possible that there are visible elements as you can see in the screen below. However, if not, you can still set up thresholds for the elements that are going to appear. You have the option to set up three kinds of thresholds: Dynamic: This threshold is a moving average over the past N datapoints and can be set with conservative, loose or normal prediction type. Automatic : This is a threshold that is calculated over a number of datapoints and then set fixed (manual) Manual: If you opt for this threshold you have the power to decide all aspects pertaining to that threshold.

7 5. In the Disable elements tab you have the option to discard elements if the traffic reaches a certain low point. This prevents you from receiving counters and alerts on element that you are not interested in and would only mean a larger work load for Operations Manager and SQL server.

8 6. In the Schedule tab you define the intervals in which you want the rule to run. It is recommended not to use too low of an interval because it could cause significant decrease in the server s performance. A good best practice is a value in between 10 to 30 minutes.

9 7. In the active rule options tab you have the option of defining the severity level. This is the alert level that is sent to Operations Manager. It is a good best practice to use critical only for those levels that are set with a manual threshold and warning for the automatic or dynamic ones. This is done to avoid generating false alerts. Also, in this tab you have the choice to disable the option of sending performance data to Operations Manager. Use this option if you are only interested in the alerts above or under a certain threshold. It can reduce the load on the environment. In the name field you have the option to add additional information to the rule name. This information is also sent with the alert to Operations Manager. This is useful if you have multiple rules with the same or similar name in order to prevent confusion.

10 8. The data optimization tab contains the settings you can use to reduce the amount of data sent to Operations Manager. It is based on an algorithm that identifies a counter that hasn t changed its value for a determined customizable lapse of time, so Xian NM won t send this counter repeatedly until the value changes. Instead of sending it every time, it will use the value under performance data heartbeat to send data once every that value. It will only go into this mode if the past number of Reference counters is within the tolerance change (as defined in the tolerance range field). Under normal circumstances, it is not required to make any changes to these fields and you should be able to leave them with the default values.

11 9. In the device update tab you define what which will be the thresholds for newly discovered elements. If you opt for monitoring new elements, it will use the threshold type which you are using for that rule. Also, you can define if the disable elements feature should be applied over that new element and with which limit.

12

13 Appendix 1 Protocol numbers 0 HOPOPT IPv6 Hop-by-Hop Option 1 ICMP Internet Control Message 2 IGMP Internet Group Management 3 GGP Gateway-to-Gateway 4 IP IP in IP (encapsulation) 5 ST Stream 6 TCP Transmission Control 7 CBT CBT 8 EGP Exterior Gateway Protocol 9 IGP any private interior gateway (used by Cisco for their IGRP) 10 BBN-RCC-MON BBN RCC Monitoring 11 NVP-II Network Voice Protocol 12 PUP PUP 13 ARGUS ARGUS 14 EMCON EMCON 15 XNET Cross Net Debugger 16 CHAOS Chaos 17 UDP User Datagram 18 MUX Multiplexing 19 DCN-MEAS DCN Measurement Subsystems 20 HMP Host Monitoring 21 PRM Packet Radio Measurement 22 XNS-IDP XEROX NS IDP 23 TRUNK-1 Trunk-1 24 TRUNK-2 Trunk-2 25 LEAF-1 Leaf-1 26 LEAF-2 Leaf-2 27 RDP Reliable Data Protocol 28 IRTP Internet Reliable Transaction 29 ISO-TP4 ISO Transport Protocol Class 4 30 NETBLT Bulk Data Transfer Protocol 31 MFE-NSP MFE Network Services Protocol 32 MERIT-INP MERIT Internodal Protocol 33 SEP Sequential Exchange Protocol 34 3PC Third Party Connect Protocol 35 IDPR Inter-Domain Policy Routing Protocol 36 XTP XTP 37 DDP Datagram Delivery Protocol 38 IDPR-CMTP IDPR Control Message Transport Proto 39 TP++ TP++ Transport Protocol 40 IL IL Transport Protocol 41 IPv6 Ipv6 42 SDRP Source Demand Routing Protocol 43 IPv6-Route Routing Header for IPv6

14 44 IPv6-Frag Fragment Header for IPv6 45 IDRP Inter-Domain Routing Protocol 46 RSVP Reservation Protocol 47 GRE General Routing Encapsulation 48 MHRP Mobile Host Routing Protocol 49 BNA BNA 50 ESP Encapsulating Security Payload 51 AH Authentication Header 52 I-NLSP Integrated Net Layer Security TUBA 53 SWIPE IP with Encryption 54 NARP NBMA Address Resolution Protocol 55 MOBILE IP Mobility 56 TLSP Transport Layer Security Protocol using Kryptonet key management 57 SKIP SKIP 58 IPv6-ICMP ICMP for IPv6 59 IPv6-NoNxt No Next Header for IPv6 60 IPv6-Opts Destination Options for IPv6 61 any host internal protocol 62 CFTP CFTP 63 any local network 64 SAT-EXPAK SATNET and Backroom EXPAK 65 KRYPTOLAN Kryptolan 66 RVD MIT Remote Virtual Disk Protocol 67 IPPC Internet Pluribus Packet Core 68 any distributed file system 69 SAT-MON SATNET Monitoring 70 VISA VISA Protocol 71 IPCV Internet Packet Core Utility 72 CPNX Computer Protocol Network Executive 73 CPHB Computer Protocol Heart Beat 74 WSN Wang Span Network 75 PVP Packet Video Protocol 76 BR-SAT-MON Backroom SATNET Monitoring 77 SUN-ND SUN ND PROTOCOL-Temporary 78 WB-MON WIDEBAND Monitoring 79 WB-EXPAK WIDEBAND EXPAK 80 ISO-IP ISO Internet Protocol 81 VMTP VMTP 82 SECURE-VMTP SECURE-VMTP 83 VINES VINES 84 TTP TTP 85 NSFNET-IGP NSFNET-IGP 86 DGP Dissimilar Gateway Protocol 87 TCF TCF 88 EIGRP EIGRP 89 OSPFIGP OSPFIGP 90 Sprite-RPC Sprite RPC Protocol

15 91 LARP Locus Address Resolution Protocol 92 MTP Multicast Transport Protocol 93 AX.25 AX.25 Frames 94 IPIP IP-within-IP Encapsulation Protocol 95 MICP Mobile Internetworking Control Protocol 96 SCC-SP Semaphore Communications Sec. Protocol 97 ETHERIP Ethernet-within-IP Encapsulation 98 ENCAP Encapsulation Header 99 any private encryption scheme 100 GMTP GMTP 101 IFMP Ipsilon Flow Management Protocol 102 PNNI PNNI over IP 103 PIM Protocol Independent Multicast 104 ARIS ARIS 105 SCPS SCPS 106 QNX QNX 107 A/N Active Networks 108 IPComp IP Payload Compression Protocol 109 SNP Sitara Networks Protocol 110 Compaq-Peer Compaq Peer Protocol 111 IPX-in-IP IPX in IP 112 VRRP Virtual Router Redundancy Protocol 113 PGM PGM Reliable Transport Protocol 114 any 0-hop protocol 115 L2TP Layer Two Tunneling Protocol 116 DDX D-II Data Exchange (DDX) 117 IATP Interactive Agent Transfer Protocol 118 STP Schedule Transfer Protocol 119 SRP SpectraLink Radio Protocol 120 UTI UTI 121 SMP Simple Message Protocol 122 SM SM 123 PTP Performance Transparency Protocol 124 ISIS over IPv4 125 FIRE 126 CRTP Combat Radio Transport Protocol 127 CRUDP Combat Radio User Datagram 128 SSCOPMCE 129 IPLT 130 SPS Secure Packet Shield 131 PIPE Private IP Encapsulation within IP 132 SCTP Stream Control Transmission Protocol 133 FC Fibre Channel 134 RSVP-E2E-IGNORE Unassigned 255 Reserved

16

17 Appendix 2 other usefull links