Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Pre-filter or Drop traffic in NTA

Is there a way to Pre-Filter or drop traffic on the NTA? Good example will be to drop the tunneling between the WLCs and APs?

We are doing a 30 day demo of NTA. We are hoping to use it to see what kind of traffic that is being used on the wireless and see why our Cisco Nexus 9504 are suffering some random CPU spikes. (The spiking issue seems to be resolved with an upgrade of the OS on the Nexus and optimization of our Aruba Wireless Controllers to limit broadcast and multicast traffic). We are forced to use SFlow due to the Nexus line card limitations so we cannot just monitor the wireless client VLAN so we are monitoring the uplinks to the WLCs which includes a bunch of unwanted WLC to AP traffic which is encapsulated. I do not care what is in the encapsulation because we are seeing the wireless client VLAN entering/exiting the same interface.

Maybe we are trying to leverage NTA incorrectly. If we were to monitor the uplinks going to the internet firewall then we would not see any broadcast or multicast traffic on the wireless client VLAN because the SVI is on the Nexus.

Find more posts tagged with

Accepted answers

stibi

Hi @rjrothwell ,

Your idea with monitoring just interfaces that goes to WAN could be a one way to do it and probably the simplest one.

NTA has only few mechanism that allows to drop the traffic and I am not sure if they would be usable for you:

Dropping based on protocols. If you will navigate to NTA Settings -> Monitored Protocols and uncheck there some specific protocol the flows using this protocol will be dropped. It could be used if the encapsulation is using specific protocol.
Dropping based on unmanaged interfaces. Can be set on NTA Settings page when you uncheck "Allow monitoring of flows from unmanaged interfaces". Here we will store the traffic if both interfaces (input and output) are managed by NPM and flow processing is enabled on at least one of them. Other traffic is dropped. If you know specific interface from which you don't want to see traffic then just remove it from NPM and we would drop all communication passing through this interface in both directions.
This one can be tricky as the flows can be configured in a way that they collect only single interface and other is always 0. Such configuration would not be processed with the setting uncheck.
Dropping based on ports. Again can be set in NTA Settings "Allow monitoring of flows from unmonitored ports". Works only for UDP and TCP traffic... ports that does not have defined application are dropped.

All comments

stibi

Hi @rjrothwell ,

Your idea with monitoring just interfaces that goes to WAN could be a one way to do it and probably the simplest one.

NTA has only few mechanism that allows to drop the traffic and I am not sure if they would be usable for you:

Dropping based on protocols. If you will navigate to NTA Settings -> Monitored Protocols and uncheck there some specific protocol the flows using this protocol will be dropped. It could be used if the encapsulation is using specific protocol.
Dropping based on unmanaged interfaces. Can be set on NTA Settings page when you uncheck "Allow monitoring of flows from unmanaged interfaces". Here we will store the traffic if both interfaces (input and output) are managed by NPM and flow processing is enabled on at least one of them. Other traffic is dropped. If you know specific interface from which you don't want to see traffic then just remove it from NPM and we would drop all communication passing through this interface in both directions.
This one can be tricky as the flows can be configured in a way that they collect only single interface and other is always 0. Such configuration would not be processed with the setting uncheck.
Dropping based on ports. Again can be set in NTA Settings "Allow monitoring of flows from unmonitored ports". Works only for UDP and TCP traffic... ports that does not have defined application are dropped.

rjrothwell

Thank you! I was able to setup some of these settings before being beaten up by a Hurricane and then our Demo running out. Sorry for not responding sooner with an update since my attention was elsewhere and in many other places, ha!