Jesquitin

Comments

  • Go to "Download your Software" section and click on the download button next to the "Netflow Traffic Analyzer v3" section. v3.1 will actually be downloaded
  • Netflow is a layer 3 technology. Layer 3 traffic that is switched at layer 2 will be the only traffic captured when the following command is configured "ip flow ingress layer2-switched" if the IOS allows it. Also with the 4500 it depends on the sup engine. Sup IV and V (require the Netflow service card) Sup V-10G (embedded…
  • This is across the board for all lower end switches. Below is a list of Cisco devices that support Netflow. Table 1. NetFlow Recent Cisco Device Support Matrix Device Supported Cisco 800, 1700, 2600 Yes Cisco 1800, 2800, 3800 Yes Cisco 4500 Yes Cisco 6500 Yes Cisco 7200, 7300, 7500 Yes Cisco 7600 Yes Cisco 10000, 12000,…
  • The best way to troubleshoot this issue is to perform a Wireshark capture to investigate the flow packets. Also noticing some commands that are missing. They might not be preventing data from being collected but will give you more accurate data collection. Below are commands: Global Configurations mls ip multicast…
  • I meant to add the following: What do you mean by unmonitored traffic? "I meant traffic from unmonitored Ports" No, not keeping flows from unmanaged interfaces." Unless you are monitoring all the interfaces in Orion for these devices I recommend to enable this setting. This setting is designed to keep traffic when at least…
  • It appears that you are missing the mls portion of the configuration. This portion captures layer 3 switch traffic at layer 2. The command that accomplishes this is "ip flow ingress layer2-switched vlan xxx,xxx" and list out the VLANs that you would like to capture traffic from. Below is a sample config for the Cisco 6500…
  • Roselyn, It is best practice to always specify a source (interface with IP address Orion NPM is managing device by). If a source is not specified the device will choose one and it is not always the one with IP address in Orion NPM for the device.
  • You are correct on all your points. Very informative and detailed. The SNMP bandwidth utilization shown in "Traffic In" and "Traffic Out" The article sent only discusses possible reasons why the data will be lower than SNMP interface stats. There is another article that covers the point on why data would be more in Netflow…
  • The ASA firewalls keep track of traffic differently than a router. ASA traffic is tagged from where the connection was initiated from. Routers and switches use unidirection, flows are exported in one direction, A>B (300KB) and the return traffic B>A (100KB). With bidirection both are added and will show in the direction…
  • This is usually caused by having both "ip flow ingress" and "ip flow egress" configured on the interfaces. This causes the same flow to be sent out twice (duplicate flows). To resolve this only apply the "ip flow ingress" command on the interfaces. Egress traffic will still be captured. When a flow is received it contains…
  • If this is a Cisco device you could run the following command in enable mode and this should display the interfaces and the associated ifindex numbers. Look for the interface with 127 as the index number. Hostname#show snmp mib ifmib ifindex
  • By default long lived Netflow cache data is exported every 30 minutes. This will cause some high peaks in the graphs since the flow data is exported at one time. The following commands will help to reduce the peaks: ip flow-cache timeout active 1 (Breaks up long-lived flows into 1 minute fragments and smooths out the…
  • Your best bet is to look at the "Interface Details" page in NPM. There are two charts that will shine some light on bandwidth utilization: Min/Max/Average bps In/Out and Percent Utilization. You can also set up an alert based on bandwidth or percent utilization to send out an email when the threshold is met.
  • kristian_tomol13, This should be configured with the interface that has the IP Address that NPM is managing the device with. When the flow is received the NTA collector will compare the IP Address in the flow packet header with the Nodes table to see if the IP Address exists in the database. If there is not a match the flow…
  • This issue can be resolved in two ways: 1. Change the IP address Orion is managing the device by to match the IP address the flow is coming from. In this case 192.168.2.1. 2. Change or enter the following command with the interface that contains the IP address Orion NPM is managing the device by "ip flow-export source…
  • Based on the screen shot it appears that your resources are missing for this view. You can verify this by going to Setting > Manage Views > Select "Netflow Conversation" > Edit. You should see " Total Bytes Transferred" and "Conversation Traffic History" in the Resources in Column 1 section. I recommend opening a support…
  • Majority of the time this is caused by not having the active timeout command configured on the Netflow sources. Check to see if the commands below are configured. The commands below are for Cisco devices but most other vendors also have this command available. By default most network devices export long-lived flows every…
  • There are a few reasons that can cause this issue. The article in the link below provides some things to check and verify. https://support.solarwinds.com/Success_Center/Netflow_Traffic_Analyzer_(NTA)/Netflow_shows_less_bandwidth_than_NPM_charts Hope this helps
  • Netflow is not supported on 3750 switches. The only Cisco switches that support Netflow are the 4500 and 6500 series switches. Netflow is also supported by all routers.
  • John, Cisco does not support Netflow on lower end switches. They start their support on higher end 4500 and up. If possible you could test on a lower end router. Here is a link for a Cisco document on Netflow and supported devices: www.cisco.com/.../prod_white_paper0900aecd80406232.html Thanks, Joseph
  • The wording can be a bit confusing. All this means is that the database size includes all the data that the retention period is set for. If the size of the database did not include all the data for days the retention period is set for the message would look like the screenshot below. There is only 15 days worth of data in the…
  • Duplicate flows will be created if both ip flow ingress and ip flow egress are configured on multiple interfaces causing data to show double of actual bandwidth utilization. If using Flexible Netflow this would be or ip flow monitor MONITOR_NAME input and ip flow monitor MONITOR_NAME output. Take a look at the article in…
  • NTA does support Netflow on the 6500 series switches. There is some additional configuration that needs to be included. Below is a link that will assist on the configuration for either Native IOS or Hybrid. www.cisco.com/.../products_configuration_example09186a0080721701.shtml Thanks
  • By default Cisco and other vendors will export long lived packets every 30 minutes, which explains what you are experiencing. Adding the following command should resolve your issue and level off the peaks and valleys: "ip flow-cache timeout active 1". This command will ensure all flows are exported every 1 minute. To…
  • Have you installed SP1? If not install SP1 for Netflow 3.1 and this should resolve the issue
  • roselyn, It is recommended to only enable Netflow on the Multilink interface and not the member interfaces. Also is this router performing NAT? If it is then you would want to capture Netflow from the LAN interface in order to see the internal private IP addresses. Hope this helps.
  • There are a few reasons why this would happen. Can you provide the device make and model? Netflow configuration on the device? Are you keeping unmonitored traffic? Are you keeping flows from unmanaged interfaces? Thanks
  • Here is a link to a Cisco document that goes through the steps for configuring Netflow on 6500 series switches, both hybrid and native IOS. The key command to monitor layer 2 is "ip flow ingress layer2-switched vlan xxxx". Also verify the NDE version is version 5, by default version 7 is configured.…
  • NTA can successfully accept Netflow data from Cisco ASA 8.2 and higher. Cisco uses Netflow v9 NSEL template. This sends the information in two parts, Template information and data. The most common issues are that the device is not sending one or the other. The best way to identify which is the issue is by performing a…
  • You can use the "Search by Endpoint" resource to find the conversations for a specific IP address.