jswan

Comments

  • I completely agree with all of ecklerwr1's points. For example, why doesn't the "TopN Conversations" view have the full layer 4 conversation details immediately available?
  • When you set bgp origin-as export on a Cisco router it uses 0 for the router's local AS.
  • I agree--this would be a great feature to have and a nice topic for a free tool. I would also like to see a raw-packet to NetFlow exporter from Solarwinds. There are other commercial and open-source tools out there that do this and it's an important part of a complete solution.
  • You can't do flow-to-username correlation today. See this thread:
  • I'm pretty sure the only way to change a password via SNMP is to use SNMP writes to TFTP new commands into the running config, and NCM doesn't support configuration transfers via the SNMP/TFTP combination. You could do this with any tool that allows you to do arbitrary SNMP writes, however (assuming the device allows SNMP…
  • Usually NTA listens for NetFlow on port 2055 rather than 9996. Also, you shouldn't need "ip route-cache flow" on the interface with any reasonably recent code.
  • Agreed. In addition, the headers should clearly show the source and destination ports for the flow (not some junk like "random high port"). The lack of this information today is extremely irritating.
  • I was told by a PM that the new database originated with the open source FastBit database project, but has been so heavily rewritten that it's not compatible with native FastBit tools. From the FAQ: Q: My DBA wants to know more about this NTA Flow Storage database, how does it work? The NTA Flow Storage database is a…
  • 1. Netflow does not have any application-layer information, so you cannot use it to get stuff that's contained only in HTTP transactions. 2. Netflow is not a capture technology, so if I understand your question correctly the answer is no. However, there are tools that will take a SPAN session and export information about…
  • That web page says that their software can convert DNP3 alarms to SNMP traps. SNMP traps can be monitored with NPM.
  • If this is a Cisco router, you need to export NetFlow from the tunnel interfaces themselves, not the underlying physical interface. For example:
      interface FastEthernet0/0
       ip address 1.1.1.1 255.255.255.0
       ip flow ingress
      interface Tunnel1
       ip address 10.1.1.1 255.255.255.0
       tunnel source FastEthernet0/0
       tunnel destination…
  • I agree with Andy about this being a HR problem, but if you need to find the traffic with your Cisco routers, the easiest way would be with NBAR. I haven't tested it, but something like this should work:
      class-map match-all CM_BITTORRENT
       match protocol bittorrent
      policy-map PM_DROP_BT
       class CM_BITTORRENT
        drop   <-- note that…
  • You might try using the post-NAT address in your ACL. I can't remember how older ASA code handles this (I know you're running something older because of the "static" syntax), so no guarantees that it'll work:
      access-list NETFLOW extended permit udp host 196.20.66.145 host 10.13.67.79 eq 2055
  • It sounds like you are receiving NetFlow export from a device in front of the proxy. If you want to see details of devices behind the proxy, you need to configure your infrastructure devices behind the proxy for NetFlow export to NTA.
  • You can't get more than the top XX flows in any current version. However, you can increase the top XX to a maximum of 100 by clicking the Edit button on the appropriate flow resource.
  • Some types of IM traffic can be identified by domain name. Skype traffic is extraordinarily difficult to identify. I believe that in most cases it's only possible with a packet inspection engine that can do pretty advanced statistical heuristics. Not possible with NTA.
  • This seems like it's outside the scope of Network Configuration Manager, and it's a huge question. The first thing you want to do is define which features you might need in which parts of the network. For example, it looks like you are asking specifically about your ISP-uplink block. You'll probably need features here that…
  • The biggest thing I want is performance over larger data sets. Right now searching more than 2 hours in the past is extremely slow to nonfunctional. After that, I want the ability to search for conversations between two arbitrary hosts. Next, the ability to search for conversations between arbitrary groups of hosts,…
  • I'm not from SW, but I'm curious to know what rules you would use to differentiate the two--most Cisco switches (everything from the 3560 up) can also route, and most routers can contain switch modules. Or maybe I'm missing something about what you're trying to achieve?
  • I've never worked with a Nexus 6K, but a couple of things I'd check: 1) If it's a L2 port channel, it will only support an L2 flow config. It will be something like "layer2-switched monitor ....". If it's a L3 port channel, you should be able to configure a L3 flow monitor. 2) Make sure you're running recent code that has…
  • In FCoE, the Fibre Channel traffic is encapsulated directly on top of Ethernet, without any IP headers. You would need the L2 export capabilities of Flexible NetFlow to see this type of traffic in NetFlow data export. I don't believe the current version of Solarwinds NTA supports this feature.
  • See this thread.
    (in NTA Newbie; comment by jswan, March 2014)
  • You could use SPAN with nProbe; that's cheap to free depending on how you do it. If you search the forums for nProbe there's some info on how to set it up.
  • Speaking for Cisco routers: there is a CISCO_BGP4-MIB:cbgpRouteTable object in the MIB, but any attempts to query it with an NPM universal device poller result in "OID not supported". It is an SNMP "sequence" datatype, and I don't know whether NPM supports those. In any case, I would be more than a little worried CPU…
  • I think I understand what you're trying to do, and I haven't been able to get it to work either. The closest thing I've found is this: use Flow Navigator to create an interface detail view for an interface near your internet edge, limit it by IP address group, and look at the "Top N Conversations" pane. This doesn't give…
  • The only Cisco 2900 series switches that have any NetFlow support are the 2960-X series. If you're using earlier versions, they don't do NetFlow.
  • Some IOS feature sets only support acting as an IP SLA responder; they cannot act as a probe. Check your platform and code version using the Cisco feature navigator: http://www.cisco.com/go/fn
  • I couldn't get anything to work right on the 6509 (very similar to 7609) until I changed the mls export to version 5 with "mls nde sender version 5".
  • I'd add to this that if I look in the "Today" view in NPM, it shows that I've transferred several hundred megabytes across the serial link, but the NTA interface detail shows less than 2 megabytes transferred. Something doesn't add up here...
  • One non-technical thing you can do is make sure that if you have separate NOC and security teams, that they are somewhat cross-trained and talk to each other a lot. My experience has been that security tools often illuminate network operational problems, and vice versa. From a technical perspective, two of your most…