jswan

The Catalyst 3560 doesn't support NetFlow at all, so you're not going to have much luck getting it to work...

Run Wireshark on the NTA collector to sniff UDP port 2055 from the IP address of your Loopback1 interface, just to make sure you're getting NetFlow packets from the 6506 exporter. If that's the case, my first guess would be that your template doesn't match one of NTA's built-in templates exactly. Check the NTA…

By default, all traffic on Riverbed Steelheads is proxied with the IP addresses of the in-path interface on the Steelhead, so that's all NetFlow sees. To fix this, you need to change your Riverbeds to "Full Transparency" mode. On the Steelhead, you go to Configure > Optimization > In-Path Rules, and add a new Auto Discover…

Is there now any ability to exclude certain usernames from tracking? The absence of this feature makes UDT unusable for us.

This is not a NTA issue, it's a flow collection issue. You just need to collect your flow export data from a device or interface behind the one doing the NAT onto the public IP address. It sounds like you're collecting from the outside interface of your Internet edge router, which will show everything coming from the…

NetFlow is the protocol that a router uses to export information about traffic that moves through it. The CBQoS views and reports in NTA are a particular view of that NetFlow export data that shows you information about the QoS classes that were used to prioritize traffic on that device.

There is no way to do this without enabling SNMP write, and as far as I know this type of copy operation is not supported in NCM.

Please see: Why NetFlow Isn't a Web Usage Tracker 1e100.net is one of Google's content distribution networks. Google owns YouTube. Thus if you need more detail than this you need to look at an HTTP-based utilization tracker, rather than traditional NetFlow.

Put your excluded hosts and/or subnets in an IP Address Group, use Flow Navigator to exclude it from the view you want, then save that view.

Last time I checked, IOS wouldn't export NetFlow over a raw IPSec VPN. You had to use IPSec/GRE instead. It's been probably two years since I looked at this (we are all IPSec/GRE), so you might want to check the latest IOS versions to see if this has changed.

You need to update the NetFlow data export IP address on the routers that are exporting to your collector. See the threads at the top of the forum for detailed instructions on configuration NetFlow. In IOS, the command is: ip flow-export destination <ip of Orion collector> 2055

I don't think this is going to work; it looks like you're running a Supervisor 1A/MSFC2. That supervisor went end-of-life in 2004 and end-of-support in 2010. I'm pretty sure NetFlow v5 requires at least a Supervisor2/MSFC2.

You can build custom monitoring scripts for Cisco routers with Embedded Event Manager and Embedded Resource Manager, and generate syslog messages with Embedded Syslog Manager: Docs for 12.4T are here: www.cisco.com/.../nm_12_4t_book.html It does require some aptitude with scripting.

I would use a node detail view on the core switch, limited by IP address group. Constrain it to the IP address groups involving the servers and the end user subnets, and go from there.

There's another thread going on this right now. The simple answer is that your NetFlow exporter needs to be configured to see the client-side traffic, and NPM needs to be configured to monitor those interfaces. If you go onto your switch and issue the "show ip cache flow" command (assuming it's Cisco), do you see the…

There's Java sample code already included in the Solarwinds SDK. Install the SDK and look in C:\Program Files (x86)\SolarWinds\Orion SDK\Samples\JavaClient.

You should be able to do this just by running a country report in Flow Navigator. You shouldn't need BGP ASN export either.

When you select the view type in Flow Navigator, use a "Detail" report instead of a summary report. There you can choose either a specific node or a node and specific interface with which to restrict the report. Once you select the node or the interface, add your IP Address Group restriction on top of that.

No, NetFlow isn't designed to replace syslog. The closest thing would probably be Cisco's NSEL feature that exports ASA firewall and NAT log data via a proprietary Flexible NetFlow extension.

Is the exporter a Cisco device? If so, what's the interface flow configuration look like? What does the flow cache ("show ip cache flow") have to say about the same flows?

Detailed configuration policy auditing is very weak in current versions of NCM Policy Reporter. I was told by a PM at Cisco Live that they are actively working on this, but I didn't get any details about exactly what features would be forthcoming. Any PMs out there who can comment? I really need this type of feature too.

Anybody have an answer to this? I have the latest version of NTA with all ports monitored under Admin->Netflow Settings->Manage Applications and Service Ports, and I still see this "Random Port" stuff all the time.

You need "ip flow ingress" and/or "ip flow egress" on every interface for which you want to export flow statistics.

You can do this with NTA (use Flow Navigator to build and interface detail view filtered by IP Address Groups), but it would be a lot easier to just look at the routing table!

Solarwinds NTA automatically recognizes NetFlow v5 and v9, so I don't understand what you mean when you say that you've installed NTA version 9.

Is the node a Cisco router or an end station? I don't have any ideas if it's the latter, but if it's a router you could do this with IP SLA. You don't even need the Solarwinds IP SLA product to do this and monitor it, although that would certainly make it easier.

You can't. I have asked Solarwinds about fixing this in the past, but so far it's been a no go. I would like to see the following feature improvements in this area: * Ability to see all conversations on one page. * Ability to see "paged" conversations; i.e. "next 25 conversations" or "next 100 conversations" like you can…

NetFlow doesn't capture HTTP header data. If you have a web-content filtering system, it will often have enough of the HTTP request to figure out what was going on. If not, one free tool that can do this is httpry.

No, Netflow has no packet sniffing capability. You might want to look at the new IOS embedded packet capture functionality in 12.4(20T) and later: supportwiki.cisco.com/.../Tech_Insights:Utilizing_the_New_Packet_Capture_Feature

Use Windows Performance Monitor to track the Solarwinds Netflow performance object with the "PDU Per Second" counter.