I'm afraid I can't answer your netflow-lite question but this community has a good few NetFlow geeks so you should get an answer shortly.
An alternative to nprobe is a commercial application called LANGuardian. You can connect it to a SPAN or mirror port and use SolarWinds Orion to query the results. The video below shows an example of it in action.
A quick look at Netflow-lite looks like it should work with NTA. I believe it's only on the 2960X switches, not all 2960's though. It looks like it uses a flexible netflow type of configuration, which should work with most Netflow software.
That being said, it appears to take an interesting approach that might not be what you wanted either. Most netflow implementations monitor all packets going through the device; it looks like the best Netflow-lite does is 1 out of every 32 packets. This sample can either be random, in which case it will take a random packet out of every 32, or deterministic, which would take every 32nd packet. Of course this value of 32 can be adjusted too, up to 1022.
Personally I wouldn't like this sampling approach vs. 100% of packets being monitored. I'd always wonder what it was missing! But if you're on a budget...
So, one question I'd have: most routers do Netflow quite well, and usually monitoring your WAN links is pretty sufficient for capturing the traffic that you want to see, unless for some reason you want to capture the local LAN traffic going to your servers. In that case I'd question the use of 2960 switches also; I would think 3850 switches or something more appropriate would work better.
Link to an interesting article on 2960 netflow - https://www.plixer.com/blog/netflow-lite-2/cisco-2960-x-netflow-lite-configuration/
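To make the sampling trade-off concrete, here is an added example (not from the thread or from Cisco) that models the deterministic and random 1-in-N modes described above, shows how a collector scales sampled counters back up, and computes how often a short flow is missed entirely. Flow sizes and the 4000-packet download are constructed sample data; the random mode is simplified to an independent 1/N keep probability per packet.

```python
import random

def deterministic_sample(pkt_sizes, n, offset=0):
    """Deterministic mode: keep every n-th packet. offset is where the exporter's
    packet counter stands when this flow's first packet arrives (other flows share it)."""
    return [s for i, s in enumerate(pkt_sizes) if (i + offset) % n == 0]

def random_sample(pkt_sizes, n, rng):
    """Random mode, simplified here to keeping each packet with probability 1/n; on a
    real interface one packet is picked per window of n across all interleaved flows."""
    return [s for s in pkt_sizes if rng.randrange(n) == 0]

def scaled_bytes(sampled_sizes, n):
    """Collectors multiply the sampled counters by the interval to estimate true volume."""
    return sum(sampled_sizes) * n

def observed_fraction(k, n):
    """Share of counter offsets at which a k-packet flow leaves at least one sample in
    deterministic mode; equals min(k, n) / n, so short flows are mostly invisible."""
    hits = sum(1 for off in range(n) if deterministic_sample([1] * k, n, off))
    return hits / n

def coverage_table(intervals=(32, 1022), flow_lengths=(1, 3, 16, 32, 1022)):
    """Probability that a flow of each length is seen at all, per sampling interval."""
    return {n: {k: round(observed_fraction(k, n), 4) for k in flow_lengths} for n in intervals}

def volume_estimate(n=32, seed=7):
    """Constructed 4000-packet, 1400-byte download: true bytes vs. scaled estimates."""
    download = [1400] * 4000
    rng = random.Random(seed)
    return {"true": sum(download),
            "deterministic": scaled_bytes(deterministic_sample(download, n), n),
            "random": scaled_bytes(random_sample(download, n, rng), n)}

if __name__ == "__main__":
    for n, row in coverage_table().items():
        print(f"1-in-{n}:", row)
    print(volume_estimate())
```

Long transfers are estimated well after scaling, while a 3-packet flow under 1-in-32 sampling is seen less than 10% of the time, which is exactly the "what is it missing" concern.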
Thanks for the reply. Our company wants to go down to the user level and find out which user and which application is consuming the most bandwidth, and focus mostly on WAN traffic including the firewall. NPM installed initially was giving basic details about interfaces and CPU etc., but NTA was not showing any such information, the reason being non-NetFlow switches. We have a VPN which serves the purpose of connecting to multiple sites, not actual routers. So we are planning a new switch which could provide the netflow feature and be compatible with Solarwinds.
The user name association is an interesting one. As far as I know you won't get this from NPM or NTA. Packet analysis will give you more accurate info too; this is especially true if you are monitoring Internet traffic. Data extracted from HTTP headers can be gold dust when it comes to troubleshooting.
See the demo at the link below to get a better idea of what I am talking about. You will see usernames and if you click on them you can drill down to see what they are doing. Covered in this video too.
But, as Craig mentioned above, if you are all out of budget you may need to work something out using the NetFlow data.
NTA will give you insight into what traffic is traversing your network quite well, and without having to do Netflow on end-user switches. Normally you would install netflow at points in your network that all the traffic you want to monitor will traverse. If all of your traffic goes through a single core router or firewall, it could be this one single point. Or, if you have a pair of core routers that handle all the traffic it could be those two. Usually organizations will choose to monitor all routers though, but very rarely will they choose to do end-user switches. The thing you have to remember about NTA is it will show you the traffic for different IP addresses that traverse a device. So it doesn't relate this information to "users", if that is important you will also need a product called UDT or Universal Device Tracker.
UDT takes information it gathers from end-user switch ports, routers, and your Active Directory servers and correlates that information so it knows what user was on what IP address at any given point in time. The integration of these 3 products allows you to view this IP address information and easily get the user information from it also. UDT is licensed on a per-port basis, so you would have to monitor all of the ports your users were on, in addition to the routers (for their ARP table information).
From what you're telling me, I would ditch the plans to get Netflow information from end-user switches and concentrate on your WAN links. This should be all that you need to get the information you're describing. You could just do your core routing devices, but I'd recommend going ahead and monitoring all your routers or firewalls that connect your network together. If you want to relate this to usernames, you'll also need UDT. If you're ok with only getting IP addresses of where the traffic is coming to/from, you can skip that product.
Let me know if this makes sense.
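The correlation UDT is described as doing above, shown as an added example written for this thread (not UDT's or SolarWinds' code): a flow record's IP and timestamp are resolved to the MAC, switch port and AD logon that were current at that time. The ARP snapshots, MAC table entries and logon events are constructed sample data, and the 12-hour freshness window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample data standing in for what the router ARP tables, switch MAC tables
# and Active Directory logon events provide (all timestamps UTC, ISO 8601).
ARP = [  # (seen_at, router, ip, mac)
    ("2024-03-01T08:00", "rtr1", "10.1.20.15", "00:11:22:33:44:55"),
    ("2024-03-01T13:00", "rtr1", "10.1.20.15", "00:aa:bb:cc:dd:ee"),  # DHCP reissued the IP
]
MAC_PORTS = [  # (seen_at, switch, port, mac)
    ("2024-03-01T07:58", "sw-floor2", "Gi1/0/7", "00:11:22:33:44:55"),
    ("2024-03-01T12:55", "sw-floor2", "Gi1/0/19", "00:aa:bb:cc:dd:ee"),
]
AD_LOGONS = [  # (logon_at, user, ip)
    ("2024-03-01T07:59", "alice", "10.1.20.15"),
    ("2024-03-01T12:57", "bob", "10.1.20.15"),
]

def _t(s):
    return datetime.fromisoformat(s)

def latest_before(rows, when, key_index, key):
    """Most recent row whose key matches and whose timestamp is not after `when`,
    i.e. the state of that table as it stood when the flow was observed."""
    matches = [r for r in rows if r[key_index] == key and _t(r[0]) <= when]
    return max(matches, key=lambda r: _t(r[0]), default=None)

def attribute_flow(src_ip, flow_time, max_age=timedelta(hours=12)):
    """Resolve a flow's source IP to MAC, switch port and user at the time of the flow.
    A stale ARP entry is refused rather than guessed: misattributing traffic to the
    previous holder of a DHCP address is the classic failure of this kind of join."""
    when = _t(flow_time)
    arp = latest_before(ARP, when, 2, src_ip)
    if arp is None or when - _t(arp[0]) > max_age:
        return {"ip": src_ip, "mac": None, "port": None, "user": None,
                "reason": "no fresh ARP entry"}
    mac = arp[3]
    port = latest_before(MAC_PORTS, when, 3, mac)
    logon = latest_before(AD_LOGONS, when, 2, src_ip)
    return {"ip": src_ip, "mac": mac,
            "port": f"{port[1]} {port[2]}" if port else None,
            "user": logon[1] if logon else None, "reason": None}

if __name__ == "__main__":
    print(attribute_flow("10.1.20.15", "2024-03-01T09:30"))
    print(attribute_flow("10.1.20.15", "2024-03-01T14:00"))
```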
Hi Craig, sorry for having limited knowledge about all these. So far, from what I did after installing Solarwinds on a Windows server, I added two non-netflow Cisco switches, one firewall, one ESX host and some PCs. The NTA doesn't seem to provide any information. There are no routers, only VPN to connect to multiple sites. Our tech support company says it's because of the non-netflow switches that it is not providing any information.
Ok, one thing you have to remember is that Netflow is completely different from NPM in terms of how it works. With NPM you poll the devices every X minutes for some basic traffic counters and other things. So NPM is actively going out and querying the device to see what is going on with it. All you need to do to get this working is to have an SNMP community on the device and put that into Solarwinds.
NTA uses netflow, which could be described as a "push" technology. So when you bring up Netflow in Solarwinds, it starts up a collector that listens for Netflow packets and records those in the database. Most layer-3 devices these days support netflow, like routers. But, you have to program every device you want to get Netflow from to send the packets to NTA's netflow collector. If you don't have the devices configured, or configured correctly, to send the netflow packets, Orion doesn't see them. On most Cisco routers the configuration is pretty straightforward. I recommend a configuration like this:
! Expire idle flows after 45 seconds so short conversations reach the collector promptly
ip flow-cache timeout inactive 45
! Export long-lived flows every 1 minute instead of waiting for them to end
ip flow-cache timeout active 1
! Source exports from Loopback0 so NTA matches them to the node NPM already manages
ip flow-export source Loopback0
ip flow-export version 9
! Collector address and UDP port (2055 is the port NTA listens on by default)
ip flow-export destination 10.11.12.13 2055
This is assuming your netflow collector (ie: Orion) is at 10.11.12.13 and that Orion NPM has the device managed using the IP address of your Loopback0 interface. Change these to fit your specifics.
If you want to monitor a firewall, the configuration is probably a bit trickier, and many devices want to use flexible-netflow, which will look quite different. Depending on the type of firewall, it may or may not do Netflow. It's also possible it might do J-Flow or S-Flow, which can work with NTA, but it depends on the device.
If I knew more specifics I might be able to help a bit more.
If you're using Cisco ASA firewalls, check out this link:
For more Netflow configuration examples for other Cisco devices, check out this link.
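To show what the "push" side of NetFlow v9 looks like when it arrives at the collector on UDP/2055, here is an added example (not from the thread, and not NTA's implementation) that decodes a v9 export packet: it learns the record layout from a template flowset, then decodes the data records that follow. The packet is constructed in code rather than captured; field type numbers are the RFC 3954 ones.

```python
import struct, ipaddress

# NetFlow v9 field type ids (RFC 3954) for the fields this example decodes
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 7: "l4_src_port", 8: "ipv4_src_addr",
               11: "l4_dst_port", 12: "ipv4_dst_addr"}

def parse_v9(packet, templates):
    """Decode one v9 export packet. templates maps (source_id, template_id) -> [(type, len)]
    and must persist across packets, since routers send templates only periodically."""
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    records, offset = [], 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4:  # a malformed length would otherwise loop forever
            break
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:  # template flowset: learn the record layout used by later data flowsets
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                fields = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i]) for i in range(nfields)]
                templates[(source_id, tid)] = fields
                pos += 4 + 4 * nfields
        elif fs_id >= 256 and (source_id, fs_id) in templates:  # data flowset with a known template
            fields = templates[(source_id, fs_id)]
            rec_len, pos = sum(l for _, l in fields), 0
            while rec_len and pos + rec_len <= len(body):  # trailing bytes shorter than a record are padding
                rec = {}
                for ftype, flen in fields:
                    raw, pos = body[pos:pos + flen], pos + flen
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    rec[name] = str(ipaddress.IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                records.append(rec)
        offset += fs_len
    return records

def build_sample_packet():
    """Constructed export packet (not a real capture): template 256 plus one data record."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = (ipaddress.IPv4Address("192.0.2.10").packed + ipaddress.IPv4Address("198.51.100.7").packed
            + struct.pack("!HHII", 51234, 443, 1500000, 1200))
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 1, 1) + tmpl_fs + data_fs

def decode_sample():
    return parse_v9(build_sample_packet(), {})
```

Because exports are plain UDP with no authentication, a collector should also check that the packet's source address is one of the exporters it expects before trusting the records.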
What cnorborg (Craig) has alluded to, but you might not be quite clear on, is: Netflow is originated by Layer 3 devices - routers, switches that can route, firewalls that can route. Some layer 3 Cisco switches can send netflow data, not all. Your results will vary by family, model, version, IOS version, and sometimes, accessories/add-on modules. And, as I said, your topology will matter - the traffic will need to be routed between subnets (vlans) on the switch for the switch to originate the netflow, if it can.
You may be able to send netflow from an older 4510-R switch (I have ), but the newer ones work better/easier. I don't think you can from older 3750's at all, and limited on 3750-X. I think you can from 3850-X and 3650-X. You may need add on network modules.
NTA is an aggregation system - a reporter if you will. It will receive the netflow data and report on it. Several systems can do it, but I like NTA because it does it easily, and well.
Your best bet is to get the netflow from your routers, like Craig said, but it really depends on your topology. Getting it to work from switches - with Cisco - your results will vary. Best bet, at the design stage, is to consult with your Cisco account execs and/or reseller engineers to give you a good, better, best proposal.
cnorborg and pseudocyber have provided you with all the details you need for monitoring Netflow. I just wanted to add one additional component... IF user-specific details about layer 2 switch ports are a requirement, invest some time in looking at User Device Tracker (UDT) for that information. It can provide which device is connected to which port, and can also provide usernames on those ports (if it's a domain device).
I have several hundred 2960's that do NOT support Netflow.
Future Cisco deployments that will leverage their latest security solution require full NetFlow analysis for use with SourceFire/Firepower/ACI/etc. Be certain to know your security needs for the next five to ten years--as best as you can predict. If you buy low-cost switches now, Murphy's Law predicts you will not be able to use them with a new Cisco security policy that uses Cisco's newest solutions. And that puts you in the awkward position of having to replace new switches only a year or three down the road with ones that support full NetFlow.
LOL rschroeder. So true. I'm looking at replacing a collapsed core/distribution/access 4510 with 2 cores, 2 access stacks/chassis. I've had several discussions with our vendor's sales exec and sales engineer - and we've looked at 6500's, 6800's, 45K's, 5K&2K, 7K's, 9K solutions. I decided on 3850-X's because I required:
- Split control planes for cores.
- Hardware fault tolerance & resiliency for data plane.
- Netflow required.
- Medianet and BFD nice to haves.
- And of course the benjamins are a concern (aka $$$).
Performance (pps) isn't as much a concern in my situation as optional "features".
Perfect--as long as you're future-proofed and not caught in the bind of buying the least expensive switch ports today, at the risk of having incompatible equipment that must be replaced to support tomorrow's technologies.
I use dual 3850's for HA Distribution Switches at my medium sites; they do a nice job.