The Historical Playback feature in the Flow device-level view replays the historical Flow data collected over the previous 24-hour period. This feature has access to all the Flow data collected by LiveNX, and all the filtering options are available. Device-level flow playback can be shown in 10-second, 30-second, 1-minute, 5-minute, 30-minute, or 1-hour frames.
To open the flow historical playback feature, click Flow > Historical Playback.
NOTE: Historical Playback may cause flows to be dropped.
Below is an example of the Historical Playback display:
Create ACLs based on Flows
Access Control Lists can be created directly from the system flow view. Right-click a flow (not merged) in the topology view and select Create ACL based on flow.
The resultant ACL Extended rule menu will appear with the relevant source IP, destination IP and port information already filled in.
For additional details about managing Access Control Lists, please see Chapter 11 – Tools.
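The flow-to-rule mapping described above can be sketched as follows. This is an added example, not LiveNX code or its output: the record layout, function name and sample addresses are assumptions, and the rule text follows Cisco IOS extended ACL entry syntax.

```python
from ipaddress import IPv4Address

# IP protocol number (as carried in a flow record) -> ACL protocol keyword.
PROTO_KEYWORDS = {1: "icmp", 6: "tcp", 17: "udp"}


def _port(value):
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def acl_entry_from_flow(flow, action, match_src_port=False):
    """Build one extended ACL entry from a single (unmerged) flow.

    `flow` is a dict with src_ip, dst_ip, protocol and, for TCP/UDP,
    src_port and dst_port. This record layout is hypothetical.
    """
    if action not in ("permit", "deny"):
        raise ValueError("action must be 'permit' or 'deny'")
    # IPv4Address raises ValueError on anything that is not a valid IPv4
    # address, so malformed input never reaches the generated rule text.
    src = IPv4Address(flow["src_ip"])
    dst = IPv4Address(flow["dst_ip"])
    number = int(flow["protocol"])
    if not 0 <= number <= 255:
        raise ValueError(f"protocol out of range: {number}")
    proto = PROTO_KEYWORDS.get(number, str(number))

    src_part, dst_part = f"host {src}", f"host {dst}"
    if proto in ("tcp", "udp"):
        # The client's source port is usually ephemeral, so by default only
        # the destination (service) port is matched.
        if match_src_port:
            src_part += f" eq {_port(flow['src_port'])}"
        dst_part += f" eq {_port(flow['dst_port'])}"
    return f"{action} {proto} {src_part} {dst_part}"


# Constructed sample flow: a client reaching an HTTPS service.
SAMPLE_FLOW = {"src_ip": "10.1.1.5", "dst_ip": "192.0.2.20",
               "protocol": 6, "src_port": 51514, "dst_port": 443}

if __name__ == "__main__":
    print(acl_entry_from_flow(SAMPLE_FLOW, "deny"))
    print(acl_entry_from_flow(SAMPLE_FLOW, "permit", match_src_port=True))
```

A rule that also pins the source port only matches that one session, so review the pre-filled port fields before saving a rule built from a single flow.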
The Flow buffer status indicators will display the states of the Flow buffers.
- Green = normal
- Red = buffer overflow
The buffers will, under normal operating circumstances, remain green. If the indicator turns red, this indicates that the flow buffer has been exceeded. For Cisco devices, decreasing the number of devices utilizing NetFlow Collector mode will help remedy the situation.
The limitation of the flow buffer is determined by the performance of the Server or Node on which LiveNX is installed.
Flow Data Status
LiveNX also provides a report showing the status of flow data collection. To open the Flow Data Status dialog, select Flow > Data Status Report.
Click Execute Overflow Status to view overflow, packet rate, and drops.
Click Execute Flow Counts to view current statistics for flow collection. Use the combo box to select 1, 6, 12, or 24 hours of data. The total flows and flows per second statistics are for the chosen duration. The flow count is the aggregate of flows over all flow technology types.
Database File Size
Over time, collecting Flow and QoS historical data can consume a considerable amount of disk space. To view and modify the database storage settings, select Options from the Tools menu, and then click Database.
The IP Mapping feature allows the mapping of an IP address or hostname to a user-defined label. This feature only affects the labeling within LiveNX and does not affect any actual DNS or hostname configurations.
The IP Blacklist feature allows the identification of IP addresses or hostnames that will appear in red in the topology, device, flow table, and historical views. This is a method of identifying quickly and visually any known anomalies. Alerts can be configured to notify the users when blacklisted IP addresses occur in the flow data.
See Chapter 11 – Tools for information about configuring Alerts.
LiveNX is able to receive NetFlow from an array of different network devices. These are mainly Cisco devices, but LiveNX can also receive flow data from several other vendors. The following sections mostly describe Cisco routers and switches.
Cisco Device and NetFlow Version Support
LiveNX NetFlow currently works with most Cisco routers and some Cisco switches.
NOTE: See http://www.cisco.com/go/fn for more information on required hardware for these platforms.
LiveNX NetFlow Process Overview
The diagram below shows the LiveNX NetFlow components and how they fit into the process.
Collector Polling Modes
Cisco devices can provide NetFlow data in one of two different modes. LiveNX supports only Collector mode polling.
LiveNX stores raw flow data in the flow store database to generate flow topology views, short-term reports and flow related alerts. The raw flow data gets aggregated every 15 minutes and stored in the long-term store database to generate the flow dashboard and the long-term reports. Long-term reports include scheduled reports with durations of greater than 4 days and ad hoc reports based on the flow dashboard. Custom flow reports (i.e., flow reports created using user-defined fields) regardless of duration length are generated using the raw flow store database.
Device and Display Filters
To make it easier to isolate and view specific flow information, LiveNX provides extensive filtering options that can be applied to both real-time and historical displays. Device filtering allows you to collect specific flow data from the devices and to reduce the amount of NetFlow information LiveNX processes.
Real-Time and Historical Displays
The real-time display gives you current NetFlow data, plus live visualizations at the topology-, device-, and interface-level views. The historical display review allows you to recall and visually examine detailed device-level information from the database.
Cisco NetFlow Collector Commands
The software will set up the NetFlow commands automatically on the device. Users can also manually change or add settings to adjust the behavior and performance of the device. The following table shows some of the NetFlow commands that are available. The image below also shows the relationship between a flow in the network device and when NetFlow Collector data is sent back to LiveNX NetFlow. Additional information on NetFlow is available on the Cisco website.
NOTE: Various timers and their effects as a new traffic flow starts and ends, traversing the network device.
Based on a timer, the network device will forward a notification to the software, which will then display data on the screen.
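The timer behaviour described above can be replayed in a small simulation of a NetFlow cache entry governed by the two standard cache timers, the active and inactive timeouts. This is an added example, not LiveNX or Cisco code: the function names, timer values and packet times are constructed, and other export triggers such as a TCP FIN/RST or a full cache are not modelled.

```python
from typing import NamedTuple


class FlowExport(NamedTuple):
    time: float      # when the device sends the record to the collector
    reason: str      # which timer expired: "active" or "inactive"
    packets: int     # packets accounted for in this record


def _next_expiry(start, last, active, inactive):
    """Earliest timer to fire for a cache entry created at `start`
    whose most recent packet arrived at `last`."""
    by_active, by_inactive = start + active, last + inactive
    if by_active <= by_inactive:
        return by_active, "active"
    return by_inactive, "inactive"


def simulate_exports(packet_times, active, inactive):
    """Replay one flow's packet arrival times (seconds) through a
    cache with the given active and inactive timeouts."""
    exports = []
    start = last = None
    count = 0
    for t in sorted(packet_times):
        if start is not None:
            when, reason = _next_expiry(start, last, active, inactive)
            if t >= when:
                # The entry expired before this packet arrived: export it
                # and let this packet open a fresh cache entry.
                exports.append(FlowExport(when, reason, count))
                start = None
        if start is None:
            start, count = t, 0
        last = t
        count += 1
    if start is not None:
        # No more packets: the entry leaves the cache on its next expiry.
        when, reason = _next_expiry(start, last, active, inactive)
        exports.append(FlowExport(when, reason, count))
    return exports


# Constructed traffic: a steady flow (one packet every 10 s for 130 s),
# a pause, then two more packets. Timer values are chosen for the example.
SAMPLE_PACKETS = list(range(0, 131, 10)) + [200, 205]

if __name__ == "__main__":
    for record in simulate_exports(SAMPLE_PACKETS, active=60, inactive=15):
        print(record)
```

In this model the active timeout bounds how long a long-lived flow can run before the collector first receives a record for it, which matters when flow alerts are used for detection.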
NOTE: Some Cisco devices may not support egress export, and LiveNX will indicate the egress commands that failed. Unless the ingress commands also show up in the failed list, they will have been applied successfully. See http://www.cisco.com/go/fn for more information on supported platforms.
Flexible NetFlow (FNF)
Flexible NetFlow allows user-configurable NetFlow record formats, selecting from a collection of fields:
- Key, non-key, counter, timestamp
- User-defined NetFlow key fields
- Tailor a cache for specific applications not covered by the existing 21 NetFlow features in traditional NetFlow
- Different NetFlow caches (e.g., per subinterface, per direction [ingress, egress], per sampler)
- Better scalability, since flow record customization for a particular application reduces the number of flows to monitor
Features for Tracking
- Layer 2 for switching environments
- Layer 3 and Layer 4 for IP info (more so than with traditional NetFlow)
- Up to Layer 7 with deep packet inspection (NBAR integration in IOS 15.0)
- Medianet Performance Monitoring
See http://www.cisco.com/go/fn for more information on supported platforms. Beginning with Cisco IOS Release 12.4(20)T, traditional NetFlow for IPv6 is being replaced by Flexible NetFlow for IPv6. Cisco Express Forwarding (CEF) or distributed CEF (dCEF) is required.
The Configure Flow feature allows each device to be configured for either standard or Flexible NetFlow. To open it, click Flow > Configure Flow, or right-click a device in the device view and select Flow > Configure Flow. This capability is available to the Admin and Full-Config user roles.
After you click Flow > Configure Flow, LiveNX displays a Flow Configuration summary table listing all the devices discovered by LiveNX as well as their properties, including Type, IP Address, Description, Tags, and several Flow Configuration Options.
The Type drop-down field is used to determine the device series. Default is standard. Other options are the Catalyst 3850 (two flow monitors for monitoring an interface: ingress and egress), Catalyst 4500 (only allows monitoring in the ingress direction) and Catalyst 6500. LiveNX takes a best guess at the device type; the drop-down selection allows you to change the Type as needed.
The IP Address is the IP Address of the device.
The Description is the description field retrieved from the device. It should match the Description field that is shown in the LiveNX system device expanded view.
The Tags are the compilation of the labels, capacities, WAN, Sites, and Tags that you defined for that device. Creating labels, capacities, WAN, Sites, and Tags is covered in Chapter 12 – Reports.
The Traffic Statistics (FNF), Application Response Time (AVC), Voice/Video Performance (Medianet), Traditional NetFlow and Custom (Flexible NetFlow settings not set by LiveNX) flow configuration options summarize the device’s capability to support the various flow configuration options, as well as to show the flow configuration currently configured on that device.
- A green LED indicates the flow technology that is configured on that device.
- A white LED indicates the flow technology that is supported on the device, but is not currently configured.
- The LED with the strikeout marking indicates a flow technology that is not supported on that device.
In the example shown above, the 2921-Demo-67_112 device has Traffic Statistics (FNF), Application Response Time (AVC) and Voice/Video Performance flow technologies configured, while Traditional NetFlow and Custom NetFlow are supported, but not configured.
Hover over an entry in the flow configuration columns to get additional details about the flow configuration by the interface.
Type in an alphanumeric string next to the magnifying glass to filter the flow configuration table.
Configure or modify your device’s flow configuration by clicking on the leftmost checkbox and clicking on Configure Selected. After loading in the device configurations, LiveNX will expand the device entries in the Flow Configuration table to include the managed interfaces.
Click on a checkbox to toggle the various flow configuration options. A hyphen mark in a flow technology entry indicates a flow technology which is unsupported by that device. Once a new selection is made, the Save to Devices, Preview CLI and Revert buttons will be enabled.
- Preview CLI – click on Preview CLI to review the commands that LiveNX will send to the device to re-configure flows on the selected interfaces. Use the device table on the left to select a device in the list.
- Revert – click on the Revert button to return your flow configuration settings back to the initial state prior to any “Save to Devices” command.
- Back – click on the Back button to return to the device-only view of the flow configuration table.
- Close – close the flow configuration table.
- Save to Devices – LiveNX will ask you to confirm that you would like to configure the devices. If confirmed, LiveNX will modify the flow configuration for the selected interfaces on the device. A message will be generated to indicate successful re-configuration of that device or to indicate details on the errors encountered during the flow configuration.