tag:blog.tmcnet.com,2012-01-03:/advanced-netflow-traffic-analysis//164 2012-07-13T00:06:51Z tag:blog.tmcnet.com,2012:/advanced-netflow-traffic-analysis//164.49660 2012-07-12T23:54:14Z 2012-07-13T00:06:51Z

Michael Patterson http://blog.tmcnet.com/advanced-netflow-traffic-analysis/ Flexible NetFlow configuration where I created a TCP class that includes all TCP traffic. I don't normally recommend this as typically I would identify the business applications that I want to track with performance monitor and create classes for monitoring each. If all TCP latency is desired, this should work fine. Also, this FnF configuration is based on IOS 15.2(2)T and includes Cisco NBAR configuration details as well. If an earlier IOS is being used, ignore the error when creating the flow records. Reports should still work well if of course you have the best NetFlow reporting solution.


!define  standard FnF record
flow record nbar-mon
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match interface output
match flow direction
match application name
collect datalink dot1q vlan input
collect datalink dot1q vlan output
collect datalink mac source address input
collect datalink mac source address output
collect datalink mac destination address input
collect datalink mac destination address output
collect routing destination as
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 id
collect ipv4 source prefix
collect ipv4 source mask
collect ipv4 destination mask
collect transport tcp flags
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!


!define specific record for TCP flows
flow record type performance-monitor TCP
match ipv4 protocol
match ipv4 source address
match ipv4 source prefix
match ipv4 destination address
match ipv4 destination prefix
match transport source-port
match transport destination-port
collect routing forwarding-status
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 ttl
collect ipv4 source mask
collect ipv4 destination mask
collect transport round-trip-time
collect transport event packet-loss counter
collect interface input
collect interface output
collect counter bytes
collect counter packets
collect counter bytes rate
collect timestamp interval
collect application name
collect application media bytes counter
collect application media packets rate
collect application media event
collect monitor event
!
!Define record for VOIP flows
flow record type performance-monitor RTP
match ipv4 protocol
match ipv4 source address
match ipv4 source prefix
match ipv4 destination address
match ipv4 destination prefix
match transport source-port
match transport destination-port
match transport rtp ssrc
collect routing forwarding-status
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 ttl
collect ipv4 source mask
collect ipv4 destination mask
collect transport packets expected counter
collect transport packets lost counter
collect transport packets lost rate
collect transport event packet-loss counter
collect transport rtp jitter mean
collect transport rtp jitter minimum
collect transport rtp jitter maximum
collect interface input
collect interface output
collect counter bytes
collect counter packets
collect counter bytes rate
collect timestamp interval
collect application name
collect application media bytes counter
collect application media bytes rate
collect application media packets counter
collect application media packets rate
collect application media event
collect monitor event

!define exporter
flow exporter export-to-scrutinizer
description FNF v9
destination x.x.x.x
source XXXXXXX !interface
transport udp 2055
option interface-table
option application-table

!create VOIP flow monitor
flow monitor type performance-monitor RTP
description RTP stats
record RTP
exporter export-to-scrutinizer
!
!create TCP flow monitor
flow monitor type performance-monitor TCP
description TCP stats
record TCP
exporter export-to-scrutinizer

 
!Standard FnF Monitor
flow monitor nbar-mon
description app traffic analysis
exporter export-to-scrutinizer
cache timeout active 60
record nbar-mon

!create access list to filter TCP only
access-list 100 permit tcp any any

!create class to match voice traffic. "Cisco-Phone" usually means standard RTP voice traffic. Those 3 items should catch all the voice and video.
class-map match-any realtime
  match protocol rtp audio
  match protocol rtp video
  match protocol cisco-phone

!use TCP ACL to create a class map
class-map match-any TCP-class
  match access-group 100

 
policy-map type performance-monitor RTPMON
!Apply monitors to perfotmance monitor Policy-Map
class realtime
   flow monitor RTP
   monitor parameters
    interval duration 10
    flows 100
class TCP-class
   flow monitor TCP
   monitor parameters
    flows 1000

!Apply ingress/egress monitors to an interface. Egress (output) commented out unless needed.
interface XXXXXX
service-policy type performance-monitor input RTPMON
!service-policy type performance-monitor output RTPMON
ip flow monitor nbar-mon input
!ip flow monitor nbar-mon output
 
If you are looking for the best flexible NetFlow reporting tool, you will find the leader in NetFlow within the "Medianet 2.2 Deployment Guide".  Our NetFlow Analyzer can be found on page 7,8,10 & 11. 

 

Our company is a Cisco NetFlow partner for Medianet also known as Performance Monitoring because our system provides flexible filtering and sorting with Customizable Reports on the latest flow exports (e.g. Jitter , latency).   Please let me know is you have any questions about the above configuration.


]]> tag:blog.tmcnet.com,2012:/advanced-netflow-traffic-analysis//164.48831 2012-02-19T07:41:55Z 2012-02-19T08:43:34Z

Three years ago I was listening to John Chambers - CEO of Cisco Systems, proclaim that video was going to be the rage. I snickered and though it would be long time before anyone will be monitoring video performance with...

Michael Patterson http://blog.tmcnet.com/advanced-netflow-traffic-analysis/

Reporting on Skype with NetFlow
During a Skype connection with my daughter who was in my wife's car, my daughter wanted to show me her sneakers and then her book:



I noticed a big difference from when we just talked over the telephone.  Seeing my face made her realize that I was fully engaged in what she had to say.  She then put her jacket and shoes on and took the mobile phone outside to show me the fort she had built using scraps of wood.  I couldn't believe it. She moved the camera in close for me to see things. She then brought be inside and put the phone in front of the dog so that I could say hello to 'Charlie'.

I have to admit, I liked the video especially since I was in London, England and my daughter was in Maine. What I didn't like was the jitter.  I'm glad there are tools in our NetFlow traffic analyzer called Scrutinizer to monitor this.

Three years later at Cisco Live 2012 in London I was listening to Chief Cisco Futurist David Evans about the future of networking. I learned that video and data in general over the internet will continue to explode.  This time I BELIEVE!

Cisco Performance Monitoring
Plixer was the first Cisco NetFlow Partner to become certified for Cisco Medianet Performance monitoring reports. Check out the VoIP jitter or lost packets in the network monitoring report below. 



The above is VoIP with our Asterisk server.  Skype traffic uses both TCP and UDP. We can measure the TCP latency during the connection setup with NetFlow Performance monitoring to look at Skype traffic as well. Today, customers can monitor cloud services with NetFlow. The example report below is filtering for the Cisco NBAR detected application: Skype.



Next Generation NetFlow
Keep in mind that these reports require the use of Flexible NetFlow which doesn't use the command ip route-cache flow. Make sure you are running IOS 15.2(2)T or more recent for the most capable Flexible NetFlow exports. The latest version provides even more network latency details than what is displayed above. I'm talking about Cisco IP SLA. 

Performance Routing NetFlow
Cisco Performance Routing (PfR) can export IP SLA details using Flexible NetFlow. When a router determines that a connection is a bit congested, it will evaluate existing flows and reroute traffic over different connections ensuring priority to time sensitive traffic. By using PfR and Cisco Performance Monitoring together with Flow Hopper, administrators gain end to end network visibility on a link by link, hop by hop basis all with NetFlow. 

The bottom line: Network traffic monitoring with NetFlow is at a whole new level from just two years ago. Join NetFlow Developments on Linkedin and stay on top of the future of NetFlow.

]]>