Submit a ticketCall us
Home > Success Center > Netflow Traffic Analyzer (NTA) > NTA 4.2.2 Administrator Guide > Get started with NTA > Set up network devices to export NetFlow data

Set up network devices to export NetFlow data

As a feature to facilitate traffic analysis on Cisco IOS enabled devices, NetFlow begins work at the network device. To communicate the traffic-related data about a device, the device must be configured to send, push, or export that data to specific collection targets.

SolarWinds NTA collects NetFlow data, on port 2055 by default, only if a network device is specifically configured to send to it. As a NetFlow collector, SolarWinds NTA can receive exported NetFlow version 5 data and NetFlow version 9 data that includes all fields of the NetFlow version 5 template. Once it collects NetFlow traffic data, SolarWinds NTA analyzes device bandwidth usage in terms of the source and destination endpoints of conversations reflected in the traffic.

Requirements

  • Each device must be configured to export NetFlow data to SolarWinds NTA.
  • Each device that exports NetFlow data to SolarWinds NTA must be monitored in SolarWinds NPM. Only SNMP-capable nodes whose interfaces were discovered by SolarWinds NPM can be added as NetFlow sources.
  • Traffic from a device that is not monitored in SolarWinds NPM appears only in aggregate as traffic from unmonitored devices. If the device is setup to export data to SolarWinds NTA, but is unmonitored in SolarWinds NPM, the collector may receive the data without being able to meaningfully analyze it.
  • The specific interface through which a device exports NetFlow data must be monitored in SolarWinds NPM. The interface index number for this interface in the SolarWinds Orion database (interface table) must match the index number in the collected flow data.

Set up a device to export NetFlow data to SolarWinds NTA

  1. Log in to the network device.
  2. Enable NetFlow export on the device using appropriate commands. The following example enables NetFlow on a Cisco device:
    ip flow-export source <netflow_export_interface><interface_num>
    ip flow-export version 5
    ip flow-export destination <Orion_Server_IP_address> 2055
    ip flow-cache timeout active 1
    ip flow-cache timeout inactive 15
    snmp-server ifindex persist
  3. Add the device exporting NetFlow to SolarWinds NPM for monitoring.

    If you are adding a large number of NetFlow enabled nodes, use Orion Network Sonar. For more information, see Discovering and Adding Network Devices in the SolarWinds Network Performance Monitor Administrator Guide.

    If you are only adding a few nodes, it may be easier to use Web Node Management in the Orion Web Console. For more information, see Adding Devices for Monitoring in the Orion Web Console in the SolarWinds Network Performance Monitor Administrator Guide.

  4. Verify that the device is exporting NetFlow data as expected and that the device is monitored in SolarWinds NPM.

    To verify that data are exported correctly, use a packet capture tool, such as WireShark, to search for packets sent from the network device to the Orion server.

    Example

    If you successfully add a NetFlow enabled device with IP address 10.199.14.2 to SolarWinds NPM, and the device is actively exporting NetFlow data to the Orion server, you will see in WireShark a packet like the one (49) highlighted below in gray:

    File:Success_Center/New_Articles/NTA-Mindtouch-CHM/D80/03000026_440x210.png

     

    As expected, we see in the packet details that 10.199.14.2 is its source IP address and 10.110.6.113 is the destination, which is the Orion server. This correlates with the node details on the device in Orion, as highlighted in yellow.

    To verify that the IP address of the exporting interface on the network device is the one being monitored in Orion:

    • Open a command line interface, log into the network device, and then type show run to see the running configuration of the device.
    • Page down to the lines where the export source interface is defined. In this case, we see ip flow-export source Ethernet0/0.

    To discover the IP address for this interface, type show run int Ethernet0/0. We see that the IP address of the interface, 10.199.14.2, is being monitored by the Orion server.

  5. Click My Dashboards > NetFlow > NTA Summary.

    Under NetFlow Source, verify the NetFlow-enabled nodes listed with a recent time posted for collected flow.

 
Last modified
06:28, 13 Apr 2017

Tags

Classifications

Public