When we first started the journey of introducing traffic analysis into Opsview, we looked at the main protocols available in the marketplace today – and we came to the conclusion that NetFlow would be the best protocol to start with, as it is the market leader, is widely used, runs on a host of industry-leading hardware such as Cisco routers, switches, etc., and is also supported in VMware vSphere 5 onwards.
What is NetFlow?
NetFlow in its simplest form gives an administrator or NOC engineer a view into how their network is performing. At its most basic level it allows you to see where network links are being heavily used, using a graph or value such as below:
For most users this is fine, as it allows you to spot network anomalies as they are happening, see how much throughput there is and when, and be alerted on it via SMS, email, etc.
However, some administrators and companies require more granular views – e.g. why was it so busy on July 11th at 4pm? Using a protocol like NetFlow with Opsview's new Network Analyzer, you can find out by using a multitude of different views such as:
- Top 10 Host Transmitters
- Top 10 Host Receivers
- Top 10 Port Transmitters
- Top 10 Port Receivers
- Top 10 Transfers
- Sources Summary
- Sources History
These views allow you to look at a single switch, router, firewall, etc., or combine a number of them together, to view which users are downloading the most data, which servers may need QoS’ing in your environment, which website is having the most visits, and which protocol is most used (NNTP for example!).
Using ‘sources summary’, you can see the current throughput ‘at a glance’ for each NetFlow-enabled device. This view makes it really easy to see how groups of devices are performing. For example, if you have 20 Cisco 3750 switches, using the sources summary view you can have all 20 switches in the table and quickly see how busy each switch is, such as below:
You can also “troubleshoot” the network using the “sources history” dashlet in Opsview’s Network Analyzer. This allows you to look at your device / group of devices and see exactly what was happening on the network at that time and date as below:
Step 1: Find the point in time.
Step 2: Investigate!
You can also step through time using the above investigation console, e.g. “step back 10 minutes” and see what was happening at that time, or go minute by minute, etc. It really is an excellent analysis tool.
So how does it work?
NetFlow is a protocol that collects data, statistics, etc. and sends them to a NetFlow Collector, such as Opsview’s ‘Network Analyzer’. This is configured on the Cisco device, VMware server, etc. as below (Cisco IOS):
ip flow-export source Ethernet0/0
ip flow-export version 5
ip flow-export destination 192.168.15.152 9997
Where “192.168.15.152” is your Opsview server (you can also use the DNS name, e.g. opsview.example.com, providing you have your DNS server configured in IOS!).
What you are effectively doing here is pointing the NetFlow device (known as a source) at Opsview.
You then configure Opsview to listen out for the traffic and not to discard it:
...and that’s the configuration done (it really is that simple!). Another thing worth highlighting here is where that code snippet came from. In Network Analyzer you also have the ability to back up and compare copies of previous configurations from network devices in two simple steps:
Step 1: Enable collection of the configs
Step 2: Investigate!
This simple scenario shows a comparison between our current configuration, and changes that have been made to it (a great auditing tool, and it also allows you to get back online very quickly should something disastrous happen to one of your devices – as a copy of the configuration is the first thing a field engineer will need from you!).
So, bringing that all together gives you a scenario similar to below:
Here we have a nice big, well designed network (with no distribution layer, I ran out of space!), and the Opsview Network Analyzer is keeping a watchful eye on it all – from your NetFlow traffic analysis, to your SNMP Traps, backing up network device configurations, doing SNMP polling (create your own custom checks too!), etc.
Opsview’s ‘Network Analyzer’ provides a great view into your network health and performance, providing:
- Link speed data
- Link throughput data
- SNMP Traps
- SNMP Polling
- Configuration collection and analysis
- NetFlow collection and analysis
This can take a NOC from “you know it’s busy, let’s run wireshark, tcpdump etc. and you’ll see if you see anything” to “we knew it was busy as you got an alert on the bandwidth usage, we investigated the router and found that a single server was downloading a high amount of patches in a loop, so we added QoS to it and now all should be functioning well again”.
A perfect job!
Opsview Network Analyzer is available now as an add-on module to any Opsview Enterprise subscription.