NetFlow Analyzer, though the name says NetFlow, can work with quite a number of flow formats like sFlow, jFlow, NetStream, IPFIX etc. This blog will give you a brief idea on sFlow technology and also guide you on how to use NetFlow Analyzer with sFlow from HP Procurve devices.
What is sFlow?
sFlow is a monitoring technology which allows you to capture the traffic data from a switched or routed network to give complete visibility into the use of network bandwidth. This data helps in performance optimization, accounting/billing for usage, defense against security threats, capacity planning and much more.
sFlow datagrams are exported based on sampling, so the impact on the device's CPU, memory and available bandwidth is minimal. Based on a defined sampling rate, the device captures 1 out of every N packets (where N is the sampling rate) and sends it to NetFlow Analyzer for traffic analysis. Though this type of sampling does not provide 100% accurate statistics, it does provide a result with quantifiable accuracy.
sFlow analysis with NetFlow Analyzer:
NetFlow Analyzer can work with any device capable of exporting NetFlow, sFlow or another compatible flow format; which format is available depends entirely on the vendor. You can check out the list of flow formats and devices with which NetFlow Analyzer can work from here.
HP Procurve and sFlow:
Just like Cisco has NetFlow and other vendors have their flow formats, some vendors use a technology called sFlow. HP Procurve devices are capable of exporting sFlow datagrams, which can be used for bandwidth monitoring and traffic analysis. NetFlow Analyzer is capable of analyzing the sFlow datagrams exported from the HP Procurve to give you the traffic statistics on each active port.
sFlow export on the HP Procurve device can be configured using two different methods. We can enable sFlow by logging in to the device and configuring it for sFlow export, but this is available only on the older device models or OS versions.
On the new HP devices, sFlow can be enabled only through SNMP. To make the sFlow configuration on HP devices a simple task, NetFlow Analyzer provides scripts to enable and disable the sFlow export. So, let's see how we can use the script to enable sFlow.
sFlow Enable utility:
The script to enable sFlow, named as sFlowEnable.bat (for Windows and .sh for Linux), is present under <\AdventNet\ME\NetFlow\troubleshooting> directory.
The usage for the script is as follows:
SFlowEnable.bat switchIp snmpPort snmpWriteCommunity collectorIP collectorPort samplingRate
Example:-
C:\AdventNet\ME\NetFlow\troubleshooting>sFlowEnable.bat 192.168.188.30 161 private 192.168.133.1 9996 4096
Once sFlow is enabled on the HP devices, NetFlow Analyzer server will receive the packets and the product will capture the packets to automatically generate the reports. You also need to ensure that no access control lists (ACLs) or firewalls block the NetFlow packets (on UDP 9996) and that even the software firewalls on the server are allowing the packets to reach the NetFlow Analyzer installation.
After enabling sFlow on the HP devices, we need to ensure a few points to get accurate traffic statistics about the device in NetFlow Analyzer.
The first and foremost is the sampling rate. We suggest setting the sampling rate to 4096. We have observed from various setups and from our existing customers' feedback that a sampling rate of 4096 gives the most accurate traffic statistics in NetFlow Analyzer. Most of the other sFlow collectors in the market suggest a sampling rate of 256, which means a larger number of exported sFlow datagrams. With a sampling rate of 4096, you get the additional benefit that the device is not overloaded by sampling a large number of datagrams and exporting them to NetFlow Analyzer.
The next point we need to verify is the "sFlow receiver timeout". This determines how long sFlow remains active on the exporting device. When the value has expired, sFlow is disabled on the device, forcing you to re-enable sFlow export. For this reason, we recommend setting the sFlow receiver timeout to the maximum possible value, which is 2147483647 seconds, or 68 years! The command to be used on the HP device for setting the sFlow receiver timeout is:
setmib sFlowRcvrOwner.1 -D NetFlow Analyzer IP sFlowRcvrTimeout.1 -i 2147483647
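To confirm that the switch's datagrams actually reach the collector and carry the sampling rate you configured, the parser below reads an sFlow datagram header and the sampling rate of each flow sample. It is an added example, not part of NetFlow Analyzer or the original post; it assumes the sFlow version 5 layout, and build_sample_datagram is a hypothetical helper that constructs test input from the switch IP and sampling rate used above.

```python
import socket
import struct

def parse_sflow_v5(datagram: bytes) -> dict:
    """Parse the datagram header and collect each flow sample's sampling rate."""
    version, addr_type = struct.unpack_from("!II", datagram, 0)
    if version != 5:
        raise ValueError(f"not sFlow v5 (version field = {version})")
    if addr_type not in (1, 2):                        # 1 = IPv4, 2 = IPv6
        raise ValueError(f"unknown agent address type {addr_type}")
    addr_len = 4 if addr_type == 1 else 16
    family = socket.AF_INET if addr_type == 1 else socket.AF_INET6
    agent = socket.inet_ntop(family, datagram[8:8 + addr_len])
    off = 8 + addr_len
    _sub_agent, seq, _uptime_ms, n_samples = struct.unpack_from("!IIII", datagram, off)
    off += 16
    rates = []
    for _ in range(n_samples):
        tag, length = struct.unpack_from("!II", datagram, off)
        off += 8
        if off + length > len(datagram):
            raise ValueError("sample record runs past the end of the datagram")
        enterprise, fmt = tag >> 12, tag & 0xFFF
        # Offset of sampling_rate inside a flow sample (1) or expanded flow sample (3)
        rate_off = {1: 8, 3: 12}.get(fmt) if enterprise == 0 else None
        if rate_off is not None:
            if length < rate_off + 4:
                raise ValueError("flow sample too short")
            rates.append(struct.unpack_from("!I", datagram, off + rate_off)[0])
        off += length                                  # counter samples are skipped
    return {"agent": agent, "sequence": seq, "samples": n_samples,
            "sampling_rates": rates}

def build_sample_datagram(agent_ip: str, sampling_rate: int) -> bytes:
    """Hypothetical helper: constructed input with one empty flow sample."""
    body = struct.pack("!8I", 1, 1, sampling_rate, sampling_rate, 0, 1, 2, 0)
    sample = struct.pack("!II", 1, len(body)) + body
    header = struct.pack("!II", 5, 1) + socket.inet_aton(agent_ip)
    return header + struct.pack("!IIII", 0, 42, 1000, 1) + sample

if __name__ == "__main__":
    # Switch IP and sampling rate taken from the sFlowEnable.bat example above.
    print(parse_sflow_v5(build_sample_datagram("192.168.188.30", 4096)))
```

For a live check, feed it datagrams read from a UDP socket bound to the collector port (9996 in the example above) on a host where that port is free.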
sFlow Disable Utility:
Of course, we have thought about that too. Just in case you want to export sFlow to a different server, stop the flows for some time, or for whatever other reason, NetFlow Analyzer provides a script to disable sFlow export on the HP device.
The disable can be done using the script sFlowDisable.bat (for Windows and .sh for Linux), and the file is present under the <\AdventNet\ME\NetFlow\troubleshooting> directory. The usage of the script is as below:
SFlowDisable.bat switchIp snmpPort snmpWriteCommunity
Example :-
C:\AdventNet\ME\NetFlow\troubleshooting>sFlowDisable.bat 192.168.188.30 161 private
Go ahead and try our 30-day trial to see for yourself how well NetFlow Analyzer works with sFlow and HP devices.
Thanks
Praveen Kumar
We have posted a number of blogs to share information on how to use NetFlow technology and NetFlow Analyzer to manage your network better. Those blogs will definitely continue to give you more ideas to put the product to better use, but we will also discuss some of the common issues that you may have come across in the product and how they can be resolved.
NetFlow Analyzer generates traffic reports based on the NetFlow packets exported from the router. Based on the information in the NetFlow packets, the product displays the traffic passing through the interfaces of the exporting device.
One issue that is frequently reported is that the traffic utilization shown in NetFlow Analyzer is more than the actual traffic on the interface. Reports showing more than actual utilization or more than 100% utilization can be resolved quickly by checking a few points on the exporting device and the product.
Incorrect active timeout:
The traffic reports in NetFlow Analyzer are shown with a 1-minute granularity, i.e. NetFlow Analyzer shows details of the traffic for each minute. By default, the active timeout on the NetFlow exporting devices is 30 minutes, which means that the information about the traffic that passed through the interface in the previous 30 minutes is exported at the 30th minute.
Since NetFlow Analyzer reports traffic every minute, the export of 30 minutes of information all at once leads to the product's reports showing a spike every 30 minutes. The incorrect traffic details for that minute lead to an incorrect speed, which in turn leads to a wrong utilization calculation. To avoid this, simply check that the active timeout on the router is set to 1 minute using the command "ip flow-cache timeout active 1".
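The spike described above can be reproduced with a small model, added here as an illustration and not taken from NetFlow Analyzer: a steady 512 Kbps flow on a 1 Mbps (1024 Kbps) link, with the collector assumed to credit each record to the minute it arrives and utilization computed as actual speed / link speed * 100. The function names are this example's own.

```python
from collections import defaultdict

def export_records(rate_kbps, duration_min, active_timeout_min):
    """Records (arrival_minute, kilobits) for one long-lived flow: the exporter
    sends what it accumulated each time the active timeout expires."""
    records, start = [], 0
    while start < duration_min:
        end = min(start + active_timeout_min, duration_min)
        records.append((end, rate_kbps * 60 * (end - start)))
        start = end
    return records

def utilization_per_minute(records, link_kbps):
    """Assumed collector model: all traffic in a record is credited to the
    minute the record arrives. Utilization = actual speed / link speed * 100."""
    kbits = defaultdict(int)
    for minute, amount in records:
        kbits[minute] += amount
    return {m: (kbits[m] / 60) / link_kbps * 100 for m in sorted(kbits)}

def minutes_over_100(utilization):
    """Minutes whose reported utilization exceeds the link capacity."""
    return [m for m, pct in utilization.items() if pct > 100]

if __name__ == "__main__":
    for timeout in (30, 1):
        util = utilization_per_minute(export_records(512, 60, timeout), 1024)
        print(f"active timeout {timeout:>2} min: peak {max(util.values()):.0f}%, "
              f"minutes over 100%: {minutes_over_100(util)}")
```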
Multiple NetFlow commands:
NetFlow can be enabled on the router using any one of the three commands:
ip route-cache flow :- This command can be applied on all main interfaces and will automatically enable NetFlow on the sub-interfaces too. This command accounts for the IN traffic across an interface.
ip flow ingress :- Some of the newer IOS versions support this command, which also accounts for the IN traffic across an interface. The difference is that this command needs to be applied at the sub-interface level.
ip flow egress :- The same as 'ip flow ingress', but this command accounts for the OUT traffic across an interface.
NetFlow can be enabled on the interfaces of the router by applying any one of the above-mentioned commands, but most network admins enable either "ip flow ingress" or "ip route-cache flow" on the interfaces for traffic accounting. When all these commands are applied on the interfaces, the same traffic is counted multiple times, again causing the product to show incorrect traffic stats and thus incorrect utilization reports.
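One way to check a router for the two misconfigurations described so far, as an added example that is not part of NetFlow Analyzer: the script scans a running-config for the active timeout and for interfaces that carry more than one of the three commands, including a sub-interface whose main interface has "ip route-cache flow". The sample config is constructed, and the function name and finding strings are this example's own.

```python
import re

NETFLOW_CMDS = ("ip route-cache flow", "ip flow ingress", "ip flow egress")

def audit_netflow_config(config: str) -> list:
    """Return findings for a Cisco IOS running-config (plain text)."""
    active_timeout = 30          # default stated in the post when not configured
    per_if, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"ip flow-cache timeout active (\d+)", line)
        if m:
            active_timeout = int(m.group(1))
        elif raw.startswith("interface "):
            current = raw.split()[1]
            per_if[current] = set()
        elif raw[:1] not in (" ", "\t"):
            current = None       # any other top-level line ends the interface block
        elif current and line in NETFLOW_CMDS:
            per_if[current].add(line)
    findings = []
    if active_timeout != 1:
        findings.append(f"active timeout is {active_timeout} min, expected 1")
    for name, cmds in per_if.items():
        effective = set(cmds)
        parent = name.split(".")[0]
        # 'ip route-cache flow' on a main interface also covers its sub-interfaces
        if parent != name and "ip route-cache flow" in per_if.get(parent, set()):
            effective.add("ip route-cache flow")
        if len(effective) > 1:
            findings.append(f"{name}: {', '.join(sorted(effective))}")
    return findings

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
interface Serial0/0
 ip route-cache flow
!
interface Serial0/0.1 point-to-point
 ip flow ingress
!
interface FastEthernet0/1
 ip flow ingress
 ip flow egress
"""

if __name__ == "__main__":
    print("\n".join(audit_netflow_config(SAMPLE_CONFIG)))
```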
Incorrect link speed in NetFlow Analyzer:
NetFlow Analyzer calculates the utilization based on the link speed. For example, if the link has the capability to handle 1 Mbps and the actual traffic passing through an interface is about 512 Kbps, the utilization graph in NetFlow Analyzer displays the traffic percentage as 50%. Here is the formula which explains the utilization calculation in NetFlow Analyzer.
Utilization = Actual Speed/Link Speed * 100
So, if the link speed is not updated properly in NetFlow Analyzer, the utilization shown in NetFlow Analyzer will be different than the actual. NetFlow Analyzer can determine the interface speed if you set the appropriate SNMP Port and Community for the router in NetFlow Analyzer. This can be done from the 'Set SNMP Parameters' icon on the 'Interface View' right next to the router name, or you can set the interface speed manually for each interface in NetFlow Analyzer (from the Edit Settings icon on the 'Interface View' next to the interface name). You can refer to this blog for more details.
Non dedicated burstable bandwidth:
Certain ISPs allow you to use more than the allocated bandwidth, depending on the other customers sharing that link. So, even though the max bandwidth is 2 Mbps, the ISP may allow you to use even more based on availability. This also affects the accuracy of reporting in NetFlow Analyzer, causing incorrect bandwidth utilization values and even values of more than 100%.
ESP and GRE traffic:
This is another reason for traffic to get double counted in NetFlow Analyzer. With NetFlow data, the tunnel traffic will be accounted for as the normal traffic before encryption and again as the encrypted traffic. NetFlow Analyzer has an option to filter this kind of encrypted tunnel traffic from the reports. This option is available under Product Settings - Advance Settings - ESP or GRE Filter.
To know more about the ESP and GRE traffic double count, check this link.
If none of the above resolves the issue, please find the technical explanation on what could still be causing this:
Any analyzer tool calculates the OUT traffic of an interface based on the IN traffic of the interface that sends traffic to it. When traffic is passing from a higher speed interface to a lower speed interface, calculating the OUT traffic from the higher speed IN traffic causes incorrect traffic utilization to be shown for the OUT traffic.
The above cause of more than 100% utilization on OUT traffic can be resolved by enabling only "ip flow egress" on all the interfaces.
If you have any further queries on this, kindly send us an email at netflowanalyzer-support@manageengine.com.
Thanks
Praveen