When small organizations grow into enterprises, they also grow their branches. Literally. Well, at least as remote sites, branch offices and DR centers. With the current scenario defining cost saving as a primary factor for growth, is it affordable to have IT staff at all the remote locations? Having IT staff for monitoring the traffic at DR centers and major branches is justified, but not at the sites having just a couple of switching and routing devices.

The best option that comes to the forefront is NetFlow. NetFlow technology can give highly granular reports, and with almost all major vendors and a major series of devices supporting NetFlow or similar flow formats, there is no need to add hardware at extra cost, which again leads to cost saving. All you need is software that can collect the flow packets and generate the reports. Here again come other questions. How can you collect flows from the devices in various branch offices spread globally? If you already have a NetFlow tool deployed, will it scale up to handle thousands of interfaces and a flow rate of 40,000 to 60,000 flows per second? Along with the need for monitoring remote locations with detailed reports, there is also a need for features specific to branched networks, like a time zone based view. Can this be provided by the existing tool?

Now, even if your existing application can do all this, questions arise on the feasibility of sending a large volume of data over valuable Internet links. The priority is always to save the available Internet bandwidth for business critical applications. To make the monitoring easier, enterprises even try deploying different instances of the same tool at the branches. But this does not help. Logging in to separate installations to check the status of multiple links, generating reports for each interface, then consolidating them and so on is a daunting task.

In such a scenario, NetFlow Analyzer Enterprise edition, with its distributed flow collectors and central server, is the most suitable solution. The Enterprise edition of NetFlow Analyzer has flow collectors which can be deployed at various branches or geographic locations. The devices at a branch or site can send flows to the collectors. The collectors will then collect the flows, compress them and send them over HTTPS (Yes! Security for valuable data) to the central server.

The central server is where all the reporting and analysis takes place. The central server collects data from the collectors, processes it and stores it in the database from which reports are generated. You get real time visibility into the usage statistics of various links from globally spread branches in a single console.


Distributed architecture

The distributed flow collection and reporting engine gives the Enterprise edition the capability to monitor up to 20,000 interfaces and a flow rate in the range of even 60,000 flows per second. This rules out scalability and performance related issues that might otherwise have come up with an integrated application trying to handle a large number of interfaces and a high flow rate. The features available in this edition are also exactly what a distributed setup needs.

Tree view for devices helps group devices based on their locations (or your preferred criteria) for easier selection by users. This way, users do not have to search through the complete list of devices to find the one for which bandwidth metrics are needed. Timezone based view lets the users see reports in the time zone the device is at rather than based on the time where the product is installed. Administrators can also create multiple user accounts, assign devices or IP Groups to them and also set what timezone the users view the reports in. Do visit here to view the complete list of features available in Enterprise edition.

You can also leave behind your worries about exported NetFlow packets using a large volume of the Internet bandwidth. The NetFlow data is compressed using Java technology before being sent from the collector to the central server. This brings down the volume of the exported NetFlow data to less than 20% of the actual size and helps save your valuable Internet bandwidth for critical applications. Moreover, since data is sent over an HTTPS connection, the NetFlow data is secure, and the GUI of both the collector and the central server has HTTPS enabled by default.

Now with the central console, reports from the branches and DR sites spread geographically are at hand. There is no more need to log in to different installations and have reports generated from each one of them separately. You also have the option to select the interfaces displayed in the dashboard, so at a single glance the network team gets to see the status of highly utilized links or the status of critical links.

All enterprises prefer uninterrupted monitoring and reporting of critical links, applications or servers. But when the need comes to shut down the central server for maintenance, or if the central server goes down inadvertently, what can be done? Failover is the perfect feature for this. The data stored in the central server is replicated to a secondary central server, and any time the primary server goes down, the secondary is automatically activated after a fixed time. Thus failover gives you an automatic backup and redundancy of data.

With all these features and its scalability, NetFlow Analyzer Enterprise edition is the best suitable solution for bandwidth monitoring and traffic analysis. Do download the Central server and Collector from here and start your 30 day evaluation with free technical support from our team.

Regards,
Don Thomas Jacob

With the branches of an enterprise extending to various locations and connectivity between the branches being a top priority, monitoring traffic between specific sites to ensure uptime and priority for business critical traffic is also very important.

The Site to Site option under IP Groups in ManageEngine NetFlow Analyzer lets you monitor traffic between two specific sites based on IP Address or IP Network. This comes in handy to analyze who contributed to the traffic between the sites, if critical applications are indeed the ones utilizing the bandwidth and if the provided bandwidth does meet the requirement.

To explain how to use this feature and how to interpret the data shown in the reports pertaining to the IP Group, we will make use of a simple example scenario.

Consider a network where you have a central office whose router is being monitored with NetFlow Analyzer. There are multiple branches, A, B and C, all of which communicate with one another through the main office router. Your requirement is to track the traffic specifically between Site A (192.16.1.82) and Site B (10.15.8.47).

Branched network

In such a circumstance, you can make use of the Site to Site option under IP Groups.
For this, create an IP Group and select the Between Sites option. Here, add the Site A (192.168.1.82) under the 'From' field and Site B (10.15.8.47) under the 'To' field. You can add additional filter options like Port/Protocol and/or DSCP fields to this IP Group which would further filter the results based on the added criteria.

In 'Site to Site' IP Groups, for traffic classification purposes, the IP Address under the 'From' field is the primary IP and so all reports will be shown in relation to this IP Address or network. So, in our scenario, the IP Address 192.16.1.82, i.e. Site A, is the primary IP Address.

Data Interpretation:

Traffic IN and OUT:
Traffic is shown based on volume, speed, utilization and number of packets for the IP Group and is classified on an IN and OUT basis.
Traffic IN refers to the traffic that came into the IP Group. Site A is considered as the primary IP Address and so any traffic that comes to Site A is classified as the IN traffic for the IP Group. The OUT traffic refers to the traffic that went out of the IP Group and so traffic leaving Site A is accounted as the OUT traffic.

Application:
Application IN and OUT shows the applications that came in or went out of the IP Group and is classified the same way as Traffic IN and OUT. Applications which formed the traffic to Site A are shown under Application IN. Those applications which constituted the traffic from Site A are Application OUT, as Site A is considered the primary IP Address.

Source:
The Source tab for the IP Group will show the source of traffic originating from the IP Group. When traffic flows from Site A to Site B, the source of the traffic is 192.16.1.82 and the destination of the traffic is 10.15.8.47. Since the IP under the 'From' field is the primary IP Address, 192.16.1.82 will form the addresses shown in the Source tab.

Destination:
The Destination tab for the IP Group will show the destination of traffic reaching the IP Group. When Site A receives traffic from Site B, the source of the traffic is 10.15.8.47 and the destination of the traffic is 192.16.1.82. Since Site A is the primary IP Address, the IP Address 192.16.1.82 forms the destination address for the IP Group.

For both Source and Destination, you can click on the IP Address and drill down to find the related conversations. Source Address drill down will show the IP Address to which traffic was sent and Destination Address drill down shows the IP Addresses from where traffic originated for the IP Group.

Conversation IN and OUT:

The Conversation IN and OUT is the same as for Traffic IN and OUT. All conversations which came into the IP Group will be classified as Conversation IN and conversations which went out of the IP Group are Conversation OUT. So, Site B to Site A forms the Conversation IN and Site A to Site B forms the Conversation OUT for the IP Group.
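
The IN/OUT rules above can be checked against flow records directly. The following is an added example, not NetFlow Analyzer code: the function names, the record layout and the sample flows are constructed, and applications are keyed by protocol/port as an assumption. It also accepts networks as well as single addresses for the two sites.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: (src, dst, protocol, dst_port, bytes).
SAMPLE_FLOWS = [
    ("192.16.1.82", "10.15.8.47", "tcp", 25, 120_000),   # Site A -> Site B
    ("192.16.1.82", "10.15.8.47", "tcp", 443, 30_000),   # Site A -> Site B
    ("10.15.8.47", "192.16.1.82", "tcp", 443, 80_000),   # Site B -> Site A
    ("192.16.1.82", "172.16.4.9", "tcp", 80, 50_000),    # Site A -> Site C, outside the group
    ("172.16.4.9", "10.15.8.47", "udp", 53, 2_000),      # Site C -> Site B, outside the group
]


def classify(src, dst, from_net, to_net):
    """Return 'OUT', 'IN' or None, relative to the primary ('From') site."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in from_net and dst_ip in to_net:
        return "OUT"   # traffic leaving the primary site towards the 'To' site
    if src_ip in to_net and dst_ip in from_net:
        return "IN"    # traffic arriving at the primary site from the 'To' site
    return None        # not between the two sites, so not part of the group


def site_to_site_report(flows, from_site, to_site):
    """Aggregate flows into the report views described in the text."""
    from_net = ipaddress.ip_network(from_site, strict=False)
    to_net = ipaddress.ip_network(to_site, strict=False)
    traffic = {"IN": 0, "OUT": 0}
    application = {"IN": defaultdict(int), "OUT": defaultdict(int)}
    conversation = {"IN": defaultdict(int), "OUT": defaultdict(int)}
    source = defaultdict(lambda: defaultdict(int))       # primary IP -> where it sent to
    destination = defaultdict(lambda: defaultdict(int))  # primary IP -> who sent to it

    for src, dst, proto, port, nbytes in flows:
        direction = classify(src, dst, from_net, to_net)
        if direction is None:
            continue
        traffic[direction] += nbytes
        application[direction][f"{proto}/{port}"] += nbytes
        conversation[direction][(src, dst)] += nbytes
        if direction == "OUT":
            source[src][dst] += nbytes        # Source tab and its drill-down
        else:
            destination[dst][src] += nbytes   # Destination tab and its drill-down

    return {
        "traffic": traffic,
        "application": {d: dict(v) for d, v in application.items()},
        "conversation": {d: dict(v) for d, v in conversation.items()},
        "source": {k: dict(v) for k, v in source.items()},
        "destination": {k: dict(v) for k, v in destination.items()},
    }


if __name__ == "__main__":
    report = site_to_site_report(SAMPLE_FLOWS, "192.16.1.82", "10.15.8.47")
    for view, data in report.items():
        print(view, data)
```

Swapping the two arguments swaps IN and OUT, which is why the choice of the 'From' field matters when reading the reports.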

Hope this gives you a better understanding of how to monitor traffic between various branches much more effectively and how to interpret the data in Site to Site IP Groups. Do email us at netflowanalyzer-support@manageengine.com if you have any further queries. You can download the latest version of NetFlow Analyzer from here and see the features available in NetFlow Analyzer from this link.

Regards,
Don Thomas Jacob

Enterprises that serve a large customer base spread geographically need a distributed setup of branch offices and headquarters. This helps organizations grow their business through better reach and customer interaction. Connectivity between the various branch offices and the head office is also a major requirement for faster data and information transfer. With such a distributed setup also comes the requirement for monitoring the traffic from the branches to the Internet and to other sites to ensure connectivity, the loss of which can affect business continuity.

Trying to diagnose and troubleshoot network problems at the remote locations can be a tough task, as your router cannot show who is consuming the bandwidth, what application is used, the hosts involved, when spikes or chokes in bandwidth occurred and what caused them. Deploying technical staff at all branches for monitoring purposes is not a feasible solution either.

This is where NetFlow and NetFlow Analyzer come into the picture. Most Cisco devices support the NetFlow feature by default, and other major vendors like HP, Riverbed, Juniper, Enterasys and so on also have a similar flow technology. NetFlow Analyzer supports not only NetFlow but most of the major flow formats. All you need to do is enable NetFlow on the devices and have the flows exported to your server running NetFlow Analyzer. And yes, you do not have to worry about the bandwidth taken up by NetFlow export, as NetFlow itself does not utilize more than 2% to 3% of the link capacity.

Using NetFlow Analyzer you can see traffic statistics for the whole branch office, who used what applications and how much of it and so on. As a network administrator you may also want to specifically see the traffic to the Internet and not to the main office. Now, how can this be achieved?
For this purpose, the IP Group feature available in NetFlow Analyzer can be used. Using IP Groups, you can monitor a specific 'IP' entity and make use of include and exclude options. To monitor traffic from the branches to the Internet and not the main office, create an IP Group and include the IP Network of the branch and exclude the IP Network of your main office. Also set the speed of the IP Group which is used for utilization calculation and can be set based on the associated interface speed or on the bandwidth allocated to the branch for Internet traffic.

Creating IP Group for branch office monitoring
Once the IP Group is created, the traffic will be categorized based on the added criteria. In this IP Group, all traffic from the branch, but excluding the traffic to the main office, will be accounted for. You can see the traffic utilization to the Internet by the branches, the speed at which traffic is traversing, the applications going to the Internet, the hosts involved with the traffic and so on. When there is a bandwidth choke, you can check the traffic report and drill down to see the hosts involved, the destination to which they send traffic and what application was used.

Branch office Link utilization

Applications to Internet from branch


So, sitting at the main office, you can monitor the branch office traffic to the Internet and see if the links provided are being utilized or if there is unwanted traffic. This data helps you make capacity planning decisions and find who misused the WAN connection. You can also get reports to your email using Schedule Reports and have Alerts generated when the utilization exceeds a certain percentage. With NetFlow Analyzer and these features, remote management is taken to the next level.

You can view a live demo of the product from here. Do post your suggestions and download NetFlow Analyzer trial edition to see what more you can do with the product.

Regards,
Don Thomas Jacob

Emails are an important aspect of every organization’s business needs. Email fetching issues or delays in mail delivery trigger many questions and incident tickets from almost every employee, ranging from the managers to CTOs. Ensuring the up-time of the servers running business critical applications and of the links that connect to these servers is a big priority for a Network Administrator.

As a Network Administrator, you would definitely look forward to monitoring your organization’s email server to know if there is any unwanted traffic originating from it or to it, if the link connected to the server has the right capacity to carry the traffic, if the provided bandwidth is being choked and which hosts are the main contributors of the traffic.

But which is the cost effective solution? That is the “million-dollar” (pun intended!) question. The answer lies in NetFlow Analyzer and its IP Group feature. NetFlow Analyzer, an all software bandwidth monitoring solution, can monitor your network bandwidth and report on traffic usage across the links. By using the IP Group feature, you can monitor a specific server or even a number of servers and get network reports on the traffic utilization, applications contributing to the traffic, hosts involved with the traffic and so on. This helps to find if only those applications that are actually supposed to contribute traffic to the server are doing so, if any unwanted applications are running on the server, which specific host is sending high volumes of traffic, if the bandwidth provided is indeed right or if there is any bandwidth choke and at what time it happens.

You can create the IP Group by including the IP Address of your mail server and associate it with the interface that carries traffic to the mail server. You can also set the IP Group speed based on the speed of the interface carrying traffic to the server or based on the maximum speed to be taken by the traffic to the server. This speed is used for calculating the utilization percentage of traffic to the server.

Creating the IP Group


The IP Group created will show the traffic based on volume, speed, utilization and packets. You can thus find if the link has the right speed to handle all the traffic to the server or if the provided speed is much higher than needed (This might not be an issue when considering the LAN traffic).

The application tab shows you what applications contributed to the traffic to or from the server. You can see if the majority of traffic that came to or went out of the server is indeed SMTP, or if there are applications like FTP which should never have appeared, or an unexpectedly large volume of HTTP traffic. The advantages do not stop there. You can even drill down on an application to find what hosts were using it and the volume of traffic they contributed.

Unwanted traffic to the mail server


Who was FTPing to the mail server
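
The same check on the application view can be expressed over raw flow records. This is an added example, not NetFlow Analyzer code: the port-to-application map, the policy of allowed applications with a maximum share of the group's traffic, the server address and the sample flows are all constructed assumptions.

```python
from collections import defaultdict

# Constructed port-to-application map; covers only the sample below.
PORT_NAMES = {21: "ftp", 25: "smtp", 80: "http", 993: "imaps"}

MAIL_SERVER = "10.0.5.25"  # constructed address of the monitored server

# Assumed policy: application -> maximum share of the server's traffic.
# Applications missing from the policy are treated as unexpected.
POLICY = {"smtp": 1.0, "imaps": 1.0, "http": 0.10}

# Constructed sample flows: (src, src_port, dst, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.0.1.11", 50112, "10.0.5.25", 25, 400_000),
    ("10.0.5.25", 25, "10.0.1.11", 50112, 20_000),
    ("10.0.1.12", 50200, "10.0.5.25", 993, 300_000),
    ("10.0.1.40", 51000, "10.0.5.25", 21, 150_000),
    ("10.0.1.41", 51001, "10.0.5.25", 21, 50_000),
    ("10.0.1.12", 50300, "10.0.5.25", 80, 280_000),
    ("10.0.1.12", 50400, "10.0.9.9", 80, 999_999),   # other server, not in the group
]


def application(src_port, dst_port):
    """Name a flow by whichever of its ports is a known application port."""
    for port in (dst_port, src_port):
        if port in PORT_NAMES:
            return PORT_NAMES[port]
    return f"port-{min(src_port, dst_port)}"


def review_server_traffic(flows, server_ip, policy):
    """Return findings for applications that are unexpected or over their share."""
    volume = defaultdict(int)
    hosts = defaultdict(lambda: defaultdict(int))
    for src, sport, dst, dport, nbytes in flows:
        if server_ip not in (src, dst):
            continue                      # flow does not belong to this IP group
        app = application(sport, dport)
        peer = dst if src == server_ip else src
        volume[app] += nbytes
        hosts[app][peer] += nbytes

    total = sum(volume.values())
    findings = []
    for app, nbytes in volume.items():
        share = nbytes / total
        if app not in policy:
            reason = "unexpected application"
        elif share > policy[app]:
            reason = "share above limit"
        else:
            continue
        # Drill-down: hosts that used this application, largest first.
        top = sorted(hosts[app].items(), key=lambda kv: kv[1], reverse=True)
        findings.append({"application": app, "bytes": nbytes,
                         "share": round(share, 3), "reason": reason, "hosts": top})
    return sorted(findings, key=lambda f: f["bytes"], reverse=True)


if __name__ == "__main__":
    for finding in review_server_traffic(SAMPLE_FLOWS, MAIL_SERVER, POLICY):
        print(finding)
```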


You can also create alerts using Alert Profiles to let you know if the traffic to the server exceeds an expected percentage and have the alerts emailed to you or sent as SNMP traps to management applications like OpManager. The Schedule Reports option in NetFlow Analyzer lets you create the reports you need and have them emailed to you on a daily, weekly or monthly basis. So, while you check on other important tasks, you get reports about how well your mail server is doing in your email!
Download the trial version from here and feel free to post your suggestions or email your queries to the product experts at netflowanalyzer-support@manageengine.com.

Thanks and Regards,

Don Thomas Jacob

Enterprises and organizations always prefer to have priority for their business critical applications within the network as well as for traffic to the Internet. No network administrator would like to have their valuable Internet links congested with non priority application traffic.

But how would you find the bandwidth used by business critical applications or by non priority traffic over the Internet links? Say your organization uses certain applications that are critical to the smooth functioning of the organization’s business needs. You will certainly want to monitor the traffic pattern for these applications, which hosts are involved with the traffic, how much of the Internet link is occupied by them and if they indeed do utilize the provided bandwidth or if there is a bandwidth choke.

This is where the IP Group feature available in NetFlow Analyzer comes into the picture. You can create an IP Group and associate with it the port and protocol used by these applications. Also select the interface that takes traffic from this office to the Internet and set the IP Group speed. The speed is used for calculating the utilization of the applications and can be set based on the associated link speed or on the maximum bandwidth provided for these applications.

Creating IP Group for Business critical applications


Once the IP Group has been created, NetFlow Analyzer will start storing the related data separately and show the traffic statistics for the group. From here, you can see how much of the link was utilized by the business critical applications, what hosts were involved with the application traffic, what volume of traffic was sent or received by the hosts using the applications, the conversations involved with the applications and so on.

Link utilization by critical applications


Conversations involved with applications


This helps you find if the necessary applications have the right priority for bandwidth utilization or if a higher capacity link has to be allocated for the WAN traffic. The data which can be exported to CSV or PDF format helps you make capacity planning decisions. If you find the bandwidth being choked or frequent spikes in traffic, you can also make use of CBQoS features to decide on application priority. Please visit here to read our expert blogs on how you can make use of CBQoS reporting in NetFlow Analyzer for application prioritization.

Download the trial version from here and feel free to post your suggestions here or email your queries to the product experts at netflowanalyzer-support@manageengine.com.

Regards,

Don Thomas Jacob

Enterprise billing with NetFlow

Apr 23 2009 08:48:40 AM Posted By : Don Thomas Jacob

In our first blog, we went through the billing feature in NetFlow Analyzer, its advantages and how ISPs or Enterprises can use the bill plans to bill their customers or departments with more accurate traffic statistics. In this blog, we will explain how Enterprises can use Billing in conjunction with IP Groups for department wise charge back.

In the present scenario, where cost cutting and reliable data is the primary factor, any enterprise would love to maximize the usage from the existing infrastructure and technology. With NetFlow Analyzer and billing, customers can leverage on the NetFlow technology available on their devices to generate bandwidth and traffic reports as well as use the same technology and software for billing reports. NetFlow based billing also gives more in depth information with highly granular data about the traffic, hosts involved with the traffic, applications used and so on.

Now, how would enterprises make use of NetFlow and NetFlow Analyzer for billing reports?

As an enterprise, you may allocate budgets to your IT departments or bill customers for the resources they use, but nobody knows which departments are really spending the money and for what. NetFlow Analyzer will not only help you find how much is being spent on Internet traffic but also show what the bandwidth was utilized for.

Once you start monitoring your network with NetFlow Analyzer, reports can be generated on an interface basis and you can see reports for traffic based on speed, volume, utilization and packets, hosts involved with traffic, what application was used and so on.

Using IP Groups:

IP Groups help monitor separately the traffic for each department or any other IP entity you have in mind. The IP Group feature allows grouping of IPs based on address, network or range for monitoring and report generation purposes. In case you are looking to monitor the Internet traffic used by Project Z through a LAN interface, you can make use of IP Groups.

To create an IP Group, navigate to IP Group option under Admin Operations. Specify the IP Address, network or range associated with this department and associate the interface through which traffic reaches the department with the IP Group. You can also specify the IP Group speed for calculation of bandwidth utilization purposes.

Creating an IP Group


Traffic for an IP Group


The created IP Group shows the traffic based on volume, speed, utilization and packets and also the hosts and applications involved with the traffic for this particular department. The IP Group can now be associated with a bill plan. The bill plans in NetFlow Analyzer can be created based on volume or speed and along with this, you can specify the base cost and additional charges for additional usage.

Creating Bill plans for the department


The bill reports can be generated on a monthly or quarterly basis and using on demand billing, bill reports can be generated immediately. The Billing feature also makes your tasks easier by emailing the bill reports in PDF format to the emails you specify at the end of each billing cycle.

Bill Report


With this, Enterprises will have greater control over their department wise traffic and also have reliable traffic reports for departmental charge back.

Please visit here to download the 30 day trial for NetFlow Analyzer Professional Plus, which has features for Billing reports and CBQoS and NBAR reports. Do post your comments on our billing feature and what more features you would like to see in NetFlow Analyzer.

Regards,

Don Thomas Jacob

NAT configuration for NetFlow

Apr 06 2009 08:53:26 AM Posted By : Don Thomas Jacob

Most of the enterprises have their LAN network connected to a firewall, and from there to an edge router which connects to the WAN cloud. In this topology, network administrators also employ NAT for traffic redirection and other purposes.

Though NAT was primarily designed as a mechanism to conserve IPv4 addresses, it has also evolved into a security mechanism for the network. NAT gives network administrators greater control to filter traffic to the network and restrict access to various resources within the network.
Some of the advantages of using NAT in IP networks are:

1. It helps to slow the depletion of the IPv4 address space

2. Networks can use private address space internally and still connect to Internet using a single public IP address

3. Increased security by hiding internal network topology

In this blog we will briefly discuss NAT and which type of NAT is most suitable to allow NetFlow packets to reach the NetFlow Analyzer server. There are various ways of configuring NAT. Some of them are:

Static NAT:

Static NAT provides one-to-one mapping between an unregistered IP address and a registered IP Address. This is particularly useful in cases when a host or device needs to be accessible from the outside public Internet.

Dynamic NAT:

Dynamic NAT is used when a pool of public IP Addresses provided by the ISP is shared by an entire private IP subnet. Here, an internal private IP address is translated to a public address from the range of public addresses when the private host initiates the connection.

Overloading or Port Address translation:

This is the most frequently used type of NAT in IP networks. It is a variation of Dynamic NAT, also known as Network Address Port Translation (NAPT), in which multiple private IP addresses are mapped to a single registered IP address, with the connections differentiated based on TCP/UDP port numbers.

Overlapping:

In Overlapping, the IP addresses used on the internal network are registered IP addresses utilized on another network. To avoid conflicts, a NAT table is built to translate the internal addresses to a unique IP address and vice versa.

For NetFlow packets to reach NetFlow Analyzer:

Among the various NAT mechanisms, overloading (PAT) and static NAT are the most suitable methods to forward NetFlow packets from the outside to a server within the network.

Static NAT forwards packets received on a public IP Address to its mapped inside address. Or simply put, you can have devices from external sites sending traffic to the mapped public IP Address of the NetFlow Analyzer server. Static NAT is not widely preferred due to the cost and other factors involved with having a dedicated public IP address mapped to the NetFlow Analyzer server's private IP Address.

Static NAT

As in the image, the private IP Address 192.168.17.1 is always translated to the public IP Address 243.16.115.2, and so hosts from outside will be able to access the internal host using the IP Address 243.16.115.2. The configuration for this can be done as below:

Firewall(config)# interface ethernet 0
Firewall(config-if)# ip address 192.168.17.1 255.255.255.0
Firewall(config-if)# ip nat inside

Firewall(config)# interface serial 0
Firewall(config-if)# ip address 100.100.100.1 255.255.255.252
Firewall(config-if)# ip nat outside

Firewall(config)# ip nat inside source static 192.168.17.1 243.16.115.2

With NAT Overloading or PAT, inbound traffic to a public IP address is redirected to the internal addresses based on the port number. For the following image, all traffic to 243.16.115.2 on port 80 is translated to the private IP Address 192.168.17.1.

Port Address Translation

The configuration for PAT for the example can be done as below:

Firewall(config)# interface ethernet 0
Firewall(config-if)# ip address 192.168.17.1 255.255.255.0
Firewall(config-if)# ip nat inside

Firewall(config)# interface serial 0
Firewall(config-if)# ip address 243.16.115.2 255.255.255.0
Firewall(config-if)# ip nat outside

Firewall(config)# ip nat pool overloadpool 243.16.115.2 243.16.115.2 prefix-length 24
Firewall(config)# ip nat inside source list 1 pool overloadpool overload
Firewall(config)# access-list 1 permit 192.168.17.0 0.0.0.255

Port Redirection:
Port Redirection is a feature available in many devices to allow outside users to connect to a particular IP address/port and have the device redirect the traffic to the appropriate inside server/port. This is suitable when you need to send traffic from external devices to a specific internal IP Address on a particular port.

As an example, say you need traffic from external sites reaching the public IP 243.16.115.2 on UDP port 9996 to be forwarded to the internal host having the IP Address 192.168.17.2. The configuration can be done as below:

Firewall(config)# interface ethernet 0
Firewall(config-if)# ip address 192.168.17.2 255.255.255.0
Firewall(config-if)# ip nat inside

Firewall(config)# interface serial 0
Firewall(config-if)# ip address 243.16.115.2 255.255.255.252
Firewall(config-if)# ip nat outside

Firewall(config)# ip nat inside source static udp 192.168.17.2 9996 243.16.115.2 9996
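
How much of the internal server each mapping exposes can be compared with a simplified model of inbound static translation. This is an added example, not part of the original post or of any device's code; it models only the two `ip nat inside source static` lines shown above. The probe ports, the exporter range 198.51.100.0/24 and the `permitted_sources` parameter (standing in for an inbound access list on the outside interface) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticMapping:
    inside_local: str                  # private address of the internal host
    inside_global: str                 # public address seen from outside
    proto: Optional[str] = None        # None means every protocol and port
    local_port: Optional[int] = None
    global_port: Optional[int] = None


# ip nat inside source static 192.168.17.1 243.16.115.2
STATIC_NAT = [StaticMapping("192.168.17.1", "243.16.115.2")]

# ip nat inside source static udp 192.168.17.2 9996 243.16.115.2 9996
PORT_REDIRECT = [StaticMapping("192.168.17.2", "243.16.115.2", "udp", 9996, 9996)]

# Constructed inbound probes: the NetFlow export port plus three other ports.
PROBES = [("udp", 9996), ("tcp", 22), ("tcp", 443), ("udp", 161)]


def translate_inbound(mappings, proto, dst_ip, dst_port,
                      src_ip=None, permitted_sources=None):
    """Return (inside_ip, inside_port) for an inbound packet, or None if dropped."""
    if permitted_sources is not None:
        # Assumed source filter: only listed exporter networks may send.
        if src_ip is None:
            return None
        src = ipaddress.ip_address(src_ip)
        if not any(src in ipaddress.ip_network(net) for net in permitted_sources):
            return None
    for m in mappings:
        if dst_ip != m.inside_global:
            continue
        if m.proto is None:
            return (m.inside_local, dst_port)        # whole-address static NAT
        if proto == m.proto and dst_port == m.global_port:
            return (m.inside_local, m.local_port)    # single-port redirection
    return None


def reachable(mappings, public_ip, probes=PROBES):
    """List the probes that the mapping forwards to the internal host."""
    return [(proto, port) for proto, port in probes
            if translate_inbound(mappings, proto, public_ip, port) is not None]


if __name__ == "__main__":
    print("static NAT     :", reachable(STATIC_NAT, "243.16.115.2"))
    print("port redirect  :", reachable(PORT_REDIRECT, "243.16.115.2"))
```

In this model the whole-address mapping forwards every probe to the server, while the port redirection forwards only UDP 9996, and the source filter narrows that further to known exporters.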

Hope these suggestions will make configuring your network to receive NetFlow packets an easier job. Please do let us know if you have any suggestions on the configurations or any queries regarding NetFlow and NetFlow Analyzer.

Regards,
Don Thomas Jacob

Billing is one of the major features available in ManageEngine NetFlow Analyzer Professional Plus edition. With real time information on bandwidth consumption from NetFlow data giving enterprises and ISPs the ability to plan and manage their network infrastructure better, the billing feature in NetFlow Analyzer takes you to the next level by addressing the company’s business needs. With this, NetFlow Analyzer acts as an all in one solution for your multiple business requirements at no additional cost.

NetFlow based billing provides a number of advantages when compared with other typical billing mechanisms. The major advantage with NetFlow is that you can leverage an existing technology already available on your routing or switching devices. The NetFlow feature is supported on a wide range of Cisco devices, and it is not just Cisco devices: many major vendors have similar flow formats like sFlow, NetStream, jFlow and so on. Please visit here for the complete list. So, with no additional hardware and software purchase, you get the ability to do traffic analysis, bandwidth monitoring and billing too.

Another advantage is the in depth information provided. NetFlow data has highly granular information about the source and destination involved with the traffic, what application was used, the volume of traffic and so on. Even if your customer or client asks for details about a bill you presented for charge back, the requested information is not just at your fingertips, but available as proper, detailed PDF reports which can be presented anytime.

NetFlow billing is also suitable when you cannot use the traditional billing mechanisms based on SNMP due to security constraints involved with enabling SNMP on edge routers or CPE.

NetFlow Analyzer’s billing feature provides even further advantages by letting you do on-demand billing and have the bills automatically emailed to the addresses you wish. And it does not stop there. You can even have alerts generated when the bandwidth usage in a bill plan reaches a percentage of the maximum base limit.

Creating bill plans:

Billing plans may vary according to each customer and also according to the enterprise’s requirement. You might want to bill your customers based on the traffic volume or speed. The bill plan may also involve a base cost and incremental cost for additional usage. Customers or departments can be based on IP network, range or even a dedicated interface. All these varied requirements can be met using the single solution of NetFlow Analyzer.

NetFlow Analyzer has a feature for IP Group where you can create a group based on IP Address, Network or Range and associate them with an interface. This feature lets you see the ‘IP’ factor associated in the group as a separate entity for bandwidth monitoring purposes.

Bill plans in NetFlow Analyzer can be associated with either IP Groups or interfaces. Say, you are an enterprise doing a major banking project and the SLA with the bank involves charge back for the Internet usage by the project department. In such a scenario, you can create an IP Group for the department involved with the banking project and associate the IP Group with a bill plan. This type of bill plan can also be suitable for enterprises who want department wise cost allocation for Internet utilization or for an ISP whose link might be shared by different enterprises based on IP Networks or ranges. And if you are an ISP, having interfaces dedicated to an enterprise customer, a bill plan can be created and associated with the interface itself.

The bill plans can be based on either speed or volume. To create a bill plan, navigate to the Billing section under Admin Operations. Create bill plans based on speed or volume and associate them with an IP Group or interface depending on the billing requirement. When creating a bill plan, set the cost for the assured base bandwidth and the incremental cost involved. The bills can be generated on a monthly or quarterly cycle. You also have the option to generate alerts based on usage and to have the bills emailed to the addresses specified.

Volume and IP Group Bill plan

Speed and Interface Bill Plan

Once the bill plan is created, the bill will be generated and emailed on the set billing date. A user can also create the bill when needed using the on-demand billing which is useful when a plan is terminated before the end of the bill period or when you need an intermediate bill before the bill generation date. Creation of on-demand bill and viewing of previously generated bills can be done from the ‘reports’ tab under billing in NetFlow Analyzer. Please visit here for more details on how the billing calculation is done in NetFlow Analyzer.

Billing Report

The billing solution is meant to give ISPs the ability to bill customers with in-depth information, and to give enterprise customers departmental charge back or cost allocation along with detailed bandwidth reports. This is achieved through NetFlow Analyzer with an easy to use user interface and a simple design, making the creation and maintenance of bill plans an easy task.

With the addition of billing feature in Professional Plus, NetFlow Analyzer has changed from being an also-have monitoring tool to a must-have tool for any enterprise and ISP looking for a low cost, stable solution.

Do leave us your suggestions on what more features you would love to see in the billing section of NetFlow Analyzer and our engineering team will be happy to check it out.

Regards,

Don Thomas Jacob

NetFlow Analyzer shows valuable information about traffic and bandwidth being utilized on an interface. Reports are displayed about traffic based on volume, speed, utilization and packets and you can also see the source, destination and conversations pertaining to the traffic. All this information is shown on an IN and OUT basis.

One might wonder what the IN and OUT information in the different reports means. The reports on traffic IN show the traffic that came into the interface and OUT shows the traffic that went out of the interface. That was simple enough, but what about source, destination and conversations IN and OUT?

This too is very easy to understand and to explain this, we will make use of a small scenario. Consider a router with two interfaces, one connected to the LAN and the other connected to the WAN. Here, traffic exchange is taking place between the IP Addresses 68.180.206.184 which lies on the Internet and 192.16.1.82 which is in the local network.

When looking at reports for the WAN interface, the Source tab shows you the source of all traffic passing through this interface. Here, Source IN shows the source IP Addresses of the traffic that came into the network through the WAN interface (from the Internet in this case) and Source OUT shows the source IP Addresses of the traffic that went OUT of this interface to the Internet (in this case, from the LAN).

So, in the scenario, if there is traffic from the IP Address 68.180.206.184 to the LAN IP Address of 192.16.1.82, the Source IN will have the IP Address 68.180.206.184 as this IP Address is the source of traffic that came into the WAN Interface. When the LAN IP 192.16.1.82 sends information back to the public IP Address, the Source OUT will have the IP Address 192.16.1.82 because this is the source of traffic that went OUT of the WAN interface.

The Destination tab in NetFlow Analyzer shows the destination of all traffic that passed through a monitored interface. So, for the WAN interface, Destination IN shows the destination of traffic that came into the interface and Destination OUT shows the destination of traffic that went OUT of the WAN interface.

In the scenario where traffic was from 68.180.206.184 to the LAN IP Address of 192.16.1.82, the Destination IN is 192.16.1.82 because this was the destination of traffic that came into the WAN interface. During the return conversation, the IP Address 192.16.1.82 sends traffic with the destination IP Address as 68.180.206.184 and so this is the Destination OUT.

Coming to the conversation, the traffic exchange from the IP Address 68.180.206.184 to the IP Address 192.16.1.82 is a single conversation and this came into the WAN interface. So, this conversation will form the Conversation IN for the WAN interface. When the local IP Address 192.16.1.82 was sending traffic back to the public IP Address 68.180.206.184, this was a conversation that went out of the WAN interface and so forms the Conversation OUT.
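The scenario above worked through in code, as an added example that is not part of the original post or of NetFlow Analyzer. It assumes each exported flow record carries the input and output interface index, and that the WAN interface has ifIndex 2 and the LAN interface ifIndex 1 (constructed values, as are the byte counts).

```python
from collections import defaultdict

WAN_IF = 2  # assumed ifIndex of the WAN interface; 1 is the LAN side

# Constructed flow records: (src, dst, input ifIndex, output ifIndex, bytes)
FLOWS = [
    ("68.180.206.184", "192.16.1.82", 2, 1, 48000),  # Internet -> LAN
    ("192.16.1.82", "68.180.206.184", 1, 2, 3200),   # LAN reply -> Internet
    ("68.180.206.184", "192.16.1.82", 2, 1, 12000),  # second inbound flow
    ("192.16.1.82", "192.16.1.90", 1, 1, 900),       # LAN-only, never touches WAN
]


def in_out_report(flows, iface):
    """Aggregate bytes per Source, Destination and Conversation, IN and OUT."""
    report = {f"{tab}_{d}": defaultdict(int)
              for tab in ("source", "destination", "conversation")
              for d in ("in", "out")}
    for src, dst, in_if, out_if, nbytes in flows:
        directions = []
        if in_if == iface:
            directions.append("in")    # traffic entered through this interface
        if out_if == iface:
            directions.append("out")   # traffic left through this interface
        for d in directions:
            report[f"source_{d}"][src] += nbytes
            report[f"destination_{d}"][dst] += nbytes
            report[f"conversation_{d}"][(src, dst)] += nbytes
    return {name: dict(table) for name, table in report.items()}


if __name__ == "__main__":
    for name, table in in_out_report(FLOWS, WAN_IF).items():
        print(name, table)
```

Flows that neither enter nor leave the chosen interface, such as the LAN-only record, do not appear in any of its six tables.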

Hope this has cleared up any doubt anyone might have had about the traffic being displayed in NetFlow Analyzer. So, all these reports based on IN and OUT should help you know the ins and outs of your network traffic.

Thanks and Regards,
Don Thomas Jacob

VPN is the solution used when traffic has to be sent securely between various offices, and an IPSEC tunnel is what would commonly be used in an enterprise level network.

Any enterprise which uses such tunnels would also like to monitor the traffic usage and bandwidth utilization in the tunnel. NetFlow technology comes into the picture in this case, as IPSEC tunnels, or most tunnels for that matter, support NetFlow data export. All that has to be done is enable NetFlow data export on the tunnel, send this information to NetFlow Analyzer and you have your reports in a matter of minutes!

But here comes an issue. The tunnel traffic is encrypted at the entry and decrypted at the exit before being routed. All NetFlow based reporting tools will show the actual traffic (e.g. HTTP) before encryption, and the same traffic will be classified again as ESP Traffic after encryption. This leads to double counting of traffic for the tunnel interfaces and thus to wrong bandwidth calculations.

ESP Traffic is shown in traffic reports.

At a time when accurate information is a high priority for cost cutting and better network management, this cannot be afforded. This is why ManageEngine NetFlow Analyzer has the enhanced option to filter out the ESP traffic. With a few simple steps, you can filter the ESP traffic on such tunnel interfaces and enabling this will stop the ESP Traffic from being double counted in bandwidth utilization reports.

To enable the option, navigate to Product Settings under Admin Operations and from here, click on the Advanced Settings tab. Now under Flow Filter Settings, select the interfaces which form the edge of a tunnel. Once the interfaces are selected, the ESP Traffic on them will not be counted for bandwidth reports and you get the advantage of having the correct information about your tunnel bandwidth.
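The double count and the effect of the filter can be reproduced on a handful of constructed flow records. This is an added example, not NetFlow Analyzer's own code; the interface names and byte counts are assumptions, and ESP is identified by its IP protocol number, 50.

```python
ESP = 50  # IANA-assigned IP protocol number for ESP

# Constructed flow records: (interface, IP protocol, destination port, bytes)
FLOWS = [
    ("Tunnel0", 6, 80, 400_000),    # HTTP seen before encryption
    ("Tunnel0", 6, 443, 250_000),   # HTTPS seen before encryption
    ("Tunnel0", 17, 53, 2_000),     # DNS seen before encryption
    ("Tunnel0", ESP, 0, 690_000),   # the same traffic again, now as ESP
    ("Gi0/1", ESP, 0, 120_000),     # ESP on an interface that is not a tunnel edge
    ("Gi0/1", 6, 22, 30_000),
]


def bytes_per_interface(flows, esp_filtered=frozenset()):
    """Total bytes per interface, skipping ESP on the selected tunnel edges."""
    totals = {}
    for iface, proto, _port, nbytes in flows:
        if proto == ESP and iface in esp_filtered:
            continue  # already counted once as cleartext on this interface
        totals[iface] = totals.get(iface, 0) + nbytes
    return totals


def overcount(flows, tunnel_edges):
    """Bytes that were double counted on each selected tunnel edge."""
    raw = bytes_per_interface(flows)
    filtered = bytes_per_interface(flows, frozenset(tunnel_edges))
    return {i: raw.get(i, 0) - filtered.get(i, 0) for i in tunnel_edges}


if __name__ == "__main__":
    print("unfiltered:", bytes_per_interface(FLOWS))
    print("filtered:  ", bytes_per_interface(FLOWS, {"Tunnel0"}))
    print("overcount: ", overcount(FLOWS, ["Tunnel0"]))
```

The filter is applied per interface: on Gi0/1 in this sample the ESP record is the only record of that traffic, so it is left in that interface's total.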

Enable filter for an interface from Advanced Settings tab

No more ESP Traffic in reports

Our team is also working on having a filter for GRE traffic where the same double count occurs when traffic is encrypted using GRE in a tunnel. Hope to hear from you if you had issues with the GRE traffic being double counted and suggestions on how you would love this feature to be.
Don Thomas Jacob
NetFlow Analyzer Team