Production Network Monitoring
sFlow®
- Top Sources
- Source Port
- Top Destinations
- Destination Port
- Traffic over time
- Flow by Filter Interface
- Flow by Device & IF
- Count sFlow vs. Last Wk
- Flow QoS PHB
- Flow Source
- Flow Destination
- sFlow MTU Distribution
- Flows by Time
sFlow and VXLAN
The sFlow dashboard shows both outer and inner flows of VXLAN packets based on the VNI number of the VXLAN packet. To view all the inner flows of a particular VXLAN packet, first filter by VXLAN packets on the App L4 Port window to display all VXLAN packets. Identify the VXLAN packet you are interested in from the Flows by Time window. Expand the row, note the packet's VNI number, then remove the VXLAN filter and filter based on the VNI number. The dashboard then shows both the outer flow of the VXLAN packet and all the inner flows associated with it.
NetFlow and IPFIX
Configure the NetFlow collector interface on the Arista Analytics Node to obtain NetFlow packets, as described in the Setting up the NetFlow Collector on the Analytics Node section.
- nFlow Source IP (inner) Destination IP (outer)
- NF over Time
- nFlow Live L4 Ports
- nFlow by Filter Interface
- nFlow by Production Device & IF
- NF by QoS PHB
- NF by DPI App Name
- NF Top Talkers by Flow
- NF Detail
- The Arista Analytics Node cluster listens for NetFlow v9 and IPFIX traffic on UDP port 4739 and for NetFlow v5 traffic on UDP port 2055.
- Refer to the DANZ Monitoring Fabric 8.4 User Guide for NetFlow and IPFIX service configuration.
- Starting from the DMF-8.1.0 release, the Analytics Node supports the following Arista Enterprise-Specific Information Element IDs:
- 1036 - AristaBscanExportReason
- 1038 - AristaBscanTsFlowStart
- 1039 - AristaBscanTsFlowEnd
- 1040 - AristaBscanTsNewLearn
- 1042 - AristaBscanTagControl
- 1043 - AristaBscanFlowGroupId
Consolidating Netflow V9/IPFIX records
You can consolidate NetFlow V9 and IPFIX records by grouping those with similar identifying characteristics within a configurable time window. This process reduces the number of documents published in Elasticsearch, decreases disk usage, and improves efficiency. This is particularly beneficial for long flows, where consolidations as high as 40:1 have been observed. However, enabling consolidation is not recommended for environments with low packet flow rates, as it may cause delays in the publication of documents.
cluster:analytics# config
analytics(config)# analytics-service netflow-v9-ipfix
analytics(config-controller-service)# load-balancing policy source-hashing
- Source hashing: forwards packets to nodes statistically assigned by a hashtable of their source IP address. Consolidation operations are performed on each node independently in source hashing.
- Round-robin: distributes the packets equally between the nodes if source-hashing results in significantly unbalanced traffic distribution. Round-robin is the default behavior.
Kibana Setup
To perform the Kibana configuration, select the
tab on the Fabric page and open the panel:
- enable: turn consolidation on or off.
- window_size_ms: adjust the window size according to the rate of Netflow V9/IPFIX packets per second the Analytics Node receives. The default window size is 30 seconds, specified in milliseconds.
- mode: There are three supported modes:
- ip-port: records with the same source IP address, destination IP address, and IP protocol number. It also groups records by the lower numerical value of the source or destination Layer 4 port number.
- dmf-ip-port-switch: records from common DMF Filter switches that meet ip-port criteria.
- src-dst-mac: records with the same source and destination MAC addresses.
Note: This mode is used when Netflow V9/IPFIX templates collect only Layer 2 fields.
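The following is an added sketch, not Arista code, of what ip-port consolidation does to a stream of flow records. It assumes fixed windows aligned to window_size_ms and a grouping key that uses the lower of the two Layer 4 ports; the record field names and the sample records are constructed for the illustration.

```python
WINDOW_SIZE_MS = 30_000  # page default: 30 seconds, in milliseconds

def ip_port_key(rec):
    """ip-port mode: src IP, dst IP, IP protocol, lower of the two L4 ports."""
    return (rec["src"], rec["dst"], rec["proto"],
            min(rec["sport"], rec["dport"]))

def consolidate(records, window_ms=WINDOW_SIZE_MS, key=ip_port_key):
    """Merge records that share a key inside the same fixed time window."""
    docs = {}
    for rec in records:
        window = rec["ts_ms"] // window_ms  # fixed, aligned windows (assumption)
        doc = docs.get((window, key(rec)))
        if doc is None:
            # The first record of a group becomes the published document.
            docs[(window, key(rec))] = {**rec, "records": 1}
        else:
            doc["bytes"] += rec["bytes"]
            doc["packets"] += rec["packets"]
            doc["records"] += 1
    return list(docs.values())

def _rec(ts_ms, src, dst, sport, dport, nbytes, packets):
    return {"ts_ms": ts_ms, "src": src, "dst": dst, "proto": 6,
            "sport": sport, "dport": dport, "bytes": nbytes, "packets": packets}

# Constructed sample: one long TCP flow exported every 5 s for a minute,
# a second client connection to the same service, and the return direction.
SAMPLE = [_rec(t, "10.0.0.5", "10.0.0.9", 51000, 443, 1000, 10)
          for t in range(0, 60_000, 5_000)]
SAMPLE.append(_rec(1_000, "10.0.0.5", "10.0.0.9", 51001, 443, 500, 5))
SAMPLE.append(_rec(2_000, "10.0.0.9", "10.0.0.5", 443, 51000, 2000, 8))

if __name__ == "__main__":
    docs = consolidate(SAMPLE)
    print(f"{len(SAMPLE)} records -> {len(docs)} documents")
    for d in docs:
        print(d["src"], "->", d["dst"], d["bytes"], "bytes from",
              d["records"], "records")
```

In this model, connections from different client ports to the same service port collapse into one document per window, while the return direction stays separate because its source and destination addresses are swapped.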
Consolidation Troubleshooting
If consolidation is enabled but does not occur, Arista Networks recommends creating a support bundle and contacting Arista TAC.
Load-balancing Troubleshooting
If there are any issues related to load-balancing, Arista Networks recommends creating a support bundle and contacting Arista TAC.
NetFlow and IPFIX Flow with Application Information
This feature of Arista Analytics combines Netflow and IPFIX records containing application information with Netflow and IPFIX records containing flow information.
This feature improves the data visibility per application by correlating flow records with applications identified by the flow exporter.
This release supports only applications exported from Arista Networks Service Nodes. In a multi-node cluster, you must configure load balancing using the Analytics Node CLI.
Configuration
analytics# config
analytics(config)# analytics-service netflow-v9-ipfix
analytics(config-an-service)# load-balancing policy source-hashing
Kibana Configuration
- add_to_flows: Enables or turns off the merging feature.
ElasticSearch Documents
Three fields display the application information in the final NetFlow/IPFIX document stored in ElasticSearch:
- appScope: Name of the NetFlow/IPFIX exporter.
- appName: Name of the application. This field is only populated if the exporter is NTOP.
- appID: Unique application identifier assigned by the exporter.
Troubleshooting
If merging is enabled but does not occur, Arista Networks recommends creating a support bundle and contacting Arista TAC.
Limitations
- Some flow records may not include the expected application information when configuring round-robin load balancing of Netflow/IPFIX traffic. Arista Networks recommends configuring the source-hashing load-balancing policy and sending all Netflow/IPFIX traffic to the Analytics Node from the same source IP address.
- Application information and flow records are correlated only if the application record is available before the flow record.
- Arista Networks only supports collecting application information from Netflow/IPFIX exporters: NTOP, Palo Alto Networks firewalls, and Arista Networks Service Node.
- This feature isn’t compatible with the consolidation feature documented in the Consolidating Netflow V9/IPFIX records section. When merging with application information is enabled, consolidation must be disabled.
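The first two limitations can be seen in a small model, added here as an illustration and not taken from the product. It assumes each node keeps its own table of application records keyed by exporter and appID, that flow records carry the appID, and that source hashing is a CRC32 of the exporter address; the record shapes and sample values are constructed.

```python
import zlib
from itertools import count

def pick_node(policy, src_ip, n_nodes, rr):
    """source-hashing pins an exporter IP to one node; round-robin rotates."""
    if policy == "source-hashing":
        return zlib.crc32(src_ip.encode()) % n_nodes  # hash choice is an assumption
    return next(rr) % n_nodes

def merge(records, policy, n_nodes=2):
    """Return flow documents, adding appName where the receiving node
    already holds the matching application record."""
    tables = [dict() for _ in range(n_nodes)]  # per-node state (assumption)
    rr = count()
    docs = []
    for rec in records:  # records are processed in arrival order
        node = pick_node(policy, rec["exporter"], n_nodes, rr)
        app_key = (rec["exporter"], rec["appID"])
        if rec["kind"] == "app":
            tables[node][app_key] = rec["appName"]
            continue
        doc = {"flow": rec["flow"], "appID": rec["appID"]}
        if app_key in tables[node]:
            doc["appName"] = tables[node][app_key]
        docs.append(doc)
    return docs

# Constructed sample: one exporter, one flow sent before its application record.
RECORDS = [
    {"kind": "flow", "exporter": "192.0.2.10", "flow": "f1", "appID": 7},
    {"kind": "app", "exporter": "192.0.2.10", "appID": 7, "appName": "HTTPS"},
    {"kind": "flow", "exporter": "192.0.2.10", "flow": "f2", "appID": 7},
    {"kind": "flow", "exporter": "192.0.2.10", "flow": "f3", "appID": 7},
]

def app_names(policy):
    """appName per flow document, None where no merge happened."""
    return [d.get("appName") for d in merge(RECORDS, policy)]

if __name__ == "__main__":
    for policy in ("round-robin", "source-hashing"):
        print(policy, app_names(policy))
```

With source hashing only f1, which arrived before the application record, is left without a name; with round-robin f2 also misses it because the application record landed on the other node.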
NetFlow and sFlow Traffic Volume Upsampling
Arista Analytics can upsample traffic volume sampled by NetFlow V9/IPFIX and sFlow. This feature provides better visibility of traffic volumes by approximating the number of bytes and packets from samples collected by the NetFlow V9/IPFIX or sFlow sampling protocols. It gives those approximation statistics along with the ElasticSearch statistics. The feature bases the approximations on the flow exporter’s sampling rate or a user-provided fixed factor.
The DMF 8.5.0 release does not support the automated approximation of total bytes and packets for Netflow V9/IPFIX. If upsampling is needed, Arista Networks recommends configuring a fixed upsampling rate.
NetFlow/IPFIX Configuration
- Auto: This is the default option. DMF 8.5.0 does not support automated upsampling for Netflow V9/IPFIX. Arista Networks recommends configuring an integer if upsampling is needed.
- Integer: Multiply the number of bytes and packets for each collected sample by this configured number.
sFlow Configuration
- Auto: Approximate the number of bytes and packets for each collected sample based on the collector’s sampling rate. Auto is the default option.
- Integer: Multiply the number of bytes and packets for each collected sample by this configured number.
Dashboards
- NF over Time
- NF Top Talkers by Flow
- upsampledPacketCount: Approximate total count of packets for a flow.
- upsampledByteCount: Approximate total count of bytes for a flow.
The sFlow dashboard is on the
tab on the Fabric page. The Traffic over Time visualization will display upsampled statistics. The newly added upsampledByteCount represents a flow's approximate total count of bytes.
Troubleshooting
Arista Networks recommends creating a support bundle and contacting Arista Networks TAC if upsampling isn’t working correctly.
TCPFlow
The information on the TCPFlow dashboard depends on TCP handshake signals and is deduplicated. The Filter Interface visualization indicates the filter switch port where data is received. The switch description is specified in the Description attribute of each switch, configured on the DANZ Monitoring Fabric controller. Device & IF on this dashboard refers to the end device and depends on LLDP packets received.
Flows
- All Flows Type
- All Flows Overtime
- All Flows Details
Filters & Flows
ARP
DHCP
- DHCP OS Fingerprinted
- DHCP Messages by Filter Interface
- DHCP Messages by Production Switch
- Non-whitelist DHCP Servers
- DHCP Messages Over Time
- DHCP Messages by Type
- DHCP Messages
DNS
- DNS Top Servers
- DNS Top Clients
- DNS By Filter Interface
- DNS by Production Device & IF
- DNS Messages Over Time
- Unauthorized DNS Servers
- DNS RTT
- DNS All Messages
- DNS RCode Distro
- DNS QType Description
- DNS Top QNames
ICMP
- Top ICMP Message Source
- ICMP by Filter Interface
- Top ICM Message Dest
- ICMP by Error Description
- ICMP by Production Switch
- ICMP Top Err Dest IPs
- ICMP Top Err Dest Port Apps
- ICMP Messages Over Time
- ICMP Table