Managing the NetFlow Dashboard

This chapter describes how to manage NetFlow and use the NetFlow dashboard more efficiently. Arista Analytics acts as a NetFlow collector for any agent or generator that is configured with the Analytics server IP address as a collector. This includes DMF Service Node and any third-party NetFlow agent. This chapter has the following sections:

NetFlow Optimization

Arista Analytics may consolidate NetFlow records to improve performance.

The Analytics server/cluster consolidates flows received within a two second period into a single flow when the source and destination IP addresses are the same and either the source or destination L4 protocol port is the same.

For example, ten flows received by the Analytics server within a thirty second period are consolidated into a single flow if the source and destination IP addresses and destination port are the same for all the flows and only the source ports are different, or if the source and destination IP addresses and source port are the same for all the flows and only the destination ports are different. This consolidated flow displays as a single row.

By default, the NetFlow Optimization is enabled for Netflow v5 and disabled for Netflow v9 and IPFIX. To enable the Netflow Optimization for Netflow v9 and IPFIX please refer to Consolidating Netflow V9/IPFIX records section.

This consolidation improves Analytics NetFlow performance, allowing more efficient indexing and searching of NetFlow information.

The figure below shows the NF Detail window on the NetFlow dashboard, which provides an example of NetFlow information with optimization.
Figure 1. Analytics NetFlow Optimization

Viewing Filter Interface Information on the NetFlow Dashboard

Add the filter interface name to the NetFlow dashboard to see hop-by-hop forwarding of flows for NetFlow traffic coming from the DMF Service Node. It accomplishes by querying a specific flow. Arista Analytics then shows the filter interface name associated with that flow. If the flow goes through two hops, then two filter interface names are displayed for the flow.

Displaying Filter Interface Names

The nFlow by Filter Interface window on the NetFlow dashboard, shown below, can display the filter interface name where traffic is coming in for the NetFlow service. To display this information, enable the records-per-interface option in the NetFlow managed service configuration on the DANZ Monitoring Fabric controller using the commands shown in the following example. 
controller(config)# managed-service netflow-managed-service
controller(config-managed-srv)# service-action netflow netflow-delivery-int
controller(config-managed-srv-netflow)# collector 10.8.39.101 udp-port 2055 mtu 1500 records-per-interface
Figure 2. Production Network > NetFlow Dashboard with Filter Interface Name

The following example displays the running-config for this configuration.

NetFlow Managed Service Records-per-interface Option

! managed-service
managed-service netflow-managed-service
	service-interface switch 00:00:4c:76:25:f5:4b:80 ethernet4/3:4
	!
	service-action netflow netflow-delivery-int
		collector 10.8.39.101 udp-port 2055 mtu 1500 records-per-interface
controller(config)# sh running-config bigtap policy netflow-policy
! policy
policy netflow-policy
	action forward
	filter-interface filter-int-eth5
	use-managed-service netflow-managed-service sequence 1 use-service-delivery
	1 match any

After enabling this option, the nFlow by Filter Interface window, shown above, displays the filter interface identified in the policy that uses the NetFlow managed service.

The production device port connected to the filter interface sends LLDP messages Arista Analytics also displays the production switch name and the production interface name connected to the filter interface in the nFlow by Production Switch & IF window.

In the example below, wan-tap-1 displays in the nFlow by Filter Interface window. The production device N1524-WAN and the interface Gi1/0/1, connected to filter interface wan-tap-1, are displayed in the nFlow by Production Switch & IF window, shown below.
Figure 3. Production Network > NetFlow Dashboard with Filter Interface Name

NetFlow Traffic Coming from Third-party Devices

This section displays third-party device and interface names. It lets you see hop-by-hop forwarding of flows when NetFlow traffic is coming from a third-party device. When you query a specific flow, Arista Analytics shows the device and interface names associated with that flow. If the flows go through two hops, it displays the device and interface names associated with flows.

Arista Analytics can act as a NetFlow collector for third-party devices. In this case, Arista Analytics displays third-party device management IP addresses and the interface index (iFindex) of the interface on which NetFlow is enabled on each third-party device.

For example, the nFlow by Production Device & IF window shows that 10.8.39.198 is the third-party device that forwards NetFlow traffic. The iFindex of the interface on that device where NetFlow is enabled is 0, 2, 3, 4.

To discover the device name and the actual interface name rather than the iFindex, Arista Analytics automatically does an SNMP walk by getting the third-party device management IP from flow information. By default, Analytics uses the SNMP community name public to get the device name and interface name. If the SNMP community name of the third-party device is not public, change it in the Arista Analytics SNMP collector configuration.
Note: From 8.3.0, both SNMPv2 and SNMPv3 are supported.
Note: For IPFIX and nFlow v9, configure the third-party device to send the iFindex. The Analytics node will do an SNMP walk to get the interface names associated with that iFindex. By default, the iFindex is not sent with IPFIX or nFlow v9. For example, to send the iFindex for IPFIX and nFlow v9, enable match interface input snmp and match interface output snmp under flow record configuration on the third-party device.

DMF Analytic > System > Configuration > Analytic Configuration > snmp_collector

Arista Analytics then performs SNMP polling and displays the third-party device name and the actual interface name in the nflow by Production Device & IF window.

To perform the SNMP configuration, complete the following steps:

  1. On the screen shown below, click DMF Analytic > System > Configuration > Analytic Configuration > snmp_collector > Edit.
    Figure 4. Analytic snmp_collector config
    The system displays the following edit dialog.
    Figure 5. Analytic Configuration > snmp_collector > Edit Dialog (SNMPv2 Configuration)
    Figure 6. Analytic Configuration > snmp_collector > Edit Dialog (SNMPv3 Configuration)
  2. Click the community string public to change it to a different value as shown in the following dialog.

    By default, the SNMP collector polls devices every 60 seconds.

  3. To change the SNMP poll interval, click the value 60, change it to the preferred value, and click Save.
After completing this configuration, the third-party device is polled for the device name and interface name and it is displayed in the nflow by Production Device & IF window.
Figure 7. Analytic Configuration > snmp_collector > Edit Dialog

Displaying Flows with Out-Discards

The NetFlow dashboard provides an option to display flows with out-discards when the NetFlow packets come from third-party devices. To display this information, use the flows via interfaces with SNMP out-discards tab at the top of the Arista Analytics NetFlow dashboard.

To display the flows with out-discards, click the flows via interfaces with SNMP out-discards tab and click the Re-enable button. This window displays the flows with out-discards.