Configuration for AppVis™ and Flow
Overview
This page shows sample device configuration for AppVis™ (Cisco only) and Flow (IPFIX, NetFlow and J-Flow).
Configuration for NBAR on Cisco routers is also available. Details are on the NBAR configuration page.
AppVis™
AppVis is only supported for Cisco routers, and each router:
- should have an NBAR2 protocol pack licensed and installed
Note: NBAR2 is not a prerequisite for AppVis, which can use standard NBAR classification. However, standard NBAR has significantly fewer signatures than NBAR2, so AppVis would be less granular in the information it reports. Licence details are available from Reporting inventory.
- must have Flexible NetFlow configured. An example configuration follows:
Note: existing Flow configuration for version 5 or version 9 should be removed from the router first.
flow exporter highlight-exporter
description the fields to be used in the export packet header
destination **IP address of Collector**
source **interface that matches IP address in Highlight**
transport udp 9996
!
flow record highlight-appvis
description the fields to be sent in the individual flow records in a flow packet
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match interface output
match application name
collect counter bytes
collect counter packets
!
flow monitor highlight-monitor
description the exporter/record combination to be applied to interfaces for flow collection
exporter highlight-exporter
record highlight-appvis
And on the interface to be monitored for Flow
interface GigabitEthernet0/0
ip flow monitor highlight-monitor input
ip flow monitor highlight-monitor output
Cisco NetFlow
Set out below are details of the Cisco IOS commands needed for Highlight to report Flow information, and a description of their function. See below for the equivalent Juniper commands.
The Flow configuration
- specifies the Flow version (version 9 recommended if available; version 5 is also supported)
- defines the destination address of the NetFlow collector (a Highlight Agent)
- specifies the interface on the device that has the source IP address used to send Flow packets to the Flow collector
Flow version 9 configuration
ip flow-export version 9
ip flow-export destination **IP address of Collector** 9996
ip flow-export source **interface to match the source IP address in Highlight**
Then on the monitored interface
ip flow egress
ip flow ingress
Flow version 5 configuration
ip flow-export version 5
ip flow-export destination **IP address of Collector** 9996
ip flow-export source **interface to match the source IP address in Highlight**
Then on ALL interfaces carrying traffic
ip flow ingress
Additional configuration
In addition to configuring Flow settings, it is recommended that interface persistence is also added, to avoid loss of Flow monitoring if the interface numbering changes:
snmp-server ifindex persist
Cisco Flexible NetFlow
Highlight can support Flexible NetFlow using the 'Legacy' template only. This is an alternative to the configuration defined previously, and the two configurations should not be deployed together.
flow exporter highlight-exporter
destination **IP address of Collector**
transport udp 9996
export-protocol netflow-v5
source **interface that matches IP address in Highlight**
!
flow monitor highlight-monitor
record netflow ipv4 original-input
exporter highlight-exporter
cache timeout active 1
cache timeout inactive 15
And on the interface to be monitored for Flow
ip flow monitor highlight-monitor input
ip flow monitor highlight-monitor output
Additional configuration
In addition to configuring Flow settings, it is recommended that interface persistence is also added, to avoid loss of Flow monitoring if the interface numbering changes:
snmp-server ifindex persist
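The Python check below is an added example, not part of Highlight's documentation or tooling. It audits a saved Cisco running-config for the points made above: legacy ip flow-export lines left in place alongside Flexible NetFlow, the UDP 9996 transport, ifindex persistence, and the monitor applied in both directions as in the page's examples. The function name audit_flow_config, the sample addresses and the assumption that sub-commands are indented as in IOS output are illustrative.

```python
import re

# Constructed sample (not from a real device): legacy export left behind, Gi0/1 input only.
SAMPLE_CONFIG = """\
ip flow-export version 9
flow exporter highlight-exporter
 destination 192.0.2.10
 transport udp 9996
!
flow monitor highlight-monitor
 exporter highlight-exporter
 record highlight-appvis
!
interface GigabitEthernet0/0
 ip flow monitor highlight-monitor input
 ip flow monitor highlight-monitor output
!
interface GigabitEthernet0/1
 ip flow monitor highlight-monitor input
!
"""

def audit_flow_config(config, monitor="highlight-monitor", port=9996):
    """Return a sorted list of findings for one IOS running-config text."""
    findings = []
    lines = config.splitlines()
    stripped = [ln.strip() for ln in lines]
    flexible = any(ln.startswith("flow monitor ") for ln in stripped)
    legacy = any(ln.startswith("ip flow-export ") for ln in stripped)
    if flexible and legacy:
        findings.append("legacy ip flow-export present alongside Flexible NetFlow")
    if flexible and f"transport udp {port}" not in stripped:
        findings.append(f"no exporter uses transport udp {port}")
    if "snmp-server ifindex persist" not in stripped:
        findings.append("snmp-server ifindex persist missing")
    # Track which interface block each indented line belongs to (assumes IOS indentation).
    iface, directions = None, {}
    for raw in lines:
        if raw.startswith("interface "):
            iface = raw.split(None, 1)[1]
        elif not raw.startswith(" "):
            iface = None  # any other top-level line ends the interface block
        m = re.fullmatch(rf"ip flow monitor {re.escape(monitor)} (input|output)", raw.strip())
        if iface and m:
            directions.setdefault(iface, set()).add(m.group(1))
    for name, seen in directions.items():
        for missing in sorted({"input", "output"} - seen):
            findings.append(f"{name}: monitor not applied for {missing}")
    return sorted(findings)
```

Calling audit_flow_config(SAMPLE_CONFIG) reports the leftover legacy export line, the missing ifindex persistence and the one-directional monitor on GigabitEthernet0/1.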
Juniper J-Flow
Set out below are details of the Juniper commands needed for Highlight to report J-Flow information.
Assuming ge-0/0/0 to be your interface for flow analysis:
set interfaces ge-0/0/0 unit 0 family inet sampling input
set interfaces ge-0/0/0 unit 0 family inet sampling output
For a sampling rate of 1 in n packets (use n=1 for all packets to be analysed):
set forwarding-options sampling input rate n
For a Flow Collector with IP address nnn.nnn.nnn.nnn:
set forwarding-options sampling family inet output flow-server nnn.nnn.nnn.nnn port 9996
set forwarding-options sampling family inet output flow-server nnn.nnn.nnn.nnn version 5
FortiGate Firewall
Set out below is a summary of the FortiGate commands needed to report NetFlow information in Highlight.
Details have been extracted from this Fortinet technical page.
For a Flow Collector with IP address nnn.nnn.nnn.nnn:
config system netflow
set collector-ip nnn.nnn.nnn.nnn
set collector-port 9996
end
Then add Flow to the monitored interface:
config system interface
edit **interface to be monitored for Flow**
set netflow-sampler both
end