Vunetrix Network Monitor vCloud

Vunetrix Manual: Monitoring Bandwidth via Flows

Using Flow protocols you can monitor the bandwidth usage of all packets going through a device. In Vunetrix, you can view Toplists for all xFlow (including IPFIX) sensors.

How xFlow Monitoring works

You can measure bandwidth usage by IP address or by application in a network, using one of the xFlow (including IPFIX) protocols. They are the best choice especially for networks with high traffic (connections with 100s of megabit or gigabits). For xFlow monitoring the router gathers bandwidth usage data (flows), aggregates them and sends information about these flows to Vunetrix using UDP packets. When sampling is used (mandatory for sFlow) only information about every n-th packet is sent to Vunetrix which reduces CPU load a lot. Because the switch already performs a pre-aggregation of traffic data, the flow of data to Vunetrix is much smaller than the monitored traffic. This makes xFlow the ideal option for high traffic networks that need to differentiate the bandwidth usage by network protocol and/or IP addresses.

NetFlow and IPFIX Monitoring

The NetFlow (and IPFIX) protocol is mainly used by Cisco devices. Once configured, the router sends for each data flow a NetFlow or IPFIX packet to the monitoring system running on a Vunetrix probe. There the data can be filtered and evaluated. There are different NetFlow and IPFIX sensors available: The basic ones offer predefined channel definitions, the custom variants enable you to define your own channels.

The advantage of using NetFlow or IPFIX:

  • Generates little CPU load on the router itself (according to Cisco 10,000 active flows create about 7% additional CPU load; 45,000 active flows account for about 20% additional CPU load).
  • Generates less CPU load on the Vunetrix core system, compared to packet sniffer sensors.

Note: You must enable NetFlow or IPFIX export on the device you want to monitor. The device must send a flow data stream to the IP address of the Vunetrix probe system on which the NetFlow or IPFIX sensor is set up. Juniper jFlow monitoring is reported to work as well, using NetFlow v5 sensors.

sFlow Monitoring

sFlow works similar to NetFlow monitoring. The router sends data flow packets to the monitoring system running on a Vunetrix probe. The most obvious difference between the two flow protocols: With sFlow, not all of the traffic is analysed, but only every n-th packet. It is like having a river of traffic and you take a cup of water out of it ever so often and analyze it.

The advantage is clear: There is less data to analyze, there is less CPU load needed and less monitoring traffic is generated. Yet you can get a good insight into your network's bandwidth usage. Note: Currently, Vunetrix supports sFlow version 5.

Set Up Flow Sensors

Find details on how to set up the different flow sensors in the following sections:

 

Limitations

On a powerful 2008 PC (Dual Core, 2.5 Ghz), you can process about 100,000 flows per second for one xFlow stream. Using sampling the number of actual flows can be much higher. When using complex filters, the value can be much lower. For example, with a router sending about 2,000 flows/second (which corresponds to mixed traffic at gigabit/sec level without sampling) you can expect to configure up to 50 NetFlow sensors operating properly. Vunetrix internally monitors its own NetFlow processing, and you will see a decreased values in the Core/Probe Health sensor's Health channel as soon as NetFlow packets are not processed due to an overload (you find this sensor on the Local Probe device).

If you experience an overload please consider using sampling or setting up multiple probes and distribute the NetFlow streams to them. We do not recommend adding more than 400 NetFlow sensors per Vunetrix probe.

 

 

Next Topic

Keywords: Flow,Flow Technology