Specifications

ManualsBrandsEnterasys ManualsComputer equipmentN Standalone (NSA) Series

161

162

163

164

165

166

167

168

169

170

Understanding Flows

May 18, 2011 Page 4 of 21

2. Chooseuptofourcollectorsandamanagementapplication,suchasEnterasysSIEMor

NetSightRelease4.1orhigher,bestsuitedforthepurposeforwhichyouarecollectingthe

data.InstalltheapplicationontheNetFlowcollectorserver(s).

3. IdentifythepathsusedbythedatatobecollectedbyNetFlow.

4. Identify

the“chokepoint”interfaceswheretheIPpacketflowsyouwantNetFlowtocapture

aggregate.

5. EnableNetFlowontheidentifiedinterfaces.

6. IdentifyuptofourNetFlowcollectorserversbyconfiguringtheIPaddressforeachcollector.

7. UsethedatareportinggeneratedbytheNetFlowmanagementapplicationtoaddressthe

purposedeterminedin

step1.

Understanding Flows

Theconceptofaflowiscriticaltoundersta ndingNetFlow.AflowisastreamofIPpacketsin

whichthevaluesofafixedsetofIPpacketfieldsisthesameforeachpacketinthestream.Aflow

isidentifiedbyasetofkeyIPpacketfields

foundintheflow.Eachpacketcontainingthesame

valueforallkeyfieldsisconsideredpartofthesameflow,untilflowexpirationoccurs.Ifapacket

isviewedwithanykeyfieldvaluethatisdifferentfromanycurrentflow,anewflowisstarted

baseduponthe

keyfieldvaluesforthatpacket.TheNetFlowprotocolwilltrackaflowuntilan

expirationcriteriahasbeenmet,uptoaconfigurednumberofcurrentflows.

Thedatacapturedforeachflowisdifferent,basedontheNetFlowexportversionformat

supportedbythenetworkdevi ce.Thisdatacan

includesuchitemsaspacketcount,bytecount,

destinationinterfaceindex,startandendtime,andnexthoprouter.SeeNetFlowVersion5Record

Formatonpage 14forNetFlowVersion5templatedatafielddescriptionsandNetFlowVersion9

Templatesonpage 15forNetFlowVersion9templatedatafielddescriptions.

Flow Expiration Criteria

FlowdatarecordsarenotexportedbythenetworkswitchtotheNetFlowcollector(s)until

expirationtakesplace.Therearetwotimersthataffectflowexpiration:theNetFlowactiveand

inactivetimers.

Theactivetimerdeterminesthemaximumamountoftimealonglastingflowwillremainactive

beforeexpiring.When

alonglastingactiveflowexpires,duetotheactivetimerexpiring,another

flowisimmediatelycreatedtocontinuetheongoingflow.Itistheresponsibilityofthe

managementapplicationontheNetFlowcollectortorejointhesemultipleflowsthatmakeupa

singlelogicalflow.Theactivetimeris

configurableintheCLI(seeConfiguringtheActiveFlow

ExportTimeronpage 7).

TheinactivetimerdeterminesthelengthoftimeNetFlowwaitsbeforeexpiringagivenflowonce

thatflowhasstopped.Theinactivetimerisafixedvalueof40secondsandcannotbeconfigured.

RulesforexpiringNetFlowcache

entriesinclude:

•Flowswhichhavebeenidlefor40seconds(fixedvalueinfirmware)areexpiredandremoved

fromthecache.

• Longlivedflowsareexpiredandremovedfromthecache.(Flowsarenotallowedtolivemore

than30minutesbydefault;theunderlyingpacketconversationremainsundisturbed).

•Flows

associatedwithaninterfacethathasgonedownarea utomaticallyexpired.