We have had such an overwhelming response from both existing and potential customers for this version of our network monitoring application that we are now sending the upgrade instructions to customers to allow them to upgrade at their leisure.

It has been very well received, as it now allows customers to schedule their upgrade to non-business hours if necessary. Also, for customers with secure servers without Internet access and unable to allow us to use remote access software (we use GoToMeeting), they can now perform the upgrade on their own and enjoy the new features of Scrutinizer.

For you Rip Van Winkles out there (who have slept through all of our announcements and blogs about this new release), some of the hot new features of this network traffic analyzer are:

• Can now exclude transport layer protocol types per router, interface, or even globally across all flow exporting devices.
• Put users in groups and set permissions per group. Users can be members of multiple groups.
• Override reporting time interval (e.g. 1 minute time slices, 5 minute, 30 minute, etc.)
• Customizable login environment per account.
• Google maps have connections and change color based on utilization.
• LDAP and active directory support for logins.
• Applications can now be defined by a combination of ports and IP Addresses. Ports can be included in multiple defined applications.
• Extensive flexibility for VoIP reports.
• CSV, RSS, and XML output from any report.
• Bidirectional reports on every option (ie. Inbound and Outbound in same report)
• Enhanced ToS and DSCP reporting.
• Set thresholds for alarming on any report.

To summarize, we have incorporated many of the features requested by our customers into version 7, and as a result, we are now very busy supporting the installs and upgrades of this NetFlow and sFlow analyzer. For more information or support on either installing or upgrading, please visit our support site.

- Joanne

Please take a second and take our poll below:

The Key Advantages of using Flexible NetFlow on Routers:

A) User configurable ability to monitor a wider range of packet information which produces new information about network behavior: In other words, we can specify exactly what we want.  This is useful if you are trouble shooting and looking for very specific information that isn’t exported in traditional NetFlow (e.g. MAC addresses, VLAN IDs, NBAR, etc.).

B) Enhanced network anomaly and security detection: Basically, Flexible NetFlow can monitor more deeply inside packets.  What could these mean to the market for NBAD solutions?

C) Convergence of multiple accounting technologies into a single mechanism: This is basically reinforcing the above feature of collecting on any specific information but, using it for different purposes.  For example, maybe the NetFlow volume is so high that you have to use sampling.  This could throw a wrench into your accounting and billing plans as they likely won’t be accurate without 100% traditional NetFlow capture. Flexible NetFlow allows you to have a sampling export as well as other exports specific to traffic type (e.g. IP subnet) occurring simultaneously.

Using a free tool like Scrutinizer NetFlow Analyzer you can see the NetFlow coming in as well as the different templates shown below:

In the above screen capture, clicking on the interfaces at the top provides reports across all templates.

“The ASA exports bidirectional NetFlow which basically means that the data in both directions of a flow is summarized in a single flow export. This makes it interesting when trying to determine which direction the most data was transmitted.”  Marc Bilodeau – CTO of Plixer International

“The most popular question to date related to this topic has been How to setup NetFlow on the Cisco ASA. Thankfully, the GUI makes configuration of Flexible NetFlow on the appliance fairly easy. Now we are working with new features available via Flexible NetFlow and setting this up via the CLI takes a much deeper understanding than NetFlow v5.”

What do you think
Are you looking to take advantage of Flexible NetFlow?

In truth, V6 of Scrutinizer in some configurations could duplicate but, this has been fixed in v7. Many NetFlow solutions still suffer from this problem. Some NetFlow products jump on board to support the latest NetFlow technologies but, lack the discipline to backup and fix issues that the customer will come to realize after they have purchase. Ingress and Egress flows is one of those issues that must be dealt with properly. Ultimately, chasing new features in lieu of fixing existing issues can lead to

consumer frustration.

 
I believe all vendors including Plixer can learn from this mistake. Good software needs a solid foundation.

Notice above that Scrutinizer detects flow direction and dynamically
switches from displaying inbound or outBound utilization using ingress or egress flows based on what is currently being received from the interface. We feel it has been engineered very well.

Why are ingress and egress flow exports so important?  You should read this blog on WAN optimization with Cisco WAAS.

I’ve been seeing this issue lately and I think it’s worth talking about, since I can imagine it affects the way you see flows within just about any NetFlow traffic analyzer.

Within a NetFlow v5 packet, there are two rows that define the inbound and the outbound interface for every conversation. Those interface numbers are really just the ifindex interface ID assigned by your router.

The inbound/outbound interface fields are crucial to being able to calculate where your traffic stream is going.

Lets look at a couple screenshots:

This screenshot gives you a sample of a sFlow packet capture using Wireshark. Notice the fields for Input Interface index and Output Interface Index.

Looking at this packet capture, this particular sampled conversation first came in on interface 1, and then went out on interface… zero?

Interface 0 or Interface “null” can occur within a couple of the following scenarios.

• Multicast traffic
• Conversation denied by ACL rule
• Packets are destined for the router itself
• Conversation is dropped by QoS
• Router misconfiguration
• IOS bug
  

Those are a few of the common configurations that may cause this kind of traffic pattern. It’s important to know this, since this will affect how Scrutinizer renders this data when you are monitoring bandwidth usage.

For example: Imagine you have multicast traffic coming in on the Serial 0/1 interface (interface ID 1) and going out Serial 0/2 (interface ID 2). Keep in mind that multicast traffic will give you the outbound interface as “0″ in the NetFlow record.

How would your NetFlow collector know to associate that outbound multicast traffic with your Serial 0/2 interface with an ifindex ID of 2, when the NetFlow record says 0? It doesn’t with ingress flows, but if you enable multicast egress flows, you will see the outbound interface fill in as expected.

This scenario can cause a lot of confusion for a regular user that is new to the NetFlow dynamics.

When a NetFlow analyzer looks at these NetFlow records with an outbound interface of “0″, it may not be able to properly associate it with the interface the traffic may truly be passing across.

To help combat this problem, Scrutinizer throws nothing away. Maybe you’ve noticed that you have an Interface 0 listed on some of your devices. This interface is not a real interface. This is a summary of all the traffic that cannot be associated with any of your existing interfaces. Better to show it than discard it, right?

If you feel that you may be running into some of the conditions I listed above, I invite you to give us a call here. We created a fantastic tool within Scrutinizer called Flow View which allows you to see the contents of your NetFlow packets to verify everything you are seeing.

- Nate

 
In general, most customers see only a very slight CPU increase (i.e. 2% – 3%) on routers when NetFlow is enabled. I decided to investigate this topic further. Here is what Cisco has to say about the impact NetFlow has on performance  (see slide 74 & 75).

• Enabling NetFlow version 5 AND exporting increases the cpu utilization by around 15 % (with a max of 20 % depending on the platform)
• Enabling Neflow version 8 increases the cpu utilization by 2 to 5%, depending on the number of aggregations enabled With a multiple of 6% for multiple aggregations
• NetFlow is done in hardware on the cat6000 supervisor and the 12000 Engine 3 Line Cards

Like sFlow switches, Enterasys switches perform NetFlow exports using hardware with no impact to the CPU. Some vendors would like us to believe that NetFlow always impacts hardware performance. It simply isn’t true.

If you’re currently running version 7 of Plixer’s NetFlow analysis tool, then moving to v7.2 is a simple incremental upgrade.

However, for those customers who have been waiting anxiously to upgrade from version 6.x to v7, this is a major release and we want to make sure that using this network monitoring tool remains as pleasant an experience as ever.

For that reason, among others, we are assisting with the upgrades from Scrutinizer v6.x to v7.2 in these first few weeks of this release. And so far, it has been a relatively seamless process with delighted customers as a result.

If you are currently running Scrutinizer v6 and would like to upgrade to v7.2, please contact Plixer Technical Support for assistance.

We are also offering two webinars that cover important features in version 7, such as Cisco ASA Reporting and Cisco WAAS, and also the migration from v6 to v7. The first was held this morning at 10am EST and the other is scheduled for 2pm EST Wednesday, Nov. 4th.

With the combination of these webinars and our world class technical support, upgrading to and using Scrutinizer v7 as your primary network management tool just became that much simpler.

If you haven’t tried our NetFlow analyzer yet, what are you waiting for? Free technical support for install and setup are also available using the Evaluation support form, or by calling 207-324-8805 x3, or clicking on the Start Chat Now link.

- Joanne

The Cisco NetFlow Services Card (WS-F4531) is an optional daughter card for the Catalyst 4500 switch with Supervisor Engine IV or Supervisor Engine V. It extends the functions of the Supervisor Engine by collecting NetFlow statistics and enhanced virtual LAN (VLAN) statistics without affecting the forwarding performance rates of the supervisor engine.

To use the NetFlow feature on the Cisco 4500 Series, you must have the Supervisor Engine V-10GE, which has the functionality embedded in the supervisor engine, or the NetFlow Services Card (WS-F4531), and either a Supervisor Engine IV or a Supervisor Engine V, running Cisco IOS Version 12.1(13)EW or greater.

The WS-F4531, NetFlow Services Card is available at a number of online computer parts retailers, and cost between $1000 and $2000. Just Google ”WS-F4531″ and pick from a supplier that has a price that meets your budget.

Congratulations! By using Scrutinizer v7 and NetFlow, you have made your network analysis task easier.

Let the flows begin!

Here he is working on his latest video involving a Cisco Catalyst 6509.

I had a back stage pass that allowed me to take a few photos.  Is anyone interested in paying me for the legal rights to these one of a kind “in action” shots?

Coming Soon
Expect the next music video to be released soon. Here are the last two:
* NetFlow Rap 
* One Thing you Should Know

Go Go NetFlow!

Setting up sFlow on the HP Procurve
Let’s take sFlow support for example. In the early days ~4 years ago, setting up sFlow on the Procurve was horribly difficult.  It involved setting SNMP OIDs via a CLI, converting decimal IP addresses to HEX, scripting batch files to periodically (i.e. once per day) reset a decrementing timer so that it would continue to send sFlow. Telephone support from HP on this topic was terrible. We ended up being escalated to some guy who spoke horrible English that still couldn’t help us get it to work. We ended up returning the switch we purchased and buying from Alcatel, which at the time was awesome. We figured it out, sFlow on the Procurve for a customer several months later and documented the process. It was a four hour process to help a customer set it up, over the phone. Nathan blogged about sFlow on the procurve.

Procurve Today
More recently, we have started liking the Procurve for its commitment to the web GUI, which displays great element management (e.g. link status, port spanning, admin status, etc.) and improvements to the process of setting up sFlow. We still have the Alcatel, as well as an Extreme switch, and both are configured to send sFlow. We now use an Enterasys N-series switch, which supports NetFlow v9.

sFlow or NetFlow
We have a page on our web site dedicated to setting up sFlow exports and NetFlow exports.  If you have questions regarding which is better, sFlow or NetFlow, I suggest reading “Is sFlow better than NetFlow” in Network World or contacting Enterasys, they manufacture switches that support both. An unbiased opinion on the topic of NetFlow Vs sFlow will be hard to find.

Oh, Happy Halloween!

Time to go Trick or Treating. 

Enjoy the rest of the weekend and remember to set your clocks back for the time change.

We said it would come, and now it has been delivered.

With the availability of the new migration function, which comes with the latest release of Plixer’s own NetFlow monitoring application, we can now make your conversion from Scrutinizer NetFlow & sFlow Analyzer v6 to v7 smoother than ever.

Now, with the assistance of this new tool, your historical NetFlow data and elaborate Flash maps will be moved right on over to your new install.

Please know that there will be some limitations to this NetFlow data migration process. If you are still using Scrutinizer version 6 for your network traffic analysis and would like to know more about them, please contact Plixer support. Also, if you are interested to know what other new features and fixes are available in the latest release, take a look at the Scrutinizer version 7.2 release notes.

So, if you are eager to start running the most revolutionary Windows NetFlow Collector on the market, give our Support Team a call and we will assist you in getting your migration started!

Plixer Support
(207) 324-8805 ext: 4