What is a UDP Replicator?

UDP forwarding or UDP replication is, typically, used when you are limited to the amount of destinations that you can export data to. The solution is to send data such as NetFlow, syslogs, or any UDP protocol to a UDP replicator which can be configured to forward the data to any number of destinations.

Here’s an example of how we use a NetFlow replicator appliance on our own network to forward NetFlow data to all of our network monitoring solutions:

Since our high volume NetFlow Forwarder can easily forward over 100,000 flows a second it’s a great tool to provide distributed NetFlow collection. For example, you can send all the NetFlow packets to the UDP Replicator and then configure the Replicator to distribute the NetFlow to multiple collectors, so that all the data is not going to one single collection point. You can also setup the UDP Replicator for disaster recovery by sending the same flows to two different NetFlow collector servers.

Here’s an example of our UDP Replicator in action as it dynamically detects if it should stop forwarding flows when a host goes offline to prevent the flood of UDP packets across the network.  Then, when the host comes back online, the Replicator will begin forwarding flows again.

Don’t hesitate to contact us at 207-324-8805 if you’d like to find out more information on our UDP Replicator Appliance.

Visit our website to download a 30 day trial of Scrutinizer

Join the NetFlow Developments group on LinkedIn.

Cisco believes this appliance will help companies by:

• Providing End-to-end or hop by hop flow information collected across multiple network observation points using SPAN and network TAP (passive and active)
• Advanced filters to create custom exports for specific management needs
• It can forward flows to several collectors which means it has some NetFlow replication abilities
• Efficient design supporting up to six collectors for higher scalability and integration with multiple network management applications

Cisco markets that this new appliance will provide additional network performance details that can be fed into the Cisco Prime Assurance Manager. It claims to export about 120,000 flow records per second and supports NetFlow v5, v9 and even IPFIX exports.  A high volume NetFlow collector might be necessary for some NGA customers.

For a 30 day Trial of Scrutinizer, Click Here to Download!

Join the NetFlow Developments group on LinkedIn.

Cisco ASA Username NSEL Reports

In this Cisco ASA NSEL webcast you will learn about:
• Top usernames being denied network connections
• The events being violated the most and by whom
• The usernames of the IP addresses passing through the firewall
• NAT (Network Address Translations) who is translated to what?
• How to trend the frequency on all of the demonstrated metrics
• Scaling collection to over 100K flows per second
• How to detect threats with ASA data that the ASA will not detect

Presenters include:
• Michael Patterson, Founder/President, Plixer International
• Matt Jonkman, Founder/Emerging Threats Pro

Companies looking to monitor NSEL should take a minute and sign up now for the Cisco ASA NSEL Training and learn what you can gain by reporting on NSEL.

For a 30 day Trial of Scrutinizer, Click Here to Download!

Join the NetFlow Developments group on LinkedIn.

Citrix has joined the ranks of several other companies including Barracuda, Cisco, Extreme, Juniper, nProbe, Plixer and SonicWALL that are now exporting unique details in IPFIX.  Unlike NetFlow, IPFIX allows these companies to export unique details not supported by the elements found in Cisco NetFlow.

The Citrix commitment to AppFlow also known as IPFIX allows the company to keep pace with a similar technology found in the VMware vSphere NetFlow exports.  VMware however, has not made the switch yet to IPFIX.  This is probably because they have no need yet to export something unique like Citrix.

In the meantime, our performance monitoring solution for Citrix Desktop Virtualization is available today.

Visit our website to download a 30 day trial of Scrutinizer

Join the NetFlow Developments group on LinkedIn.

List of Next Gen NetFlow / IPFIX Reporting Features

If your company is contemplating the use of traditional or next generation flow exports, the insight you can gain depending on your hardware has never been greater.  Without a doubt, flow elements have been added to the technology in nearly all areas of performance and security which aid in end to end visibility.  Next Generation NetFlow collection and analysis requires:

1. A breakdown of all 7 layers of the OSI model with a focus on application details and end user information
2. Integration with other best of breed security systems like an IPS or firewall (e.g. Barracuda, Checkpoint, Cisco ASA, Palo Alto Networks, Juniper SRX, SonicWALL, etc.)
3. Reporting on the data in an easy to understand graphical format
4. Flexible filtering and sorting with customizable reports on the latest flow exports (e.g. Jitter, latency)
5. A breadth of experience and  reports which comes from working with numerous hardware vendors and a track record of being an innovator in the industry
6. Monitor for Internet threats based on IP host Reputation
7. A scalable solution that is able to collect over 100K flows/second
8. Support for virtual environments (e.g. VMware) and subnets where traditional flows aren’t  available
9. In depth forensic reporting and analysis capabilities which help reduce MTTK (Mean Time To Know) and MTTR (Mean Time To Repair)
10. Reporting on BYOD Security and BYOD Devices which often requires integration with NAC systems (e.g. Mobile IAM)
11. Reporting on usernames which can be done with several firewall exports (e.g. Cisco, Palo Alto Networks, SonicWALL)
12. The ability to map out end to end – hop by hop visibility by seeing the network communication path

Most of the above is available on older hardware.  This means you can gain access to next generation NetFlow even if you are purchasing refurbished Cisco hardware.

NetFlow Dashboard

Next generation flow reporting tools like Scrutinizer provide customizable dashboards that extend details on anything exported within Netflow.  For example, the top interfaces with the most Jitter, Latency, Packet loss or Utilization across thousands of interfaces are shown below.

Choosing a vendor with the experience and contacts with all of the major flow vendors may make a difference in your overall experience with flow collection and analysis.

Before you invest, spend some time comparing the reports available in the two solutions:

Our Flexible NetFlow for Medianet Tool:

Cisco Prime Assurance Manager

Our company is a Cisco NetFlow partner for Medianet VoIP reporting also known as Medianet Performance Monitoring because our system provides flexible filtering and sorting with Customizable Reports on the latest flow exports (e.g. Jitter , latency and packet loss).

Last year we got involved early with the latest Cisco NetFlow developments and became a recognized vendor for reporting on Cisco Performance Routing (PfR) which is a technology used to constantly test and monitor the quality of a link. If the QoS degrades, lower priority traffic can be dynamically rerouted to make room for priority applications such as voice and video.

If your company is deploying either of these reach out and we’ll help you get up and running.

For a 30 day Trial of Scrutinizer, Click Here to Download!

Join the NetFlow Developments group on LinkedIn.

One of the most overlooked NetFlow Collector System Requirements that write heavy database servers have is disk IOPS (Input/output Operations per Second). You have to remember that a spinning disk is very limited on how many writes it can make at any given time, and if the collector cannot write to the disk fast enough it can cause a lot of problems.  This has been the root cause of a lot of slow NetFlow collectors.

A large network can have thousands of flows per second, and each one of those has to be written to a storage device. The real problem is that on average a standard 7200RPM drive will struggle to get 100 IOPS. Simply upgrading to a 15K RPM drive can more than double that performance, but even a 15K RPM drive can be brought to its knees by a high flow rate.

Many of you already know that a RAID array can help boost NetFlow collector performance. But with so many RAID configurations how do you choose which one to use? First let me explain the most common and well-known two levels.

• RAID 0: a block-level striping of two or more drives with no redundancy. This will result in improved performance and additional storage but no fault tolerance.

• RAID 1: Is mirroring 2 drives for redundancy and will have very little affect on performance.

With most NetFlow collector hardware you ideally want the quality’s of both, additional speed and storage but with redundancy to keep historical data safe. This is where RAID 10 comes in.

RAID 10: The NetFlow collector recommended RAID, it is a RAID 0 array of an even number of RAID 1 Mirrors. This gives you additional performance, and fault tolerance. This is the configuration you will want to use to comply to the NetFlow Collector Recommended Specs.

Now that I have explained some points on what can help performance, let me share a few things that could hurt it.

While we are still on the subject of RAID, the next most popular RAID configuration is RAID 5. RAID 5 is a block-level striping of 3 or more drives with distributed parity. This will increase disk space, redundancy, and read speed. The issue with RAID 5 in regards to a NetFlow application is because of the need to write parity information.  You do not gain write speed with this configuration, so the same 4 15K RPM hard drives will perform much better with a collector server in a RAID 10 than RAID 5.

Visit our website to download a 30 day trial of Scrutinizer

Join the NetFlow Developments group on LinkedIn.

 “Aberdeen Group found that a company with 1,000 mobile devices spends an extra $170,000 per year, on average, when they use a BYOD approach.”

How do you improve BYOD Control?  Institute a company policy on BYOD use and enforce it.   There are several items to consider:

1. Implement some type of BYOD Security
2. Enforcement:  Leverage a technology such as Enterasys mobile IAM which allows the IT staff to track who is using what BYOD device and how many of each type of device is on the network.
3. Monitoring NetFlow and IPFIX is one of the best ways to find out how much BYOD traffic your infrastructure is currently supporting.
4. Educate employees and remind them to use appropriate behaviors when using BYOD devices.

With the above in place, network administrators have clear visibility into how many BYOD devices are on the network.  How many of each type (e.g. iPhone, Android, Blackberry, etc.) exist and which employee is authenticating them onto the network.

Loaded with the above details, the corresponding traffic generated as well as the websites they are visiting can be reported.   Asking employees not to behave a certain way and then not monitoring BYOD traffic would be like telling the police to post speed limit signs but, not to routinely monitor the roads.

For a 30 day Trial of Scrutinizer, Click Here to Download!

Join the NetFlow Developments group on LinkedIn.

• Palo Alto NetFlow exports
• Cisco ASR NetFlow exports

If you need help with your Cisco ASA NetFlow Configuration using ASDM there are some great “how to” videos on youtube.com. Reporting on NAT with NetFlow is sure to improve your network traffic monitoring efforts.

We also created some nifty reports that display the ACLs violated.

Let us know if you need any help setting all this up.

Visit our website to download a 30 day trial of Scrutinizer

Join the NetFlow Developments group on LinkedIn.

In today’s networks, application recognition is no longer one of those ‘nice to have’ options when it comes to traffic monitoring, it is a necessity.

Many vendors are now exporting application definitions in their flow exports.

Using NBAR,  applications like H.323, Telnet, RTP, Exchange and Skype can all be identified. Additionally, if you are running IOS release 15.1 or higher, can be exported in NetFlow exports.

On a call last week, a customer was looking at various NBAR reports, and seeing a significant amount of traffic showing up as “unknown”, and was wondering what this traffic was and what was the best approach for handling it.

The best way to reduce the amount of “unknown” traffic is twofold.

1. Make sure you have the latest possible IOS version. Cisco seems to add support for various PDLMs with various releases of IOS. With the newer versions of IOS, I have seen quite a bit of new apps defined in NBAR. So upgrading the IOS seems like the best way to increase the overall accuracy of NBAR.
2. Try and identify unknown traffic using WKP(well known port) reports, then create custom NBAR application definitions on the router.

Using an “Applications NBAR” report filter, we can look at only the traffic tagged as “unknown” . This will allow us to look at a well known port report of all the traffic the router can’t identify using NBAR.

Once applied, the report will show you the traffic that you want to identify.

Now, I have already been through this process on this router, but I do see some outbound traffic that I can identify on UDP port 4500.

I will define this application on the router since I know what it is. IPSEC VPN traffic.

(config)#ip nbar custom vpnipsec udp 4500

Now all traffic on UDP port 4500 (source and destination) will be marked as vpnipsec by NBAR.

I also know that all my traffic on UDP 16390 is relating to PfR active monitoring.

So I’ll create an NBAR app for this called “pfractmon”.

(config)#ip nbar custom pfractmon udp 16390

If you do this with each protocol, you’ll find that most of your traffic will no longer be “unknown”.

Some of the traffic seen here looks like HTTP, but is not. NBAR already has a definition for HTTP, but it looks deeper into the packet. You will not be able to add a definition using TCP 80 since it already overlaps the “real” tcp definition.

Here we can see that a report trend shows that the amount of “unknown” traffic dropped off quite a bit.

And, if you look at a few minutes of new NBAR data you’ll see that this traffic is now being marked with the new NBAR definitions.

Get visibility into the applications traversing your network. Define your custom applications and put our NBAR report filtering options to work for you.

Visit our website to download a 30 day trial of Scrutinizer

Join the NetFlow Developments group on LinkedIn.