Taking Advantage of Advanced NetFlow


Take a detailed look at how to take advantage of advanced NetFlow using SevOne technology in various situations. Learn how to predict potential service disruptions and avoid performance issues relating to business infrastructure.



I think we can get started. Good morning or good afternoon, everybody, depending on where in the world you may be right now. Welcome to SevOne's Demo with Dave: Taking Advantage of Advanced NetFlow. My name is Scott Frymire with the marketing team here at SevOne.

We thank you for taking the time today, out of your day, to join us for this demonstration. Most of this demonstration, which will last about 30 minutes or so, will be a live application share of the SevOne product. We will kick off with just a couple of slides.

For those of you who may not be familiar with SevOne and who we are, what do we do, who is SevOne in a nutshell. SevOne is a data center performance management solution. That means that we monitor, report and alert on the health of your networks, your applications, your systems. It doesn't matter if we're talking about public or private cloud environments, virtualized or hybrid environments, SevOne monitors it all from a single pane of glass.

Essentially, what we do is we give you the ability to prove your data center performance and predict potential disruption to the services and the applications that rely on the optimized performance of your network and that data center.

Essentially, our goal is to help you avoid business disruption due to performance issues with your infrastructure. With SevOne, how do we do this? Everything is contained in a single appliance. We are an appliance-based solution. We can deploy physically or virtually, but that single appliance is the monitoring, the data collection, the alerting, the reporting. Everything's done by a single machine, and support for all the monitoring and reporting technologies, the protocols that you need whether it's SNMP, IP SLA, NetFlow, JMX, WMI, NBar, whatever you would expect is included out of the box. We support more than two dozen protocols out of the box.

A single SevOne appliance can actually monitor up to 200,000 objects on your network. If you need to go beyond that, if you have a large scale network and have the need to monitor more than 200,000 objects, what we have delivered to the market is a unique architecture called the SevOne cluster architecture. If you go beyond 200,000 objects, you just drop another appliance in, and they all talk to each other in sort of a peer to peer distributed computing architecture.

There is no centralized database with SevOne, which you would see with a lot of other competing vendors on the market. All the appliances work together. They share in the report load. They all know what each other's responsible for. The unique distributed computing architecture is what allows us, from your standpoint, to deliver instantaneous reports on the health of your infrastructure.

With SevOne, regardless of how large your infrastructure is, we could be monitoring millions of objects across multiple networks, literally calculating trillions of baseline analytics but those reports that you get on the health of your infrastructure are delivered in seconds, not minutes or hours. We do consider ourselves the world's most scalable, performance management platform.

That's SevOne in a nutshell. We're all about performance visibility. I think when I talked to a lot of our customers and our prospects, at the end of the day, the reason they come to us is because they have some gap in the visibility of the health of their network. That's what we specialize in helping our customers with.

For today's demonstration, we're going to be talking specifically about how to take advantage of advanced NetFlow. I know this is called Demo with Dave. Dave Hegenbarth, who's usually the presenter, is based out of North America. Dave's probably just rolling out of bed right now. For the EMEA time slot here, the presentation that we give, I'm happy to invite to the demonstration today, Tom Griffin.

Tom is our director of systems engineering for EMEA at SevOne. Tom is a performance management expert and for the demonstration, Tom, I'll go ahead. I'll pass you control and allow you to do your application share. Welcome, Tom.

Thanks, Scott. Good morning or good afternoon, everybody. What I'm going to do here I'm going to share my application. What you should see is the SevOne front end. What I'll do for the purpose of this demo is walk through a couple of use scenarios around NetFlow.

From this front end you'll see that there's a button on here that jumps straight into our FlowFalcon application. FlowFalcon is our NetFlow reporting front end and I'll use that as we go through but a more critical jumping off point for most organizations for NetFlow is when they're looking at traffic utilization or resource utilization on the network.

I'm looking at a graph, something similar to this. This is looking at network utilization on one of our wireless links internally, and the question that most organizations are asking is what's occupying the bulk of my capacity? Why is the utilization where it is? Within SevOne we provide the ability to link very quickly from an SNMP or performance metric down to a flow metric. We have the notion of what we call chaining, so what I can do here really quickly is chain from this SNMP graph and go off and generate a default NetFlow report on the fly.

What this is doing at this point is I've now got a default report template which defaults to looking at the top talkers on the network and with the same time scale as the report. Obviously you can see the comparisons and in the realm of the same time frame. What it allows me to do from this diagnosis is for example I may want to say what is this traffic at this period in time here? I can drill into particular time and look at what the traffic was at that particular period of time. What the application will do is it will resend to the SNMP graph and realign the NetFlow to match it. I'm looking at the SNMP traffic here and then I've got no traffic underneath, so can start to see what's actually causing that traffic.

I can change, at this point I'm looking at top talkers so I can see the top talker during that time was this particular IP address. The next question is typically, well, what's this guy doing to occupy this traffic at this point in time? We can go to different templates at this stage, so we support multiple different templates. Multiple different views of the NetFlow traffic. Typically what I want to do is say give me top talkers with the application, so I add an application view to this report. The top talker actually is in blue. The application port is actually SNMP and, well, that might seem odd for a lot of organizations; within SevOne it's not. We do mental performances for a living so it tends to be a lot of SNMP traffic.

Actually the additional traffic during that time period is highlighted in red here because the SNMP traffic, the blue line on the graph, it's pretty pointed. I can see that my additional load at that point of time was actually followed by the same end station, the same IP address for a different application port. The application port, the amount of traffic that's been generated and the number of packets.

In this case what it's showing is TCP port that traffic is using where if the application was configured to recognize that as a particular application like SNMP or WMI Proxy have already been configured so that we do a mapping of application port, particular application name. You can create your own services and applications and configurations so the reporting reflects applications that are in use within your environment. That shows you, in terms of the work load, the one example of how we can go from looking at the utilization on an interface, then drilling down to the traffic and getting more detail.

The second scenario we can run through is take an example where somebody is complaining about bad quality of voice over IP traffic in the network at a particular period of time. At this point I'll jump into the FlowFalcon interface. What FlowFalcon provides is the more detailed, more technical interface into NetFlow traffic so there's a lot more parameters that I can set. There's a lot more detailed queries that I can do. I could select particular devices. So here is a list of devices that I've got in our network environment that are generating NetFlow but I'm actually going to look at everything.

The thing I'm interested in is QoS configuration that's across the network in the system because that would be a quick explanation as to why I'm getting degradation in voice for example. I'm going to look at the top flow with DSCP and direction because I'm interested in what's the possible configuration. The user reported this was happening yesterday so collect yesterday. It's actually a user in New York so I can change time zone and say do this in New York time rather than London. I'm going to split the sources, split this traffic reporting out by interface.

I do just want to remind everybody when we talk about NetFlow in SevOne what you may be used to with a lot of other solutions on the market is NetFlow is sometimes, supported NetFlow is presented as a separate module on the system. As you'll see here with SevOne it's included again like support for all the other protocols and technologies. It's included out of the box. There's no additional subscription fee or module with NetFlow. When we're talking about from a troubleshooting standpoint being able with one click go from the metric to flow information is pretty powerful and time saving from a troubleshooting standpoint. Tom, I'll turn it back to you here.

What I've selected here, I'm just going through a FlowFalcon interface and essentially what I want to be able to do is to drill down to looking at QoS parameters but I want to limit that particular client ID. So I can zero in on the traffic for the user that is reporting the issue. I put a source IP address at, the IP address that is reporting the issue, and therefore I can go and get results.

What this will do is it will go on query. Potentially it's querying every device for NetFlow with that source IP address. I can get a view as to what's configured across the network. Here's the report that's generated.

What I can see straight away is that I've got each interface that we're pulling NetFlow traffic from. The application IP address, the client IP address which is my phone that was reporting the issue, protocol, the application port, the client port. I can see pretty much straight away that I've got certain interfaces that have a DSCP setting of zero so there's no QoS markings for that traffic. That's a pretty good indication as to what might be causing the problem. Now from here, given that this is a pretty technical interface in terms of the workflow, the operational workflow, what I'm probably going to want to do is detach this. What that does is it will drop into a separate screen into our report, our dashboard screen so that's created a dashboard for me. It's updates.

At this stage I can do a number of things. Typically what I would want to do is probably send that report out to maybe the network engineering people and tell them you go and check the QoS settings and change those there, those rather configurations. I can do that really easily. It's generated the report here on my screen. I can do that by just clicking in here and exporting the report as a PDF so I can do it pretty much on demand. Export as PDF and email it to the engineering team. I also want to keep an eye on this situation. One of the things that was set in this report, edit it, is I can set this report to be automatically emailed to me and generated so I can send it to the boss and rather than that I really want it today so every 24 hours at the same time. What that would do is when I save it is it will set it so that report automatically gets generated and reruns. I can keep an eye on more at the same time. Have the necessary changes in there.

We're all clear that what you've seen is a good example of why we can quickly drill into a very specific scenario. This is looking at degradation in voice quality from one particular IP address. It's a pretty good example.

The other aspect of NetFlow that we support is being able to support both sampled and unsampled NetFlow. A lot of routers now are starting to use NetFlow sampling. We've got examples of it here. We select, I'll take one of my firewalls for example and pull all of its interfaces.

Hey Tom, I think the application share has fallen behind your voice. I apologize to our audience for that. You may just want to restart the application share one more time and see if we catch up. In the meantime, Tom, I did have a question that came in from an audience member while we're waiting on that, which was do we only support NetFlow or are there other vendors that are also supported?

No, we support multiple vendors. In terms of NetFlow and Cisco specifically we support multiple versions of NetFlow so V5 through V9 including some support for flexible NetFlow so multiple versions and Cisco World we also support, the Juniper environment we support J-Flow. Then some of the other things like C-Flow and S-Flow we've also got support in there and increasingly more and more vendors that are standardizing on IPFIX, we also support them. We take the approach of we'll support standards but we also have vendor specific support that goes into the product. Is that screen back, Scott?

Yes, we're okay now.

Apologies. I've actually got this report already generated, already set up. One of the things you can do in SevOne is you can create multiple dashboards, multiple reports ahead of time and save them for quick retrieval. In this case I've created a report previously that had an example of sampled versus non-sampled, perfect. What it's going to pull up here is two NetFlow reports which I've generated for the same traffic from two different devices.

What we're looking at here is we're looking at creating the report from Catalyst 6000 or 6509 which is providing NetFlow non-sampled version. In here you'll see the top report is coming from the switch so I've got NetFlow in its purest form so if I look at the application port is MySQL, bandwidth 161.2 gig. This is from yesterday in total. Underneath it what I've got is a similar view but coming from our broader firewall. Again I can see I've got MySQL traffic and bandwidth numbers are slightly different, 158 gig. That's a reflection. What this bottom report is showing is a NetFlow report that's generating on a sampling rate one in one thousand so we're getting one in one thousand that are exported to us and then we're extrapolating that to get the bandwidth and the number of packets because you're extracting the ailments of difference.

What you will see in SevOne if the report contains sampled flows it will highlight that on the report and give you the flow rate. You can have a mixture of sampled and unsampled NetFlow in the reports as well.

The final aspect that I wanted to touch on when we talk about multiple different versions supporting new technology the dangers as we go through is close so built in support from Media Net reporting. I've got an example. What we're looking at here, this is looking at a report for the last 4 hours of top media flows. Again we've got multiple templates associated so if you look at it by ports or by destinations this will just be your report.

What Media Net adds to the NetFlow technology is it enables devices to start recording on performance metrics per media flow. In this case if I take the top one as an example what we're reporting here is I've got source ID, source port. If there's QoS associated with the DSCP, if it's dead. In this case it's all zero bandwidth which is normal NetFlow and then the 3 additional fields which are specific to the Media Net or the Media Net enabled flow.

What we expect to do is it's an interesting technology and it's about to give you an ailment of application in performance from flow traffic. What we're showing here is you've got to collect that flow information and report. What we're showing here is the top flows. The next one down is top destinations and again bandwidth and jitter and then top sources. Multiple flow right up to a report based on Media Net and specifically media at this point in time.

The other final aspect that I just want to touch on is obviously when we've been generating these results and queries where we've been using the FlowFalcon interface which is quite a technical interface and it's very involved. It gives you the ability to set up parameter, to do very granular circumstances in the set up. For a lot of users what they actually want is the ability to have a simpler way of getting out the data and one of the things we focused on at SevOne is working on enabling non-technical users to get access to the data we hold inside the system. With that in mind what you can very quickly do is if I were to generate a new report for example it walks me through a wizard. It asks me what is it you want to report on. If I click the FlowFalcon, flow technology button, click on that, it then walks me through a dialogue of right, well what are the resources you want the report on. Is it particular devices? Is it every device? It defaults to every device if I had continued through the dialogue, do I want to filter on anything.

What we've seen within our customers, what we've been able to enable is you can open up access to this J box to possibly even my network people so that maybe some application owners or the applications support guys can start to get visibility into what the network sees of their application traffic.

Again the idea here is to make it as simple as possible for users to get data from the system so stop at that point and I guess we can maybe take some questions. Hopefully this has given you some ideas and view as to how SevOne addresses handling and reporting and NetFlow. There's a couple of useful scenarios so that you may have more specifics and if we can email SevOne and we can follow up with you. Scott I'll hand it back to you for any questions.

Sure, thanks Tom, and I do apologize to our audience that Webex, there seems to be an issue with Webex this morning and keeping up with Tom's presentation. I can say that it's not SevOne that is running that slow. Maybe bandwidth issue where Tom is located right now but some of the application share just got a bit behind so I apologize to our audience.

What we are going to do is we actually have a repeat session of this tomorrow. It may not be at a convenient time slot. It's actually 2pm Eastern time in the US but we are going to record that session and I'll be sure that our marketing team sends out the recording for tomorrow's session out to everybody. I don't anticipate the same issues with the delay or lag in the screen capture presentation there. We'll make sure we get that out to you.

In the meantime if you have questions right now, I know a couple of people were already using the QA panel in your Webex interface, hopefully you're able to keep up with Tom there but if you have some questions about advanced NetFlow or SevOne's capability around NetFlow reporting, please go ahead and use the Q and A panel and submit that as a text question and we'll see if we can answer those questions online right now. I'm just going to take a look here at the queue. I think there might have been a question that came in.

Tom, one person did want to know how long does SevOne retain NetFlow records.

Good question. We store NetFlow in two forms within SevOne so the raw NetFlow and all of the data collected is retained on the appliance typically for seven days, although that is configurable. What we're doing in the background is we're aggregating and storing a assessor of templates that are predefined by the end user for a year, 12 months of storage. What that enables you to do is go back and record on NetFlow or usage based on NetFlow for the last 12 months for a specific set of fields that you want to retain and you do need to discern that. For troubleshooting for example, detailed troubleshooting what's often convenient is people use the raw NetFlow for reporting. The default is 7 days but you can configure that.

Great, thanks Tom. While we're waiting for any additional questions to come in I just want to make sure you're aware that our next Demo with Dave, it's actually not going to be a demo. We're going to break away from the tradition a little bit. We have a special guest, one of our customers who is a managed service provider. They're going to be joining us on January 24th for a discussion on best practices for performance monitoring. It's a great opportunity if you, yourself are an MSP and you would like to hear about some of the challenges and issues that they face and how they've overcome them. How they've become more efficient operationally. Things they've done to increase their ROI when it comes to their performance monitoring solution. Expect it to be a very interesting Q and A with that managed service provider so again that will be on January 24th. You can sign up on

If you have any further questions, I don't think anything else has come in right now in the question panel here but if you have questions or would like a follow up, again, please either visit our website or you can email us at That's I N F O at Again if there's no further questions, in the case Tom, thank you again for joining us and for doing the demonstration today. Of course I do apologize with respect to your time. Thank you for taking time out of your day. We apologize for any of the technical issues with Webex session but again we will make sure we send out a recording after tomorrow's session. You can always use that as a reference or share it with others in your organization if they're interested in the topic.

Thank you everybody and enjoy your day.

Thank you.