NTop plugin
To get a flow from a Cisco device, that particular device code must support netflow.
You can export flows from multiple devices (even multiple flows from some devices - i.e. different vlans and same Cisco)
Each flow "export" and "collector" must match up on port settings.
Use a single port for each export/collector pair.
Example:
telnet 10.0.0.254
config term
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export version 5
ip flow-export destination 10.0.0.1 9991
interface Vlan 1
ip route-cache flow
end
copy running startup
# Test
show ip flow export
Thank you,
Ernie
http://www.NMSWorld.com
[b]Dual Xeon Dual Core 2.6GHz / 8GB RAM / 4x15k RPM SATA RAID5[/b]
[b]Cacti Version[/b] - 0.8.7b
[b]Poller Type[/b] - cactid 0.8.7 with Boost v1.7
[b]Server Info[/b] - FreeBSD 7.0-RELEASE
[b]Web Server[/b] - Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.8g DAV/2 PHP/5.2.5 mod_perl/2.0.3 Perl/v5.8.8
[b]PHP[/b] - 5.2.6
[b]MySQL[/b] - 5.0.51b Mod: poller_output ENGINE = MEMORY
[b]RRDTool[/b] - 1.3.0
[b]SNMP[/b] - 5.4.1
[b]Plugins[/b] - Host Info (hostinfo - v0.2), Update Checker (update - v0.3), Network Tools (tools - v0.2), FlowView (flowview - v0.3), Read-only Devices Tab (devices - v0.4), Network Discovery (discovery - v0.8.3), Syslog Monitoring (syslog - v0.5.2), Thresholds (thold - v0.3.9), Device Monitoring (monitor - v0.8.2), PHP Network Weathermap (weathermap - v0.941), SuperLinks (superlinks - v0.72), Report Creator (reports - v0.1b)
NTop must be configured to receive each flow.
NTop will handle as many flows as you set up.
Your computer running ntop must be more powerful as you add more flows of course.
I don't know exact hardware requirements for a given quantity of flows.
At some point, like any computer program, you may need a more powerful CPU and additional RAM.
But, to answer your question simply:
Each flow must be set up in a pair.
One flow on your Cisco router sending on say port 9991
would need one collector on your NTop box listening on port 9991.
To add more flows, you would set up more pairs.
Your next flow would send on say port 9992
and would need one collector on your NTop box listening on port 9992.
You always set up a sender "the flow export" on your Cisco router
and
a receiver "the collector" on your NTop server.
This makes one functional set or flow.
Please see previous posts for more details, example:
I have ntop running on the same NIC as Cacti as well.
They can peacefully co-exist.
I wrote (and borrowed) some instructions for getting ntop up and running on UNIX:
http://members.netjunkies.net/n3ncy/FreeBSD60/ntop.htm
On any platform, the steps should be similar:
1.) Get ntop installed on your server (ntop is a "Collector" and a web displayer of this collected data)
2.) Make sure you can log into ntop on your server (usually port 3000)
example: http://Yourserver:3000
3.) Configure a pair of items:
- Set up a "Collector" via your ntop web interface (see step 2 above)
- Export a "Flow" from your router to this collector
4.) Test ntop and look at this flow - You should be getting data
5.) Lastly, set up the Cacti ntop plug-in to point to your ntop
example: http://Yourserver:3000
At a minimum read:
http://www.ntop.org/ to set up NTop
and
http://www.cisco.com/en/US/products/ps6 ... _home.html to set up your Cisco gear
Very last of all, after you already have NTop working, then consider the NTop plug-in for Cacti, since the Cacti NTop plug-in is only useful if you already have NTop functional.
Thank you,
Ernie
Silly mistake on my part:
I am running a pair of layer 3 switches in an HSRP pair. I opened up the firewall on the box running ntop for the defined IP address and port for netflow. The next day, I got my answer as to why netflow was not appearing in ntop. Lots of firewall logs from the real IP address from the primary L3 switch exporting the netflow. I should have remembered this little gotcha from doing things on the device such as extended pings & traces... Do not use the virtual addr for things like that.
Now it appears to be happy.
Cacti1 OS: CentOS 5.6 | 300+ devices
Cacti2 OS: CentOS 5.6 | 300+ devices
King of the Elves
Local Anarchists Union #427
"Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others." -Edward Abbey
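The export/collector port pairing and the source-address gotcha discussed above, as an added example that is not part of the original posts: a check that classifies UDP datagrams arriving at a collector by destination port, NetFlow v5 header validity, and exporter source address. The allowlist, the function names and the 10.0.1.x addresses are assumptions made for illustration; 10.0.0.254 and ports 9991/9992 are taken from the thread.

```python
import ipaddress
import struct

# NetFlow v5 header (24 bytes): version, count, sys_uptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48   # each v5 flow record is 48 bytes
V5_MAX_RECORDS = 30  # a v5 datagram carries 1..30 records

# Hypothetical allowlist: collector UDP port -> exporter source address the
# collector's firewall admits. 10.0.0.254 and ports 9991/9992 come from the
# thread; 10.0.1.1 is a constructed HSRP virtual address.
ALLOWED_EXPORTERS = {
    9991: ipaddress.ip_address("10.0.0.254"),
    9992: ipaddress.ip_address("10.0.1.1"),
}


def make_v5(count, version=5):
    """Build a constructed datagram: valid header plus zeroed records."""
    header = V5_HEADER.pack(version, count, 1000, 1700000000, 0, 1, 0, 0, 0)
    return header + bytes(count * V5_RECORD_LEN)


def classify(src_ip, dst_port, payload):
    """Classify one UDP datagram seen at the collector."""
    allowed = ALLOWED_EXPORTERS.get(dst_port)
    if allowed is None:
        return "no-collector"          # export port has no matching collector
    if len(payload) < V5_HEADER.size:
        return "malformed"
    version, count = V5_HEADER.unpack_from(payload)[:2]
    if version != 5:
        return "wrong-version"         # exporter not set to 'version 5'
    if not 1 <= count <= V5_MAX_RECORDS:
        return "malformed"
    if len(payload) != V5_HEADER.size + count * V5_RECORD_LEN:
        return "malformed"
    if ipaddress.ip_address(src_ip) != allowed:
        return "unexpected-source"     # valid NetFlow, but allowlist is wrong
    return "ok"


# Constructed captures: (source address, destination port, payload).
SAMPLES = [
    ("10.0.0.254", 9991, make_v5(2)),             # matching pair
    ("10.0.1.2", 9992, make_v5(3)),               # real address, not the HSRP VIP
    ("10.0.0.254", 9993, make_v5(1)),             # no collector on this port
    ("10.0.0.254", 9991, make_v5(1, version=9)),  # wrong export version
    ("10.0.0.254", 9991, make_v5(2)[:40]),        # truncated datagram
]

if __name__ == "__main__":
    for src, port, data in SAMPLES:
        print(f"{src}:{port} -> {classify(src, port, data)}")
```

An "unexpected-source" verdict on well-formed v5 data is the pattern from the HSRP post: the exporter is working, and the firewall rule names an address the device does not send from.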
Cool, I will be trying it within the next week or two.
One more question though, we have some government regs we'll be needing to comply with. One of the requirements for net flows is that they be sent from the loopback interface. Currently we don't do much of anything with the loopback - anyone here got some experience with this on Cisco devices?
I'd love to find someone whose brain I can pick...
ip flow-export source Loopback <number>
Did you set up multiple flows and collectors on different ports?
Under the Admin menu click Switch NIC
Do you have multiple choices for sources you want to look at?
I set up different flows from my routers for each vlan I want to look at.
I get a "per vlan" view, not everything in one view.
Thank you,
Ernie
Thanks, I will do it (i.e. I will use a different port per remote host).
By the way, I have another question.
I wanted to keep my data when I stop ntop. Do you know how to set ntop to save the data in log files instead of only putting them in the swap?
Strangely, I did not find any clear answer on the web.
Thanks again
Qwertz
Somebody would need to create the RRDTool Cacti plugin?
Currently my nTop does not save data between restarts either.
(Although I don't need it to do so)
Your question is really more for the nTop people:
http://www.ntop.org/documentation.html
Unless the Cacti crew already created a plugin for long term storage?
Thank you,
Ernie
Thanks for your help.
For N3NCY:
On admin -> Plugins -> Netflow -> on Flow Collection -> Local Collector UDP Port
I can set only one port. So I will have on admin -> Switch NIC: my ethernet interface and only one netflow interface, and I will still see all my remote netflow hosts in one table.
For flavour:
I went on admin -> Plugins -> rrdplugins -> I enabled everything in "data to Dump"
I noticed that the only thing that is kept after a ntop restart is the data in the graphs in Summary -> Traffic
Thank you again
QWertz