Configuring flow export collectors

Flow export collectors (such as NetFlow and SteelFlow) provide the ability to collect IP network traffic as traffic enters or exits an interface. By analyzing the data provided by a flow export collector, a network administrator can get insights into network traffic flow and volume, such as the source and destination of traffic, class of service, and the causes of congestion.

You enable and configure flow statistic settings in the Networking > Network Services: Flow Statistics page. You can also enable flow export to an external collector and to a CascadeFlow collector.

You can’t export data flowing through a secure transport tunnel to a flow collector. Secure transport provides security by creating tunnels between the peers through which the traffic flows. IPsec is used to provide authentication and encryption to the packets that flow through the tunnels. Specifically, secure transport uses the ESP mode of IPsec. Flow statistic collectors can’t collect ESP packet data flow information.

External collectors use information about network data flows to report trends such as the top users, peak usage times, traffic accounting, security, and traffic routing. You can export preoptimization and post-optimization data to an external collector.

The Top Talkers feature enables a report that details the hosts, applications, and host and application pairs that are either sending or receiving the most data on the network. Top Talkers doesn’t use a NetFlow Collector.

Enables the system to export network statistics about the individual flows that it sees as they traverse the network. By default, this setting is disabled.

Optionally, specify the amount of time, in seconds, the collector retains the list of active traffic flows. The default value is 60 seconds.

Optionally, specify the amount of time, in seconds, the collector retains the list of inactive traffic flows. The default value is 15 seconds.

NetFlow v5.0 and later, CascadeFlow v9.1 and later, and CascadeFlow-compatible features are supported.

NetFlow export is supported only when Xbridge mode is enabled. NetProfiler 10.20 and later are supported.

• Exporter—When you enable flow export support, the system exports data about the individual flows that it sees as they traverse the network.

• Collector—A server or appliance designed to aggregate data sent to it by the SteelHead and other exporters.

• Analyzer—A collection of tools used to analyze the data and provide relevant data summaries and graphs. NetFlow analyzers are available for free or from commercial sources. Analyzers are often provided in conjunction with the collectors.

• Flow data typically consumes less than 1 percent of link bandwidth. Take care with low-bandwidth links to ensure that flow export doesn’t consume too much bandwidth and thereby impact application performance.

• You can reduce the amount of bandwidth consumption by applying filters that only export the most critical information needed for your reports.

1. Choose Networking > Network Services: Flow Statistics to display the Flow Statistics page.

Specifies the IP address or (in RiOS 9.7 and later) a hostname for the Flow collector.

Specifies the UDP port the Flow collector is listening on. The default value is 2055.

• CascadeFlow-compatible—Use with Cascade Profiler 8.3.2 or earlier, and select the LAN Address check box.

For details on using NetFlow records with Cascade, see the SteelCentral Network Performance Management Deployment Guide.

CascadeFlow and CascadeFlow-compatible are enhanced versions of flow export to the SteelCentral. These versions allow automatic discovery and interface grouping for SteelHeads in a Riverbed SteelCentral NetProfiler or a SteelCentral Flow Gateway and support WAN and optimization reports in SteelCentral. For details, see the SteelCentral NetProfiler and NetExpress User Guide and the SteelCentral Flow Gateway User Guide.

Select the interface to use as the source IP address of the flow packets (Primary, Aux, or MIP) from the drop-down list. NetFlow records sent from the system appear to be sent from the IP address of the selected interface.

Causes the TCP/IP addresses and ports reported for optimized flows to contain the original client and server IP addresses and not those of the system. The default setting displays the IP addresses of the original client and server without the IP address of the SteelHead Interceptor.

This setting is unavailable with NetFlow v9 and later, because the optimized flows are always sent out with both the original client server IP addresses and the IP addresses used by the SteelHead Interceptor.

Specifies the traffic type to export to the flow collector. Select one of these types from the drop-down list:

The default is All for LAN and WAN interfaces, for all four collectors. The default for the other interfaces (Primary, rios_lan, and rios_wan) is None. You can’t select a MIP interface.

(CascadeFlow and NetFlow v9 only) Filter flow reports by IP and subnets or IP:ports included in the Filter list. When disabled, reports include all IP addresses and subnets.

In virtual in-path deployments, such as WCCP or PBR, traffic arrives and leaves from the same WAN interface. When data is exported to a flow export collector, all traffic has the WAN interface index. This behavior is correct because the input interface is the same as the output interface.

To distinguish between LAN-to-WAN and WAN-to-LAN traffic in virtual in-path deployments, see the SteelHead Deployment Guide.