Configuring Network Integration Features : Configuring Flow Statistics
  
Configuring Flow Statistics
You enable and configure flow statistic settings in the Networking > Network Services: Flow Statistics page. You can also enable flow export to an external collector and to a CascadeFlow collector. CascadeFlow collectors can aggregate information about QoS configuration and other application statistics to send to a SteelCentral NetProfiler. The Enterprise NetProfiler summarizes and displays the QoS configuration statistics.
By default, flow export is disabled.
Note: You can’t export data flowing through a secure transport tunnel to a flow collector. Secure transport provides security by creating tunnels between the peers through which the traffic flows. IPSec is used to provide authentication and encryption to the packets that flow through the tunnels. Specifically, secure transport uses the ESP mode of IPSec. Flow statistic collectors can’t collect ESP packet data flow information.
External collectors use information about network data flows to report trends such as the top users, peak usage times, traffic accounting, security, and traffic routing. You can export preoptimization and post-optimization data to an external collector.
The Top Talkers feature enables a report that details the hosts, applications, and host and application pairs that are either sending or receiving the most data on the network. Top Talkers doesn’t use a NetFlow Collector.
Enabling Flow Export
SteelHeads support NetFlow v5.0, CascadeFlow, NetFlow v9, and CascadeFlow-compatible. Flow export requires these components:
•  Exporter - When you enable flow export support, the SteelHead exports data about the individual flows that it sees as they traverse the network.
•  Collector - A server or appliance designed to aggregate data sent to it by the SteelHead and other exporters.
•  Analyzer - A collection of tools used to analyze the data and provide relevant data summaries and graphs. NetFlow analyzers are available for free or from commercial sources. Analyzers are often provided in conjunction with the collectors.
Before you enable flow export in your network, consider the following:
•  Flow data typically consumes less than 1 percent of link bandwidth. Take care with low bandwidth links to ensure that flow export doesn’t consume too much bandwidth and thereby impacting application performance.
•  You can reduce the amount of bandwidth consumption by applying filters that only export the most critical information needed for your reports.
Flow Export in Virtual In-Path Deployments
In virtual in-path deployments, such as WCCP or PBR, traffic arrives and leaves from the same WAN interface. When the exports data to a flow export collector, all traffic has the WAN interface index. This behavior is correct because the input interface is the same as the output interface.
For details about configuring flow export in a virtual in-path deployment, see Configuring Subnet Side Rules.
To distinguish between LAN-to-WAN and WAN-to-LAN traffic in virtual in-path deployments, see the SteelHead Deployment Guide.
To enable flow statistic settings
1. Choose Networking > Network Services: Flow Statistics to display the Flow Statistics page.
Figure: Flow Statistics Page
2. Under Flow Statistics Settings, complete the configuration as described in this table.
Control
Description
Enable Application Visibility
Continuously collects detailed application-level statistics for both pass-through and optimized traffic. The Application Visibility and Application Statistics reports display these statistics. This statistic collection is disabled by default.
To view the reports, choose Reports > Networking: Application Statistics or Application Visibility.
Enabling application visibility also improves connection reporting on the Current Connections report. For example, HTTP-SharePoint is displayed as the WebDAV or FPSE protocols and Office 365 appears as MS-Office-365 instead of HTTP.
Enable WAN Throughput Statistics
Continuously collects WAN throughput statistics, which the WAN Throughput report displays. This statistic collection is enabled by default; however, you can disable the collection to save processing power.
To view the WAN throughput statistics, choose Reports > Networking: WAN Throughput.
Enable Top Talkers
Continuously collects statistics for the most active traffic flows. A traffic flow consists of data sent and received from a single source IP address and port number to a single destination IP address and port number over the same protocol.
The most active, heaviest users of WAN bandwidth are called the Top Talkers. A flow collector identifies the top consumers of the available WAN capacity (the top 50 by default) and displays them in the Top Talkers report. Collecting statistics on the Top Talkers provides visibility into WAN traffic without applying an in-path rule to enable a WAN visibility mode.
You can analyze the Top Talkers for accounting, security, troubleshooting, and capacity planning purposes. You can also export the complete list in CSV format.
The collector gathers statistics on the Top Talkers based on the proportion of WAN bandwidth consumed by the top hosts, applications, and host and application pair conversations. The statistics track pass-through or optimized traffic, or both. Data includes TCP or UDP traffic, or both (configurable in the Top Talkers report page).
A NetFlow collector is not required for this feature.
Optionally, select a time period to adjust the collection interval:
•  24-hour Report Period - For a five-minute granularity (the default setting).
•  48-hour Report Period - For a ten-minute granularity.
The system also uses the time period to collect SNMP Top Talker statistics. For top talkers displayed in the Top Talker report and SNMP Top Talker statistics, the system updates the Top Talker data ranks either every 300 seconds (for a 24- hour reporting period), or 600 seconds (for a 48-hour reporting period).
The system saves a maximum of 300 Top Talker data snapshots, and aggregates these to calculate the top talkers for the 24-hour or 48-hour reporting period.
The system never clears top talker data at the time of polling; however, every 300 or 600 seconds, it replaces the oldest Top Talker data snapshot of the 300 with the new data snapshot.
After you change the reporting period, it takes the system one day to update the Top Talker rankings to reflect the new reporting period. In the interim, the data used to calculate the Top Talkers still includes data snapshots from the original reporting period. This delay applies to Top Talker report queries and SNMP Top Talker statistics.
3. Click Apply to apply your settings.
4. Click Save to Disk to save your settings permanently.
To enable flow export settings
1. Choose Networking > Network Services: Flow Statistics to display the Flow Statistics page.
2. Under Flow Export Settings, complete the configuration as described in this table.
Control
Description
Enable Flow Export
Enables the SteelHead to export network statistics about the individual flows that it sees as they traverse the network. By default, this setting is disabled.
Export QoS and Application Statistics to CascadeFlow Collectors
Sends application-level statistics from all sites to a SteelCentral collector on a SteelCentral appliance. SteelCentral appliances provide central reporting capabilities. The collector aggregates QoS and application statistics to provide visibility using detailed records specific to flows traversing the SteelHead.
The SteelHead sends SteelCentral an enhanced version of NetFlow called CascadeFlow. CascadeFlow includes:
•  NetFlow v9 extensions for round-trip time measurements that enable you to understand volumes of traffic across your WAN and end-to-end response time.
•  extensions that enable a SteelCentral NetExpress to properly measure and report on the benefits of optimization.
After the statistics are aggregated on a Cascade appliance, you can use its central reporting capabilities to:
•  analyze overall WAN use, such as traffic generated by application, most active sites, and so on.
•  troubleshoot a particular application by viewing how much bandwidth it received, checking for any retransmissions, interference from other applications, and so on.
•  compare actual application use against your outbound QoS policy configuration to analyze whether your policies are effective. For example, if your QoS policy determines that Citrix should get a minimum of 10 percent of the link, and the application statistics reveal that Citrix performance is unreliable and always stuck at 10 percent, you might want to increase that minimum guarantee.
You must enable outbound QoS on the SteelHead, add a CascadeFlow collector, and enable REST API access before sending QoS configuration statistics to an SteelCentral NetProfiler.
To enable QoS, choose Networking > Network Services: Outbound QoS. You can’t export statistics for inbound QoS.
The collectors appear in the Flow Collector list at the bottom of the Configure > Networking: Flow Statistics page.
To enable REST API access, choose Administration > Security: REST API Access.
The CascadeFlow collector collects read-only statistics on both pass-through and optimized traffic. When you use CascadeFlow, the SteelHead sends four flow records for each optimized TCP session: ingress and egress for the inner-channel connection, and ingress and egress for the outer-channel connection. A pass-through connection still sends four flow records, even though there are no separate inner- and outer-channel connections. In either case, the SteelCentral NetExpress merges these flow records together with flow data collected for the same flow from other devices.
For details, see the SteelCentral Network Performance Management Deployment Guide.
Active Flow Timeout
Optionally, specify the amount of time, in seconds, the collector retains the list of active traffic flows. The default value is 1800 seconds.
You can set the time-out period even if the Top Talkers option is enabled.
Inactive Flow Timeout
Optionally, specify the amount of time, in seconds, the collector retains the list of inactive traffic flows. The default value is 15 seconds.
3. Click Apply to apply your settings.
4. Click Save to Disk to save your settings permanently.
Related Topics
•  Configuring Subnet Side Rules
•  Viewing Top Talkers Reports
•  Viewing Application Statistics Reports
To add a Flow collector
1. Under Flow Collectors, complete the configuration as described in this table.
Control
Description
Add a New Flow Collector
Displays the controls to add a Flow collector.
Collector IP Address
Specify the IP address for the Flow collector.
Port
Specify the UDP port the Flow collector is listening on. The default value is 2055.
Version
Select one of these versions from the drop-down list:
•  CascadeFlow - Use with Cascade Profiler 8.4 or later.
•  CascadeFlow-compatible - Use with Cascade Profiler 8.3.2 or earlier, and select the LAN Address check box.
•  NetFlow v9 - Enables both ingress and egress flow records.
•  NetFlow v5 - Enables ingress flow records.
For details on using NetFlow records with Cascade, see the SteelCentral Network Performance Management Deployment Guide.
CascadeFlow and CascadeFlow-compatible are enhanced versions of flow export to the SteelCentral. These versions allow automatic discovery and interface grouping for SteelHeads in a Riverbed SteelCentral NetProfiler or a SteelCentral Flow Gateway and support WAN and optimization reports in SteelCentral. For details, see the SteelCentral NetProfiler and NetExpress User’s Guide and the SteelCentral Flow Gateway User’s Guide.
Packet Source Interface
Select the interface to use as the source IP address of the flow packets (Primary, Aux, or MIP) from the drop-down list. NetFlow records sent from the SteelHead appear to be sent from the IP address of the selected interface.
LAN Address
Causes the TCP/IP addresses and ports reported for optimized flows to contain the original client and server IP addresses and not those of the SteelHead. The default setting displays the IP addresses of the original client and server without the IP address of the SteelHeads.
This setting is unavailable with NetFlow v9, because the optimized flows are always sent out with both the original client server IP addresses and the IP addresses used by the SteelHead.
Capture Interface/Type
Specify the traffic type to export to the flow collector. Select one of these types from the drop-down list:
•  All - Exports both optimized and nonoptimized traffic.
•  Optimized - Exports optimized traffic.
•  Optimized - Exports optimized LAN or WAN traffic when WCCP is enabled.
•  Passthrough - Exports pass-through traffic.
•  None - Disables traffic flow export.
The default is All for LAN and WAN interfaces, for all four collectors. The default for the other interfaces (Primary, rios_lan, and rios_wan) is None. You can’t select a MIP interface.
Enable Filter
(CascadeFlow and NetFlow v9 only) Filter flow reports by IP and subnets or IP:ports included in the Filter list. When disabled, reports include all IP addresses and subnets.
Filter
(CascadeFlow and NetFlow v9 only) Specify the IP and subnet or IP:port to include in the report, one entry per line, up to 25 filters maximum.
Add
Adds the collector to the Collector list.
Remove Selected
Select the check box next to the name and click Remove Selected.
2. Click Apply to apply your settings.
3. Click Save to Disk to save your settings permanently.
Troubleshooting
To troubleshoot your flow export settings:
•  Make sure the port configuration matches on the SteelHead and the listening port of the collector.
•  Ensure that you can reach the collector from the SteelHead (for example, –i aux 1.1.1.1 where 1.1.1.1 is the NetFlow collector and aux is the Packet Source Interface).
•  Verify that your capture settings are on the correct interface and that traffic is flowing through it.