Create NetFlow Session for Physical Environment

Note: This configuration is applicable only when using NetFlow License.

1. On the left navigation pane, select Traffic > Solutions > Application Intelligence.
2. Click Create New. The Create Application Intelligence Session page appears.

Note: If the Create button is disabled, check whether a valid license for Application Metadata Intelligence or Application Filtering Intelligence is available.

3. In the Basic Info section complete the following:
   ■ Enter the name and description (optional).
   ■ Select Physical in the Environment field.
   ■ Select the node from the list of nodes.
4. In the Configurations section, view the following:
   a. Select a GigaSMART Group. You can also choose to create a new GigaSMART Group.
      • Provide a name in the Alias field.
      • Select a port or multiple ports from the Port List.
      • Click Save.
5. If you are unable to view the required port in the Port field, perform these steps:
   o Click Port Editor. Select the Type as Tool from the drop-down list for the required Port Id. Select OK.

     The selected Port appears in the list.

   o Select the Type as:
     o IPv4 - to allow the traffic in IPv4 interface.
     o IPv6 - to allow the traffic in IPv6 interface.
   o Provide the IP Address, IP Mask, Gateway, and MTU. Provide the IP address corresponding to the IP interface selected.
   o Click Save.
6. In the Source Traffic section, select the source ports that require application monitoring in the Source ports field. The source can be a single port, multiple ports, or port groups.

Note: Ports already used as source ports in the intent-based orchestrated solution will not be listed in the drop-down.

7. Configure the rules for filtering the required traffic in the L2-L4 Rules fields. To configure a rule:
a. Click Select Conditions. Select the required parameters from the drop-down list.
b. Select the value for the parameters from the drop-down.
c. Select the required options:
•   Pass or Drop - Based on the parameter selected in the Conditions fields, the traffic that matches the conditions will either be passed or dropped.
•   Bidirectional - Allows the traffic in both directions of the flow.

Note: Click “+” to create multiple rules for filtering the required traffic, and click “+ New Source Traffic” to create multiple sources with filtering options.

8. Click on the NetFlow tab.
9. In the Destination Traffic section, click + Add New to create an exporter to receive application-specific traffic. You can create a maximum of 5 exporters. Enter the following details:

| Option | Mandatory | Default | Description |
|---|---|---|---|
| Tool Name | Yes | | Configures the alias name for the tool. |
| IP Interface | Yes | | Configures the IP interface on the Gigamon device that connects to the tool. |
| Tool IP Address | Yes | | Configures the destination IP address for exporting the records. |
| Template | No | | Configures pre-defined tool templates for exporting metadata. Tool templates are user configurable. Examples: SplunkMetadataTemplate, SecurityPostureTemplate, etc. |
| L4 Source Port | Yes | | Configures the Source Port of the IP interface on the Gigamon device. |
| L4 Destination Port | Yes | | Configures the destination port on the tools side. |
| Application ID | No | Disabled | Configures exporting Application Name for all applications identified by the DPI engine. Note: Requires AMI/SVP/ZTA license. |
| Application List | No | | Each exporter can be customized to export metadata for certain applications/protocols. |
| Format | Yes | | Options: NetFlow, CEF. Configures the format for exporting the records. |
| Version | Yes | IPFIX | Options: v5, v9 and IPFIX. Configures the version of NetFlow for exporting the records. |
| Template Refresh Interval | Yes | 60s | Range: 1-216000s. Configures the interval at which the template record is exported while exporting the IPFIX records. Changing the refresh interval can impact ingesting the records on the tools side. Please seek guidance from your tool’s vendor before changing the default. |
| Record Type | Yes | Cohesive/Segregated | Default depends on the Flow Behavior configuration. Segregated: Default when the Flow Behavior is set to Unidirectional. Separate records are exported for network and application metadata. Cohesive: Default when the Flow Behavior is set to Bidirectional. Generates a consolidated record comprising network and application metadata. If the record size exceeds the IP interface MTU, the records will be exported as fragments. |
| Active Timeout | Yes | 60s | Range: 1-604800s. This option configures the timeout interval for exporting interim records for such flows. Shorter timeouts increase the number of records and longer timeouts result in fewer records. Longer timeouts can also increase the record size. Please seek expert guidance from Gigamon and tool vendor before changing the default. |
| Inactive Timeout | Yes | 15s | Range: 1-604800s. Configures the timeout interval for marking flows as inactive and exporting their records soon after. Inactive timeout constitutes idle time after receiving the last packet. Shorter timeouts can prematurely deem a flow as inactive, and subsequent packets would be considered as a new flow, which can skew the analytics on the tools side. Please seek expert guidance from Gigamon and tool vendor before changing the default. |

10. In the Advanced Settings > Collects section, the following details are already configured.

Note: When the template is NetFlow v5, or when the format is NetFlow and the version is v5, you cannot modify the Collects.

Note: The GTP-U collects are disabled if the template is NetFlow v9.

| Collect Fields | Attributes | Default Export | Notes |
|---|---|---|---|
| Data Link | Source MAC | No | |
| | Destination MAC | No | |
| | VLAN | No | |
| Interface | Input Interface | No | Supported values: 2B, 4B. The default value is 2B for NetFlow v5 and 4B for NetFlow v9, IPFIX, and CEF. CEF supports exporting the Input interface index with a width of 2B (default) or 4B. |
| | Output Interface | No | Supported values: 2B, 4B. The default value is 2B for NetFlow v5 and 4B for NetFlow v9, IPFIX, and CEF. CEF supports exporting the Output interface index with a width of 2B (default) or 4B. |
| | Input Name Width | No | Range: 1B to 32B. The default value is 16B. |
| IPv4 | Source Address | Yes | |
| | Destination Address | Yes | |
| | TOS | No | |
| | DSCP | No | |
| | Protocol | Yes | |
| | Header Length | No | |
| | Payload Length | No | |
| | Total Length | No | |
| | Precedence | No | |
| | TTL | No | |
| | Option Map | No | |
| | Fragmentation ID | No | |
| | Fragmentation Offset | No | |
| | Fragmentation Flags | No | |
| IPv6 | Source Address | Yes | |
| | Destination Address | Yes | |
| | Extension Map | No | |
| | Next Header | Yes | |
| | Flow Label | No | |
| | Precedence | No | |
| | Traffic Class | No | |
| | DSCP | No | |
| | Hop Limit | No | |
| | Fragmentation ID | No | |
| | Fragmentation Offset | No | |
| | Fragmentation Flags | No | |
| | Header Length | No | |
| | Total Length | No | |
| | Payload Length | No | |
| Transport | Source Port | Yes | Corresponds to both TCP and UDP. |
| | Destination Port | Yes | Corresponds to both TCP and UDP. |
| | TCP ACK Number | No | |
| | TCP Header Length | No | |
| | TCP Sequence Number | No | |
| | TCP Urgent Pointer | No | |
| | TCP Flags | No | Following flags are supported in Gen 2 nodes: SYN, SYNACK, RST and FIN. For Gen 3 nodes all TCP flags are supported. |
| | TCP Window Size | No | |
| | UDP Message Length | No | |
| ICMP | ICMP Code | No | Corresponds to types IPv4 and IPv6. |
| | ICMP Type | No | Corresponds to types IPv4 and IPv6. |
| Counter | Bytes | Yes | Options: 32, 64 (default). Determines the length of the counters, 32B or 64B. NetFlow v5 supports only 32B. |
| | Packets | Yes | Options: 32, 64 (default) |
| Timestamp | System Uptime First | Yes | Difference between the flow start time and the GigaSMART® uptime in milliseconds. |
| | System Uptime Last | Yes | Difference between the flow end time and the GigaSMART® uptime in milliseconds. |
| | Flow Start | Yes (msec) | |
| | Flow End | Yes (msec) | |
| Flow | End Reason | Yes | Inner flow end reason – TCP ack, reset, inactive, etc. |

11. Click Save.
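
The effect of the Active Timeout and Inactive Timeout values from step 9 on what a collector receives can be checked offline before changing the defaults. The following is an added example, not Gigamon code: a simplified single-flow model in which the function name, the record fields, the reason labels and the packet times are all assumptions made for illustration.

```python
"""Simplified single-flow model of exporter Active/Inactive Timeout behaviour."""
from dataclasses import dataclass

@dataclass
class Record:
    start: float   # time of first packet covered by this record (seconds)
    end: float     # time of last packet covered by this record (seconds)
    packets: int
    reason: str    # "active" or "inactive" (labels assumed for this example)

def export_records(packet_times, active_timeout=60, inactive_timeout=15):
    """Return the records exported for one flow, given sorted packet times."""
    records, start, last, count = [], None, None, 0

    def close(now):
        # Decide which timer fires first for the open record and whether it
        # has already fired by `now`.
        active_at, idle_at = start + active_timeout, last + inactive_timeout
        fired_at, reason = min((active_at, "active"), (idle_at, "inactive"))
        if fired_at <= now:
            records.append(Record(start, last, count, reason))
            return True
        return False

    for t in packet_times:
        if start is not None and close(t):
            start, count = None, 0     # the next packet opens a new record
        if start is None:
            start = t
        last, count = t, count + 1
    if start is not None:
        close(float("inf"))            # no more packets: last record ages out
    return records

# Constructed sample: one packet every 5 s for 150 s, a 20 s pause, 3 more packets.
SAMPLE = list(range(0, 151, 5)) + [170, 175, 180]

if __name__ == "__main__":
    for label, kwargs in [("defaults (60s/15s)", {}),
                          ("inactive timeout 3s", {"inactive_timeout": 3}),
                          ("active timeout 600s", {"active_timeout": 600})]:
        recs = export_records(SAMPLE, **kwargs)
        print(f"{label}: {len(recs)} records, "
              f"largest covers {max(r.packets for r in recs)} packets")
```

With an inactive timeout shorter than the packet spacing, the one sample flow is reported as a separate flow per packet, which is the analytics skew the Inactive Timeout description refers to.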

NetFlow Dashboard

In Appviz, only the traffic statistics are displayed, as applications cannot be configured and used in the NetFlow configuration.