Create NetFlow Session for Physical Environment
Note: This configuration is applicable only when using NetFlow License.
|
1.
|
On the left navigation pane, select Traffic > Solutions > Application Intelligence. |
|
2.
|
Click Create New. The Create Application Intelligence Session page appears. |
Note: If the Create button is disabled, check whether a valid license for Application Metadata Intelligence or Application Filtering Intelligence is available.
|
3.
|
In the Basic Info section complete the following: |
|
■
|
Enter the name and description (optional). |
|
■
|
Select Physical in the Environment field. |
|
■
|
Select the node from the list of nodes. |
|
4.
|
In the Configurations section, view the following: |
|
a.
|
Select a GigaSMART Group. You can also choose to create a new GigaSMART Group. |
|
•
|
Provide a name in the Alias field. |
|
•
|
Select a port or multiple ports from the Port List. |
|
5.
|
If you are unable to view the required port in the Port field, perform these steps: |
|
o
|
Click Port Editor. Select the Type as Tool from the drop-down list for the required Port Id. Select OK. |
The selected Port appears in the list.
|
o
|
IPv4 - to allow the traffic in IPv4 interface. |
|
o
|
IPv6 - to allow the traffic in IPv6 interface. |
|
o
|
Provide the IP Address, IP Mask, Gateway, and MTU. Provide the IP address corresponding to the IP interface selected. |
|
6.
|
In the Source Traffic section, select a source port that require application monitoring in the Source ports field. Source port can be a single port, multiple ports, and port groups. |
Note: Ports already used as source ports in the intent-based orchestrated solution will not be listed in the drop-down.
|
7.
|
Configure the rules for filtering the required traffic in the L2-L4 Rules fields. To configure a rule: |
|
a.
|
Click Select Conditions. Select the required parameters from the drop-down list. |
|
b.
|
Select the value for the parameters from the drop-down. |
|
c.
|
Select the required options: |
|
•
|
Pass or Drop - Based on the parameter selected in the Conditions fields, the traffic that matches the conditions will either be passed or dropped. |
|
•
|
Bidirectional - Allows the traffic in both directions of the flow. |
Note: Click “+” to create multiple rules for filtering the required traffic, and click “+ New Source Traffic” to create multiple sources with filtering options.
|
8.
|
Click on the Application Metadata tab. |
|
9.
|
In the Destination Traffic section, click + Add New to create an exporter to receive application-specific traffic. You can only create a maximum of 5 exporters. Enter the following details:Option | Mandatory | Default | Description |
|---|
Tool Name | Yes | | Configures the alias name for the tool. | IP Interface | Yes | | Configures the IP interface on the Gigamon device that
connects to the tool. | Tool IP Address | Yes | | Configures the destination IP address for exporting the
records. | Template | No | | Configures pre-defined tool templates for exporting
metadata. Tool templates are user configurable. Ex. SplunkMetadataTemplate, SecurityPostureTemplate etc. | L4 Source Port | Yes | | Configures the Source Port of the IP interface on the
Gigamon device. | L4 Destination Port | Yes | | Configures the destination port on the tools side. | Application ID | No | Disabled | Configures exporting Application Name for all applications
identified by the DPI engine. Note: Requires AMI/SVP/ZTA license. | Application List | No | | Each exporter can be customized to export metadata for
certain applications/ protocols. | Format | Yes | | Options: NetFlow, CEF Configures the format for exporting the records. | Version | Yes | IPFIX | Options: v5, v9 and IPFIX. Configures the version of NetFlow for exporting the
records. | Template Refresh Interval | Yes | 60s | Range: 1-216000s Configures the interval at which the template record is exported
while exporting the IPFIX records. Changing the refresh interval can impact ingesting the
records on the tools side. Please seek guidance from your tool’s vendor
before changing the default. | Record Type | Yes | Cohesive/ Segregated | Default depends on the Flow Behavior configuration. | ● | Segregated: Default when the Flow Behavior is
set to Unidirectional. Separate records are exported for network and application
metadata. |
| ● | Cohesive: Default when the Flow Behavior is
set to Bidirectional. Generates consolidated record comprising of network and application metadata. |
If record size exceeds the IP interface MTU, the records will be exported as fragments. | Active Timeout | Yes | 60s | Range:
1-604800s . This option configures the timeout interval for
exporting interim records for such flows. Shorter timeouts increase the no. of records and longer timeouts result in fewer records. Longer timeouts can also
increase the record size. Please seek expert guidance from Gigamon and tool vendor
before changing the default. | Inactive Timeout | Yes | 15s | Range:
1-604800s Configures
the timeout interval for marking flows as inactive and exporting their records soon after. Inactive
timeout constitutes idle time after receiving the last packet. Shorter
timeouts can prematurely deem a flow as inactive and subsequent packets would
be considered as a new flow that can skew the
analytics on the tools side. Please seek expert guidance from
Gigamon and tool vendor before changing the default. |
|
|
10.
|
In the Advanced Settings > Collects section, the following details are already configured. Note: When the template is NetFlow v5 or when the format is NetFlow and the version as V5 you cannot modify the Collects. Note: The GTP -U collects are disabled if the template is the Netflow v9 . Collect Fields | Attributes | Default Export | Notes |
|---|
Data Link | Source MAC | No | | Destination MAC | No | | VLAN | No | | Interface | Input Interface | No | Supported values: 2B, 4B The default value is 2B for NetFlow v5 and 4B for NetFlow v9, IPFIX, and CEF. CEF supports exporting the Input interface index with a width of 2B (default) or 4B. | Output Interface | No | Supported values: 2B, 4B The default value is 2B for NetFlow v5 and 4B for NetFlow v9, IPFIX, and CEF. CEF supports exporting the Output interface index with a width of 2B (default) or 4B. | Input Name Width | No | Range: 1B to 32B The Default value is 16B. | IPv4 | | | | Source Address | Yes | | Destination
Address | Yes | | TOS | No | | DSCP | No | | Protocol | Yes | | Header Length | No | | Payload Length | No | | Total Length | No | | Precedence | No | | TTL | No | | Option Map | No | | Fragmentation ID | No | | Fragmentation Offset | No | | Fragmentation
Flags | No | | IPv6 | Source Address | Yes | | Destination
Address | Yes | | Extension Map | No | | Next Header | Yes | | Flow Label | No | | Precedence | No | | Traffic Class | No | | DSCP | No | | Hop Limit | No | | Fragmentation ID | No | | Fragmentation Offset | No | | | Fragmentation
Flags | No | | Header Length | No | | Total Length | No | | Payload Length | No | | Transport | Source Port | Yes | Corresponds to both TCP and UDP. | Destination Port | Yes | Corresponds to both TCP and UDP. | TCP ACK Number | No | | TCP Header Length | No | | TCP Sequence Number | No | | TCP Urgent Pointer | No | | TCP Flags | No | Following flags are supported in Gen 2 nodes : SYN, SYNACK, RST and
FIN. For Gen 3 nodes all TCP flags are supported. | TCP Window Size | No | | UDP Message Length | No | | MSS | No | Maximum payload size a TCP segment can carry without the headers. The MSS value is exported at the beginning of a flow. Its exported only when bidirectional flows are configured. This is supported only in Gen 3 GigaSMART cards and GigaVUE V Series. | Aggregate Window Size | No | The actual minimum, mean, and maximum TCP window size values, calculated separately for both sender and receiver packets for a given flow per export interval.
Its exported only when bidirectional flows are configured.
This is supported only in Gen 3 GigaSMART cards and GigaVUE V Series. | Zero Window | No | This captures TCP zero window event statistics (zero window, zero window probe and zero window acknowledgment) for both sender and receiver, indicating when the TCP receive buffer is full and data transmission is temporarily paused due to flow control for a given flow per export interval.
Its exported only when bidirectional flows are configured. This is supported only in Gen 3 GigaSMART cards and GigaVUE V Series. | ICMP | ICMP Code | No | Corresponds to types IPv4 and IPv6. | ICMP Type | No | Corresponds to types IPv4 and IPv6. | Counter | Bytes | Yes | Options: 32, 64 (default) Determines the length of the counters, 32B or 64B.
NetFlow v5 supports only 32B. | Packets | Yes | Options: 32, 64 (default) | Timestamp | System Uptime First | Yes | Difference between the flow start time and the GigaSMART®
uptime in milliseconds. | System Uptime Last | Yes | Difference between the flow end time and the GigaSMART® uptime in milliseconds. | Flow Start | Yes (msec) | | Flow End | Yes (msec) | | Flow | End Reason | Yes | Inner flow end reason – TCP ack, reset, inactive, etc. |
|
NetFlow Dashboard
In Appviz, only the traffic statistics are displayed as applications cannot be configured and used in the NetFlow configuration.
.png)
