Not true ... ntop 3.1
supports multiple netFlow devices.
Each pseudo-device can be
configured to receive on a separate port (that's the only meaningful
configuration). Each configured port is treated as a separate
'device'. ntop receives the flows and
accumulates counts in separate 'devices' and, just like any other situation, you
select one at a time for reporting. The trick is in the
configuration...
If the router(s) support it, you simply direct
the flows (perhaps both ports to the same destination to work around the
ingress question) to separate destination ports on the ntop
host. If the routers won't support alternate destination port
numbers, you need to get sneaky - use flow-tools (http://www.splintered.net/sw/flow-tools/) on
yet another box.
Is it efficient? Probably
not...
-----Burton
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Moore
Sent: Tuesday, February 15, 2005 9:26 AM
To: [email protected]
Subject: RE: [Ntop] NetFlow Multiple Routers Multiple Interfaces
In short, Ntop won't do
what you want to do in question 1.
At present, Ntop won't
break the info out according to interface the NetFLow info was collected on. I
have had some discussions with Luca about providing this functionality for sFlow
but I don't know if he has done any work on this.or not. If it could be
configured, you could send NetFlows from each interface to a different
destination port, but I don't think Cisco provides this functionality. Nor do I
know if NetFlow provides interface info along with the flows. One additional
complication is that, at least on Cisco devices, NetFlow only collects stats on
ingress packets. e.g. on a 2 interface router Netflow must be configured for
both interfaces to see both sides of the conversations. So in your example
below, each virtual device would only be seeing one side of the
conversations.
In response to your
second question, you set the virtual address to one on the network you wish to
be "local". I don't know how you might want to set this on your system. One
approach is to run more than one Ntop for your Netflow destinations, so you have
a bit more configuration control on what is considered local and what is
considered remote.
BTW, InMon Traffic Server
does exactly what you want, but warns that some Netflow implementations do not
provide interface info along with the flows. In any case, IIRC monitoring your
two routers with Traffic Server would run you something like $30k!
Chris
_____________________________________________
Chris Moore
Senior Network Engineer
Guardian
Mortgage Documents
303-942-2019
[EMAIL PROTECTED]
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete Hoffswell
Sent: Tuesday, February 15, 2005 7:03 AM
To: [email protected]
Subject: [Ntop] NetFlow Multiple Routers Multiple Interfaces
Good day to you -
I'm a ntop newbie, but am not seeing documention or list conversations that
clairify this well.
I have two WAN routers with multiple serial interfaces, terminating wan
links to serveral sites.
I have ntop 3.1 running with the NetFlow plugin working. I have two
Netflow devices created, each sending the flows to ntop on a separate port (2055
and 2056).
I have my routers configured to create flows on some of the serial
interfaces.
All looks pretty good.
Question 1: How do I view traffic on a per-interface basis? My
configuration seems to put all flows for a router into the one Netflow device
instance in ntop.
Instead of:
NetFlow-router.1 = NetFlow-device.1
NetFlow-router.2 = NetFlow-device.2
I would like to see, I think:
NetFlow-router1-serial.1 = NetFlow-device.1
NetFlow-router1-serial.2 = NetFlow-device.2
NetFlow-router1-serial.3 = NetFlow-device.3
NetFlow-router2-serial.1 = NetFlow-device.4
NetFlow-router2-serial.2 = NetFlow-device.5
NetFlow-router2-serial.3 = NetFlow-device.6
Question 2: What should I set my Virtual
NetFlow Interface Network Address to?
This may be the answer to question one. The
serial interfaces are just tiny ip networks to define the wan link. They
don't really define "local traffic"
Here's a single remote site example:
Serial link, wan router: 10.200.1.45/30
Ether link to lan router: 10.12.2.1/24
Lan 1 10.12.12.1/23
Lan 2 10.12.12.1/23
Lan 3 10.12.50.1/24
Lan 4 10.12.51.1/24
etc.
These networks are 1 (wan) or 2 (lan) hops away from
the netflow core wan router. In this case, how would I define "local
traffic" on the core wan router netflow setup in ntop?
Thanks!
Pardon my limited understanding of both ntop and NetFlow. I have a
feeling I'm barking up the wrong tree on this. Can someone help me out?
Thanks!
Pete Hoffswell 616-732-1101 (Grand Rapids, x1101)
University LAN/WAN Coordinator 616-510-1198 (Mobile)
IT Services [EMAIL PROTECTED]
Davenport University http://www.davenport.edu
-=-=- LAN/WAN services: http://networker.davenport.edu -=-=-
**********************************************************************
Confidential/Proprietary Note
The information in this email is confidential and may be legally privileged. Access to this email by anyone other than the intended addressee is unauthorized. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system. Thank you.
Guardian Mortgage Documents, Inc.
225 Union Boulevard, Suite 200
Lakewood, CO 80228.
**********************************************************************
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
