Collecting Netflow and Sending to Solarwinds NTA
If you are interested in collecting, viewing and inspecting Netflow data like I am, then you will be interested in this. Netflow gives you deep inspection into your network traffic, such as the source and destination of traffic, protocols and types of service, plus much more. Why is this valuable information? Maybe you are interested in the different types of traffic that are floating around on your network, or possibly you are getting reports of slow network connectivity from users. So how do we get this Netflow data? First off, your network devices must support exporting Netflow data to begin with (sort of, anyway, as the next paragraph explains). This goes for any network switches, firewalls and even vSphere. The second part of gathering Netflow data is that you must have a Netflow collector installed on your network. NTOP is a good open-source Netflow collector, but it loses all of its data when rebooted; however, lately I have been doing some deep testing with several Solarwinds products (SAM, NPM, Virtualization Manager, NTA and Storage Manager), in particular Solarwinds NTA (Netflow Traffic Analyzer). This product provides an unbelievable level of detail and is visually pleasing as well. One other thing about this product is the integration with their other products, which provides a seamless view into your environment instead of jumping between different products and having no sense of correlation between the different elements in your environment.
So assuming that you are running a physical and virtual environment like I am, setting all of this up can be somewhat of a challenge. In my lab I am running a Cisco 3750G 48TS switch stack, a physical pfSense firewall and three vSphere 5.5 hosts running between 30-40 VMs at any given time. With my setup the first challenge is that my Cisco switches do not support exporting Netflow; obviously your environment may be different. So in order for me to collect Netflow data from my switches, you can take a look here on how to create an RSPAN port mirror and send that data to a vDS (vSphere Distributed Switch) port. The difference in this article compared to the link above is that we will not be installing or using NTOP; instead, on our VM we will be using nProbe (created by the same people who create NTOP). nProbe will act as a Netflow proxy in our setup for each device that we will be collecting Netflow data from, and then forward the flows on to our Solarwinds NTA. nProbe is not a free product, but so far it is well worth it. There are several Linux open-source Netflow forwarders (fprobe, ipt-netflow and pflow), but I have not had good success yet using them with Solarwinds; I will be doing some additional testing on those as well in the near future.
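As an added example (not code from the original article, nProbe or Solarwinds), here is a small Python decoder for NetFlow v5 datagrams, which is the kind of export a collector like NTA receives from the nProbe proxy: it checks the version, rejects datagrams whose announced record count does not match their length, and decodes each flow record, so you can verify on a test port what the proxy is actually forwarding before pointing it at NTA. The sample datagram, its addresses and the UDP port 2055 default are constructed assumptions.

```python
"""Decode NetFlow v5 datagrams, e.g. those nProbe forwards to a collector."""
import socket
import struct
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "packets", "octets",
          "first", "last", "src_port", "dst_port", "pad1", "tcp_flags",
          "proto", "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")

def parse_v5(datagram: bytes) -> dict:
    """Return header fields plus decoded flow records; reject malformed input."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _up, _secs, _nsecs, seq, _etype, _eid, sampling = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    # v5 allows at most 30 records per datagram; also catch truncated packets
    if count > 30 or len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError(f"header announces {count} records but {len(datagram)} bytes present")
    records = []
    for i in range(count):
        rec = dict(zip(FIELDS, RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)))
        for key in ("src", "dst", "nexthop"):       # raw 4-byte addresses -> dotted quad
            rec[key] = str(IPv4Address(rec[key]))
        del rec["pad1"], rec["pad2"]
        records.append(rec)
    # low 14 bits of the last header field carry the sampling interval
    return {"sequence": seq, "sampling_interval": sampling & 0x3FFF, "records": records}

def build_sample() -> bytes:
    """Constructed datagram (not captured traffic): two flows from a mirrored VLAN."""
    def rec(src, dst, pkts, octets, sport, dport, proto, flags):
        return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                           1, 2, pkts, octets, 1000, 2000, sport, dport, 0, flags, proto, 0,
                           0, 0, 24, 24, 0)
    header = HEADER.pack(5, 2, 120000, 1700000000, 0, 7, 0, 0, 0)
    return header + rec("192.168.1.10", "10.0.0.5", 12, 5400, 51234, 443, 6, 0x18) \
                  + rec("192.168.1.20", "10.0.0.53", 1, 76, 40000, 53, 17, 0)

def listen(port: int = 2055, bufsize: int = 2048) -> dict:
    """Block until one NetFlow datagram arrives on UDP `port`, then decode it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        data, (host, _) = sock.recvfrom(bufsize)
    return {"exporter": host, **parse_v5(data)}
```

Point nProbe at the host running `listen()` on a spare port and compare the decoded records with what NTA later displays; a persistent mismatch between announced and received record counts usually means truncated or non-v5 exports.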
To learn more and to read the entire article at its source, please refer to the following page: Collecting Netflow and Sending to Solarwinds NTA - Everything Should Be Virtual