NTop plugin

[N3NCY]

To get a flow from a Cisco device, that particular device code must support netflow.

You can export flows from multiples devices (even multiple flows from some devices - ie. different vlans and same cisco)

Each flow "export" and "collector" must match up on ports settings.
Use a single port for each export/collector pair.

Example:
telnet 10.0.0.254

config term

ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export version 5
ip flow-export destination 10.0.0.1 9991

interface Vlan 1
ip route-cache flow

end
copy running startup

# Test
show ip flow export

[knobdy]

and Ntop is just configured to listen for the flow?

How many flows can nTop handle at a time?

[N3NCY]

NTop must be configured to receive each flow.

NTop will handle as many flows as you setup.
Your computer running ntop must be more powerful as you add more flows of course.

I don't know exact hardware requirements for a given quantity of flows.
At some point, like any computer program, you may need a more powerful CPU and additional RAM.

But, to answer your question simply:
Each flow must be setup in a pair.
One flow on your Cisco router sending on say port 9991
would need one collector on your NTop box listening on port 9991.

To add more flows, you would setup more pairs.
Your next flow would send on say port 9992
and would need one collector on your NTop box listening on port 9992.

You always setup a sender "the flow export" on your Cisco router
and
a receiver "the collector" on your NTop server.
This makes one functional set or flow.

Please see pevious posts for mor details, example:

I have ntop running on the same NIC as Cacti as well.
They can peacefully co-exist.

I wrote (and borrowed) some instructions for getting ntop up and running on UNIX:
http://members.netjunkies.net/n3ncy/FreeBSD60/ntop.htm

On any platform, the steps should be similar:
1.) Get ntop installed on your server (ntop is a "Collector" and a web displayer of this collected data)
2.) Make sure you can log into ntop on your server (usually port 3000)
example: http://Yourserver:3000
3.) Configure a pair of items:
- Setup a "Collector" via your ntop web interface (see step 2 above)
- Export a "Flow" from your router to this collector
4.) Test ntop and look at this flow - You should be getting data
5.) Lastly setup the Cacti ntop plug-in to point to your ntop
example: http://Yourserver:3000


At a minimum read:
http://www.ntop.org/ to setup NTop
and
http://www.cisco.com/en/US/products/ps6601/products_ios_protocol_group_home.html to setup your Cisco gear

Very last of all, after you already have NTop working, then consider the NTop plug-in for Cacti, since the Cacti NTop plug-in is only useful if you already have NTop functional.

[egarnel]

silly mistake on my part:

I am running a pair of layer 3 switches in an hsrp pair. I opened up the firewall on the box running ntop for the defined ip address and port for netflow. The next day, I got my answer as to why netflow was not appearing in ntop. Lots of firewall logs from the real ip address from the primary l3 switch exporting the netflow. I should have remembered this little gotcha from doing things on the device such as extended pings & traces... Do not use the virtual addr for things like that

Now it appears to be happy.

[knobdy]

Cool, I will be trying it within the next week or two.

One more question though, we have some government regs we'll be needing to comply with. One of the requirements for net flows is that they be sent from the loopback interface. Currently we don't do much of anything with the loopback - anyone here got some experience with this on Cisco devices?

I'd love to find someone who's brain I can pick...

[egarnel]

ip flow-export source Loopback < number>

[knobdy]

[qwertz]

I just installed netflow with ntop and everything is working fine.
I used Cacti and ntop plugin with success

I noticed in the netflow mode of ntop that the stat of all the remote routers are mixed in the same tables.
Is it possible to separate the tables per remote netflow router ?

Thanks

Qwertz

[N3NCY]

Did you setup mulitple flows and collectors on different ports?
Under the Admin menu click Switch NIC
Do you have multiple choices for sources you want to look at?
I setup different flows from my routers for each vlan I want to look at.
I get a "per vlan" view, not everything in one view.

[qwertz]

Thanks i will do it. (ie i will use a different port per remote host).

By the way i have a other question.
I wanted to keep my data when i stop ntop. Do you know how to set ntop to save the data in log files instead of only put them in the swap?

Strangly, i did not find any clear answer on the web

Thanks again

Qwertz

[flavour]

[qwertz]

Sorry, i don't understand

[N3NCY]

Somebody would need to create the RRDTool Cacti plugin?

Currently my nTop does not save data between restarts either.
(Although I don't need it to do so)

Your question is really more for the nTop people:
http://www.ntop.org/documentation.html

Unless the Cacti crew already created a plguin for long term storage?

[flavour]

RRDPlugin is part of the normal NTop distribution - just needs enabling.
- Check Plugins off the Admin menu.

F

[qwertz]

Thanks for your help.

For N3NCY:
On admin -> Plugins -> Netflow -> on Flow Collection -> Local Collecor UDP Port
I can set only one port. So i will have on admin -> Switch NIC: my ethernet interface and only one netflow interface and i will still see all my remote netflow hosts in one table


For flavour:
I went on admin -> Plugins -> rrdplugins -> i enabled everything in "data to Dump"
I noticed that the only things that are kept after a ntop restart is the data in the graphs in Summary -> Traffic

Thank you again

QWertz