NetFlow Analyzer

NetFlow Analyzer:
Introduction

ManageEngine NetFlow Analyzer is a web-based bandwidth monitoring tool that performs in-

depth traffic analysis using data exported from NetFlow / Netstream / cflowd / J-Flow / sFlow /
IPFIX / AppFlow flows.
This data provides granular details about network traffic that has passed through an interface.
NetFlow Analyzer processes this information to show you what applications are using bandwidth,
who is using them, and when. Extensive graphs and intuitive reports make this information easy to
analyze, and also help accelerate the troubleshooting process.
NetFlow Analyzer comes pre-loaded with a set of features that provide in-depth bandwidth usage
statistics and let you drill down to see more details about a bandwidth traffic, application, or
conversation etc. NetFlow Analyzer also includes other administrative options that help in managing
enterprise networks and bandwidth utilization with ease.
Why NetFlow Analyzer?

ManageEngine NetFlow Analyzer comes with out of the box high performance API driven UI
and highly scalable capabilities, including the following key features:
 Support for multiple flow exports
Regardless of different types of flows, now you can view a complete picture of the usage, network
performance, and traffic statistics of various network devices in single console. Support's NetFlow,
IPFIX, jFlow, sFlow, Netstream, Appflow etc.
 Web-based API driven UI
View the status of your links, and generate reports from just a web browser that is built on a
JavaScript framework powered by Ember.js. This new Fluidic web client offers 10x more
productivity and performance compared to the previous UI. The new user interfaces also features
keyboard navigation across interface snapshot pages, alarms and performance graphs which helps
network admins to access the information they are looking for even more quickly and easily.
 Real-time Traffic Graphs
View instant graphs for bandwidth utilization and traffic per link up to previous minute.
 Historical Trend Reports
Generate daily, weekly, monthly, and custom time period bandwidth reports showing peak traffic
patterns from the day 1.
 Application-level QoS shaping
Reconfigure application QoS with ACL to filter application traffic, thus reserve bandwidth for mission
critical activities. Now you can shape app traffic via service policy and allocate % to particular
application and thus regulate the bandwidth usage with the help of CBQoS monitoring.
 Cisco Application Visibility and Control (AVC)

Provides an detailed information from Cisco ASR1k and ISR-G2 routers with information on
NBAR2, Application response time, QOS Hierarchy, HTTP URL reporting.
 Cisco class-based Quality of service monitoring (CBQoS)
Validate the effectiveness of your QoS policies using CBQoS reports from NetFlow Analyzer.
Prioritize your network traffic accordingly.
 High Scalability
Now, NetFlow Analyzer can scale up to 250K flows per second without raw data storage and with
raw data storage it can process upto 100k flow per second.
 Capacity Planning & Billing
Helps you accurately measure your bandwidth growth over a period of time and helps to anticipate
the changes in bandwidth with capacity planning reports. You can also generate on-demand billing
for accounting and departmental chargebacks.
 Network Forensics & Security Analysis
Advanced security analytics module helps to detect a broad spectrum of external and internal
security threats and categorize threats/anomalies as problems such as Bad Src-Dst, DDoS,
Suspect Flows.
 Traffic Profiling
View bandwidth reports based on top applications, top hosts, and top conversations, DSCP,
multicast.
 Consolidated Reports
View bandwidth reports per Device and interfaces, showing top applications, top talkers in a single
report.
 Device Grouping
Categorize NetFlow devices into logical groups and grant reporting access to specific users based
on hierarchy. Group IP addresses and address ranges into department wise , and monitor
bandwidth usage individually.
 Traffic Configuration & User Management
Identify most standard applications out-of-the-box and configure custom applications and monitor
the same. Add users with different privileges, assign device groups, and selectively allow access for
monitoring and reporting.
This User Guide will help you install NetFlow Analyzer, understand netflow port details, Cisco
netflow configuration and other flow configuration steps and get familiar with the user interface. If
you are unable to find the information you are looking for in this document, please let us know
at netflowanalyzer-support@manageengine.com
System Requirements for NetFlow

Analyzer
The recommended hardware requirements for installing and running NetFlow Analyzer
Essential & Enterprise Edition are as follows:
Enterprise Edition
Parameter Essential Edition
Central Server Collector
2.4 GHz Quad Core 2.4 GHz Dual 3.2 GHz Quad
Processor
Processor Core core
RAM 4 GB 4 GB 8 GB
Hard-disk 1 TB SATA hard

200GB for database 600 GB
space disk
Operating
64 bit 64 bit 64 bit
System
Please note that change in flow rate will lead to change in system requirements as
below:
Disk Additional
space for Disk
Rate of Server
Processor RAM Aggregate space for
Flow/Second Type
Data RawData
(Forever) (Optional)
2.4 GHz Quad

0 to 3k 4 GB 200 GB 75 GB/Day -
Core Processor
3.2 GHz Quad

3k to 6k 6 GB 200 GB 150GB/Day 64 bit
Core Processor
3.2 GHz Quad

Core Processor
3.2 GHz Quad
Core Processor
3.2 GHz Quad

10k to 25k 18 GB 225 GB - 64 bit
Core Processor
3.2 GHz Quad

25k to 50k 20 GB 250 GB - 64 bit
Core Processor
3.2 GHz Quad

50k to 75k 22 GB 300 GB - 64 bit
Core Processor
3.2 GHz Quad

75k to 100k 24 GB 350 GB - 64 bit
Core Processor
* Aggregated data is calculated based on the top 100 records.
For the device exporting NetFlow, ensure that the NetFlow export version format is
exactly the same as the Cisco NetFlow version 5 or version 7 or version 9 format.
For information on Cisco devices and IOS versions supporting Netflow, consult
the Cisco NetFlow Device Support table.
Software Requirements
Supported Operating
Supported Browsers Database supported
System
 Windows Server  Google Chrome  PG SQL -

2019 (preferred) Bundled with the
 Windows Server  Mozilla Firefox product.
2016  Microsoft Edge  MSSQL - Also
 Windows Server  IE11 available.
2012 R1 & R2 Supported versions:
 Windows 10 SQL 2017 | SQL 2016 |
 Windows 8 SQL 2014 | SQL 2012 |
 Windows 7 SQL 2008
 Windows Vista
 Windows 2008 -
R1 & R2
 For production
 RedHat Linux 6.0
use 64 bit versions of
and above
SQL
 Cent OS 6.0 and
 Recovery mode
above
should be set to
 Fedora 18 and
above SIMPLE.
 Debian version 6.0  SQL and NetFlow
and above should be in the same
 Ubuntu 12 and LAN. Currently WAN
above based SQL installations
 SUSE 10 and are not supported.
above
Port Requirements
Default Port
Port Name Usage
Numbers
This is the port on which you will connect to the

Web server NetFlow Analyzer server from a web browser.
8060
port You can change this at any time from
the Settings tab.
This is the listener port on which NetFlow exports

NetFlow 9996 are received from routers. You can change this at
Listener port any time from the Settings tab.
Embedded This is the default port used to connect to the

13306
database port PGSQL database in NetFlow Analyzer.
This is the port that connects NetFlow Analyzer

MSSQL 1433
to a SQL database.
This is the default SNMP port to fetch the device

SNMP 161
information and configure SNMP based NBAR.
32000-
Wrapper
32999
31000-
JVM To connect to Wrapper.
31999
This is the port through which the collector

HTTPS Port 443
communicates with the central server.
Database Requirements
The following table lists the basic requirements for your OpManager database server.
PostgreSQL
 Comes bundled with the product.
 In case of failover, please use MS SQL.
Microsoft SQL
1. Supported versions:
SQL 2017 | SQL 2016 | SQL 2014 | SQL 2012 | SQL 2008
2. Important Notices:
1. For production use 64 bit versions of SQL

2. Recovery mode should be set to SIMPLE.
3. SQL and OpManager should be in the same LAN. Currently WAN based SQL
installations are not supported.
3. Collation:
 English with collation setting (SQL_Latin1_General_CP1_CI_AS)
 Norwegian with collation setting (Danish_Norwegian_CI_AS)
 Simplified Chinese with collation setting (Chinese_PRC_CI_AS)
 Japanese with collation setting (Japanese_CI_AS)
 German with collation setting (German_PhoneBook_CI_AS)
4. Authentication:
Mixed mode (MSSQL and Windows Authentication).
5. BCP:
The "bcp.exe" and "bcp.rll" must be available in the bin directory.
The BCP utility provided with Microsoft SQL Server is a command line utility that
allows you to import and export large amounts of data in and out of SQL server
databases quickly. The bcp.exe and bcp.rll will be available in the MSSQL installation
directory. If MSSQL is in a remote machine, copy bcp.exe and bcp.rll files and paste
them in the <\OpManager\bin> directory.
The SQL server version compliant with the SQL Native Client must be installed in
the same Server.
Note: NetFlow Analyzer runs in both Windows and Linux, supports NetFlow® versions
5/7/9,sFlow® , cflowd® ,J-Flow® , IPFIX® , NetStream®. To know which devices it
supports refer Configuring Cisco Devices section of the User Guide.
Installation and Startup

NetFlow Analyzer is available for Windows and Linux platforms. For information on supported
versions and other specifications, look up System Requirements.
Installing NetFlow Analyzer
Windows:
1. Download NetFlow Analyzer for Windows
2. Double-click it to start installation. Follow the instructions as they appear on screen to
successfully install NetFlow Analyzer on to your machine. NetFlow Analyzer supports both,
PostgreSQL and MSSQL as database. Select the database and click Next.
Linux:
1. Download NetFlow Analyzer for Linux

2. Assign execute permission using the command: chmod
a+x ManageEngine_NetFlowAnalyzer_xxxx.bin where
ManageEngine_NetFlowAnalyzer_xxxx is the name of the downloaded BIN file.
3. Execute the following command: sudo ./ManageEngine_NetFlowAnalyzer_xxxx.bin
4. Follow the instructions as they appear on the screen to successfully install NetFlow
Analyzer on to your machine.
Installing Linux using Console mode/ Silent mode
This is a quick walk-through of the console mode installation of NetFlow Analyzer on a Linux
box - an easy thing to do if you are working on a Windows box and want to install on a remote
Linux system.
Step 1: Execute the binary with administrator privileges (sudo) and -i console option.

Step 2: Go through the license agreement and enter 'Y' to proceed. You can register for
technical support by providing the required details. (Name, E-mail ID, Phone, Company Name)
Step 3: Select the location
Step 4: Choose the installation directory
Step 5: Configure the Webserver and Listener Ports.

Step 6: Verify the installation details and press 'Enter' to complete the installation.

During installation if you get an error message stating that the temp folder does not have
enough space, try executing this command with the -is:tempdiroption, where is the
absolute path of an existing directory.
sudo ./ManageEngine_NetFlowAnalyzer_xxxx.bin -is:tempdir
For non-x11 machines, use the following command:
sudo ./ManageEngine_NetFlowAnalyzer_xxxx.bin -i console
Once you have successfully installed NetFlow Analyzer, start the NetFlow Analyzer server by
following the steps below.
Starting NetFlow Analyzer
Windows:
Click on Start > Services > start the ManageEngine NetFlow Analyzer to start the service.
Alternatively you can navigate to the bin folder in a CMD prompt and invoke the run.bat file to start
as application.
Linux:
Navigate to the /bin directory and execute the ./run.sh file.
When the server is started, a command prompt window opens up showing startup information on
several modules of NetFlow Analyzer. Once all the modules have been successfully created, the
following message is displayed:

Server started.
Please connect your client at http://localhost:8060

The default port is 8060 and it will be replaced by the port you have specified as the web server
port during installation.

Starting as Service
Windows:
If you have chosen the Start as Service option during installation, NetFlow Analyzer will run as
a service on Windows.
Linux:
1. Login as root user.
2. Navigate to the bin directory.
3. Execute the linkAsService.sh file
4. Then execute the command systemctl start NetFlow Analyzer service

This starts NetFlow Analyzer as a service on Linux.

Shutting Down and Uninstalling

Shutting Down NetFlow Analyzer
Follow the steps below to shut down the NetFlow Analyzer server. Please note that once the server
is successfully shut down, the MySQL/Pgsql database connection is automatically closed, and all
the ports used by NetFlow Analyzer are freed.

Windows:
1. Navigate to the Program folder in which NetFlow Analyzer has been installed. By default,
this is Start > Programs > ManageEngine NetFlow Analyzer
2. Select the option Shut Down NetFlow Analyzer
3. Alternatively, you can navigate to the bin folder and invoke the shutdown.bat file.
4. You will be asked to confirm your choice, after which the NetFlow Analyzer server is shut
down.
Linux:
1. Navigate to the /bin directory.
2. Execute the shutdown.sh file.
3. You will be asked to confirm your choice, after which the NetFlow Analyzer server is shut
down.
4. Also you can execute systemctl stop OpManager.service--> This will stop the service.
Uninstalling NetFlow Analyzer

Windows
1. Navigate to Add/Remove Programs or Programs& Features in which NetFlow Analyzer
is listed.
2. Select the option Uninstall ManageEngine NetFlow Analyzer
3. You will be asked to confirm your choice, after which NetFlow Analyzer is uninstalled.
Linux
1. Navigate to the /_uninst directory.
2. Execute the command ./uninstaller.bin
3. You will be asked to confirm your choice, after which NetFlow Analyzer is uninstalled.
Antivirus scanners interfering with database files may affect normal functioning of database.
Define exception for the C:\ManageEngine\OpManager_scrnsht\OpManager directories in
the antivirus scanners.
NetFlow Analyzer - Supported Devices

NetFlow Analyzer leverages on NetFlow®, sFlow®, cflowd®, J-Flow®, IPFIX®, NetStream®

and Cisco NBAR® information exported from routing & switching devices to provide you
indepth visibility into the top talkers and applications on your network. The table below lists the
set of devices from various vendors and the type of flow they export.
Cisco Routers
Cisco IOS Software Release Version Supported Cisco Hardware Platforms
11.1CA, 11.1CC Cisco 7200 and 7500 series, RSP 7200 series
12.0 Cisco 1720, 2600, 3600, 4500, 4700, AS5800
RSP 7000 and 7200 series
uBR 7200 and 7500 series
RSM series
12.0T, 12.0S Cisco 1720, 2600, 3600, 4500, 4700, AS5800
RSM series, MGX8800RPM series, and BPx8600 series
12.0(3)T, 12.0(3)S Cisco 1720, 2600, 3600, 4500, 4700, AS5300, AS5800

12.0(4)T Cisco 1400, 1600, 1720, 2500, 2600, 3600, 4500,
4700, AS5300, AS5800
12.0(4)XE Cisco 7100 series
12.0(6)S Cisco 12000 series

NetFlow is also supported by these devices Cisco 800, 1700, 1800, 2800, 3800, 6500, 7300,
7600, 10000, CRS-1 and these Catalyst series switches: 45xx, 55xx, 6xxx and Cisco Meraki.

These devices do not support NetFlow: Cisco 2900, 3500, 3660, 3750.
Cisco Switches
NetFlow export is also supported on other Cisco switches when using a NetFlow Feature Card
(NFFC) or NFFC II and the Route Switch Module (RSM), or Route Switch Feature Card
(RSFC). However, check whether version 5 is supported, as most switches export version 7 by
default.

NetFlow Version 9 Support
Supported Platforms
 Cisco 2600 series
Other Vendors

Supported
Vendor Flows Device List
Cisco IOS Routers, Cisco IOS Routers, ASR 1000

series, Cisco 6500 switches with sup 2T, Cisco 4500
with sup 7E, Cisco wireless LAN controller (WLC),
NetFlow ISR-G2, ASR 1000
NetFlow-Lite Cisco 2960-X, 4948E switches
Cisco Meraki All Meraki NetFlow devices
Adtran NetFlow NetVanta
AlaxalA
Networks sFlow AX7800R , AX7800S , AX7700R , AX5400S
Refer AlaxalA Networks website
Alcatel sFlow OmniSwitch 6850 , OmniSwitch 9000
Allied Telesis sFlow SwitchBlade 7800R series , SwitchBlade 7800S

series , SwitchBlade 5400S series
Brocade NetFlow, sFlow
(Formerly BigIron series, FastIron series, IronPoint series,
Foundry
Networks) NetIron series, SecureIron series, ServerIron series
Barracuda IPFIX Barracuda NG Firewall(firmware 5.2.3 and above)
Comtec
Systems sFlow !-Rex 16Gi & 24Gi & 24Gi-Combo
Dell - Force 10 PowerConnect 6200 series, PowerConnect 8200

Networks sFlow series, E series
D-Link sFlow DGS-3600 series
Enterasys NetFlow Refer Enterasys website
Alpine 3800 series, BlackDiamond 6800 series,

Extreme BlackDiamond 8800 series, BlackDiamond 10808,
Networks IPFIX BlackDiamond 12804C , BlackDiamond
12804R ,Summit X450 Series , Summit i series
Fortigate sFlow FortiSwitch series, FortiGate series
sFlow Refer Huawei sFlow
Huawei NetStream Refer Huawei NetStream
H3C sflow Refer H3C website
Ruijie IPFIX Refer Ruijie website
ProCurve, ProCurve Wireless Edge Services xl

Module, ProCurve Wireless Edge Services zl Module,
ProCurve Access Point 530ProCurve 9300m series ,
Hewlett- ProCurve Routing Switch 9408sl
Packard sFlow ( http://www.sflow.org/products/network.php )
Hitachi sFlow GR4000 , GS4000 , GS3000
Juniper NetFlow, J-
Networks Flow Refer Juniper Networks website
Maipu sFlow S3300 Series, S3400 Series, S3900 Series

MikroTik NetFlow Refer Website
NetGear sFlow GSM7352S-200, GSM7328S-200
Nortel IPFIX 5500 & 8600 Series
IP8800/R400 series , IP8800/S400
NEC sFlow series , IP8800/S300 series
Palo Alto NetFlow Firmware version 4.1
Riverbed and NetFlow Analyzer Joint

Riverbed NetFlow Solution brief [PDF] | Refer Riverbed website
SonicWall NSA E5500(SonicOS Enhanced 5.6.4.0-

Sonicwall NetFlow/IPFIX 36o and above)
Vyatta 514, Vyatta 2500 series, Vyatta Virtual Router,

Firewall, VPN
Vyatta sFlow
CheckPoint
Firewall NetFlow Checkpoint IPSO 6.1 and above
For queries on working with other devices contact netflowanalyzer-

support@manageengine.com
Accessing the Web Client

NetFlow Analyzer Enterprise Edition has seperate UI logins for Central UI and Collector UI.
NetFlow Analyzer Central UI provides you to option to monitor all the collector and do
configuration changes on the Collectors. The changes done in the Central server UI will be
pushed to the Collectors automatically.
NetFlow Analyzer Collector UI gives the single view of the devices that are sending flows to
that Collector server alone.
Once the service has successfully started, follow the steps below to access NetFlow Analyzer.
1. Open a supported web browser window
2. Type the URL address as http://NetflowServer_IP:8060 (where NetflowServer is the
name of the machine on which NetFlow Analyzer is running, and 8060 is the default web
server port)
3. Log in to NetFlow Analyzer using the default username/password combination
of admin/admin
Once you log in, you can start managing devices exporting NetFlow, generate bandwidth
reports, and more.
License Information

 Free Edition - collect, analyze, and report on Netflow data for a upto two interfaces
with limited features
 Essential Edition - collect, analyze, and report on Netflow data for a maximum of n
interfaces (where 'n' is the number of interfaces for which NetFlow Analyzer has been
purchased)
 Add-ons - Reporting on Cisco IPSLA , Hi-Perf Reporting Engine, NCM (Network
Configuration Manager), Wireless LAN Controller (WLC) and deep packet inspection (DPI).
 Enterprise Edition - is scalable bandwidth monitoring for distributed networks for
unlimited interfaces upto 80k flows support. (all add-ons included)
Once installed, NetFlow Analyzer runs in evaluation mode for 30 days. You can obtain a
registered license for NetFlow Analyzer at any time during the evaluation period by contacting
NetFlow Analyzer Support.
If you have not upgraded to the Licensed Edition by the end of the evaluation period, NetFlow
Analyzer automatically reverts to the Free Edition.
Upgrading your License

After obtaining the new license from ZOHO Corp, save it on your computer, and follow the
steps below to upgrade your NetFlow Analyzer installation:
1. Log in to the NetFlow Analyzer web client

2. Click Admin logo/icon in the top right corner of the web client
3. Click the Register link present in that pop-up page.
4. In the License window that opens up, browse for the new license file and select it.
5. Click Register to apply the new license file
The new license is applied with immediate effect. You do not have to shut down or
restart the NetFlow Analyzer server after the license is applied.

NetFlow Analyzer Enterprise Edition -
Installation and Uninstallation
Central Server Installation
Windows
The Windows download for NetFlow Analyzer is available as an EXE file
at https://www.manageengine.com/products/netflow/download.html#ent Download the EXE file
for the Central Server to your local machine, and double-click it to start installation.Follow the
instructions as they appear on screen to successfully install NetFlow Analyzer on to your
machine.
Step1: On the Welcome Screen, Click ‘Next’ to continue.

Step2: Read the License agreement carefully and click ‘Next’ to proceed to the next step.
Step 3: Verify the destination folder and Click ‘Next’ to continue.
Step 4: Select your desired server type.
There are two options for server-type:
1) Central Reporting Server 2) Collector Server
Step 5: Select your desired port and language and click ‘Next’ to continue
Step 6: Provide proxy server host, server port, proxy username and password. Click ‘Next’ to
continue. Step 7: Choose your desired Program Folder
Step 8: Register for technical support by providing the information in the respective fields in the
registration form.
This is an optional form. Click ‘Next’ to continue.
Step 9: Review the Settings information that appears and Click ‘Next’ to begin the installation.
Step 10: Please wait till the installation is completed.
Step 11: Please wait till the files are extracted.
Step 12: The installation procedure is now complete. Click ‘Finish’ to start NetFlow Analyzer as
a service.
Linux:
The Linux download for NetFlow Analyzer is available as a BIN file
at https://www.manageengine.com/products/netflow/download.html#ent
1. Download the BIN file and assign execute permission using the command: chmod a+x
<file_name>.bin.where <file_name> is the name of the downloaded BIN file.
2. Execute the following command: sudo ./<file_name>.bin
enough space, try executing this command with the -is:tempdir <directoryname> option,
where <directoryname> is the absolute path of an existing directory. sudo
./<file_name>.bin -is:tempdir <directory_name>
Collector Installation
Windows
Step 1: On the Welcome Screen, Click ‘Next’ to continue.
Step 2: Read the License agreement carefully and click ‘Next’ to proceed to the next step.
Step 3: Verify destination folder and Click ‘Next’ to continue.
Step 4: Select your desired server type.
There are two options for server-type:
1) Central Reporting Server 2) Collector Server
Step 5: Select your desired port and language and click ‘Next’ to continue.
Step 6: Provide communication details such as Host Name, HTTPs port number etc. for both
Central Server & Collector. Click ‘Next’ when you are done.
Step 7: Please enter server details such as Name, user-name and password. Click ‘Next’ to
continue.
Step 8: Mention the default SNMP community and port information. This is an optional step.
Click ‘Next’ to continue.
Step 9: Provide proxy server host, server port, proxy username and password. Click ‘Next’ to
continue.
Step 10: Choose your desired Program Folder.
Step 11: Registration for technical support. An optional form to register yourself for technical
support would appear. You may choose to skip this form.
Step 12: Review the information that appears and click ‘Next’ to begin the installation.
Step 13: Please wait till the installation is completed.
Step 14: Once installation is complete, click on ‘Finish’. This will start NetFlow Analyzer as a
service.
Linux
The Linux download for NetFlow Analyzer is available as a BIN file
at https://www.manageengine.com/products/netflow/download.html#ent
1. Download the BIN file and assign execute permission using the command: chmod a+x
<file_name>.bin.where <file_name> is the name of the downloaded BIN file.
2. Execute the following command: sudo ./<file_name>.bin
enough space, try executing this command with the -is:tempdir <directoryname> option,
where <directoryname> is the absolute path of an existing directory. sudo
./<file_name>.bin -is:tempdir <directory_name>
Note: While Installing the collector please give the proper entries in the communication panel
and in the proxy server settings so that the collector can communicate with the central server
properly.
Once you have successfully installed NetFlow Analyzer, start the NetFlow Analyzer server for
central and collector.
Installing NetFlow Analyzer Enterprise Edition

on Linux using Console mode/ Silent mode
Central Server
Step 1: Execute ManageEngine_NFA_DE_64.bin with administrator privileges (sudo) and -i
console option.
Step 3: Select the location.
Step 4: Choose the installation directory

Step 5: Configure the Webserver and HTTP Ports
Step 6: Verify the installation details and press 'Enter' to complete the installation.

Probe Server
Step 1: Execute ManageEngine_NetFlowAnalyzer_Probe_64bit.bin with security privileges
(sudo) and -i console option.

Step 3: Select the location.
Step 4: Choose the installation directory, and configure the Webserver and Listener Ports.
Step 5: Verify the installation details, the installation status and press 'Enter' to complete the
installation.
Starting NetFlow Analyzer Central Server
Windows
Click on Start > Programs > ManageEngine NetFlow Analyzer Central Reporting Server >
Central Server.
Alternatively you can navigate to the \bin folder and invoke the run.bat file.
Linux
Navigate to the /bin directory and execute the run.sh file.
When the server is started, a command prompt window opens up showing startup information
on several modules of NetFlow Analyzer. Once all the modules have been successfully
created, the following message is displayed:
Server started.
Please connect your client at https://localhost
where 8060 is replaced by the port you have specified as the web server port during
installation.
Starting NetFlow Analyzer Collector
Windows
Click on Start > Programs > ManageEngine NetFlow Analyzer Collector > Collector
Server. Alternatively you can navigate to the \bin folder and invoke the run.bat file.
Linux
Navigate to the /bin directory and execute the run.sh file.
When the server is started, a command prompt window opens up showing startup
information on several modules of NetFlow Analyzer. Once all the modules have been
successfully created, the following message is displayed:
Server started.
Please connect your client at http://localhost:8060
where 8060 is replaced by the port you have specified as the web server port during
installation.
Starting as a Service
Windows
If you have chosen the Start as Service option during installation, NetFlow Analyzer will run
as a service on Windows.
Linux
1. Login as root user.
2. Navigate to the \bin directory.
3. Execute the linkAsservice.sh file.
4. Then execute the command systemctl start OpManager.service.
This starts NetFlow Analyzer as a service on Linux.
Data Backup and Restoration

Periodically backing up the database is very essential, as it helps you restore NetFlow
Analyzer service back during planned maintenance as well as unplanned mishaps. NetFlow
Analyzer database contains the following data:
Configuration data: There are quite a few configurations an administrator effects in NetFlow
Analyzer or easy management and monitoring. The configurations include user settings,
details of discovered devices, custom monitors, threshold settings, notification profiles, etc.
Most configuration data is persisted in the database while a few configurations are written in
conf files. So when you backup configuration data, you must take care to back up the ones
you need.

Backup & restoration steps for NetFlow Analyzer build 12300 and above
Backup
Following table lists the backup utilities bundled with NetFlow Analyzer and their purpose.
Make sure you use the one that fits your backup need:
S.N Utility Path Database
o
1 OpManager\bin\backup MSSQL | PGSQL This utility do

BackupDB.bat (for windows)
BackupDB.sh (for linux)

Restoration
To restore the backed up data,
1. Go to <OpManager Home>/bin/backup directory
2. Execute RestoreDB.bat (use RestoreDB.sh for linux) with the backup file name as
argument. See example below:
C:\<OpManager Home>\bin\backup>RestoreDB.bat
"OpManager\backup\BackUp_APR3_2009_17_43_38_8100.zip"
To restore the backed up data for MSSQL
1. Go to <OpManager Home>/bin/backup directory
2. Restore the data using RestoreDB.bat present under OpManager/bin/backup
directory and restart OpManager.
For ex : C:\<OpManager Home>\bin\backup>RestoreDB.bat
"c:\OpManager\backup\BackUp_APR3_2009_17_43_38_8100.zip"
How to Backup and Restore

VectorWise DB
Windows:
Backup:
1. Stop the NetFlow Analyzer service.
2. Open a command prompt as 'Administrator' and navigate to OpManager\bin (or)
NetFlow\bin.Execute VWstartdb.bat (This step can be ignored, if you get the
message "Vectorwise is already running. Use ingstop to shut down Vectorwise".)
3. Create a new folder to which the backup has to be saved (Eg. C:\NFA backup).
4. In command prompt, navigate to C:\NFA backup.
5. Execute copydb OpManagerDB (or) copydb netflow. This command will create two
script files named copy.in and copy.out
6. Execute sql OpManagerDB < copy.out (or) sql netflow < copy.out. This will start
copying the database. Please wait and continue with the restoration process.
7. Navigate to OpManager\bin (or) NetFlow\bin. Execute VWstopdb.bat
8. Once complete, copy the backup folder (C:\NFA backup) to New server.
Note: The directory structure for the backup folder should be the same as in the new server
(C:\NFA backup).
Restore:
Once the folder is copied to the new server follow the below steps to restore.
Note: The directory structure of the backup folder should be the same as in the old
server (C:\NFA backup).
1. Stop the Netflow Analyzer service.
2. Open a command prompt as 'Administrator' and navigate to OpManager\bin (or)
NetFlow\bin. Execute VWstartdb.bat
3. If HighPerf is installed on NetFlow Analyzer server, execute VWcreatedb.bat. Users
can skip this step if HighPerf is installed on a remote server.
4. In command prompt, navigate to C:\NFA backup.
5. Execute sql OpManagerDB < copy.in (or) sql netflow < copy.in
6. Start the NetFlow Analyzer service.
Linux:
Backup:
2. Open a terminal and login as 'installation owner'.
3. Navigate to OpManager/bin (or) NetFlow/bin. Execute
 . ./VWenv.sh
 ./VWstartdb.sh
Note: This step can be ignored, if you get the message - "Vectorwise is already running.
Use ingstop to shut down Vectorwise".
4. Create a new folder to which the backup has to be saved ( Eg.

/tmp/NFAHighPerfBackup/ ).
5. In the same terminal, navigate to /tmp/NFAHighPerfBackup/
6. Execute copydb OpManagerDB (or) copydb netflow. The above command will
create two script files named copy.in and copy.out
7. Execute sql OpManagerDB < copy.out (or) sql netflow < copy.out. This will start
copying the database. Please wait and continue with the restoration process.
8. Once complete, copy the backup folder ( /tmp/NFAHighPerfBackup/ ) to New server.
Note: the directory structure for the backup folder should be the same in the new
server (/tmp/NFAHighPerfBackup/).
9. Navigate to OpManager/bin (or) NetFlow/bin. Execute ./VWstopdb.sh
Restore:
Once the folder is copied to the new server follow the below steps to restore.
Note: The directory structure of the backup folder should be same as in the old
server (/tmp/NFAHighPerfBackup/ )
1. Stop the Netflow Analyzer service.
2. Open a terminal, and login as 'installation owner'.
3. Navigate to OpManager/bin (or) NetFlow/bin. Execute
 . ./VWenv.sh
 ./VWreinitializeDB.sh
 ./VWstartdb.sh
4. In the same terminal, navigate to /tmp/NFAHighPerfBackup/
5. Execute sql OpManagerDB < copy.in (or) sql netflow < copy.in
6. Start the NetFlow Analyzer service.
Migration steps for NetFlow Analyzer
from the build 9860 and above with
MySQL database (Windows)
Please follow the below steps to migrate NetFlow Analyzer build 9860 from 32 bit to 64 bit.
Steps
1. Shut down NetFlow Analyzer service.
2. Backup the following directories\files:
1. Data folder from <NetFlow> home directory.
2. Data folder from <NetFlow\Mysql> directory.
3. AdventnetLicense.xml file from <NetFlow\lib> directory.
4. database_params.conf, Persistence folder
and Wrapper.conf from <NetFlow\conf>
5. startDB.bat, stopDB.bat and setcommonenv.bat files from <NetFlow\bin>
Note:The above mentioned i & ii are two different directories but have been named the same.
Kindly ensure to note down in order to avoid confusion during restoration.
3. Install same NetFlow Analyzer BUILD 64 on the new server and run the NetFlow
Analyzer service once. You can download the same BUILD from this
link: http://archives.manageengine.com/netflow.
4. Run the service once and shutdown the NetFlow Analyzer service.
5. Download and unzip the Mysql folder from the following link and copy it to the
NetFlow_Home
directory. https://uploads.zohocorp.com/Internal_Useruploads/dnd/NetFlow_Analyzer/o_19dem
irre16voijnnar1rqk1obb1/mysql.zip
6. Restore the backed up folders to the new installation under the same location:
1. Data folder backed up from <NetFlow> home directory to <NetFlow> home
directory.
2. Data folder backed up from <NetFlow\Mysql> directory to <NetFlow\Mysql>
directory.
3. database_params.conf, Wrapper.conf and Persistence backed up from
<NetFlow\conf> directory to <NetFlow\conf> directory.
4. startDB.bat, stopDB.bat and setcommonenv.bat from bin folder backed up
from <NetFlow_Home>\bin directory to <NetFlow_home>\bin directory.
 Start the NetFlow Analyzer service and apply the license file from License
Management page in the product GUI.
MS SQL Server migration

2. Backup the old NetFlow Database and restore on to the new Database server
(Connect MS SQL client using SQL Server Management Studio and backup NetFlow database
and restore it in new server).
3. From the New MS SQL server, copy the
files bcp.exe and bcp.rll to OpManager/bin/ folder.
4. Please ensure that the 'SQL browser' service is running in the new server.
5. Download the same version of MS SQL server Native client and install it in the NetFlow
server. This is needed for NetFlow Analyzer to communicate with remote database server.
After installing the Native client, please restart the NetFlow Analyzer server.
6. Ensure that the database user for NetFlow has 'sys admin' permission.
7. Open a Command Prompt as administrator and navigate to /OpManager/bin/.
8. Execute ChangeDBserver.bat
9. Check if all the information is correct for the new SQL server, test and save the
configuration.
10. Start the NetFlow analyzer service.
PostgreSQL drive migration

Please follow the steps below to migrate the installation to a different drive.
Note: The build number of the NetFlow Analyzer should be the same on both the
servers. You can find the Build number by clicking on the 'About' link on the top right
corner of the user interface.
Steps:
1. Shut down NetFlow Analyzer service.
2. Backup the below directories\files to a safe location.
 data folder from <OpManager> home directory.
 pgsql folder from <OpManager> home directory.
 AdventnetLicense.xml file from <OpManager\lib> directory.
3. Uninstall the current build after taking backup and install same NetFlow Analyzer build
64 on the server and run the NetFlow Analyzer service once. You can download the same
build from this link: http://archives.manageengine.com/netflow/
4. Run the service once and shutdown the NetFlow Analyzer service.
5. Restore the backed up folders to the new installation under the same location:
 data folder backed up from <OpManager> home directory to <OpManager>
home directory.
 pgsql folder backed up from <OpManager> directory to <OpManager>
directory.
6. Once copied, open Command Prompt as 'Administrator' and navigate
to OpManager_Home/bin and execute initPgsql.bat / sh once.
7. Start the NetFlow Analyzer service and apply the license file from License
Management
Configure flows in NetFlow Analyzer
The first step to begin analyzing your flow data, NetFlow Analyzer lets you export flows from
your network devices. The different flow formats supported by NetFlow Analyzer are NetFlow,
sFLow, jFlow, IPFIX, Netstream, Appflow, etc. Once the flow data is exported from your
routers, switches and firewalls, NetFlow Analyzer will show traffic data in the dashboard and
inventory tab.
There are two ways of exporting flows in NetFlow Analyzer:
1. Using NetFlow Analyzer export flow tab

2. Using terminal
Export flows from GUI

Refer the below link to export flows using NetFlow Analyzer's export flow tab:
https://www.manageengine.com/products/netflow/help/how-to-add-a-device-in-netflow-
analyzer.html
Configuration steps for the devices supported

The following chart specifies information on various vendors and the flow supported. Click on
the specific device name to view the configuration steps for the corresponding flow export.
Device/Vendor Supported Flow

Export
Cisco devices NetFlow
Juniper devices cflowd, jFlow
Nortel IPFIX
Huawei, 3com,H3C Netstream
Alcatel-Lucent, Extreme Networks, Foundry Networks, HP, Hitachi, sFlow

NEC, AlaxalA Networks, Allied Telesis, Comtec Systems, Force10
Networks
Device/Vendor Supported Flow
Export
Brocade vrouters NetFlow
Fortigate NetFlow
Cybrome firewall NetFlow
Checkpoint & Sonicwall firewall sFlow
Configuring Huawei CE

This device support Flexible netstream flow export. Please configure the device as mentioned
below:
netstream export ip index-switch 32// to set the interface index exported to be in 32
bit format
netstream timeout ip active 1// to set the active timeout of the flows packets to 1 min
netstream timeout ip inactive 15
netstream template ip timeout 1// to set the v9 template timeout to 1 min
netstream export ip source source interfaceIP// Source IP can be any which
has routing to NFA server
netstream export ip host NFAserver IP 9996 // Enter the IP address of NFA
installed server and over the UDP port 9996
netstream export ip version 9
netstream record NetFlow ip
match ip tos match ip protocol
match ip source-address
match ip destination-address
match ip source-port
match ip destination-port
collect counter packets
collect counter bytes
collect interface input
collect interface output
Under all interfaces of the device:

netstream record NetFlow ip
netstream inbound ip
Sflow Configuration:
Sflow export happed from the device only over the default UDP port 6343 to the NetFlow
Analyzer server and it is not configurable in the device:
system-view
The system view is displayed.
sflow agent { ip ip-address | ipv6 ipv6-address } *

An IP address is configured for an sFlow agent.
By default, an sFlow agent uses the IP address of the outbound interface in a route to the
sFlow collector as an ip address of sFlow agent.
The IP address of an sFlow agent is contained in the data field of sFlow packets, and uniquely
identifies an sFlow agent. It is recommended that you configure the IP address of an sFlow
agent manually.
sflow source { ip ip-address | ipv6 ipv6-address } *
The source IP address of sFlow packets is configured.
By default, an sFlow agent uses the IP address of the outbound interface in a route destined
for the sFlow collector as a source IP address of sFlow packets.
sflow collector collector-id { ip ip-address | ipv6 ipv6-address }

[ vpn-instance vpn-instance-name | length length-value | udp-port udp-
port-number | description description ] *
Parameters are set for an sFlow collector.
By default, no sFlow collector is configured. A maximum of two sFlow collectors can be
configured in the system.
commit
The configuration is committed.
Under All interface of the device:
interface interface-type interface-number
sflow sampling { collector { collector-id } &<1-2> | rate rate |

length length | inbound | outbound }
sflow counter { collector { collector-id } &<1-2> | interval interval
For example:
system-view
sflow agent 1.1.1.1
sflow source 1.1.1.1
sflow collector 1 ip 192.162.1.10
interface 10ge 0/1/2
sflow sampling collector 1 rate 1000 inbound outbound
sflow counter collector 1 interval 60
Configuring sFlow for Huawei Devices

Please configure the Huawei device to export sFlow packets to the NetFlow Analyzer server:
Under System-view:
sflow collector 1 ip (NetFlow Server IP) port 9996

sflow agent ip (Device IP)
Under each interface :
Example:
Interface (interface name)

sflow counter-sampling collector 1
sflow counter-sampling interval 30
sflow flow-sampling collector 1
Configuring NetStream Export

On Huawei Devices:
Follow the below command to enable NetStream on huawei devices
ip netstream export host {hostname|ip_address}

9996
This exports the NetStream exports to the specified IP address. Use the IP address of the
NetFlow Analyzer server and the configured listener port. The default port is 9996.
ip netstream export source interface {interface

name}
Sets the source IP address of the NetStream exports sent by the device to the specified IP
address. NetFlow Analyzer will make SNMP requests of the device on this address. For
enabling Netstream on the desired interface, please execute the following command
ip netstream inbound

Example: Netstream config for Huawei devices
To configure Huawei device 192.168.1.1 to export flow to server 192.168.2.2
ip netstream export host 192.168.2.2 9996

ip netstream export source 192.168.1.1
ip netstream timeout active 1
ip netstream timeout inactive 15
ip netstream export version 9
ip netstream template timeout 1
Under all interfaces:
Dashboard Overview

NetFlow Analyzer Dashboard gives detailed information on all the top activities happening in
your network in a quick view with extensive customization options. We have different view to
give specific information on each category like Traffic, Applications, QOS, WAAS, WLC,
Attacks, NCM ( Advanced Security Analytics module) etc. Also NetFlow Analyzer provides
options to create custom Dashboards for different view and that you can set as default
dashboard for your login screen in a single click.
Traffic Overview in NetFlow Analyzer

Traffic overview provides details information on top talker in your network in an quick view with
the Information on the Interfaces monitored using the Heat Map, Top Conversations, Top
QOS, Top Applications, Top Protocols, Device Summary, and Recent Alarms .
Heat Map Widget

Provides the information on the Interfaces monitored and sending flows, inactive interfaces that
are not sending flows and interfaces that are administratively down with different color codes.
You can also mouse over to the heat map to get the Interface detail, Device with which the
interface is associated with and the status of the interface. You can even click on the any
interface in Heat map and this will take you to the Interface details view.
Widget names can be changed by clicking on the edit icon next to the
widget
Top N Conversations
The table gives a glance about the top 5 or 10 conversations based on the Device, Interfaces ,
Interface Groups or IPGroups with information on Source IP, Destination IP, Application and
Traffic utilized. By default the widget will show the top conversations from all the devices
monitored in NetFlow Analyzer.
You can customize the Widget to view the information based on Interfaces, interface groups or
IP groups for different time periods like Last 30 mins, Hourly, 6 Hours, 24 Hours, Today and
Yesterday by clicking on the edit icon on the right top of the Widget.
You can get the widget information based on IP address or Network address by selecting the
Resource Category in the Edit view.
Top N QOS
The chart gives a glance about the top 10 DSCP and its utilization based on the Device,
Interfaces, Interface Groups or IPGroups. By default the widget will show the top DSCP based
information from all the devices monitored in NetFlow Analyzer.
You can customize the Widget to view the information based on Interfaces or IP groups for
different time periods like Last 30 mins, Hourly, 6 Hours, 24 Hours, Today and Yesterday by
clicking on the edit icon on the right top of the Widget.
Top N Applications
The table gives a glance about the top 10 Application and its utilization based on the Device,
Interface, Interface Groups or IPGroups. By default the widget will show the top Applications
based information from all the devices monitored in NetFlow Analyzer.
Top N Protocols
The table gives a glance about the top 10 Protocol and its utilization based on the Device,
Interfaces, Interface Groups or IPGroups. By default the widget will show the top Protocols
based information from all the devices monitored in NetFlow Analyzer.

Device Summary
Quick Details on Devices Monitored with Device Summary details based on categories like
Routers, Switches, Firewalls and WLC. You can get to the Device details view by directly
cliking on any device.
Recent Alarms
The alerts report provides an at-a-glance view of the alerts generated in the network for the
last hour and a specified time period. The alerts are generated based on the list of criteria
provided in the alert profile.Click on the last hour or all alert link to view the type of alerts.
The report lists the device name, the interface and the time at which the alert was last
generated and the number of such alerts.
Apps Overview

This view provides the information on Top 10 Layer 4 and Layer 7 application and its traffic
utilization.
Layer 4
Layer 4 pplications are the application that are categorized based on the port and protocol
mapping available in NetFlow Analyzer. We have around 10,000 + port and protocol mapping
available based on IANA standards in NetFlow Analyzer to get the application details.
You can customize the Widget to view the information for different time periods like Last 30
mins, Hourly, 6 Hours, 24 Hours, Today and Yesterday by clicking on the edit icon on the right
top of the Widget.
Layer 7
Layer 7 application have the NBAR based application information that can be exported by
Cisco Devices. If the device is configured to export NBAR information we show this
information.
You can customize the Widget to view the information for different time periods like Last 30
mins, Hourly, 6 Hours, 24 Hours, Today and Yesterday by clicking on the edit icon on the right
top of the Widget.
Top N Applications By Device
The table gives a glance about the top 10 Application and its utilization based on the Devices.
You can customize the Widget to view the information based on Interfaces, Interface group or
IP groups for different time periods like Last 30 mins, Hourly, 6 Hours, 24 Hours, Today and
Yesterday for IN and OUT direction by selecting the Flow Type option by clicking on the edit
icon on the right top of the Widget.
Top N NBAR By Application

The table gives a glance of the top Applications and its utilization based on the Volume
consumption.
You can customize the Widget to view the information based on the Device, Interfaces,
Interface group or IP groups for different time periods like Last 30 mins, Hourly, 6 Hours, 24
Hours, Today and Yesterday for IN and OUT direction by selecting the Flow Type option by

QOS Overview
This View provides top DSCP based qos information that is collected from the flow export by
the devices monitored in NetFlow Analyzer.
Top N QOS
The table gives a glance about the top 10 DSCP and its utilization across multiple Devices,
Interfaces or IPGroups. By default the widget will show the top DSCP based information from
all the devices monitored in NetFlow Analyzer.
Top N QOS By Device
The widget gives a glance about the top 10 DSCP and its utilization based on the Device,
Interfaces, Interface group or IPGroups for both IN and OUT direction by selecting the Flow
Type option by clicking on the edit icon the right top of the Widget.
Traffic Graph
The graph gives a glance of all the top In and Out traffic based on the Devices, Interfaces,
Interface groups or IPGroups. The default value of the graph is bps.
WAN Overview

WAN dashboard view shows a detailed overview based on the IPSLA Voip monitor created in
NetFlow Analyzer. IPSLA voip details are collected using SNMP from the Cisco device.
These view show the locations and their destinations along with the jitter, latency and packet
loss details. The bad call details and the top 10 call paths by jitter, latency, MOS and packet
loss are also displayed. This provides you to have a quick view on VOIP link performance and
helps to react proactively.

WLC Overview

NetFlow Analyzer provides information on the wireless controllers and connected Access
Points with SSID and connected Clients with application, QOS and bandwidth utilization based
on Controller, Access Point, Time Frame, Resource Type, Client and SSID with different
widgets.

Top In N User by Wlan SSID
Displays Top 10 details based on Wireless SSID and its traffic utilization for IN direction.

Top Out N User by Wlan SSID
Displays Top 10 details based on Wireless SSID and its traffic utilization for OUT direction.

Top In N Application
Displays Top 10 details based on Application and its traffic utilization for IN direction for WLAN.

Top Out N Application
Displays Top 10 details based on Application and its traffic utilization for OUT direction for
WLAN.

Top In N Application by Wireless Host
Displays Top 10 details based on wireless Host IP and its traffic utilization for IN direction for
WLAN.

Top Out N Application by Wireless Host
Displays Top 10 details based on wireless Host IP and its traffic utilization for OUT direction for
Wireless Host.

Top In N User by Mac
Displays Top 10 details based on wireless client MAC address, Access Point and its traffic
utilization for IN direction.
Top Out N User by Mac
Displays Top 10 details based on wireless client MAC address, Access Point and its traffic
utilization for OUT direction.
Top In N Qos
Displays Top 10 details based on QOS and its traffic utilization for IN direction for WLAN
Controller.
Top Out N Qos
Displays Top 10 details based on QOS and its traffic utilization for OUT direction for WLAN.
Attacks Overview
Attacks or Advanced Security Analytics Module (ASAM) is a flow based network security
analytics tool that helps detect and classify network intrusions. It offers intelligence to detect a
broad spectrum of external and internal security threats. Using the "Continuous Stream Mining
Engine" technology, ASAM analyzes NetFlow packets in real time and matches multiple events
without duplication. It also offers continuous overall assessment of network security. ASAM is
available as an add-on module for NetFlow Analyzer and requires a license to run. Since
NetFlow packets are exported directly from NetFlow Analyzer there is no configuration required
on the module.
Top N Problem
Displays the top 10 problem classes and their respective problems by default. It also lists the
start and end time for each problem types withnumber of events involved. You can click on the
Edit icon to change the Top view from 10 to 5 and get the information based on different
time periods.
Top N Offender
Display the information on top 10 Offender IP with the Geo location with the number of events
involved. You can click on the Edit icon to change the Top view from 10 to 5 and get the
information based on different time periods.
Top N Target
Display the information on top 10 Target IP with the Geo location with the number of events
Top N Offender Location
Display the information about the top offender location and events involved. You can click on
the Edit icon to change the Top view from 10 to 5 and get the information based on
different time periods.

Top N Target location
Display the information about the top target location and events involved. You can click on the
Edit icon to change the Top view from 10 to 5 and get the information based on different
time periods.
Top N Devices
Display the information based on the Devices involved in problem classes in the network with
the events involved. You can click on the Edit icon to change the Top view from 10 to 5
and get the information based on different time periods.
Top N Interfaces(Routed Via)
Display the information about top device and interface involved in a problem with the events
NCM Overview

Network Configuration Manager is an NCCM ( Network Configuration and Compliance

Management) tool used to take the configuration backup, push configuration to the devices
and also do the Compliance check on the devices and many more operations. This view
provided an quick view on Devices and its configuration and compliance status with different
widgets like:

DPI Overview in NetFlow Analyzer Version

12
Deep packet inspection allows you to capture network packets and analyzes packet capture (PCAP) files.
The DPI capabilities rely on packet-level analysis to determine whether the network or an application is
at fault and react quickly to the issues before they impact users. It gives clear visibility to network
administrators about the volumes, application and network performances of application traffic for their
enterprise network and helps them to diagnose application performance problems with response time
details and drill even further to the root cause of performance degradation issues.
This view provided an quick view on number of applications and URLs accessed within the network
with different widgets like:
1. Top N Application by NRT

2. Top N Application by ART
3. Top N URL by NRT
4. Top N URL by ART
5. Top N Application by Volume
6. Top N URL by Volume
7. Traffic report by speed
Inventory in NetFlow Analyzer

We have 4 separate categories in the Inventory tab, based on the selected view we show the
appropriate information:
Views Description
Flow Analysis Represents the information based on the Flow packets
exported by the Devices.
Config Management Represents the Network Configuration Manager (NCM) add-on.

This view show on all the information regarding Devices that
are managed for Configuration based operations
IPSLA Represents the view for IPSLA VOIP, WAN and VIDEO
monitors created.
Packet Analysis Represents Deep packet inspection add-on. It provides

information on Application & Network Response Time and
traffic volume wrt packets.
Flow Analysis

NetFlow Analyzer Flow Analysis show the details and in-depth informations on Device
bandwidth, Interface real-time bandwidth statistics and top talker information, Apps, IP
groups and Interface Groups, Attacks and WLC in separate view.
List of Views Available in Flow Analysis
 Devices Details
 Interfaces Details
 Groups
 Apps
 QOS
 WLC
 Attacks
Devices Tab in NetFlow Analyzer
This view lists all the devices that are actively exporting flows to the NetFlow Analyzer.
NetFlow Analyzer auto detect the device over you have configured your devices to export the
flow packets to the UDP 9996 (Default).
Device Discovery
NetFlow Analyzer discover the device with the source interface IP configured in the device flow
export and Interfaces with Ifindex. NetFlow Analyzer use SNMP to get the Device Names,
Interface names and Interface speed. You can also get the Device DNS names discovered in
NetFlow Analyzer.
To view the Devices based on the Device Group created, you can select the Group name on
the right hand side to view only the devices available in the selected group.
To view the Router, Switches and Firewall separately, you can select the appropriate option
from to get the view:
You can sort the Device view based on each column i.e Router Name, IP address , Interface
Count and Flow Count by clicking on the respective column name.
Click on the device name and you will see the Device traffic graph for the device for Today
average by default.
Device Details
Drill down by clicking on the icon to see the particular device-based 10 top interfaces
based on utilization and speed, top protocols, top application, top source, top destination, top
conversation, top DSCP and AS information for the device.
By default you will see the information for Today(last 24 hours) time period. You can select the
different time period by clicking on the icon and can set Custom time selection and get
the reports.
Autonomous System View

The Autonomous System View displays information on all the autonomous systems (AS) to
which a router belongs, along with traffic details for each AS.
In order to get AS info in this view, you need to configure your router to include AS info. AS information collectio
especially when configured for origin-AS. In case you are not interested in monitoring peering arrangements, disab
improve NetFlow Analyzer performance.
View Device Traffic Information

Device Traffic can be viewed based on 1, 5 and 15 mins average by clicking on the Data
Points option and you can change the Report Type to view the graph based on Device traffic
by default, Interface IN speed and Interface OUT speed.
You can view the Interface traffic graph of the devices based on speed and utilization.
Application tab will list up top 10 applications by default, you can change the Type to Protocol
to view top 10 Protocols used.
By default NetFlow Analyzer show the Source IP, Destination IP and conversation only by IP
address, you can select the Resolve DNS toggle to get the view based on DNS names of the
IP address. NetFlow Analyzer do nslookup in the local installed server to get the DNS names
of the IP address.
You cannot drill down further under Application, Source, Destination or QOS as we only show
top 10 information for the device for the selected time period and remaining will be listed as
Others.
Setting SNMP in NetFlow Analyzer
NetFlow Analyzer uses RFC1213 MIB to get the Interface names, Interface speed and Device
names using SNMP.
Allows to do SNMP update for a single device or All devices in bulk using the SNMP
credentials configured under Settings -> Discovery -> Credentials.
Update Device/Interface Details using SNMP
You can click on the to get the below various settings to update for Devices:
Edit Device Details:
This view allows you to change the Display name of the router manually. Also you can get the
Display name of the router using DNS and SNMP by selecting the appropriate option as shown
below:
Set SNMP :
Select the Correct SNMP credentials configured on the device -> Click Test Credentials -> You
will get the status of the Test.
If it shows OK, you can click on Save to do the update>This will get the Device name, Interface
name and Interface speed updated with SNMP names.
Import Devices to NCM

Add to NCM :
You can add the Devices that are discovered in NetFlow Analyzer directly in NCM add-on for
configuration backup, Compliance and change management options.
Interface Details in NetFlow Analyzer

Version 12

NetFlow Analyzer version 12 shows the Interfaces view separately. You can select the
view from the below option to view Active, Down , Inactive and Unknown interfaces
separately.

Status of interfaces can be detected based on the below icons presented beside the
interface names.

Icon Status Description
Active Interface The link is UP and flows are being received

Unknown Interface The interface is responding to SNMP requests and the link is UP,
but no flows received from last 10 minutes
Down Interfaces The interface is responding to SNMP request and the link is Down
and no flow received from last 10 mins
InActive interfaces The status of the interfaces is unknown and no flows received from
last 10 minutes.
The interfaces sending flows but not managed due to the license
New Interfaces limit.
Views in Interfaces tab:

You can see the Interface view in 3 different ways:

 Default Table view
 List view
 Heat Map view

The IN Traffic and OUT Traffic columns show the utilization and speed of IN and OUT
Traffic on the respective interfaces for the past 12 hour(Today) average, you can
change the average view by clicking on the clock icon %click icon%. You can click
on the IN Traffic or OUT traffic bar to view the respective application traffic graph
for that interface.

Traffic Details
To get the real time traffic details for the interface you have to drill down the interface that
you want to monitor. Clicking the interface name will give a quick view of traffic graph for
the selected interface for last 12 hours.
Click on the arrow to expand the view to get the detailed information on the
interface like:
 Real Time traffic
 Application
 Source
 Destination
 QOS
 Conversation
 CBQOS
 NBAR
 Top Sites
 Application Group
 Multicast traffic
 Medianet traffic
 NBAR2 Application
 Http Host
 QOS Stats
 ART ( Application Response Time )
Real Time Traffic Details in NetFlow

Analyzer

NetFlow Analyzer generates traffic graphs as soon as Netflow data is received. The Traffic tab
shows real-time traffic graphs for incoming and outgoing traffic. Depending on which link was
clicked, you can see traffic graphs for an interface.

The Traffic reports are displayed based on Volume of traffic, Speed, Bandwidth utilization, and
number of packets received/sent by a specific resource. The graph and the data points can be
viewed as Today, last 15 mins, last month or other by selecting from the top left.
The Packets tab shows the number of actual packets of traffic data received. This information is included in expo
The Traffic IN Details and the Traffic OUT Details show sampled values of traffic generated

over the selected time period.The Packets tab shows the number of actual packets of traffic data
received. This information is included in exported Netflow data.
Time Filters
The default graph is for the "Last Day". You can choose to see hour-based data in the traffic graphs
for daily and weekly reports. To do this, first select the Last Day Report or Last Week
Report option in the top time selection bar. When the respective traffic graph is displayed, the table
below the graph includes manual selectable area to view details in depth.

95-th Percentile
The 95th percentile is the number that is greater than 95% of the numbers in a given set. The
reason this statistic is so useful in measuring data throughput is that it gives a very accurate picture
of the maximum traffic generated on an interface. This is a standard measure that is used for
interpreting the performance data.
The 95th Percentile is the highest value left when the top 5% of a numerically sorted set of collected
data is discarded. It is used as a measure of the peak value used when one discounts a fair amount
for transitory spikes. This makes it markedly different from the average. The following example
would help you understand it better.
Consider if the data collected for CPU Utilization is

60,45,43,21,56,89,76,32,22,10,12,14,23,35,45,43,23,23,43,23 (20 points). This list is sorted in
descending order and a single top value, 89, is discarded. Since 1 consitutes 5% of 20, we
discarded 1 value in this case. The highest value in the remaining list, 76, is the 95th percentile.
Selectable Graph
NetFlow Analyzer brings you the added advantage of drill-down to the traffic graphs presented. As
you hover the mouse over the plot-area you can see a "+ " - cross-hair icon. Click on an area of the
graph and holding the mouse down, drag it to the point(time period), you wish to further drill down
to. For example : Having chosen a Last week report you could choose to study two specific days by
selecting them. You could further drill down on until the time period you have chosen is more than 1
minute. Click on "reset graph" link to take you to a time period depending on the time difference
between the From time and the system time.

Illustration
If you choose Last Hour Report at 18:15 hours, then a graph with a plot of data from 17:15 to 18:15
is shown. If you choose the time period 17: 25 to 17:50 then a corresponding graph with 1 Minute
Average is shown. When you click on the "reset graph" link the screen changes to the Last Hour
report. ( as the time difference between the From Time 17:25 and system time 18:20 is less than 1
hour)
Thus depending on the time difference you are either taken to the Last Hour or Last Day or
Last Week or Last Month or Last Quarter graph. Applications

The Applications tab displays all the applications that pass through a specific interface for a
selected period of time. Choose between IN and OUT to display the application-wise distribution of
incoming or outgoing traffic respectively for selected interface using the radio
button above the widget . The default view of the application report shows
Traffic IN details. The applications, for the ease of monitoring can be grouped as application groups
and top-sites.
We have 2 views to view the Application view. You can select view by click on the Radio
Buttons above the widget.

Chart View

List View:
Applications Report
The report shows application-wise distribution of incoming and outgoing traffic. The list of
applications are ordered to show the top applications that contribute to maximum network traffic
along with the volume of traffic and the total percentage of network traffic it occupies. Clicking on
the application name will highlight the detailed report of the traffic.
// The Show Ports Link next to an application name indicates that that application is not identified by
NetFlow Analyzer. When you click on Show Ports Link, a window opens up showing the port and
protocol details for this application. If it is a valid application you can then add it to the list of
applications in the Application Mapping page. ( This Option will be available in next release )

The Show Ports Link will be displayed next to an unknown application only in the Last Hour
report.

Click on an application's name to see the Top Conversations that contributed to this application's
traffic.
You can export the report as PDF by clicking on the icon.

Applications Group
This report displays different applications that are grouped together for the ease of view. This
feature enables you to group the applications as a single entity.

Creating an application group:
To create applications group navigate to Settings -> NetFlow -> Group Settings -> Application
Group
1. Select Application Group
2. Click on "add" to create a new application group
3. Specify the group name, a description about the group and select the applications you want
to group together
4. Click "save" to view the application group.
Now, a new application group has been created.

Adding a sub application

The "Add Sub App" options allows you to add a sub application to the list of applications under
top sites tab. Through this, you can add a name to the IP address, range, or network and associate
it with an application name. This helps identify the IP network, range or address that has accessed
a particular application.

Viewing Top Protocols
Click on the drop arrow and select Protocol link to see the top protocols for the selected Devices in
Devices reports view:

Choose between IN and OUT to display the protocol-wise distribution of incoming or outgoing traffic
respectively.

This report sorts traffic based on the protocol used, while the Application IN/OUT
Report sorts traffic based on the application, i.e., the combination of port and protocol.

The pie chart shows what percentage of bandwidth is being used by each protocol. From here, you
can the export the report as a PDF by clicking on the icon.

Support for Internet Protocol Version 6(IPV6)
IP version 6 (IPv6) is a new version of the Internet Protocol, designed as the successor to IP
version 4 (IPv4). IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels
of addressing hierarchy.
NetFlow Analyzer now offers support for IPV6. You can view the raw data records for the last two
hours in IPV6 format. since the IPV6 addressing format yet to be adapted by most people worldwide
we are offering support for IPV6 format only at raw data level. The raw data collected for top ten
applications, source, and destination for the past two hours can be viewed in IPV6 format.
Top Hosts

The Source tab shows the top source hosts contributing to traffic in the selected time period. The
default view shows the Top SourceIN Report.

The Destination tab shows the top destination hosts contributing to traffic in the selected time
period. The default view shows the Top DestinationIN Report.

Choose between IN and OUT to display the top hosts in incoming or outgoing traffic.

Exand the widget by clicking on to get the details list of Source and Destination reports.

When you drill down from an IP group, traffic is unidirectional, and hence
the IN and OUT options are not available.
The Time Period icon lets you choose between options available in the drop-down as per
your requirement at the top. The From and Toboxes let you choose custom time periods for the
graphs. The time period for these graphs is based on the current system time. Once you select the
desired date and time, click the OK button to display the appropriate source or destination traffic
report.

The default report view shows the IP addresses of the hosts. Click the Resolve DNS link to see the
corresponding DNS values.

Click the Network link to ON to see the network-wise top sources and destinations.
Ex: 192.168.4.0 / 24 . Here 192.168.4.0 is the IP address and 24 is the network mask.
QoS
QoS or Quality of service is the most important factor that determines how effectively the available
enterprise bandwidth is being used in the WAN. It is also an index of the overall User Experience of the
available Bandwidth.
The QoS feature by default lists out the Top DSCP IN Report. Clicking on the icon next to the DSCP
value gives a detailed traffic graph in a pop-up screen.
DSCP
The DSCP Groups can be viewed by clicking on the drop down arrow on the widget and select DSCP Group.
If no DSCP Groups have been created earlier, then an appropriate message is displayed and the user is
prompted to create a DSCP group.
The time period for which the report is shown can be controlled by using the time selection icon at the
top.
TOS
You can view the top TOS information by clicking on the drop down arrow at the top of the widget:
Conversations

The Conversation tab shows the top conversations contributing to traffic in the selected time
period. The conversations detail report lists the number of resources accessed the specific
application. It gives the details of the conversation like source, destination, application type,
DSCP, volume of traffic, and the perecentage of traffic the specific conversation contributes.

Choose between IN and OUT to display the top conversations in incoming or outgoing traffic.
Expand the widget by clicking on the icon to get the detailed list of converstion for selected
time period.

The Time Period icon lets you choose between options available in the drop-down as per
your requirement.

The default report view shows the IP addresses of the hosts. Click the Resolve DNS side button to
see the corresponding DNS names.

The default list shows the conversations sorted in descending order of number of bytes of traffic.

Because the Internet by itself has no direct knowledge of optimizing the path for a particular application or
user, the IP protocol provides a facility for upper layer protocols to convey hints to the Internet Layer about
how the trade-offs should be made for a particular packet. This facility is the "Type of Service" facility,
abbreviated as the "TOS facility".
The TOS facility is one of the features of the Type of Service octet in the IP datagram header. The Type of
Service octet consists of three fields. The first 3 bits ( 0,1,2) are for the first field, labeled "Precedence" ,
intended to denote the importance or priority of the datagram. The second field, labeled "TOS" , denotes how
the network should make tradeoffs between throughput, delay, reliability, and cost.The last field, labeled
"MBZ" ( for "must be zero" ) above, is currently unused. The originator of a datagram sets this field to zero
(unless participating in an Internet protocol experiment which makes use of that bit). Routers and recipients
of datagrams ignore the value of this field.This field is copied on fragmentation.
Specification of the TOS Field

The semantics of the TOS field values (expressed as binary numbers):

1000 minimize delay
0100 maximize throughput
0010 maximize reliability
0001 minimize monetary cost
0000 normal service

The values used in the TOS field are referred to as "TOS values", and the value of the TOS field of an IP
packet is referred to as the "requested TOS". The TOS field value 0000 is referred to "default TOS."
Because this specification redefines TOS values to be integers rather than sets of bits, computing the logical
OR of two TOS values is no longer meaningful. For example, it would be a serious error for a router to
choose a low delay path for a packet whose requested TOS was 1110 simply because the router noted that the
former "delay bit" was set.
Although the semantics of values other than the five listed above are not defined , they are perfectly legal
TOS values, and hosts and routers must not preclude their use in any way. Only the default TOS is in any
way special. A host or router need not make any distinction between TOS values
For example, setting the TOS field to 1000 (minimize delay) does not guarantee that the path taken by the
datagram will have a delay that the user considers "low". The network will attempt to choose the lowest
delay path available, based on its (often imperfect) information about path delay. The network will not
discard the datagram simply because it believes that the delay of the available paths is "too high" (actually,
the network manager can override this behavior through creative use of routing metrics, but this is strongly
discouraged: setting the TOS field is intended to give better service when it is available, rather than to deny
service when it is not).
Use of the TOS Field in Routing

Both hosts and routers should consider the value of the TOS field of a datagram when choosing an
appropriate path to get the datagram to its destination.The mechanisms for doing so are discussed in this
section.
Whether a packet's TOS value actually affects the path it takes inside a particular routing domain, is a choice
made by the routing domain's network manager. In many routing domains the paths are sufficiently
homogeneous in nature that there is no reason for routers to choose different paths based up the TOS field in
a datagram. Inside such a routing domain, the network manager may choose to limit the size of the routing
database and of routing protocol updates by only defining routes for the default (0000) TOS.
Neither hosts nor routers should need to have any explicit knowledge of whether TOS affects routing in the
local routing domain.
Inherent Limitations:
The most important of all the inherent limitations is that the TOS facility is strictly an advisory mechanism. It
is not an appropriate mechanism for requesting service guarantees. There are two reasons why this is so:
 Not all networks will consider the value of the TOS field when deciding how to handle and route
packets.Partly this is a transition issue: there will be a (probably lengthy) period when some networks will
use equipment that predates this specification. Even long term, many networks will not be able to provide
better service by considering the value of the TOS field. For example, the best path through a network
composed of a homogeneous collection of
interconnected LANs is probably the same for any possible TOS value. Inside such a network, it would make
little sense to require routers and routing protocols to do the extra work needed to consider the value of the
TOS field when forwarding packets.
 The TOS mechanism is not powerful enough to allow an application to quantify the level of service
it desires. For example, an application may use the TOS field to request that the network choose a path
which maximizes throughput, but cannot use that mechanism to say that it needs or wants a particular
number of kilobytes or megabytes per second. Because the network cannot know what the application
requires, it would be inappropriate for the network to discard a packet which requested maximal
throughput because no "high throughput" path was available.
Top Sites

This report displays the applications contributing to the maximum network traffic.
Expanding the applications displays name of the website (if the DNS is resolved) and names of top
10 machines in your network (if the DNS is resolved) connecting to that website. It will also give the
contribution of traffic in terms of upload & download volume (and % of total traffic) from each IP
address to the particular site through that application. You can also view the total traffic percentage
across each application. The report gives a detailed view about the traffic in terms of upload &
download volume and percentage of total traffic from each IP address to the specific site via the
application. Further drill-down to the website name gives you information on the upload or download
traffic detail and the specific IP address that accessed that site.
NBAR

NBAR is a more of an intelligent classification and has the ability to identify web based and client-
server applications that uses dynamic ports as well as those using well known port numbers (like Bit
Torrent). This helps the network administrator identify what really is going on in the network and
then define QoS policies to ensure that the bandwidth is used for its original purpose – run business
applications.
You can select the Grid option to view the list of NBAR apps and its bandwidth utilization.
Expand the widget by clicking on the to get the complete list of NBAR apps of the
selected interface.
Click on the NBAR app to get the Conversation details based on the NBAR applications.
Application Mapping, Application Group,

DSCP Mapping and DSCP Group

Application Mapping
The Application Mapping option lets you configure the applications identified by NetFlow
Analyzer. You can add new applications, modify existing ones, or delete them. Please see
the Additional Notes on Application Mapping section to understand this feature more clearly. Also
it is possible to associate an IP address with an application.

Adding an Application
Follow the steps below to add a new application:
1. Navigate to the Settings option in NetFlow Analyzer UI.

2. Click on NetFlow listed in the top menu bar.
3. Navigate to the Mappings option available in the left menu bar and select Application
List.
4. Click on Add button available on that page and provide a name to identify the
Application group in the Application Name box .
5. To enter a port range, separate the start and end points of the range with a hyphen.
(eg.) 1400-1700
6. Choose the protocol from the list of protocols
7. Choose one of the options from IP Address / IP Network / IP Range. Depending on
what you opt a set of fields are enabled and should be filled.
 If you opt for IP Address then you have to enter the address in the IP Address
box.
 If you opt for IP Network then you have to enter the IP Network and IP
Netmask details.
 If you opt for IP Range then you have to enter the Start IP, End IP and IP
Netmask Enter a unique name for the application
8. The Application Name has to be entered finally by which the IP address is associated
with an application.
Ensure that the combination of port number and protocol is unique. If not, the older
application mapping will be deleted.
Once you are done, click the Save button to save your changes.
Modifying an Application
Select an application and click the Modify window will pop up to modify its properties
You can only change the name of the application. If you need to change the port or the
protocol, you have to delete the application, and add it as a new application.
Once you are done, click the Update button to save your changes.
Deleting an Application
Select an application and click the Delete button to delete it. The application is permanently
deleted, the corresponding port is freed, and can be assigned to another application.
Additional Notes on Application Mapping

Applications are categorized based on the source address, destination address, source port,
destination port and protocol values in the flow record. These values are matched with the list of
applications in the Application Mapping.
The check is done first with the smaller of the 2 ports (source port / destination port), and if no
match is found the bigger of the 2 ports is mapped
Application mappings created with specific IP address / IP Range / IP Network is given higher
priority over applications mappings with no IP address. For example assume you have 2 application
mappings as below:
Port Protocol IP Address / IP Application

Range
80 TCP 10.10.1.0( 255.255 APP1

.255.0)
80 TCP Any APP2
If a flow is received with source address 10.10.10.10 and Port as TCP-80 then it is classified as
APP1. Only TCP-80 flows from non-10.10.10.0 network will be classified as APP2.
Application mappings created with single port is given higher priority over applications mappings
with port range. For example assume you have application mappings as below:
Port Protocol IP Address / IP Application

Range
80 TCP any APP1

70 - to - 90 TCP any APP2
If a flow is received with Port as TCP-80 then it is classified as APP1.
Applications are categorized based on the source address, destination address, source port,
destination port and protocol values in the flow record.
The smaller of the 2 ports (source port / destination port) and protocol is matched with the port-
protocol in the application mapping list
If no match is found, the bigger of the 2 ports (source port / destination port) and protocol is
matched with the port-protocol in the application mapping list.
If no match is found, the smaller of the 2 ports (source port / destination port) and protocol is
matched with the port range-protocol in the application mapping list.
If no match is found, the bigger of the 2 ports (source port / destination port) and protocol is
matched with the port range-protocol in the application mapping list.
If no match is found, the application is categorized as protocol_App (as in TCP_App or UDP_App)
In case the protocol is not available in the application mapping list, the application is categorized as
Unknown_App
The sequence in which the mappings are checked is as follows:

1. Application mapping with specific IP address / IP Range / IP Network is matched.
2. Application mapping with no IP address and single port number / port range.
Application Group
Application Groups allow you to define your own class of applications by including one or more
applications. For example, you might want to classify all your database applications like Oracle,
MySql, MS-Sql in to one group called the DataBase group. Initially when no application groups have
been created a message to that effect is displayed. The Application Group report can be viewed on
the Application tab for each interface.
Adding an ApplicationGroup
Follow the steps below to add a new application group:

3. Navigate to the Group Settings option available in the left menu bar and
select Application Group.
4. Click on Add button available on that page and proceed to the Add Group Screen.
5. Enter the Group Name and the Group Description (eg.) DataBase Group - Contains the
Oracle DB and MySql DB
6. Choose the applications from the list of applications in the left pane
 Select an application by clicking on it.
 Use the " >> " button to include the selected application to the right pane -
"Selected Applications" list.
 Add as many applications as you want to this group.
7. Click on update for the application group to be created with the list of applications you
had selected.
You may create additional Application Groups by clicking on the Add button and following the above
steps.
Modifying an Application Group

Select the Application Group you wish to modify and click on the "Modify" button.
You can only change the Application Group description and the list of selected
applications. It is not possible to change the application group name.
Deleting an Application Group

Select the application group you want to delete and click on the "Delete" button. You are asked for a
confirmation to delete and if you confirm the group is deleted.
DSCP Mapping
The DiffServ model for DSCP Mapping was developed to differentiate IP traffic so that the traffic's
relative priority could be determined on a per-hop basis. Using DSCP Mapping you can name the
DiffServ code points and monitor their traffic in troubleshooting reports under the DSCP tab. Note
that the DSCP reports can be viewed on the Troubleshooting page by clicking on the DSCP tab.
Adding a new DSCP Mapping

Click on the Add button to create a new DSCP Mapping. A window pops out where you may enter
the Group Name and the Code Point ( a six-digit Binary Number). For Example: Data Centre
devices - 001001. Click on the "Add" button to add this mapping.
Modifying a DSCP Mapping
Please note that it is not possible to modify a DSCP Mapping.
Deleting a DSCP Mapping

Select the DSCP Mapping ( the combination of QoS Group Name and Code Points) you want to
delete and click on the Delete button.

DSCP Group
Quality of Service is used to measure, improve and guarantee transmission rates, error rates and
other characteristics in a network's setting. The DiffServ model for DSCP Mapping was developed
to differentiate IP traffic so that the traffic's relative priority could be determined on a per-hop basis.
Using DSCP Mapping you can name the DiffServ code points and monitor their traffic in
troubleshooting reports under the DSCP tab. Note that the DSCP reports can be viewed on the
Troubleshooting page by clicking on the DSCP tab.The DCSP group is very valuable in the
deployment of QoS.
Adding a new DSCP Group

Follow the steps below to add a new application group:

3. Navigate to the Group Settings option available in the left menu bar and select DSCP
Group.
4. Click on Add button available on that page and proceed to the Add Group Screen.
5. Enter the Group Name and the Group Description (eg.) DataBase Group - Contains the
Oracle DB and MySql DB
6. Choose the DSCP Names from the list of names in the left pane
 Select a name by clicking on it.
 Use the " >> " button to include the selected DSCP Name to the right pane -
"Selected DSCP Names" list.
 Add as many DSCP Names as you want to this group.
7. Click on Save for the DSCP Group to be created with the list of DSCP Names you had
selected.
You may create additional DSCP Group by clicking on the Add button and following the above
steps.
Modifying a DSCP Group

Select the DSCP Group you wish to modify and click on the "Modify" button.
Deleting a DSCP Group

Select the DSCP Group you want to delete and click on the Delete button.
Top Sites
The Top Sites report displays the applications contributing to the maximum network traffic.The top
sites option maps application to the resolved DNS names. Using this option you can now Add,
Modify or Delete the pre-defined IP addresses and its corresponding application.
Adding a Top Site

To add a top site follow the steps given below:

3. Navigate to the Mappings option available in the left menu bar and select Top Sites.
4. Click "Add"
5. In the pop-up screen that appears, Select the IP Address, IP Network or Ip range you
wish to map
6. Specify the details
7. Select the Site name
8. Click "Save" to save the changes
Now the Application has been succesfully mapped to the IP address
Modifying a Top Site

To Modify a top site follow the steps given below:
1. Select the Site Name you want to modify

2. Click "Modify"
3. In the pop-up that appears, specify the new site name
4. Click Update to save the changes
Now the site name has been succesfully changed
Deleting a Top Site

To Delete a top site follow the steps given below:
1. Select the Site Name you want to modify

2. Click "Delete"
3. In the pop-up that appears, Click "OK" to delete the site name
Now the site name has been permanently deleted.
Multicast traffic monitoring

NetFlow Analyzer shows the Multicast traffic information that passes through the interface. This
option needs addition configuration in the device to export the multicast traffic information.
IP Multicasting allows a host to send packets to a specific group of hosts. These hosts are
called group members. In a multicast environment, packets delivered to group members are
identified by a single multicast group address. A group of hosts consists of both senders and
receivers. Any host, regardless of whether it is a member of a group, can send to a group.
However, only the members of a group receive the message. NetFlow Analyzer displays IP
Multicasting reports based on volume, speed, utilization and packets.
Enabling Multicast routing in Cisco routers
Follow the commands below to be enable Multicast on Cisco routers:
(config) ip multicast-routing
(config) ip multicast netflow output-counters
(config) ip multicast netflow rpf-failure
(config) interface fastethernet 0/0
(config-if) ip multicast netflow egress
IP Multicasting can be viewed using the Flexible NetFlow, including the multicasting fields in
exports. Given below is an example to export the flows.
Configuring Flow Exporter

cisco_281(config)#flow exporter FNFexp
cisco_281(config-flow-exporter)#destination 192.168.116.80
cisco_281(config-flow-exporter)#source fastEthernet 0/0
cisco_281(config-flow-exporter)#transport udp 9996
cisco_281(config-flow-exporter)#version 9
Configuring Flow Record
cisco_281(config)#flow record FNFREC
cisco_281(config-flow-record)#match routing is-multicast
cisco_281(config-flow-record)#match ipv4 protocol
cisco_281(config-flow-record)#match ipv4 source address
cisco_281(config-flow-record)#match ipv4 destination address
cisco_281(config-flow-record)#match transport source-port
cisco_281(config-flow-record)#match transport destination-port
cisco_281(config-flow-record)#collect routing multicast replication-
factor
cisco_281(config-flow-record)#collect routing forwarding-status
cisco_281(config-flow-record)#collect ipv4 dscp
cisco_281(config-flow-record)#collect ipv4 ttl
cisco_281(config-flow-record)#collect ipv4 source mask
cisco_281(config-flow-record)#collect ipv4 destination mask
cisco_281(config-flow-record)#collect interface input
cisco_281(config-flow-record)#collect interface output
cisco_281(config-flow-record)#collect counter bytes
cisco_281(config-flow-record)#collect counter packets
cisco_281(config-flow-record)#collect counter bytes replicated
cisco_281(config-flow-record)#collect counter packets replicated
cisco_281(config-flow-record)#collect timestamp sys-uptime first
cisco_281(config-flow-record)#collect timestamp sys-uptime last
Configuring Flow Monitor

cisco_281(config)#flow monitor FNFMON
cisco_281(config-flow-monitor)#exporter FNFEXP
cisco_281(config-flow-monitor)#record FNFREC
cisco_281(config-flow-monitor)#cache timeout active 1
cisco_281(config-flow-monitor)#cache timeout inactive 15
Once the configuration is done and saved, flows will be exported to the server where NetFlow
Analyzer is installed. NetFlow Analyzer is based on automatic discovery and so the NetFlow
exporting devices are automatically discovered and reports are generated within seconds of
receiving the flows.
Medianet traffic monitoring

What is Cisco Medianet?
Cisco's Medianet is an intelligent network optimized for media rich traffic that is capable of
reporting on packet loss, latency and jitter. It enables you to monitor the flow of packets to
keep an eye on the performance of the applications and media rich traffic. Performance
monitoring is especially important for voice and video traffic because high quality interactive
video traffic is highly sensitive to network issues. Even minor issues that may not affect other
applications can have dramatic effects on video quality.
NetFlow Analyzer uses Medianet to report on volume and quality of media traffic in your
network. NetFlow Analyzer reports on the volume of media traffic (IN and OUT), round trip
time, packet loss and jitter. You can also view source, destination and applications that are
responsible for the media traffic. These reports help you isolate network issues for rich media
applications and determine the quality of media traffic.
Drill down to each interface of the router for which Medianet export is configured and generate
desired reports from the Medianet tab. The reports can be generated for following parameters
individually:
 Media volume
 RTT
 Jitter average
 Packet loss
Configuring Cisco Medianet

Refer the below link to enable medianet for Cisco
routers: https://www.manageengine.com/products/netflow/help/how-to-enable-medianet-for-
cisco-devices.html
Additional fields in Cisco Medianet reporting
Graph and table view

The graph and table view displays the information of performance metrics in graphical and
tabular format. You can select one of the options to display the data. Table view for "All
Reports" is shown below:
Group by
The group by option allows you to display the performance metrics by source, destination or
application. The below report is grouped by "Application" where metrics such as RTT, jitter and
packet loss is shown wrt the applications
Network and Resolve DNS
Turning the Network "ON" will combine the source and destination IPs in the same network
and show the combined stats. Resolve DNS option will provide the DNS names to the source
and destination IPs.
NBAR 2 Apps

NBAR 2, also known as Next-Generation NBAR, is an advanced version of Cisco NBAR that helps
in identifying Layer-3-7 applications in the network based on some advanced techniques that are
accurate and reliable. Over a 1000 applications are covered through Cisco NBAR 2 and that gives
unprecedented amount of visibility into the applications on the network.
NetFlow Analyzer's NBAR2 reports show the list of applications that are identified with NBAR2
along with their traffic details and the contribution of a particular application's traffic to the total traffic
in the network. Drilling down an application lists the conversations that happened and has fields
such as source IP, destination IP, source port, destination port, DSCP value etc.
To get the NBAR 2 application information in NetFlow Analyzer, you have to configure you CISCO
devices to export netflow packets using Flexible netflow configuration and create flow record to
export NBAR information in the flows.

Application Response Time

ART refers to Application Response time and the ART report helps identifying the
most latent applications in the network based on their response times. The report
shows client packets, server packets, transactions, retransmission, new
connections, responses and traffic. Drilling down a particular application shows the
following graphically:
 Response time distribution
 New connections
 Transactions
 Traffic
 Retransmission
You have to configure the Cisco devices to export the ART information to the
NetFlow Analyzer server to get the statistics. You can get the detailed information
on ART based on each NBAR2 application exported by the device.
You can drill down each NBAR 2 application and get the details information on
Client Packets, Server Packets, Retransmissions, Transactions, Connections,
Responses and Traffic.
Application Response Time is only supported for Cisco ASR and ISRG2 routers.
Please refer the below link to configure ART is ASR routers:
https://forums.manageengine.com/topic/steps-to-enable-avc-in-cisco-ios-and-ios-
xe-routers-using-easy-performance-monitor-%E2%80%9Ceasy-perf-mon
%E2%80%9D-or-%E2%80%9Cezpm%E2%80%9D
https://blogs.manageengine.com/network/netflowanalyzer/2014/02/27/analyzing-
art-using-netflow-analyzer.html
What is CBQoS?
CBQoS (Class-Based Quality of Service) is a Cisco feature set that is part of the IOS 12.4(4)T
and above. This data is retrieved using SNMP and provides information on the QoS policies
applied and class-based traffic patterns within an enterprise's network.
Why do I need CBQoS ?

Typically, networks operate on the basis of best-effort delivery, in which all traffic has equal
priority and an equal chance of being delivered. When congestion results, all traffic has an
equal chance of being dropped. QoS selects network traffic, prioritizes it according to its
relative importance, and uses congestion avoidance to provide priority-indexed treatment.
CBQoS can also limit the bandwidth used by network traffic. CBQoS can make network
performance more predictable and bandwidth utilization more effective. Network administrators
implement CBQoS policies to ensure that their business-critical applications receive the
highest priority on the network. CBQoS provides you in depth visibility into the policies applied
on your links and the traffic patterns in your various class of traffic. The pre-policy, post-policy
and drops in different traffic class along with the queuing status enables you to validate the
efficiency of your QoS settings.
 Creating a traffic class

 Creating a traffic policy
 Attaching a Traffic Policy to an Interface
 Verifying the Traffic Class and Traffic Policy Information
How do I start CBQoS data collection?

Configuring Policies on the router
Initially, CBQoS has to be enabled on the router manually. Further, policies have to be defined
on the router. Usually, Traffic Policies are dependent on the type of enterprise and its business
needs. ( heavy voice traffic, heavy document transfer, heavy streaming video traffic, etc ). The
policy / classification can be done on the basis of Class Maps and Policy Maps.
A class map is a mechanism that you use to isolate and name a specific traffic flow (or class)
from all other traffic. The class map defines the criterion used to match against a specific traffic
flow to further classify it; the criteria can include matching the access group defined by the ACL
or matching a specific list of DSCP or IP precedence values. If you have more than one type of
traffic that you want to classify, you can create another class map and use a different name.
After a packet is matched against the class-map criteria, you can specify the QoS actions via a
policy map. A policy map specifies the QoS actions for the traffic classes. Actions can include
trusting the CoS or DSCP values in the traffic class; setting a specific DSCP or IP precedence
value in the traffic class; or specifying the traffic bandwidth limitations and the action to take
when the traffic is out of profile. Before a policy map can be effective, you must attach it to an
interface.
After a packet is classified and has an internal DSCP value assigned to it, the policing and
marking process has to be done. Policing involves creating a policy that specifies the
bandwidth limits for the traffic. Packets that exceed the limits are out of profile or
nonconforming. Each policy specifies the action to take for packets that are in or out of profile.
These actions, carried out by the marker, include passing through the packet without
modification, dropping the packet, or marking down the packet with a new DSCP value that is
obtained from the configurable policed-DSCP map.
Fetching Policy Details from The Router

The policy details from the router can be found under Settings>Netflow>CBQos, the CBQoS
Configuration tab lists all the interfaces that have policies applied on them are displayed along
with the router names and specific IN and OUT Policies. To facilitate the NetFlow Analyzer
application to recognize the policies applied at each router level, click on the icon. This list all
the routers, along with their Policies. By clicking on "Fetch Policy" it is possible to fetch the
policy details from the router about each individual interface.
Once the policy details have been fetched from the routers the following message is displayed:
"Policy Details Updated". If any policy is not found the "Not Available" message is displayed.
Polling for CBQoS data

After setting the policies on the router and fetching the policy details polling can be started.
Click on the "Update Polling" button to select/unselect the interfaces on which polling has to be
done. The Polling Parameters namely Polling Interval and Time Out can also be modified. The
Polling interval can take any value from 5, 10, 15, 25, 30, 60. Time Out can take values from 5,
10, 15. After selecting/deselecting the list of interfaces on which Polling has to be done and
after the Polling Parameters have been set click on "Update Polling" to start the polling action.
Creating a traffic class

To create a traffic class, use the class-map command. The syntax of the class-map command
is as follows:
class-map [match-any | match-all] class-name
no class-map [match-any | match-all] class-name
 The match-all and match-any Keywords
 The match-all and match-any keywords need to be specified only if more than one
match criterion is configured in the traffic class.
 The match-all keyword is used when all of the match criteria in the traffic class must
be met in order for a packet to be placed in the specified traffic class.
 The match-any keyword is used when only one of the match criterion in the traffic
class must be met in order for a packet to be placed in the specified traffic class.
 If neither the match-all nor match-any keyword is specified, the traffic class will
behave in a manner consistent with the match-all keyword.
About The match not Command
The match not command, rather than identifying the specific match parameter to use as a
match criterion, is used to specify a match criterion that prevents a packet from being classified
as a member of the class. For instance, if the match not QoS-group 6 command is issued
while you configure the traffic class, QoS group 6 becomes the only QoS group value that is
not considered a successful match criterion. All other QoS group values would be successful
match criteria.
Procedure
To create a traffic class containing match criteria, use the class-map command to specify the
traffic class name. Then use one or more match commands to specify the appropriate match
criteria. Packets matching the criteria you specify are placed in the traffic class.
In the following steps, a number of match commands are listed. The
specific match commands available vary by platform and Cisco IOS release. For
the match commands available, see the Cisco IOS command reference for the platform and
Cisco IOS release you are using.
Command or Purpose
Action
Step Router> enable Enables privileged EXEC mode.
1
Step Router # configure Enters global configuration mode.

2 terminal
Step Router(config)# class-

3 map [match-all | match- Creates a class to be used with a class map, and
any] class-name enters class-map configuration mode. The class map
is used for matching packets to the specified class.
Note: The match-all keyword specifies that all match

criteria must be met. The match-any keyword
specifies that one of the match criteria must be met.
Use one or more of the following match commands, as applicable.
Step Router(config-cmap)#
4 match access-group (Optional) Configures the match criteria for a class
{access-group | name map on the basis of the specified access control list
access-group-name (ACL).
Note: Access lists configured with the optional log

keyword of the access-list command are not
supported when configuring a traffic class.
Step Router(config-cmap)# (Optional) Configures the match criteria for a class

5 match any map to be successful match criteria for all packets.
Step Router config-cmap)# (Optional) Specifies the name of a traffic class to be

6 match class-map class- used as a matching criterion (for nesting traffic class
name [nested class maps] within one another).
Step Router(config-cmap)# (Optional) Matches a packet based on a Layer 2

7 match cos cos-number class of service (CoS) marking.
Step Router(config-cmap)# (Optional) Uses the destination Media Access Control

8 match destination-
address mac address (MAC) address as a match criterion.
Step Router(config-cmap)# (Optional) Matches packets of a certain discard class.

9 match discard-class
class-number
Step Router(config-cmap)# (Optional) Identifies a specific IP differentiated

10 match [ip] dscp service code point (DSCP) value as a match criterion.
dscp-value [dscp-value Up to eight DSCP values can be included in one
dscp-value dscp-value match statement.
dscp-value dscp-value
dscp-value dscp-value]
Step Router(config-cmap)# (Optional) Configures the match criteria for a class

11 match field protocol map on the basis of the fields defined in the protocol
protocol-field {eq [mask] | header description files (PHDFs).
neq [mask] |
gt | lt | range range |
regex string}
value [next next-protocol]
Step Router(config-cmap)# (Optional) Specifies the Frame Relay data-link

12 match fr-dlci dlci-number connection identifier (DLCI) number as a match
criterion in a class map.
Step Router(config-cmap)# (Optional) Configures a class map to use the

13 match input-interface specified input interface as a match criterion.
interface-name
Step Router(config-cmap)# (Optional) Configures a class map to use the Real-

14 match ip rtp starting-port- Time Protocol (RTP) protocol port as the match
number port-range criterion.
Step Router(config-cmap)# (Optional) Configure a class map to use the specified

15 match mpls experimental value of the Multiprotocol Label Switching (MPLS)
mpls-values experimental (EXP) field as a match criterion.
Step Router(config-cmap)# (Optional) Matches the MPLS EXP value in the
16 match mpls experimental topmost label.
topmost values
Step Router(config-cmap)# (Optional) Specifies the single match criterion value

17 match not match-criteria to use as an unsuccessful match criterion.
Step Router(config-cmap)# (Optional) Specifies the Layer 3 packet length in the

18 match packet length IP header as a match criterion in a class map.
{max maximum-length-
value
[min minimum-length-
value]
| min minimum-length-
value
[max maximum-length-
value]}
Step Router(config-cmap)# {routed | switched} (Optional) Matches traffic on the

19 match port-type {routed | basis of the port type for a class map.
switched}
Step Router(config-cmap)# (Optional) Identifies IP precedence values as match

20 match [ip] precedence criteria.
precedence-value
[precedence-value
precedence-value
precedence-value]
Step Router(config-cmap)# m
21 atch protocol protocol- (Optional) Configures the match criteria for a class
name map on the basis of the specified protocol.
Note: There is a separate match protocol (NBAR)

command used to configure network-based
application recognition (NBAR) to match traffic by a
protocol type known to NBAR.
Step Router(config-cmap)# m (Optional) Configures NBAR to match Citrix traffic

22 atch protocol citrix
[appapplication-name-
string] [ica-tag ica-tag-
value]
Step Router(config-cmap)# m (Optional) Configures NBAR to match FastTrack

23 atch protocol fasttrack peer-to-peer traffic.
file-transfer "regular-
expression"
Step Router(config-cmap)# m (Optional) Configures NBAR to match Gnutella peer-

24 atch protocol gnutella to-peer traffic.
file-transfer "regular-
expression"
Step Router(config-cmap)# m (Optional) Configures NBAR to match Hypertext

25 atch protocol http Transfer Protocol (HTTP) traffic by URL, host,
[url url-string Multipurpose Internet Mail Extension (MIME) type, or
| host hostname-string fields in HTTP packet headers.
| mime MIME-type | c-
header-field c-header-
field-string | s-header-
field s-header-field-
string]
Step Router(config-cmap)# m (Optional) Configures NBAR to match Real-Time

26 atch protocol rtp [audio Transfer Protocol (RTP) traffic.
| video | payload-
type payload-string]
Step Router(config-cmap)# m qos-group-value (Optional) Identifies a specific QoS

27 atch qos-groupqos- group value as a match criterion.
group-value
Step Router(config-cmap)# m (Optional) Uses the source MAC address as a match

28 atch source-address criterion.
macaddress-destination
Step Router(config-cmap)# m (Optional) Configures the match criteria for a class

29 atch start {l2-start | l3- map on the basis of the datagram header (Layer 2) or
start} offset number the network header (Layer 3).
size number {eq | neq |
gt | lt | rangerange |
regex string} {value
[value2] | [string]}
Step Router(config-cmap)# m (Optional) Specifies tag type as a match criterion.

30 atch tag {tag-name}
Step Route(config-cmap)# exi (Optional) Exits class-map configuration mode.

31 t
Creating a traffic policy

To configure a traffic policy (sometimes also referred to as a policy map), use the policy-
map command. The policy-map command allows you to specify the traffic policy name and
also allows you to enter policy-map configuration mode (a prerequisite for enabling QoS
features such as traffic policing or traffic shaping).
Associate the Traffic Policy with the Traffic Class
After using the policy-map command, use the class command to associate the traffic class
(created in the "Creating a Traffic Class" section) with the traffic policy.
The syntax of the class command is as follows:
class class-name
no class class-name
For the class-name argument, use the name of the class you created when you used
the class-map command to create the traffic class (Step 3 of the "Creating a Traffic Class"
section).
After entering the class command, you are automatically in policy-map class configuration
mode. The policy-map class configuration mode is the mode used for enabling the specific
QoS features.
Procedure
To create a traffic policy (or policy map) and enable one or more QoS features, perform the
following steps.
This procedure lists many of the commands you can use to enable one or more QoS features.
For example, to enable Class-Based Weighted Fair Queuing (CBWFQ), you would use the
bandwidth command. Not all QoS features are available on all platforms or in all Cisco IOS
releases. For the features and commands available to you, see the Cisco IOS documentation
for your platform and version of Cisco IOS software you are using.
Configuration Steps
Command or Action Purpose

1
Step Router# configure Enters global configuration mode.

2 terminal
Step Router(config)# policy- Creates or specifies the name of the traffic policy

3 map policy-name and enters policy-map configuration mode.
Step Router(config-pmap)# clas Specifies the name of a traffic class (previously

4 s {class-name |class- created in the "Creating a Traffic Class" section)
default} and enters policy-map class configuration mode.
Use one or more of the following commands to enable the specific QoS feature you want to
use.
Step Router(config-pmap-c)# ba (Optional) Specifies a minimum bandwidth

5 ndwidth {bandwidth-kbps guarantee to a traffic class in periods of congestion.
| percent percent } A minimum bandwidth guarantee can be specified
in kbps or by a percentage of the overall available
bandwidth.
Step Router(config-pmap-c)# fai (Optional) Specifies the number of queues to be

6 r-queue number-of-queues reserved for a traffic class.
Step Router (config-pmap- (Optional) Configures traffic policing.

7 c)# police bps [burst-
normal][burst-max] confor
m-action action exceed-
action action [violate-
action action]
Step Router(config-pmap-c)# pri (Optional) Gives priority to a class of traffic

8 ority{bandwidth-kbps belonging to a policy map.
| percent percentage}
[burst]
Step Router(config-pmap-c)# qu (Optional) Specifies or modifies the maximum

9 eue-limitnumber-of- number of packets the queue can hold for a class
packets configured in a policy map.
Step Router(config-pmap-c)# ra (Optional) Enables Weighted Random Early

10 ndom-detect [dscp- Detection (WRED) or distributed WRED (DWRED).
based | prec-based]
Step Router(config-pmap-c)# se (Optional) Sets the cell loss priority (CLP) bit when
11 t atm-clp a policy map is configured.
Step Router(config-pmap-c)# se (Optional) Sets the Layer 2 class of service (CoS)

12 t cos {cos-value | from- value of an outgoing packet.
field [table table-map-
name]}
Step Router(config-pmap-c)# se (Optional) Marks a packet with a discard-class

13 t discard-class value value.
Step Router(config-pmap-c)# se (Optional) Marks a packet by setting the

14 t [ip] dscp {dscp-value | differentiated services code point (DSCP) value in
from-field [table table-map- the type of service (ToS) byte.
name]}
Step Router(config-pmap-c)# se (Optional) Changes the discard eligible (DE) bit

15 t fr-de setting in the address field of a Frame Relay frame
to 1 for all traffic leaving an interface.
Step Router(config-pmap-c)# se (Optional) Sets the precedence value in the packet

16 t precedence{precedence- header.
value | from-field
[table table-map-name]}
Step Route(config-pmap-c)# set (Optional) Designates the value to which the MPLS

17 mpls experimental value bits are set if the packets match the specified policy
map.
Step Router (config-pmap- (Optional) Sets a QoS group identifier (ID) that can
18 c)# set qos-group{group- be used later to classify packets.
id | from-field [table table-
map-name]}
Step Router(config-pmap-c)# se (Optional) Specifies the name of a traffic policy

19 rvice-policypolicy-map- used as a matching criterion (for nesting traffic
name policies [hierarchical traffic policies] within one
another).
Step Router(config-pmap-c)# sh (Optional) Shapes traffic to the indicated bit rate

20 ape {average | peak } according to the algorithm specified.
mean-rate [burst-size
[excess-burst-size ]]
Step Router(config-pmap-c)# ex (Optional) Exits policy-map class configuration

21 it mode.
Attaching a Traffic Policy to an Interface

To attach a traffic policy to an interface, use the service-policy command. The service-
policy command also allows you to specify the direction in which the traffic policy should be
applied (either on packets coming into the interface or packets leaving the interface).
The service-policy command syntax is as follows:
service-policy {input | output} policy-map-name
no service-policy {input | output} policy-map-name
Procedure
To attach a traffic policy to an interface, perform the following steps.
Depending on the platform and Cisco IOS release you are using, a traffic policy can be
attached to an ATM permanent virtual circuit (PVC) subinterface, a Frame Relay data-link
connection identifier (DLCI), or another type of interface.
Command or Purpose
Action

1
Step Router# configure Enters global configuration mode

2 terminal
Step Router(config)# Configures an interface type and enters interface

3 interface serial0 configuration mode.
Step Router(config-if)# servic Attaches a policy map to an interface.

4 e-policy output [type
access-control] {input |
output} policy-map-
name
Step Router (config-if)# exit (Optional) Exits interface configuration mode.

5
Multiple traffic policies on tunnel interfaces and physical interfaces are not supported if the
interfaces are associated with each other. For instance, if a traffic policy is attached to a tunnel
interface while another traffic policy is attached to a physical interface with which the tunnel
interface is associated, only the traffic policy on the tunnel interface works properly.
Verifying the Traffic Class and Traffic Policy

Information
To display and verify the information about a traffic class or traffic policy, perform the following
steps.
Command or Purpose
Action

1
Step Router# show class- (Optional) Displays all class maps and their matching
2 map [type {stack | criteria.
access-control}] [class-
map-name]
Step Router# show policy- (Optional) Displays the configuration for the specified
3 map policy-mapclass cl class of the specified policy map.
ass-name
Step Router# show policy- (Optional) Displays the configuration of all classes for
4 map policy-map a specified policy map or all classes for all existing
policy maps.
Step Router# show policy- (Optional) Displays the packet statistics of all classes
5 map interface[type that are configured for all service policies either on
access-control] type the specified interface or subinterface or on a specific
number [vc[vpi/] vci] [dlci permanent virtual circuit (PVC) on the interface.
dlci] [input | output]
Step Router# exit (Optional) Exits privileged EXEC mode.

6
Using the CBQoS data

Once Polling has been started, reports can be viewed under the CBQoS tab. Reporting is
available in terms of Volume of Traffic, Number of Packets, Traffic Speed and Queue. The pre-
policy, post-policy and drops in different traffic class along with the queuing status enables you
to validate the efficiency of your QoS settings. Individual graphs are displayed for Pre Policy,
Post Policy and Dropped. Pre Policy refers to the state before the CBQoS policy was applied.
Post Policy refers to the state after the CBQoS policy is applied. Dropped gives information on
the packets that are dropped as a result of applying the policies.
CBQoS reports can be exported as PDF or can be mailed by going to "Actions" and clicking on
the necessary action.
Based on these information suitable corrections can be done to the policies to make it best suit
the business goals of the organization.
CBQoS Child Policies

NetFlow Analyzer lets you create child policies under the parent policies.
Creating a traffic policy
To configure a traffic policy (also referred to as a policy map), use the policy-map command.
The policy-map command allows you to specify the traffic policy name and also allows you to
enter policy-map configuration mode (a prerequisite for enabling QoS features such as traffic
policing or traffic shaping).
Associate the Traffic Policy with the Traffic Class
After using the policy-map command, use the class command to associate the traffic class
(created in the "Creating a Traffic Class" section) with the traffic policy.
The syntax of the class command is as follows:
class class-name
no class class-name
For the class-name argument, use the name of the class you created when you used
the class-map command to create the previous traffic class (Step 3 of the "Creating a Traffic
Class" section).
After entering the class command, you are automatically in policy-map class configuration
mode. The policy-map class configuration mode is the mode used for enabling the specific
QoS features.
Procedure
To create a traffic policy (or policy map) and enable one or more QoS features, perform the
following steps.
This procedure lists many of the commands you can use to enable one or more QoS features.
For example, to enable Class-Based Weighted Fair Queuing (CBWFQ), you would use
the bandwidth command. Not all QoS features are available on all platforms or in all Cisco
IOS releases. For the features and commands available to you, see the Cisco IOS
documentation for your platform and version of Cisco IOS software you are using.
Configuration Steps
Command or Purpose
Action

1
Step Router# configure Enters global configuration mode.

2 terminal
Step Router(config)# policy- Creates or specifies the name of the traffic policy

3 map policy-name and enters policy-map configuration mode.
Step Router(config-pmap)# clas Specifies the name of a traffic class (previously

4 s {class-name |class- created in the "Creating a Traffic Class" section)
default} and enters policy-map class configuration mode.
Use one or more of the following commands to enable the specific QoS feature you want to
use.
Step Router(config-pmap-c)# ba (Optional) Specifies a minimum bandwidth

5 ndwidth {bandwidth-kbps | guarantee to a traffic class in periods of
percent percent } congestion. A minimum bandwidth guarantee can
be specified in kbps or by a percentage of the
overall available bandwidth.
Step Router(config-pmap-c)# fai (Optional) Specifies the number of queues to be

6 r-queue number-of- reserved for a traffic class.
queues
Step Router (config-pmap- (Optional) Configures traffic policing.

7 c)# police bps [burst-
normal][burst-max] confor
m-action action exceed-
action action [violate-
action action]
Step Router(config-pmap-c)# pri (Optional) Gives priority to a class of traffic

8 ority{bandwidth-kbps belonging to a policy map.
| percent percentage}
[burst]
Step Router(config-pmap-c)# qu (Optional) Specifies or modifies the maximum

9 eue-limit number-of- number of packets the queue can hold for a class
packets configured in a policy map.
Step Router(config-pmap-c)# ra (Optional) Enables Weighted Random Early

10 ndom-detect [dscp- Detection (WRED) or distributed WRED (DWRED).
based | prec-based]
Step Router(config-pmap-c)# se (Optional) Sets the cell loss priority (CLP) bit when
11 t atm-clp a policy map is configured.
Step Router(config-pmap-c)# se (Optional) Sets the Layer 2 class of service (CoS)

12 t cos{cos-value | from- value of an outgoing packet.
field [table table-map-
name]}
Step Router(config-pmap-c)# (Optional) Marks a packet with a discard-class

13 set discard-class value value.
Step Router(config-pmap-c)# se (Optional) Marks a packet by setting the

14 t [ip] dscp {dscp- differentiated services code point (DSCP) value in
value | from-field [table tabl the type of service (ToS) byte.
e-map-name]}
Step Router(config-pmap-c)# se (Optional) Changes the discard eligible (DE) bit

15 t fr-de setting in the address field of a Frame Relay frame
to 1 for all traffic leaving an interface.
Step Router(config-pmap-c)# se (Optional) Sets the precedence value in the packet

16 t precedence{precedence- header.
value | from-field[table tabl
e-map-name]}
Step Route(config-pmap-c)# set (Optional) Designates the value to which the MPLS

17 mpls experimental value bits are set if the packets match the specified policy
map.
Step Router (config-pmap- (Optional) Sets a QoS group identifier (ID) that can
18 c)# set qos-group{group- be used later to classify packets.
id | from-field [table table-
map-name]}
Step Router(config-pmap-c)# se (Optional) Specifies the name of a traffic policy

19 rvice-policy policy-map- used as a matching criterion (for nesting traffic
name policies [hierarchical traffic policies] within one
another).
Step Router(config-pmap-c)# sh (Optional) Shapes traffic to the indicated bit rate

20 ape {average | peak } mea according to the algorithm specified.
n-rate [burst-size [excess-
burst-size ]]
Step Router(config-pmap-c)# ex (Optional) Exits policy-map class configuration

21 it mode.
Traffic policy can be nested within another traffic policy using the service-policy command. It’s
called Hierarchical traffic policy. This policy that holds another policy is the parent policy and
the nested one is called child policy.
Sample configuration of policy with parent-child relationship:
 Router(config)# policy-map child
 Router(config-pmap)# class voice
 Router(config-pmap-c)# priority 50
 Router(config)# policy-map parent
 Router(config-pmap)# class class-default
 Router(config-pmap-c)# shape average 10000000
 Router(config-pmap-c)# service-policy child
 Router(config-pmap-c)# exit
APPS

Apps tab in NetFlow Analyzer list up all the apps discovered in NetFlow Analyzer UI

and bandwidth utilization. We show 2 kinds of app:
Layer 4 Apps:
These are the application detected by NetFlow Analyzer based on the port and
protocol mappings. NetFlow Analyzer traffic calculation is based on the port and protocol map
available, we have around 10000 application mapped based on the IANA which you can find it
under Application/QoS mapping.
Layer 7 Apps:
These are the NBAR applications discovered by NetFlow Analyzer exported by the

Cisco Devices. You can click on the select icon on the left to select layer 4 and
layer 7 apps list to view.

You can click on any application name and expand the view by clicking on , this will
show the traffic utilization graph for the selected application for IN and OUT direction with the
list of interfaces utilizing this application in descending order. You can view the utilization report
for an application for different time period by click on .

You can drill down the Interfaces by select the Grid view by clicking on the radio button at the
top of the widget and can view the conversation for that particular application from the selected
interface.
QoS

The QoS stats tab lists QoS-specific information in the network. QoS or Quality of service is the
most important factor that determines how effectively the available enterprise bandwidth is being
used in the WAN. It is also an index of the overall User Experience of the available Bandwidth.
Here you see the top DSCP that is utilizing the maximum traffic from accross all the devices that are
sending flows to the NetFlow Analyzer server. Also you can see the Device and Interface specific
QOS information by clicking on the device or interface name on the right hand side view.

Network Configuration Management

Overview
Analysis by numerous IT experts have time and again revealed that the commonest cause for
most Network outages is faulty configuration changes. In this age of the Internet, IT
applications dominate almost all aspects of business enterprises. To cater to various business
needs, network administrators carry out frequent configuration changes to network devices.
Every single change to a network device configuration carries with it the risk of creating a
network outage, security issues and even performance degradation. The problem becomes still
more complex when there are multiple devices from multiple vendors and multiple
administrators manage the network and carryout changes. Unplanned changes make the
network vulnerable for unexpected outages.
Besides, the network administrator is fraught with the challenge of keeping track of all the
happenings in the network devices - who did what and when. In mission critical environments,
network downtime, even for a few minutes, might prove to be costly. When a configuration
error occurs in the network, it becomes a cumbersome task to identify the exact cause and
initiate corrective action. Network administrators indeed face a daunting task when it comes to
effectively doing the Network Change and Configuration Management !
Network Configuration Manager - a simple and elegant solution

ManageEngine Network Configuration Manager offers a simple, comprehensive and elegant
solution for easy Network Change and Configuration Management (NCCM). It offers multi-
vendor network device configuration, continuous monitoring of configuration changes,
notifications on respective changes, detailed operation audit and trails, easy and safe recovery
to trusted configurations, automation of configuration tasks and insightful reporting.
Network Configuration Manager can manage network devices such as switches, routers,
firewalls, wireless access points, integrated access devices etc., from multiple vendors. It
discovers network devices, builds up an inventory database and allows IT administrators to
take control of configuring the devices from a central console. The web-based administrator
console provides the User Interface to perform all the configuration operations. Additionally, it
can be accessed from anywhere using any standard web browser.
You can click here to know more about the configuration details

Alarms

NetFlow Analyzer generate and show alerts once the configured threshold is violated, you can
create Alert profiles based on you requirement from Settings -> NetFlow
-> Aggregated/Real-Time Alert Profiles. Alerts are generated based on the RAW data
collected in the database.
You can see the alerts and its events based on the severity configured in Alert Profile
like Critical, Trouble, Attention and Service down. You can click on the severity to get the list of
Alarms generated for that severity.
You can click on the Filter icon to change the view of the Alarms in NetFlow Analyzer, also you
can sort the alarms by time on which it is generated by clicking on the icon on the left
side column.

Filter Description
Active Alarms List up all the recent active alarms.
All Alarms List up all the alarms for all category
NFA Alarms List only NetFlow Alarms
NCM Alarms List only Network Configuration Add-on alarms
Severity List Alarms based on severity an event has occurred
Category List all category alarms
You can set the different view from the right hand side top for Alarms to display under the
Alarms tab using the below option:
View Description
Allows you to view the Alarms in list view

List view
Allows you to view the Alarms in Block view

Block view
Shows Alarms and events in color view based on

Color view severity
You can sort the Alarms based on Message, Source,

Sorting
Category, Technician, Severity, Time.
Allows you to search Alarms based on Message,

Search Source, Category, Technician, Severity, Time.
You can click on each alarm for a detailed view on the Alert generated, and view the Traffic
and Application statistics during the time the Alert was generated. Any technician who checks
the alert can add notes for others to understand.
You can also delete an Alert form the view by selecting the Alert and then click on the delete
icon on the right side top.
Events
When an threshold is violated in your network, an event occurs and multiple events correlate to
trigger an alarm. An event can not be deleted from the UI. Event for an Alert is stored for 7
days by default in the database and deleted automatically.
Types of Alerts
NetFlow Analyzer allows you to customise alerts and the type of notification. You can choose
to be notified via SMS, email, SNMP trap or log a ticket.
For emails alerts, you must provide details such as the To email address and the email subject.
For SNMP Trap you must provide Server:Port:Community details.
You can receive SMS notifications by providing the mobile number.
Logging SDP Tickets

NetFlow Analyzer also allows you to log alerts as SDP tickets. Service desk plus is available as
an plug-in, and it has to be integrated with NetFlow Analyzer under Settings → Basic
Settings → Add-ons/Products Integration → ServiceDesk Plus and configure the
ServiceDesk Plus add-on integration, for this option to be available.
For logging the alert as a ticket, provide ticket details such as category, priority, and group.
You can also assign it to a particular technician based on severity and category of the alert.
Every time an alert is generated, it will automatically be logged in as an SDP ticket and
assigned to the particular technician, based on the details provided. You create a private
knowledge base in SDP to resolve repetitive network bottlenecks quickly. You can also
announce known network issues in SDP’s ‘announcements’ to help reduce number of tickets
created for the same issue.
Zoho Maps
NetFlow Analyzer uses Zoho Maps as the default map provider for the Maps feature. You can
use it to visualize your network by placing the devices on the maps according to their
geographic distribution.
Adding Devices on the Zoho Map
1. Now, zoom in/out the map and double-click on the location where you want to place a
discovered device.
2. A device list box pops up allowing you to select a device to be placed in that location.
3. Select the device and click on Add.
4. Add the required devices on to the map by double-clicking the location.
Viewing Device Details from Zoho Map

1. Click on the device marker on the Zoho Map to view further details on interface
utilization and device location.
Deleting Devices from Zoho Map

1. Click on the device marker on the Zoho Map to see a popup.
2. Click the Delete link on this popup to delete the device from the map.
Further, Refer to https://www.manageengine.com/products/netflow/help/how-to-add-a-link-
between-devices-in-network-map.html to add link between two devices.
Google Maps

Network diagram or Network layout defines how the network is distributed and spread across
globally. As a network administrator, its a huge task to consolidate and manage network devices
spread globally. NetFlow Analyzer as a comprehensive network monitoring tool which allow the
users to draw their network layout and provides an easiest way to manage network resources.
Google maps feature lets you physically locate your network resources on a map. This enables
network administrators to have a feel of how devices are distributed and more importantly provide a
quick and easy drill down to specific information. NetFlow Analyzer, by using Google maps API, lets
you position your devices on a map for a graphical presentation.
Network Layout
The network layout configuration on the Google map allow users to draw their network diagrams
according to the device connectivity. To configure network layout, navigate to Maps icon on the
user interface and click on anywhere in the map to place the network device in Google Map View.
You will be prompted with a pop-up to select the nodes (routers or switches) for connectivity once
you click on the Add Link button. Provide the link name and description and click on next. Select
the interface relative to which you need to see the traffic details and “ save”. Now you can see the
traffic between the two link as per your need.

Google Maps
NetFlow Analyzer allows you to integrate Google Maps and place the devices on the maps
according to the geographic distribution. Please refer to the Google licensing terms and pricing
plans before you proceed further.
How to configure Google maps

1. Download this file to your desktop.
2. Extract the downloaded zip and open maps.html file in any script editor.
3. Update the Google API key as shown below. (Visit this page generate an API key)
<script type="text/javascript" src="//maps.googleapis.com/maps/api/js?

sensor=false&language=en&key="Your-API-Key"> </script>
4. Once you have updated the key, upload the updated maps.html.
How to add devices on the Google Map

1. Now, zoom in/out the map and double-click on the location where you want to place a
discovered device.
2. A device list box pops up allowing you to select a device to be placed in that location.
3. Select the device and click on Add.
4. Add the required devices on to the map by double-clicking the location.
5. You can also add the devices to the map from the device snapshot page.
6. Go to the device snapshot page.
7. Click on Add to Map link in the page to add the device to the m
Reports

NetFlow Analyzer has many reporting options available based on Interfaces and IP groups out of
box.
Reports Description
Search Search Report provide you the options to generate reports based on search criteria. We have 2
Report different kind of search reports Global search and Custom search reports.
Compare Allows you to compare statistics of bandwidth utilization of different interfaces or IP groups for same
Report time or different time periods.
More Allows you to generate reports like Consolidated Report, Protocol Distribution Report, IPGroup
Reports Consolidated Report and Capacity Planning Report.
Schedule Allows you create schedule automatic report generation daily, weekly, monthly and export to
Reports your email address.
Billing Allows you Add and generate billing reports based on utilization of Speed or Volume
Forensic Allows you to generate reports based on the RAW data collected in NetFlow Analyzer
s
WAAS Allows you to view data based on the CM added in NetFlow Analyzer UI

Explore the following sections to know more about the Reports available in NetFlow Analyzer.
Search Reports

Search Reports can be used to generate reports specific to the user. This is especially useful
in finding out the bandwidth utilization of a specific host or application.
While Troubleshooting Reports can be used to derive information on one interface at a time,
Search Reports can be generated across interfaces. Data for Troubleshooting reports is taken
directly from raw data, whose maximum retention period can be set from Settings. But data for
Custom Reports is taken from aggregated data in the database.
You can select the device or its interfaces for which you need to generate an report based on
the custom criteria.
Under Select Criteria, enter the criteria on which traffic needs to be filtered. You can enter any
of the following criteria to filter traffic:
 Source/Destination Address
 Source/Destination Network
 Source/Destination Nodes
 Source/Destination AS
 Application
 Port/Port Range
 DSCP
Once the criteria is selected, please Define the appropriate criteria and click on add icon to
set the criteria that you want to filter, here you can multiple criteria's. Select option using the
radio button to generate report either by matching all the criteria or by matching selected
criteria.
Match all the following option will only generate the report is all the custom criteria you
provided match.
Match any of the following option will generate the report is any of the provided custom
criteria matches.
Once done select on which Data you need the report to be generated either IN or OUT using
the radio button. The From and To boxes let you choose custom time periods for the report.
Once you select all the desired criteria, click the Generate Report button to display the
corresponding traffic report. The default report view shows the IP addresses of the hosts. You
can also sort the data displayed either by Number of packets or Bytes.
You can export the report as CSV, Excel, or email by clicking on the export icon.
Compare Reports

Compare Report feature lets the user Compare multiple devices for the same time period or
Compare the same Device over different time periods. eg: Every Day Report, Every Hour
Report, Every Week Report, Every Month Report.
Report type
The report type could be one of :
 Compare Multiple Devices over the same time period ( or)

 Compare same device over different time periods

When the Report Type is chosen as - Compare Multiple Devices over the same time
period, the available Periods are Last Hour, Last 6 Hour, Today, Last 24 Hours, Yesterday,
Last Week, Last Month, Last Quarter.
When the Report Type is chosen as -Compare same device over different time periods, the
available Periods are Every Day Report, Every Hour Report, Every Week Report, Every Month
Report.
Data Points
Data Point option allows you to select the average in which you want the reports to be
generated, you can select either 1min, 5mins or 15 mins average using the radio button.
Report Option
The Report Options could be chosen to be one of below to generate the reports in terms of
Speed, Volume, Utilization or Packets
 Speed
 Volume
 Utilization
 Packets
Select Time Period

This option Allows you the select the time priod based on the Report Type you have selected.

Select Device
You can generate Compare Report either based on Device/Interfaces or IP groups. You can
select any one of the option to generate the report.
Once all the fields are selected based on the requirement, click in the Generate Report button
to generate the report the report will be shown as below:
You can select the traffic graphs to show in different style by selecting the
icons on the right top. You can export ouput of each traffic details in
CSV or Excel by click on the icon at the bottom of the view.

Consolidated Reports

Consolidated reports let you see all the traffic details for an interface, interface group or IP group at
a glance. Click the Reports Tab -> More Reports -> Consolidated Report link to see all traffic
details for an interface, interface group or IP Group at one glance.
Select the Interface, Interface Group or IP group based on which you need the consolidated report
under Select Source tab. Once you Select the Interface you will have the option to select the
Device and Interface interface based on which you need the report in the same way you can select
IP Group and for Interface groups as well.
Select Top allows you to show view with top 5,10 or top 20 outputs for top Source, destination and
Application.
Traffic Type give the option to select the view for the traffic graph details in either Speed, Volume
or Utilization.
You can choose to generate hourly, daily or reports based only on business hours and
also customise time period by selecting Custom option under Time Period option.
Click on Generate Report to generate the report. The report gives the Graphical and Tabular
representation for Traffic Graph, Application IN/OUT, Source IN/OUT and Destination IN/OUT

You can export ouput of each widget in CSV or Excel by click on the icon at
the bottom of the view.
Protocol Distribution Report

Protocol Distribution report lets you to view the information on top protocol utilizing the
bandwidth from Interface, Interface Group or IP group.
Select the Interface, Interface Group or IP group based on which you need the Protocol
Distribution report under Select Source tab. Once you Select the Interface you will have the option
to select the Device and Interface interface based on which you need the report in the same way
you can select IP Group and for Interface groups as well.
Traffic Type give the option to select the view for the traffic graph details in either Speed, Volume
or Utilization.
You can choose to generate hourly, daily or reports based only on business hours and
also customise time period by selecting Custom option under Time Period option.
Flow Type allows you the select IN or OUT, to get the Protocol Distribution report based on either
IN or OUT traffic you need the report to be generated.
Click on Generate Report to generate the report. The report has 2 views, Graph view and Table
view.
Graph view:
Show the Graphical representation for Protocols bandwidth utilization.
You can select the traffic graphs to show in different style by selecting the
icons on the right top.
Table View:
This show the detailed list output of Protocol and its volume used and percentage of total traffic:
You can export ouput list report in CSV or Excel by click on the icon at the
bottom of the view.
Inventory Report
In the absence of a proactive network monitoring solution, network monitoring can become a
daunting task. Network administrators will have to monitor the entire network manually which
can be a rather monotonous, time-consuming and error-prone task. With Inventory reports,
these repetitive network monitoring tasks have been simplified. With an easy-to-use interface
and a consolidated view of your preference, the Inventory report delivers a bird's-eye view over
your network traffic.
Inventory report enables you to choose amongst the traffic source - Interface/IP
Group/Interface Group/Access Point/AS View/Access Point Group/SSID Group.
The traffic type allows you to generate a report based on speed, volume or utilization.
Furthermore, you can also set the criteria based on the selected traffic type.
Inventory report can be generated in the period of your preference and additional business
hour filters can also be enabled.
Also note that a violation report will be generated if the selected criteria are violated. This
report can be viewed by clicking on the graph icon in the generated report.

Capacity Planning Reports

Capacity Planning feature in NetFlow Analyzer helps you make informed decisions about your
network bandwidth. It details on the traffic trend and bandwidth utilization pattern over a period
of time. The capacity planning Report is available for all interfaces and IPgroups monitored
under the NetFlow Analyzer.
Capacity Planning Report

The capacity planning report provides you traffic patterns based on volume, speed, utilization,
and packets. The reports can be generated for any selected time period from last hour to last
quarter and you can also customize the selected time period to suit your requirement. Using
business hour and weekend
filters, the reports can be generated only for the required time period.
1 Minute Average
The graph gives you traffic IN and Traffic OUT on an one minute average. The report also
displays the 95th percentile value for both IN and OUT traffic. The table below the graph
provide Total amount of Traffic IN and OUT along with the Min, Max and Average values. It
also calculates and displays Standard Deviation and 95th percentile value for the total amount
of IN and OUT traffic. The graph displays the traffic deviation from the average amount of daily
traffic.

Average Use (Daily)

The graph displays daily average use of bandwidth for the selected time period. You can view
the Traffic IN and OUT details for the selected time period.
Data Points This table provides individual data points for Traffic IN and OUT. The data points
are displayed a Min, Max and Average value for a selected time period.

Application Report
The pie chart displays the traffic associated each application. This is also calculated on the
basis of IN and OUT traffic. The table below displays the application name, the amount of
traffic and the total traffic percentage by each application.
Application Growth Report

Application Growth Report helps in identifying the usage of a specific application in the network
over the selected time period. It gives a graphical view shows the amount of bandwidth used
by each application. This helps in prioritizing the applications to suit your enterprise's need.
The table below report gives both application IN and OUT details and their usage over the
selected time period.

The report has 2 views, Graph view and Table view.
Graph view show the Graphical representation for graphs and pie charts to show the
information for each widget.
Table View show the detailed list output for the generated report. You can export each widget
in the list view as csv or excel format by clicking on the icon at the bottom
of the view.
Schedule Reports

Schedule feature in NetFlow Analyzer is an easy way to generate reports in Daily, weekly and
Monthly basis. A scheduler is configured to set the parameters for automating the generation of
reports.
To create an schedule navigate to reports tab and click on Schedule.
Netflow Analyzer calculates the bandwidth utilization on the specified Interfaces, Interface groups,
IP Group, WLC Devices, Access point groups, SSID groups for every minute. Based on the
schedule opted for, reports are generated at various time intervals.The Schedule Reports feature
lets you Create new Schedules and Delete existing ones. The Scheduler List page lists all
existing schedules , along with the Schedule details,Status, Report types,and the Last Report
Generated time.

Schedule Profile
Schedule Profile show the Schedule Profiles you have created and the status of the Profiles:
Column Description
Profile The name of the Schedule when it was created. Click on the Schedule's name to see more
Name information about the schedule's configuration
Description Show the Description you have set for the schedule
Schedule Show what type for schedule is created either Daily, Weekly, Monthly or Only Once
Details
Status
By default all schedules are Enabled, which means they are active. Click the icon to
disable a schedule. When this is done, reports will no longer be generated for
that configuration. Click the icon to enable the schedule again.
Last This column lists the last time when this schedule was run and a report created.
Report
Time
Generated By clicking on View Reports it is possible to view all the previous reports that have
Reports been generated. The number of reports that are stored is based on the user definition in
the Schedule Setting page. (By enabling the item "Enable older reports to be accessed
from UI" it is possible to retrieve even older reports.) For Daily Schedule up to 90 reports
can be stored. For Weekly Schedule up to 104 reports can be stored. For Monthly Schedule up
to 60 reports can be stored.
Edit
Click on this icon to edit the created schedule.

Delete
Click on this icon to delete the schedule

The various columns displayed in the Schedule Profile page are described in the table below:

Add Schedule
Add Schedule button on the right top to create an Schedule. Please give the blow parameter to
Add the schedule:

Par Description
ame
ters
Sch Provide an appropriate name to Schedule profile

edul
e
Na
me
Des Provide description of the profile to identify the purpose of the schedule created
cript
ion
Devi You can schedule reports for an Interfaces, Interface group, IP Group, WLC Devices, Access point groups, or
ce
Typ
e
Select the option based on you requirement.

Interface option allow you to select Interface for which you need the reports to be scheduled.

IP groups and Interface Groups will allow you to select the created IP and Interface groups for which you need to s

Access point groups and SSID Groups will allow you to select the created Access point and SSID groups for w
schedule the reports.

WLC devices option allow you to select WLC devices for which you need the reports to be schedu

Rep The type of report to be generated - Please select as per your requirement from the dropdown consisting th
ort
 Consolidated report
Typ
e Traffic report -> Contains the traffic graph with Total Volume, Min, Max, Avg, Standard Deviation and 95th
Percentile details and detailed list data points for the report period.
Application report -> Contains list of Application with volume of traffic utilized and percentage of total traffic
utilized by each application.
 Source report -> Contains list of Source IP with volume of traffic utilized and percentage of total traffic
utilized by each source IP.
Source network report -> Contains list of Source network with volume of traffic utilized and
percentage of total traffic utilized by each source network.
Destination report -> Contains list of Destination IP with volume of traffic utilized and percentage of total
traffic utilized by each destination IP.
Destination network report -> Contains list of Destination network with volume of traffic utilized and
percentage of total traffic utilized by each detination network.
 QoS report -> Contains list of DSCP with volume of traffic utilized and percentage of total traffic utilized b
each DSCP
 Conversation report -> Contains Detailed list of conversation.
Conversation network report -> Contains Detailed list of conversation based on source and destination
network.
 NBAR report -> Contains list of NBAR Application with volume of traffic utilized and percentage of total
traffic utilized by each NBAR app.
 CBQoS report -> Contains the CBQOS report based on IN out OUT policy collected for the In
 Compare report -> Allows you to create an schedule compare report for Interfaces, IP Groups, Interfac
Devices, Access Point Groups, or SSID Groups selected. Provide the required details for the report to be schedu
Custom Report -> Allows you to set the criteria for the report generated in the schedule. You can provide
below criteria to generate the reports: Sourc
Source Network Sourc
Destination Address Dest
Destination Node Appli
Port Port
DSCP
 Capacity Planning Reports -> Generates the Capacity Planning reports for the selected Interfaces, Interfac
WLC Devices, Access point groups, or SSID group.
 Medianet Reports -> Generates the Medianet reports collected for the Interface.

Rep You can select the format as PDF or CSV with which the reports will be exported to your email addr
ort
For
mat
Tim You can Select the Time Zone based for the reports to be generated. This will help operation to get reports who
e geographic locations.
Zon
e
Rep Select the report generation frequency as one from : Daily, Weekly, Monthly and Only Once. Depending on this
ort generated at the appropriate time intervals.
Day
s
Rep You can select the Date for which you need the report to be generated. This option is only available for the Only
ort
Dat
e
Rep Select the time period at which the reports has to be generated based on the schedule days you have s
ort
Tim
e
Rep You can select the Period for which for which the data should refelect in the Report to be generet
ort

Peri
od For Only Once Option you can select the Report Period to be Previous Day, Last 24 hours, Today, Last 6 hours, L
Week, Last 7 days, Previous Month, Last 30 days, Last Quarter and Custom. Custom Select allows you to sepcify
time period for which you need the report.

For Daily, weekly and Monthly reports you can select the time period to be Previous Day, Last 24 hours, Last 6 H

Mail You Can Select the Mail Notification to be ON or OFF.
Noti

ficat
ion If you select ON you will receive the reports generated in the schedule to the email address you will s

 Mail Address - This is the address to which the generated reports will be sent. You can specify multiple em
reports to be sent to by providing email address seperated by comma without space eg:
abc@example.com,abcd@example.com,abcde@example.com
 Mail Subject - The email subject can be customized according to the report selected.

Schedule Settings
This link lets you set parameters that could be applied across all the generated reports. The
parameters include:
 Host Name display in reports - This determines how the host name is displayed in reports.
It could be chosen as one of
o IP Address ( or )
o DNS Name

 Graph Options (Report Type to be shown in reports) - This determines how the data is to
be shown in the generated reports. This could be one of
o Utilization (in %) ( or )
o Speed (in bps)

 Mail Attachment option - The format in which the attachments are to be mailed. It
could be one of
o Zipped file ( or )
o PDF - The number of PDF files to be sent in a mail is to be specified. The number may range from
5 to 50 in increments of five

 Qos Options - This determines what the QOS report contains. This could be choosen from
one of below:
o DSCP ( or )
o TOS

 Enable older reports to be accessed from UI
Forecast Report
Forecasting has the potential to interfere in decision-making and gives a picture of what can
probably be expected. Every business decision depends upon forecast on future trends and
hence, it is important to give maximum attention to it.
To plan network resources, timely and accurate prediction of bandwidth is beneficial to avoid
network bottlenecks. Also, to handle the ensuing network needs efficiently and to regulate
traffic, it is of utmost importance to predict data.
While a time series can be forecast using statistics or machine learning, NetFlow Analyzer
employs techniques like autocorrelation, seasonality trend loss decomposition and regression
to forecast reports.
A forecast report can only be as accurate and reliable as the data provided. The granularity
and accuracy of the forecast differ based on the available data. The below given table speaks
on the accuracy of the forecast that would be generated based upon the availability of past
data.
Time period Past data granularity
1 week 36 days Hourly
2 weeks 70 days Hourly
1 Month 130 days Hourly
3 Month 180 days Daily
6 Month 180 days Daily
1 Year 5 years Weekly
Click on Reports -> NetFlow -> Forecast to generate the forecast report.

You can select the Source for which you need to generate the forecast.
Traffic Type gives the option to view the traffic graph details based on Speed, Volume or
Utilization.
Forecast reports can be generated for a period ranging from 7 days to a year. However, the
Forecast period cannot be customized and can only be viewed for a pre-defined set of data.
Business Hour Filters and the Exclude weekends option can also be enabled. By default,

Saturday and Sunday are set as weekends.
On enabling the Show History button, the users can view the past trends based on which the
forecast has been generated.
You can mail the report or export data as CSV, PDF by clicking on the icons in the top right
corner of the view.
Billing

Billing is the latest feature introduced in NetFlow Analyzer. This feature helps keep a tab on resource
usage and takes the bandwidth monitoring one step ahead - Accounting. It makes easy to understand the
reports in terms of cost incurred. Internally, organizations can use this feature for department-wise
billing.Also Internet Service Providers can use this to automatically generate reports for their customers.
Operations on Billing
Billing can be accessed through "Billing" in "Reports"
Creating a Bill Plan

A bill plan can be created on basis of either one of the following:
1. Speed
2. Volume
Bills can be generated in accordance with the local time zone. Localization is supported in the Billing
feature.
Speed Based Billing

The "Bill Plan List" tab lets you create a new bill plan. To create a bill plan, click on the "Add
Plan" tab. The Fields and their description are given below.
Enter Billing Details
Field Description
Bill Plan Enter the name you wish to assign for this bill plan
Bill Plan Description* Describe the plan for detailed understanding and for future reference
Billing Type Select "speed"
Base Speed
Enter the base speed of the connection in bps (bits per second)
Base Cost Select the currency from the drop-down box and enter the cost
Additional Speed* Enter the additional speed of the connection in bps
Additional Cost* Enter the cost for additional usage

Percentile Select one of the two options from the drop-down box.
Calculation Selecting "In & Out merge" will merge the In and Out values and calculate the 95 percentile value.
Selecting "In & Out separate" will calculate percentile value of IN and percentile value of OUT separately and
the higher of the two is considered. This is calculated using 5 minutes average data points. For better
understanding, see the example.In addition to 95th percentile value, 90th, 85th, 80th and 70th percentile values can
be calculated. The default percentile value is 95.
Billing Period Lets you select the option as quarterly or monthly. Incase you select the billing plan as quarterly, the bill will be
generated quartely on the dateyou specify in the "Bill generation date" option. Incase you select the billing plan
as monthly, the bill will be generated on a monthly basis on the date you specify in the "Bill generation
date" option.
Bill Generation Date Enter the date on which you want the bill to be generated either on monthly basis or quarterly basis.
* - optional fields. Other fields are mandatory.
Associated To
This has the list of Routers/interfaces and IP groups. You can select the interfaces and/or the IP groups
that is associated with this plan.
Once an Interface/IP Group is added to one bill plan, the specific interface/IP Groups does not get displayed while
other bill plans
Email ID To Send Reports
Enter the mail ID/IDs to which the generated Bill report needs to be sent. Multiple mail IDs should be
separated by comma ","
Example for the 95th Percentile calculation:
IN & OUT MERGE:

inbound = [0.139 0.653 0.201 0.116 0.084 0.032 0.047 0.185 0.198 0.203
0.276 0.370 0.971 0.233 0.218 0.182 0.169 0.126 0.131 0.157]
outbound = [1.347 1.435 1.229 0.523 0.438 0.231 0.347 0.689 0.940
1.248 1.385 1.427 3.988 1.265 1.221 1.013 0.992 0.874 0.896 1.002]

Inbound and Outbound merge
= [0.139 0.653 0.201 0.116 0.084 0.032 0.047 0.185 0.198 0.203 0.276
0.370 0.971 0.233 0.218 0.182 0.169 0.126 0.131 0.157 1.347 1.435
1.229 0.523 0.438 0.231 0.347 0.689 0.940 1.248 1.385 1.427 3.988
1.265 1.221 1.013 0.992 0.874 0.896 1.002]
Sorted_In & Out= [3.988 1.435 1.427 1.385 1.347 1.265 1.248 1.229
1.221 1.013 1.002 0.992 0.971 0.940 0.896 0.874 0.689 0.653 0.523
0.438 0.370 0.347 0.231 0.276 0.233 0.218 0.203 0.201 0.198 0.185
0.182 0.169 0.157 0.139 0.131 0.126 0.116 0.084 0.047 0.032]
Sorted In and Out contains set contains 40 samples--5% of 40 is 2, so

discarding the top 5% means we must discard the top two samples from
the data set. We are now left with:
Sorted_In & Out= [1.427 1.385 1.347 1.265 1.248 1.229 1.221 1.013
1.002 0.992 0.971 0.940 0.896 0.874 0.689 0.653 0.523 0.438 0.370
0.347 0.231 0.276 0.233 0.218 0.203 0.201 0.198 0.185 0.182 0.169
0.157 0.139 0.131 0.126 0.116 0.084 0.047 0.032]
The highest sample from remaining data set is the 95th percentile
value for the originating set. So we obtain the following value:
95th_in & out = 1.427 Mbps
IN & OUT SEPARATE:

inbound = [0.139 0.653 0.201 0.116 0.084 0.032 0.047 0.185 0.198 0.203
0.276 0.370 0.971 0.233 0.218 0.182 0.169 0.126 0.131 0.157]
outbound = [1.347 1.435 1.229 0.523 0.438 0.231 0.347 0.689 0.940
1.248 1.385 1.427 3.988 1.265 1.221 1.013 0.992 0.874 0.896 1.002]
After sorting, we obtain:
sorted_in = [0.971 0.653 0.370 0.276 0.233 0.218 0.203 0.201 0.198
0.185 0.182 0.169 0.157 0.139 0.131 0.126 0.116 0.084 0.047 0.032]
sorted_out = [3.988 1.435 1.427 1.385 1.347 1.265 1.248 1.229 1.221
1.013 1.002 0.992 0.940 0.896 0.874 0.689 0.523 0.438 0.347 0.231]
Each sample set contains 20 samples--5% of 20 is 1, so discarding the

top 5% means we must discard the top sample from each data set. We are
now left with:
remaining_in = [0.653 0.370 0.276 0.233 0.218 0.203 0.201 0.198 0.185
0.182 0.169 0.157 0.139 0.131 0.126 0.116 0.084 0.047 0.032]
remaining_out = [1.435 1.427 1.385 1.347 1.265 1.248 1.229 1.221 1.013
1.002 0.992 0.940 0.896 0.874 0.689 0.523 0.438 0.347 0.231]
The highest sample from each remaining data set is the 95th percentile
value for the originating set. So, for each set, above, we obtain the
following values:
95th_in = 0.653 Mbps
95th_out = 1.435 Mbps
The higher of the two computed 95th percentile values becomes the
final 95th percentile value used for billing:
95th percentile = 1.435 Mbps
Volume Based Billing

The "Bill Plan List" tab lets you create a new bill plan. To create a bill plan, click on the "Add
Plan" tab. The Fields and their description are given below.
Enter Billing Details
Field Description
Bill Plan Enter the name you wish to assign for this bill plan
Bill Plan Description* Describe the plan for detailed understanding and for future reference
Bill Type Select "Volume"
Base Volume
Enter the base volume in bytes
Base Cost Select the currency from the drop-down box and enter the cost
Additional Volume* Enter the additional volume in bytes
Additional Cost* Enter the cost for additional usage
Data transfer Select one of the three options from the drop-down box.
calculation Selecting "Download" will take only downloaded data for billing.
Selecting "Upload" will take only uploaded data for billing.
Selecting "Download & Upload" will take both uploaded and downloaded data for billing.
Alert Checking this box will activate threshold based alerting. This will send alerts, if the user specified threshold value
has been exceeded.
Billing Period Lets you select the option as quarterly or monthly. Incase you select the billing plan as quarterly, the bill will be
generated quartely on the date you specify in the "Bill generation date" option. Incase you select the billing plan
as monthly, the bill will be generated on a monthly basis on the date you specify in the "Bill generation
date" option.
Bill Generation Date Enter the date on which you want the bill to be generated either on monthly basis or quartely basis.
* - optional fields. Other fields are mandatory.
Associated To
This has the list of Routers/interfaces and IP groups. You can select the interfaces and/or the IP groups
that is associated with this plan.
Once an Interface/IP Group is added to one bill plan, the specific interface/IP Groups does not get displayed while
other bill plans
Email ID To Send Reports

Enter the mail ID/IDs to which the generated Bill report needs to be sent. Multiple mail IDs should be
separated by comma "," The email subject can also be customized as per the user requirement.
On-Demand Billing
Bills can be generated on demand. By clicking on "OnDemand" for a particular bill plan in the bill plan
list, a bill can be generated for the time period from the beginning of the billing cycle to the current date.
Editing Bill Plan

Bill plans can be edited by clicking Bill plans list and editing any particular bill as the need may be.
Adding an interface/IP group
An interface/IP group can be added during any point of the billing cycle. The bill will be generated for
this interface/IP group during the mentioned billing date for the billing plan.
Removing an interface/IP group
When an Intereface/IP group is removed from a bill plan, the bill for that interface is generated at the
same instant.
Other billing parameters

Editing base speed / volume, base cost, additional speed / volume, additional cost, billing
calculation (95th Percentile / Data transfer) will take effect only from the next billing cycle.
Editing email ID and threshold alerting will take effect at the same time.
"Billing period" and "Bill generation date" CANNOT be changed. When the interfaces/ IP groups are unmanaged/
bill is generated for the interface or IP groups at that instant. If you modify the cost in the bill plan, It will be effect
the next billing cycle and NOT at that instant.
Deleting Bill Plan

Deleting a bill plan will lead to deletions of all the reports generated by the particular bill plan.

Reports
Generated Reports can be viewed by clicking the "Report" tab on top.
Available plans
You can view all the plans or any one plan by selecting the suitable option from the drop-down box. By
default the "report" page shows only the recent report of all the bill plans. If you want to view all the
generated reports for a particular bill plan, select the bill plan from the drop-down box, next to "available
plans". The reports are arranged with the most recent report on top.
Show details
By clicking on "show details" a pop up window opens, wherein you can view a speed-time graph.This
shows all the bills generated for the particular interface.The report in can be generated in PDF format by
clicking on "PDF" and you can view the data at 5 minutes interval by clicking on the "Data points".
Forensics

The Forensics link lets you set criteria and view specific details about the traffic across a single
interface or WLC device. Data for Troubleshooting reports is taken directly from raw data. Which
means that Troubleshooting reports will be available only for the maximum time period for retaining
raw data, configured under Settings -> NetFlow -> Storage Settings -> Raw Data Settings.
Localization is supported in this report.
Click on Reports icon -> Forensics to generate the report , For Interfaces, click
the Select Devices link to change the interface that you want to troubleshoot. For WLC Devices,
select the Controller and Access Point to view the report. Under Search Criteria, enter the
criteria on which the traffic needs to be filtered.
The From and To boxes let you choose custom time periods for the report. Ensure that the time
period selected, falls within the Raw Data Retention Period set under Settings, otherwise graphs
will show no data.
Use the Traffic Type option to be either Speed, Volume, Utilization or Packets to show the traffic
graph generated in the report based on your selection.
Once you select all the desired criteria, click the Generate Report button to display the
corresponding traffic IN/OUT, Application IN/OUT, Source IN/OUT, Destination IN/OUT, DSCP
IN/OUT, TCP Flag IN/OUT, Next Hop, Conversation IN/OUT, Multicast IN/OUT and Medianet
IN/OUT.
The default report view shows the IP addresses of the hosts.
You can export ouput of each view in CSV or Excel by click on the icon at the
top right corner of the report.
Want to learn more about the feature? Check out this link.
WAAS: Introduction

WAAS Dashboard
WAAS reports details you on the central manager you have created and the devices
associated with it. You can access WAAS reports using Reports . Select WAAS
Dashboard from the Reports tab. You can view the reports based on hourly, daily, weekly,
monthly along with custom reports.
The Accelerator Group gives you the list of WAAS Accelerator Engines grouped together for
easy identification purposes. You can also view their reduction percentage, Status, and a brief
description about the group.
You can also view the top 10 WAE's by compression percentage as a pie chart. The report
displays WAN, LAN and compressed Traffic along with the reduction percentage.

WAAS Device List
The WAE devices List displays all the devices listed in the WAN Accelerator Engine. The top
ten devices are listed first. you can locate the devices using the simple search option by
indicating the name, IP address, Status, Location or MAC address of the device. By clicking on
the device name you can view the WAE Reports.

WAE reports
You can view these reports by clicking on any of the devices in the WAE device list. The WAE
reports page gives you detailed statistics of every device associated with a specific Central
Manager. This Report Details you on:

Application Reduction: The amount of compression each mapped application has gone
through. By Clicking on the application name you can view reports indicating bandwidth
reduction by location, bandwidth optimization trend and pass through summary trend of the
specific Application.

Bandwidth Reduction by Location: This details on the WAN, LAN, and amount of traffic
compression for each application along with the increase in bandwidth capacity due to
compression.

Pass Through Summary Trend: Denotes the unoptimized traffic that passes through the
WAE. You can view graph based on peer traffic, intermediate traffic,overload traffic and policy
applied.

WAE Device Connection Statistics:
Lists the conversations that passed through the selected WAE device and their corresponding
statistics. Using this you can view the Source, destination of the conversation, their respective
ports, type of policy applied, and the duration of each conversation. You can also view the type
of policy applied, the initial amount of traffic and compressed traffic in bytes along with the
compression ratio.
LAN WAN Report

LAN-WAN reports can be used to generate detailed traffic reports specific to LANs and WANs
in your network. This report gives detailed insights into the IN and OUT traffic between two
LAN IPs (the LAN-LAN report) or between a LAN and a WAN (the LAN-WAN report).
To generate these reports internationally predefined LAN IPs are preconfigured under Settings
> NetFlow > LAN IP Settings. Here the LAN IPs can be modified and configured individually
based on each router.

To generate this report, navigate to Reports > NetFlow > LAN WAN Report. Here select the
respective tab to generate the LAN-WAN or LAN-LAN report.
 Source: The category of source (here, Devices and Interfaces) for which you want the
report to be generated.
 Device: The specific device or interface under the category of sources for which the
report is to be generated.
 Time Period: The day(s) / the hours for which you wish to generate the report data.
 Business Hour Rules: You can configure Business Hours to filter out and view only
the reports generated within the business hours of your organization.
 Weekends: Weekends can be excluded or included from the period the reports
generated for.
Click here to learn how to configure LAN IPs.

NetFlow Analyzer

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

NetFlow Analyzer

Uploaded by

Copyright:

Available Formats

NetFlow Analyzer:

ManageEngine NetFlow Analyzer is a web-based bandwidth monitoring tool that performs in-

Why NetFlow Analyzer?

 Support for multiple flow exports

 Web-based API driven UI

 Real-time Traffic Graphs

 Historical Trend Reports

 Cisco Application Visibility and Control (AVC)

 Capacity Planning & Billing

 Network Forensics & Security Analysis

 Traffic Configuration & User Management

System Requirements for NetFlow

Hard-disk 1 TB SATA hard

2.4 GHz Quad

3.2 GHz Quad

3.2 GHz Quad

3.2 GHz Quad

3.2 GHz Quad

3.2 GHz Quad

3.2 GHz Quad

 Windows Server  Google Chrome  PG SQL -

This is the port on which you will connect to the

This is the listener port on which NetFlow exports

Embedded This is the default port used to connect to the

This is the port that connects NetFlow Analyzer

This is the default SNMP port to fetch the device

This is the port through which the collector

1. For production use 64 bit versions of SQL

Mixed mode (MSSQL and Windows Authentication).

Installation and Startup

1. Download NetFlow Analyzer for Linux

Step 3: Select the location

Step 4: Choose the installation directory

Step 5: Configure the Webserver and Listener Ports.

sudo ./ManageEngine_NetFlowAnalyzer_xxxx.bin -is:tempdir

For non-x11 machines, use the following command:

sudo ./ManageEngine_NetFlowAnalyzer_xxxx.bin -i console

1. Login as root user.

4. Then execute the command systemctl start NetFlow Analyzer service

Shutting Down and Uninstalling

Shutting Down NetFlow Analyzer

Uninstalling NetFlow Analyzer

NetFlow Analyzer - Supported Devices

NetFlow Analyzer leverages on NetFlow®, sFlow®, cflowd®, J-Flow®, IPFIX®, NetStream®

Cisco IOS Software Release Version Supported Cisco Hardware Platforms

12.0 Cisco 1720, 2600, 3600, 4500, 4700, AS5800

RSP 7000 and 7200 series

uBR 7200 and 7500 series

12.0T, 12.0S Cisco 1720, 2600, 3600, 4500, 4700, AS5800

RSP 7000 and 7200 series

uBR 7200 and 7500 series

RSM series, MGX8800RPM series, and BPx8600 series

RSP 7000 and 7200 series

RSM series, MGX8800RPM series, and BPx8650 series

12.0(4)T Cisco 1400, 1600, 1720, 2500, 2600, 3600, 4500,

4700, AS5300, AS5800

RSP 7000 and 7200 series

uBR 7200 and 7500 series

RSM series, MGX8800RPM series, and BPx8650 series

12.0(4)XE Cisco 7100 series

12.0(6)S Cisco 12000 series

Cisco IOS Routers, Cisco IOS Routers, ASR 1000

NetFlow-Lite Cisco 2960-X, 4948E switches

Cisco Meraki All Meraki NetFlow devices