Re: [Nfsen-discuss] looking for global configuration examples
Netflow visualisation and investigation tool
From: Peter H. <ha...@sw...> - 2006-08-10 09:13:18
Hi Cédric

-------- Original Message --------
From: "Cédric Delaunay" <ced...@gm...>
To: nfs...@li...
Subject: [Nfsen-discuss] looking for global configuration examples
Date: Thu Aug 10 2006 09:53:47 GMT+0200 (CEST)

> Hello All,
>
> Up to today, I just tried to work with live profile and analyse, filter or
> list its content.
> Now I'd like to use the profile function but I don't know how to configure
> sources to create interesting graphs and profiles.
>
> Here is the situation.
> We have a big 6513 router connecting all internal Vlans.
> One of this router's interfaces is plugged (across a firewall) to our front
> router (a cs7200 connected with a Gigabit interface on Renater).
> Both are netflow enabled and, at the present time, my main sources in the
> live profile.
>
> So here are some questions:
> - Have you an idea of the conf I should use (using samplicate and maybe
> nfsplit) to get representative graphs in nfsen ?

Samplicator or nfsplit is needed only when your routers send the netflow data
to the same port. But you can easily configure the routers to send the flows to
different ports ( 9995/9996 ) so each source has its own port number, as
configured in nfsen.conf.

> - What are the most used filters you use to manage your network ?

Well - I think there is no global answer to this question. It depends on what
you want to see.

> - Do I have to create a source containing only the output traffic and
> another input representative and how (nfsplit interfaces separation or other
> method) ?

As far as I know, routers do export netflow data on configured interfaces -
ingress as well as egress. If you need to split the traffic in ingress/egress
you need to do that in an NfSen profile for example.

A few notes on profiles:
Up to and including latest NfSen, a profile is a filtered view of the 'live'
profile, whereas the live profile contains all your netflow sources ( 2 in
your case ).
The profile filter applies to all sources likewise, which means the filtered
profiles are also based on the netflow sources. See also some of the
presentations I held.

Maybe new NfSen will suit your need more: you will be able to create a profile,
independent of your original sources, containing any number of channels,
whereas each channel can have its own filter. This will allow you to split up
traffic more flexibly in the way you like, e.g. display the VLAN traffic and
much more. But this is still in development - see the screenshot appended for an
appetizer :)

> - How do you actually configure your routers, is only "ingress" traffic

As far as I know, you can not do that. However, I would like to see all traffic.

- Peter

> collected or both "ingress" and "outgress" ?
> - Which solution is the most effective ?
>
> What else do we have to know ?
>
>
> Thanks in advance for your answers. I think it could be useful that the
> nfsen-masters explain how they work to the newbie like me.
> I'm a beginner in metrology science and don't really know what are the
> important things I should manage and supervise.
> If another newbie has other questions or ideas, they are welcome :).
>
> Bye
> Cédric

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: pet...@sw... Web: http://www.switch.ch/security
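An added example, not part of the original thread and not NfSen code: a small Python model of the reply's two points, that each router is told apart by the collector port it sends to (9995/9996) and that a profile is one filter applied alike to every source of the live data. The source names, the internal prefix 10.0.0.0/8 and the flow records are constructed assumptions, and direction is judged by address here rather than by router interface.

```python
import ipaddress
from collections import defaultdict

# Assumption: the site's internal address space (constructed for this example).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# One collector port per router, as suggested in the reply; names are hypothetical.
SOURCES = {9995: "core6513", 9996: "border7200"}

# Constructed sample flows: (collector port, src addr, dst addr, bytes).
FLOWS = [
    (9995, "10.1.2.3", "192.0.2.10", 1200),
    (9995, "198.51.100.7", "10.1.2.3", 5400),
    (9996, "10.4.0.9", "203.0.113.5", 800),
    (9996, "203.0.113.5", "10.4.0.9", 9100),
    (9996, "10.4.0.9", "10.1.2.3", 300),  # internal to internal
]


def direction(src, dst):
    """Classify a flow relative to INTERNAL.

    'ingress' corresponds to an nfdump-style filter such as
    'dst net 10.0.0.0/8 and not src net 10.0.0.0/8'; 'egress' is the mirror.
    """
    src_in = ipaddress.ip_address(src) in INTERNAL
    dst_in = ipaddress.ip_address(dst) in INTERNAL
    if dst_in and not src_in:
        return "ingress"
    if src_in and not dst_in:
        return "egress"
    return "other"


def profile(flows, wanted):
    """Filtered view of the live data: the same filter is applied to every
    source, and the result stays broken down per source (byte totals)."""
    totals = defaultdict(int)
    for port, src, dst, nbytes in flows:
        if direction(src, dst) == wanted:
            totals[SOURCES[port]] += nbytes
    return dict(totals)


if __name__ == "__main__":
    for name in ("ingress", "egress", "other"):
        print(name, profile(FLOWS, name))
```
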