
Cisco NetFlow Generation 3000 Series Appliances

Cisco NetFlow Generation Appliance 3240


General Overview

Q. What is the Cisco® NetFlow Generation Appliance (NGA) 3240?
A. The Cisco NetFlow Generation Appliance 3240 is a scalable, cost-effective appliance that provides flow visibility in high-performance data centers. Built on Cisco Unified Computing System (Cisco UCS) C220 M3 hardware, the NGA 3240 generates, unifies, and exports flow data so that network operations, engineering, and security teams can improve network operations, enhance service delivery, implement accurate billing, and harden network security.
Cisco NGA consumes raw packet data from platforms such as Cisco Nexus® 7000, Cisco Nexus 5000, Cisco Nexus 3000, and Catalyst® 6500 Series Switches and creates and exports NetFlow Data Export (NDE) records (Version 5 [v5], Version 9 [v9], and IPFIX) for traffic analysis and other management needs. Flow visibility is amplified when the NGA is connected to multiple network devices so that flows can be analyzed hop by hop, which is essential for security, capacity planning, and troubleshooting. To simplify operational manageability, the appliances can be deployed at key observation points such as the server access layer, FabricPath domains, and Internet exchange points.
Designed for high performance and deployment flexibility, the appliance gathers packets through Switched Port Analyzer (SPAN) sessions or network taps, maintains a large active flow cache (80 million entries), and can export NetFlow data to multiple collectors. Exports can be load balanced across collectors in weighted round-robin fashion, and each destination can be given up to 10 filters to tailor the export to the needs of a specific management application.
Q. What are the key features and benefits of the Cisco NGA solution?
A. The key features and benefits of the Cisco NetFlow Generation Appliance 3240 are outlined in Table 1.

Table 1. Cisco NGA Features and Benefits (each feature is followed by its benefits)

Purpose-built appliance
  • Meets the rigorous performance demands of high-speed data centers
  • Achieves 100 percent accuracy with full visibility into traffic flows

NetFlow v5, v9, and IPFIX export formats
  • Preserve investments in your existing NetFlow collection infrastructure

SPAN and network tap support
  • Integrate seamlessly with flexible setup and configuration options, and without affecting the existing infrastructure
  • Quickly gather flow visibility into specific traffic of interest with ease of SPAN configuration
  • Connect to multiple devices to unify flow visibility and allow hop-by-hop analysis

Advanced filters for custom exports
  • Streamline flow collection with a single source of flow visibility for multiple management applications
  • Customize the exports to address specific management needs

Load balancing and flow replication across multiple collectors (up to six)
  • Use an effective deployment design to maximize collection scalability

Layer 2/Layer 3 NetFlow support
  • Creates a comprehensive view of traffic flows in the data center

Up to 80 million active flow cache entries
  • Mitigate the risk of compromising accuracy as a result of the cache becoming full
  • Scale to a variety of traffic profiles with a mix of short-lived and long-lived flows

Application awareness
  • Recognizes applications on the basis of port, port ranges, and built-in heuristics

Q. What are the new capabilities introduced with Cisco NGA Software Version 1.0.2?
A. The new capabilities introduced with software version 1.0.2 are listed in Table 2.

Table 2. New Capabilities in Cisco NGA Software Version 1.0.2 (each feature is followed by its description)

Enhanced managed device support
  • Extends managed device support to the Cisco Nexus 3000 Series Switches, reinforcing consistent flow visibility across the Cisco Unified Fabric data center architecture
  • For managed devices, the extracted interface information includes ifName, ifDescr, ifAlias, ifType, ifMtu, ifSpeed, and ifHighSpeed

TCP flag reset
  • Each export of a flow carries only the TCP flag bits observed since the previous export (exports occur at the configured timeout interval over the lifetime of the flow), so the flag bits are reset after every export rather than accumulated. Collectors used for security auditing and for detecting security concerns benefit, because a flag such as SYN or RST can be tied to the export interval in which it appeared

TCP session timeout based on FIN detection
  • A TCP flow is expired from the cache when a FIN packet is detected, so collectors learn immediately that the TCP session has closed

Active flow cache size increased to 80 million entries
  • Mitigates the risk of compromising accuracy as a result of the cache becoming full
  • Scales to a variety of traffic profiles with a mix of short-lived and long-lived flows
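The flag-reset and FIN-expiry behaviours above change what a collector must do with the flag bits. The Python below is an added example (my code, not Cisco's or the NGA's): it reassembles a long-lived TCP session from several exports whose flag bits were reset after each export, closes it on FIN, and shows the misclassification a collector makes if it judges a flow by the flags in its latest record only. The records are constructed, and the assumption that packets arriving for the same 5-tuple after the FIN-triggered expiry open a new cache entry (and therefore a new record) is mine.

```python
"""Collector-side handling of NetFlow records from an exporter that resets
TCP flag bits after every export and expires a TCP flow as soon as a FIN
is seen.  Added example with constructed records; this is not NGA code."""
from typing import Dict, List, Tuple

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

FlowKey = Tuple[str, int, str, int, int]  # src, sport, dst, dport, proto

# Constructed export records in arrival order.  Because the exporter resets
# flags after each export, "flags" holds only the bits seen since the
# previous record for that flow; a cumulative exporter would repeat SYN in
# every record of the first flow.
SAMPLE_RECORDS: List[dict] = [
    {"key": ("10.1.1.5", 44321, "192.168.1.10", 443, 6), "flags": SYN | ACK, "bytes": 1200, "pkts": 6},
    {"key": ("10.1.1.5", 44321, "192.168.1.10", 443, 6), "flags": ACK | PSH, "bytes": 48000, "pkts": 40},
    {"key": ("10.1.1.5", 44321, "192.168.1.10", 443, 6), "flags": ACK, "bytes": 3000, "pkts": 25},
    {"key": ("10.1.1.5", 44321, "192.168.1.10", 443, 6), "flags": ACK | FIN, "bytes": 120, "pkts": 2},
    # Assumed behaviour: the peer's final ACK arrives after the FIN-triggered
    # expiry, so it starts a fresh cache entry and a new record for the 5-tuple.
    {"key": ("10.1.1.5", 44321, "192.168.1.10", 443, 6), "flags": ACK, "bytes": 60, "pkts": 1},
    # Half-open probe to another host: SYN only, never answered.
    {"key": ("10.1.1.5", 50000, "192.168.1.20", 22, 6), "flags": SYN, "bytes": 60, "pkts": 1},
]


def classify(flags: int) -> str:
    """Label a flow from the union of flags seen over its whole lifetime."""
    if flags & RST:
        return "reset"
    if flags & SYN and not flags & ACK:
        return "half-open"          # SYN never answered: scan, filtered, or dead host
    if flags & SYN and flags & FIN:
        return "completed session"
    if flags & SYN:
        return "established, still open"
    return "mid-stream"             # handshake not observed in this session


def reassemble(records: List[dict]) -> Dict[FlowKey, List[dict]]:
    """Fold per-export records into sessions.  Flags are OR-ed across the
    records of one session; a record arriving after a FIN/RST starts a new
    session because the exporter has already expired the old cache entry."""
    sessions: Dict[FlowKey, List[dict]] = {}
    for rec in records:
        lst = sessions.setdefault(rec["key"], [])
        if not lst or lst[-1]["closed"]:
            lst.append({"flags": 0, "bytes": 0, "pkts": 0, "exports": 0, "closed": False})
        s = lst[-1]
        s["flags"] |= rec["flags"]
        s["bytes"] += rec["bytes"]
        s["pkts"] += rec["pkts"]
        s["exports"] += 1
        s["closed"] = bool(rec["flags"] & (FIN | RST))
    for lst in sessions.values():
        for s in lst:
            s["label"] = classify(s["flags"])
    return sessions


def last_record_only(records: List[dict]) -> Dict[FlowKey, str]:
    """The mistake to avoid: judging a flow by the flags in its most recent
    record, which is only valid when the exporter accumulates flags."""
    latest: Dict[FlowKey, int] = {}
    for rec in records:
        latest[rec["key"]] = rec["flags"]
    return {k: classify(f) for k, f in latest.items()}


if __name__ == "__main__":
    for key, lst in reassemble(SAMPLE_RECORDS).items():
        for s in lst:
            print(key, s["label"], f'{s["exports"]} exports, {s["bytes"]} bytes')
```

With the union of flags the first flow is a completed session over four exports and the probe to port 22 is half-open; reading only the latest record labels the completed session "mid-stream" and loses the SYN entirely.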

Q. What are the business benefits of deploying Cisco NGA?
A. Cisco NGA helps to improve network return on investment (ROI), enhance operational efficiency, and reinforce network security. The key benefits are described in Table 3.

Table 3. Key Benefits of Cisco NGA (each benefit is followed by its description)

Improved network ROI
  • Right-size physical and virtual network resources with true capacity planning
  • Characterize network usage for accurate billing or chargeback implementation

Enhanced operational efficiency
  • Gain comprehensive network visibility from multiple network observation points
  • Create custom NetFlow exports to meet specific management needs
  • Improve scalability and design efficiency with support for up to six collectors along with load balancing

Reinforced network security
  • Help enable full network protection with visibility into every flow
  • Isolate offending network behavior with detailed traffic visibility by protocol, endpoint, and conversation

Q. What is the deployment benefit of using Cisco NGA compared to the NetFlow supported natively on the network devices?
A. Cisco IOS® Software NetFlow, supported natively on network devices, provides valuable information about network users and applications, peak usage times, and traffic routing. Cisco invented NetFlow and is the leader in IP traffic flow technology. Cisco NGA complements native NetFlow with a cross-device architectural approach to flow analysis, providing unified flow visibility for performance and security management. The key deployment benefits of Cisco NGA are listed below:

• Meets the rigorous performance demands of high-speed data centers

• Achieves 100 percent accuracy with full visibility into traffic flows

• Integrates seamlessly with flexible setup and configuration options, and without affecting the existing infrastructure

• Quickly gathers flow visibility into specific traffic of interest with ease of SPAN configuration

• Connects to multiple devices to unify flow visibility and allow hop-by-hop analysis

• Streamlines flow collection with a single source of flow visibility for multiple management applications

• Customizes the exports to address specific management needs

Q. What are the different management applications with which I can use Cisco NGA?
A. Cisco NGA can be used with any management application that consumes NetFlow v5, v9, or IPFIX. These applications may include network security monitoring, cloud services monitoring, capacity planning, performance troubleshooting, and others.

Technical Overview

Q. What software version is supported on Cisco NGA 3240?
A. Cisco NGA 3240 supports the software version starting with 1.0.2.
Q. What versions of NetFlow does Cisco NGA support?
A. Cisco NGA supports NetFlow v5, v9, and IPFIX.
Q. Does Cisco NGA support both Layer 2 and Layer 3 NetFlow?
A. Yes. Cisco NGA provides visibility into Layer 2 traffic when it is configured with a flow monitor that uses NetFlow v9 export and a "layer2" flow record. That record uses MAC addresses instead of IP addresses as its match fields; other Layer 2 fields that can be used for matching include "vlan," "ethertype," and "cos."
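Matching on MAC addresses rather than IP addresses means the collector learns the record layout only from the v9 template that precedes the data. The decoder below is an added example (not NGA or Cisco code): it parses a constructed NetFlow v9 packet carrying a Layer 2 template keyed on IN_SRC_MAC, IN_DST_MAC, and SRC_VLAN next to an IPv4 template, using the standard NetFlow v9 field type IDs from RFC 3954, which I assume the NGA's "layer2" record also uses. It rejects on-wire lengths that fall outside the packet and drops data flowsets whose template it has not yet seen rather than guessing.

```python
"""Template-driven NetFlow v9 (RFC 3954) decoder that handles both a Layer 2
record (MAC addresses and VLAN as match fields) and a Layer 3 IPv4 record.
Added example; the packet bytes are constructed inline, not captured from an
NGA, and the field IDs are the standard NetFlow v9 ones, not NGA-specific."""
import struct
from typing import Dict, List, Tuple

# Standard NetFlow v9 field type IDs (RFC 3954, section 8) used here.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 6: "TCP_FLAGS",
    7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP", 56: "IN_SRC_MAC", 58: "SRC_VLAN",
    80: "IN_DST_MAC",
}
MAC_FIELDS = {56, 57, 80, 81}
IPV4_FIELDS = {8, 12, 15}
Template = List[Tuple[int, int]]                  # (field type, field length)
TemplateStore = Dict[Tuple[int, int], Template]   # keyed by (source_id, template_id)


def decode_value(ftype: int, raw: bytes):
    if ftype in MAC_FIELDS:
        return ":".join(f"{b:02x}" for b in raw)
    if ftype in IPV4_FIELDS:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet: bytes, templates: TemplateStore) -> List[dict]:
    """Decode one export packet; templates persist across packets in `templates`."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    records: List[dict] = []
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("flowset length outside packet")   # never trust on-wire lengths
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                        # template flowset, possibly several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                templates[(source_id, tid)] = fields
                pos += 4 * nfields
        elif fs_id >= 256:                    # data flowset: needs a known template
            tmpl = templates.get((source_id, fs_id))
            if tmpl is not None:              # else the template has not arrived yet: drop it
                rec_len = sum(flen for _, flen in tmpl)
                pos = 0
                while rec_len and pos + rec_len <= len(body):   # trailing bytes are padding
                    rec = {"source_id": source_id, "template_id": fs_id}
                    for ftype, flen in tmpl:
                        name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                        rec[name] = decode_value(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        off += fs_len
    return records


def _flowset(fs_id: int, body: bytes) -> bytes:
    body += b"\x00" * (-len(body) % 4)        # pad to a 4-byte boundary
    return struct.pack("!HH", fs_id, 4 + len(body)) + body


def build_sample_packet() -> bytes:
    """Constructed packet: a 'layer2' template (256) keyed on MACs and VLAN,
    an IPv4 template (257), and one data record for each."""
    l2_tmpl = [(56, 6), (80, 6), (58, 2), (10, 2), (14, 2), (1, 4), (2, 4)]
    l3_tmpl = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (1, 4), (2, 4)]

    def tmpl(tid, fields):
        return struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)

    l2_rec = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!HHHII", 100, 50, 60, 1500, 10)
    l3_rec = bytes([10, 1, 1, 5]) + bytes([192, 168, 1, 10]) + struct.pack("!HHBBII", 44321, 443, 6, 0x02, 60, 1)
    header = struct.pack("!HHIIII", 9, 4, 123456, 1700000000, 1, 7)   # count = 2 templates + 2 data records
    return header + _flowset(0, tmpl(256, l2_tmpl) + tmpl(257, l3_tmpl)) + _flowset(256, l2_rec) + _flowset(257, l3_rec)


def decode_sample() -> List[dict]:
    return parse_v9(build_sample_packet(), {})


if __name__ == "__main__":
    for rec in decode_sample():
        print(rec)
```

Templates are keyed by source ID as well as template ID because the same template number can mean different layouts from different observation domains; a production collector also keys on the exporter's address and ages templates out.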
Q. Does Cisco NGA support IPv6 traffic?
A. Yes.
Q. How does Cisco NGA gain visibility into network traffic?
A. There are multiple ways for Cisco NGA to gain visibility into traffic from more than one device:

• The appliance includes four 10 Gbps monitoring interfaces, which allow it to collect traffic from more than one network device.

• The appliance can also be used with a network tap to monitor traffic from/between multiple devices.

Q. What is the purpose of the management port on Cisco NGA?
A. Cisco NGA has one 1 Gbps management port. It is used for NetFlow Data Export to the collectors (up to six) and, as its name indicates, for management access to the appliance. NetFlow v5 and v9 exports are neither authenticated nor encrypted, so keep the collectors and the management port on a network that untrusted hosts cannot reach or inject into.
Q. Is there a limit on the number of SPAN sessions that Cisco NGA can support?
A. Cisco NGA has four physical 10 Gbps monitoring interfaces and can monitor up to four network devices using SPAN at one time. Check your switch documentation for the number of SPAN sessions it supports.
Q. Can Cisco NGA connect to Cisco Nexus switching with Virtual Port Channel (vPC)?
A. Yes, vPC can be configured with Cisco NGA as a SPAN destination. Please refer to the Cisco Nexus documentation on how to configure the vPC on the platform.
Q. What are the benefits of configuring a "managed device" on the Cisco NGA solution?
A. Configuring a network traffic source as a "managed device" allows Cisco NGA to gather the interface index from the device. Cisco NGA populates exported NetFlow records with the interface (ifIndex) value and other attributes from the device that is being monitored, rather than the interface attributes from the NGA appliance itself. For example, in a scenario where a flow enters the Cisco Nexus switch on interface 50 and leaves on interface 60, and it is also being replicated (through SPAN) to interface 2 of the NGA, if the Cisco Nexus switch is configured as the "managed device," Cisco NGA can report input interface 50 and output interface 60 for the flow. Otherwise, it will report interface 2 for both input and output, as this is the NGA interface on which a copy of the flow is received. Note that the "managed device" feature support is limited to platforms indicated in Table 4.

Table 4. Managed Device Support

Platform: Cisco Nexus 7000 Series
  Cisco Nexus OS version: 5.2(1), 5.2(4), 6.0(2), 6.1(1), and later
  Supported with Cisco NGA software version*: 1.0 and 1.0.2

Platform: Cisco Nexus 5000 Series
  Cisco Nexus OS version: 5.1(3)N1(1), 5.1(3)N2(1), 5.2(1)N1(1b), and later
  Supported with Cisco NGA software version*: 1.0 and 1.0.2

Platform: Cisco Nexus 3000 Series
  Cisco Nexus OS version: 5.0(3)U1(2), 5.0(3)U3(1), 5.0(3)U4(1), and later
  Supported with Cisco NGA software version*: 1.0.2 (managed device support for this platform was added in 1.0.2; see Table 2)

* Cisco NGA 3240 supports the software starting with version 1.0.2.
Q. How is load balancing across multiple collectors achieved with NGA? What are the benefits?
A. When configuring a flow exporter on the NGA, you may select more than one collector as the export destination. You may select a round-robin policy for the exporter to achieve load balancing among those collectors. In this case, NetFlow packets being exported will rotate among the specified collectors according to the desired weighting. This may avoid overloading any one collector with too many exported records/minute. If, on the other hand, you wish every flow to be exported to all collectors, specify a multidestination policy instead.
Q. Does Cisco NGA provide application visibility?
A. Cisco NGA recognizes applications on the basis of port number, port number range, and the built-in heuristics noted in Table 1. If NGA cannot recognize an application using any of these mechanisms, the application type of the traffic is reported as unknown. Port-based classification is only as reliable as the port assignment: traffic on a nonstandard port is reported as unknown, and a service listening on a well-known port that belongs to another application is reported as that application.
Q. What are the command-line interface (CLI) options available to configure Cisco NGA?
A. Cisco NGA can be fully configured using only the CLI if desired. The commands can be found under the "flow filter," "flow collector," "flow record," "flow exporter," "flow monitor," and "managed-device" top-level keywords. Please refer to the command-line reference manual for complete documentation of the CLI.
Q. Where can I find deeper technical details about Cisco NGA?
A. For more details, please refer to the Cisco NGA User Guide.

Deployment

Q. What is required to deploy the Cisco NGA solution?
A. The following are required to deploy the Cisco NGA solution:

• Cisco NGA 3240 hardware

• A supported browser for the appliance's web interface: Microsoft Internet Explorer 9, or Firefox ESR 10 or later

Q. Where can Cisco NGA be deployed in the network?
A. Cisco NGA is targeted for deployment in high-throughput environments such as the data center and campus core. It can be deployed at key observation points such as the server access layer, FabricPath domains, and Internet exchange points. To take full advantage of NGA's unified, cross-device approach to flow analysis, NGA can be deployed to observe flows across access switches, across access and distribution switches, before and after a firewall, and so on.
Q. Can the Cisco NGA solution be used only with Cisco Nexus 7000, Cisco Nexus 5000, or Cisco Nexus 3000 Series Switches?
A. Cisco NGA can work with any switch that supports SPAN, or with traffic from a network tap where one is available. However, NGA has been designed to obtain interface information from Cisco Nexus 7000, Cisco Nexus 5000, and Cisco Nexus 3000 Series Switches, which provides richer NetFlow analysis by allowing users to analyze the specific interfaces associated with the flow information, for example, to understand interface utilization or traffic distribution by differentiated services code point (DSCP) on an interface. To obtain the interface information, the Cisco Nexus switch must be configured as the "managed device" on the Cisco NGA.
Q. Can the Cisco NGA be connected to multiple network devices?
A. Cisco NGA transforms packet data gathered from multiple devices into NetFlow records and exports the flow data to NetFlow collectors. Cisco NGA has four 10 Gbps monitoring ports that can be used to connect to multiple network devices. For example, Cisco NGA can be connected to four Cisco Nexus 5000 Switches in the data center access layer with each port connected to a switch. Different types of network devices can also be connected to NGA. For example, two NGA ports can be connected to a Cisco Nexus 5000 Switch in vPC mode, one NGA port connected to a Catalyst 6500 Switch, while the fourth NGA port is connected to a network tap. Using a network tap, additional devices can be connected to the Cisco NGA.
Q. What are the benefits of connecting Cisco NGA to multiple devices?
A. Cisco NGA can facilitate unified flow visibility using data gathered from multiple core/aggregation switches or a combination of core/aggregation and access switches. Flow visibility is dramatically amplified when multiple network devices are connected to the Cisco NGA to unify flows for a diverse set of business-critical applications such as security, troubleshooting, or capacity planning. As an example, Cisco NGA can be used to help analyze the flows before and after a firewall to determine whether the firewall is dropping the flow.
Q. Can multiple VLANs be spanned to the Cisco NGA?
A. Cisco NGA helps enable VLAN visibility when using SPAN to allow the user to select VLANs of interest. This is specifically useful when monitoring traffic on server VLANs.
Q. Can you provide more information on the use of a tap as a data source?
A. Where a network tap infrastructure is in place, traffic aggregated by a central tap aggregator can be directed to the NGA. The tap can be connected to one or more of the four 10 Gbps monitoring ports on the NGA, and traffic received through a tap is treated like SPAN from a switch. However, there is no switch interface learning when using a tap, because of tap vendor design considerations: the "managed device" feature has no device to query, so the exported records carry the NGA's own interface index for input and output. A network tap is commonly used to gather traffic from multiple network devices.
Q. What taps does Cisco recommend that I use with my NGA hardware?
A. Cisco has tested several taps that can be used with the Cisco NGA. The list is documented in the NGA User Guide. Additional taps from the same vendors or taps from other vendors may also support the NGA hardware, but they have not specifically been tested by Cisco.
Q. How do I deploy my NetFlow reporting application if the collector does not scale to the performance of NGA?
A. Cisco NGA is designed to support high performance while offering deployment flexibility. In scenarios where a collector is not able to scale to handle the exported NetFlow records, the following options are available:

• Configure filters to limit the exported NetFlow records to the traffic of interest. These filters can be configured independently for each collector.

• Load balance exported NetFlow records across multiple collectors in a weighted round-robin fashion.

Q. What are the different export filters supported by Cisco NGA?
A. Cisco NGA supports a rich set of filters for NetFlow export. These filters can be applied independently for each collector. Please refer to the Cisco NGA User Guide for a list of filters.
Q. How can I use the filters to create custom exports for my management applications?
A. During the NetFlow export or collector configuration, the user can apply filters to permit only the flow records of interest to be sent to the collectors. Cisco NGA offers flexibility by allowing custom exports to be created to meet the requirements of specific management applications that consume the flow information. For example, all flows could be forwarded to a security application, while flows specific to an application or endpoint could be forwarded to a management application for capacity planning. Please refer to the Cisco NGA User Guide for details on how to configure the custom filters.
Q. To how many collectors can I export NetFlow from the Cisco NGA?
A. Cisco NGA can export NetFlow to up to six collectors. NGA can export the same NDE record to every collector (multidestination policy) or load balance the records among the collectors using a weighted round-robin export policy.
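The round-robin versus multidestination policy described in the Technical Overview and the per-collector filters described in the preceding answers interact in a way worth seeing on records. The simulation below is an added example (not NGA or Cisco code): it implements one common weighted round-robin scheduler (the smooth variant used by nginx, assumed here; this page does not document the NGA's own scheduler), applies an independent filter per collector, and measures how many of a scanner's destination ports a security collector can still see under each policy. The collectors, weights, filters, and traffic are constructed.

```python
"""Simulation of an exporter's collector policy: weighted round-robin across
collectors versus multidestination, with an independent filter per collector.
Added example; weights, filters and flow records are constructed, and the
smooth weighted round-robin below is one common algorithm, not necessarily
the NGA's own scheduler."""
from typing import Callable, Dict, List, Optional

MAX_COLLECTORS = 6   # limit stated for the NGA


class Collector:
    def __init__(self, name: str, weight: int = 1, flt: Optional[Callable[[dict], bool]] = None):
        if weight < 1:
            raise ValueError("weight must be >= 1")
        self.name = name
        self.weight = weight
        self.flt = flt or (lambda r: True)   # per-destination export filter
        self.received: List[dict] = []
        self._current = 0                    # smooth weighted round-robin state


class Exporter:
    def __init__(self, collectors: List[Collector], policy: str):
        if not 1 <= len(collectors) <= MAX_COLLECTORS:
            raise ValueError(f"between 1 and {MAX_COLLECTORS} collectors")
        if policy not in ("round-robin", "multidestination"):
            raise ValueError("unknown policy")
        self.collectors = collectors
        self.policy = policy

    def _next_rr(self) -> Collector:
        """Smooth weighted round-robin: a 2:1 weighting yields A,B,A rather than A,A,B."""
        total = sum(c.weight for c in self.collectors)
        for c in self.collectors:
            c._current += c.weight
        chosen = max(self.collectors, key=lambda c: c._current)
        chosen._current -= total
        return chosen

    def export(self, record: dict) -> List[str]:
        """Deliver one record; returns the names of the collectors that received it."""
        targets = self.collectors if self.policy == "multidestination" else [self._next_rr()]
        delivered = []
        for c in targets:
            if c.flt(record):                # the filter is applied per destination
                c.received.append(record)
                delivered.append(c.name)
        return delivered


def distinct_dst_ports(records: List[dict], src: str) -> int:
    """Crude port-scan indicator a security collector might compute."""
    return len({r["dst_port"] for r in records if r["src"] == src})


# Constructed traffic: one host probing 30 ports, plus ten normal web flows.
SCAN = [{"src": "10.1.1.5", "dst": "192.168.1.20", "dst_port": p, "proto": 6} for p in range(1, 31)]
WEB = [{"src": f"10.2.0.{i}", "dst": "192.168.1.10", "dst_port": 443, "proto": 6} for i in range(10)]


def run(policy: str) -> Dict[str, Dict[str, int]]:
    """Per collector: records received and how many of the scanner's ports it can see."""
    sec = Collector("security", weight=2)                                              # wants every flow
    cap = Collector("capacity", weight=1, flt=lambda r: r["dst_port"] in (80, 443))    # web traffic only
    ex = Exporter([sec, cap], policy)
    for rec in SCAN + WEB:
        ex.export(rec)
    return {c.name: {"records": len(c.received),
                     "scan_ports_seen": distinct_dst_ports(c.received, "10.1.1.5")}
            for c in (sec, cap)}


if __name__ == "__main__":
    print("round-robin:     ", run("round-robin"))
    print("multidestination:", run("multidestination"))
```

Under round-robin the security collector sees 20 of the 30 probed ports, and the 10 probes handed to the capacity collector are discarded by its web-only filter, so no collector can reconstruct the scan. A collector that feeds detection logic needs every record, which is what the multidestination policy provides; round-robin suits destinations that can tolerate a share of the records, and filters are the tool for trimming what each of those destinations receives.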
Q. What are the configuration options available with the Cisco NGA solution?
A. Cisco NGA offers a comprehensive configuration including export filters, flow collectors, flow records, exporter policy, and monitor configuration. For more detailed configuration information, please refer to the Cisco NGA User Guide.

Reporting and Management

Q. What reporting applications does Cisco NGA support?
A. Cisco NGA exports standard NetFlow (v5, v9, IPFIX). Any NetFlow collector supporting these formats can be used for visualizing NetFlow data exported by the Cisco NGA. To expose the source device interface index in the NetFlow exports, the traffic source device must be configured as the "managed device" in the Cisco NGA.
Q. Can Cisco Prime Network Analysis Module (NAM) be used for collecting NDE from Cisco NGA?
A. Cisco Prime NAM can be used for collecting NDE from Cisco NGA. Note that Cisco Prime NAM uses NetFlow primarily for troubleshooting and traffic trend and optimization analysis. It does not retain raw NetFlow records and aggregated NetFlow statistics for historical reporting.
Q. What are the benefits of using Cisco Prime Infrastructure with Cisco NGA?
A. Cisco Prime Infrastructure provides end-to-end visibility for service-aware networking and assurance for applications, services, and end users. In addition, it integrates with network service lifecycle management, providing visibility across various phases, namely design, deploy, operate, and optimize. Deployed in conjunction with Cisco NGA, Cisco Prime Infrastructure offers customizable prepackaged dashboards for NetFlow analysis, along with the ability to retain raw NetFlow records and aggregated NetFlow statistics for historical reporting.
Q. What is Cisco Prime for IT?
A. Cisco Prime for IT is an innovative strategy and portfolio of management products that empower IT departments to more effectively manage their networks and the services they deliver. Cisco Prime is built on a network services management foundation and a set of common attributes. It delivers an intuitive workflow-oriented user experience across Cisco architectures, technologies, and networks. Cisco Prime simplifies network management, improves operations efficiency, reduces errors, and makes the delivery of network services more predictable.
Q. Is Cisco Prime a product?
A. Cisco Prime is a portfolio of integrated management products that are each licensed separately. The portfolio includes three solution families and their associated products:

• Cisco Prime Infrastructure includes Cisco Prime Infrastructure, Cisco Prime Network Analysis Module, and Cisco Prime Network Registrar.

• Cisco Prime Collaboration includes Cisco Prime Collaboration.

• Data Center includes Cisco Prime Network Analysis Module, Cisco NetFlow Generation Appliance, and Cisco Prime Data Center Network Manager.

Q. If I already have a NetFlow reporting solution from a Cisco partner, can I use it for Cisco NGA reporting?
A. Yes, any NetFlow reporting application that supports NetFlow v5, v9, and IPFIX can be used to visualize NetFlow data exported by the Cisco NGA. As mentioned above, to expose the source device interface in the NetFlow reports, the source device must be configured as the "managed device" in the Cisco NGA.

Ordering

Q. How do I order the Cisco NGA solution?
A. To place an order, visit the Cisco Ordering Homepage. To download software, visit the Cisco Software Center. Cisco NGA part numbers are indicated in Table 5.

Table 5. Ordering Information

Product Name                                     Part Number
Cisco NetFlow Generation Appliance (NGA) 3240    NGA3240-K9
NetFlow Generation Software Version 1.0          NGA-SW-NGA1.0N-K9

For ordering convenience, the Small Form-Factor Pluggable Plus (SFP+) module part numbers listed in Table 6 are offered on the Cisco Ordering Homepage when you order Cisco NGA. Please refer to the Cisco 10GBASE SFP+ Modules Data Sheet for ordering information for these Cisco SFP+ modules and related cables.

Table 6. SFP+ Modules

Product Name                          Part Number
10GBASE-SR SFP+ Module (Spare)        SFP-10G-SR=
10GBASE-LR SFP+ Module (Spare)        SFP-10G-LR=

Q. Must I purchase the SFPs from Cisco or can I purchase them elsewhere?
A. For your ordering convenience, the SFP+ part numbers (Table 6) are available as options when you order the Cisco NGA. The SFP+ modules can also be purchased elsewhere, if desired. Note that modules not purchased from Cisco are not covered by Cisco SMARTnet®.
Q. How do I obtain access to new Cisco NGA software updates?
A. Customers who have purchased SMARTnet for their NGA are entitled to download software updates covered with the contract from the Cisco.com Software Center.

Additional Information

Q. Are any components of the Cisco NGA field replaceable?
A. Two components of Cisco NGA are field replaceable, namely the hard drive and power supply unit. For example, if a power supply fails, a new one will be shipped from the services depot for replacement assuming a valid SMARTnet services contract is in place.
Q. Where can additional information about the Cisco NGA be found?
A. For more information about the Cisco NGA, visit http://www.cisco.com/go/nga or contact either your local account representative or the NGA product marketing group at nga-info@cisco.com.
Q. Where can I get more information about Cisco Prime products?
A. For more information about Cisco Prime products please visit http://www.cisco.com/go/prime.