Avaya has released an updated technical configuration guide detailing how to configure IPFIX on the Ethernet Routing Switch 4500, 5000, 8300 and 8600. The document goes into detail documenting how to configure the different switch models. It also covers Avaya’s IP Flow Manager (IPFM) in significant detail.
I’m curious if anyone out there is using Avaya’s IP Flow Manager and has any thoughts and/or comments to share.
I remember a few folks either here or on the forums commenting that they were using nTop to collect the IPFIX flow information. Anyone have any thoughts about nTop/nProbe?
Cheers!
Image Credit to Network World
Hello,
The first link in your post goes to http://www.michaelfmcanmara.com/files/NN48500-595_2.0_IPFIX_TCG which doesn’t work. Can you post the correct URL?
Regarding nprobe, we tested a beta copy that exported some cool stuff with IPFIX (e.g. latency, URLs, etc.).
http://www.plixer.com/blog/netflow/scrutinizer-7-7-released-with-latency-and-url-netflow-analysis/
Jake
Hi Jake,
I’ve fixed the link in the post…. thanks for the heads-up!
Cheers!
Firstly Michael thanks for a great blog!
Last year I spent a few days on IP Flow Manager with our 8600’s, unfortunately I had real troubles getting consistent results. It could have been partly me but I did have assistance from my Nortel tech representative and he was unable to assist much. At that stage the feel of the software was really “beta”, and I eventually gave up and the trial license has since expired.
Would like to hear if others have been more successful or what they are using to collect IPFIX with.
Thanks for the comments Nug!
I’m excited that the ERS 8600 and 5000 series both support IPFIX but now I need to figure out what cost effective options are available.
Like yourself I’m waiting to see if anyone chimes in here… I’m probably going to evaluate a few different options later in the year. I need a tool that can provide more visibility than MRTG/RRD/PRTG/etc.
Cheers!
I just purchased the Solarwinds Orion Netflow Traffic Analyzer (NTA) plug-in for our Network Performance Monitor (NPM) console and will be using the technical document above to configure IPFIX on our ERS8600 Cores. I’ll follow up with my results.
The plixer team has worked extensively with the NetFlow/IPFIX from the 5500 and 8600 series Nortel gear. Blogs are here:
http://www.plixer.com/blog/index.php?s=nortel
Keep in mine that the 5500 only samples and the 8600 is supposed to collect 100%, but our customers are experiencing otherwise.
Scrutinizer does a great job at reporting on the data.
So far I turned on IPFIX on the port that forwards all the Intenet bound traffic and the results are good! I’m surprised to see so many protocols traversing my LAN outbound to the ‘net but it’s exactly what I was hoping to find.
Next step is to start tracking closet (edge) flows to see what my users are doing with our local resources…
I’m sure you’ll find some interesting stuff… a few months back we setup an evaluation copy of Websense so it could watch our 50Mbps Internet link. I can’t begin to tell you some of the stuff we saw, and the reaction from some folks was far from comical. It was as if it was their god given right to watch the Steve Harvey show every morning from 6AM ant 9AM over the Internet (video and all).
Thanks for keeping us in the loop… I need to find some time and start evaluating some products.
I have been using the OpManager software for a while now. There is a free download that monitors 2 ports. Produces good reports and statistics and is very “cost effective”
I’ve tested Avaya IPflow manager 2.0 and is very poor, Fluke netflow tracker is very good, but $$$ . I finally installed nfdump/nfsen and is a great tool, much better than ntop.
Hi Gus,
Thanks for the comment! I’ll need to look into nfdump/nfsen… I see nfsen is based on RRDtool which I already heavily use.
Cheers!
Hi,
I have been testing several IPFIX collectors for a few weeks now, both on ERS4500 and 5000.
So far, the only collector displaying the right size for the flows is the one from Fluke Network, I don’t know why, but others (such as Ntop, Solarwind, scrutinizer) are seeing the flows but not with the proper size (basically I see about 1Gbit/s with the first product (which is about right) whereas other products show around a MegaBytes/s).
Also, flows are sampled on ERS4500 and 5000 at a rate of 1:1000…
Hope that can help
Some products multiply the sampled packets by the sample rate to make up for the packets missed (e.g. 200 packets sampled * 1000 = 200,000 packets). I’m not a fan of this math tactic for reasons best left to a blog.
Some products display data in bytes by default. Besure to make note of this. Call plixer pre-sales support +1 (207) 324-8805 x3. They might have some insight (no obligation to buy).
Thanks, that’s some valuable knowledge! They may very well be using this trick.
Just to be sure I understand the way sampled netflow works correctly, every 1000 packet, the switch takes one and send it to the collector right? What about the size of the flow? Does the switch only add the size of the packets sampled to the total size of the flow or is there a counter that gets incremented for each packets (even the one that are not sampled)? The first one would make more sense….
It doesn’t sample flows, it samples every 1000 (configurable) packet. Only Cisco samples flows and only on some switches.
Hi everybody,
I’m wondering about the size of the packet sent ? I mean, have you some feedback about the bandwidth required, I think it depends on traffic but is there a “magic formula” to calculate this ?
Thanks for your help.
It depends on how many flows are seen by your switch…
For example, if you are doing a tcp port scan, you will see a lot of flows but basically no data whereas if you are downloading a file using http you will see only one flow with a lot of data transfered.
There is no real link between the throuput of the network and the number of flow created and thus the amount of ipfix data exported; it depends on the number of devices you have on your network, on the protocol used (p2p = lots of flows!)…
Hope that helped you a little bit…
Yes, it helps me to understand how it works. So in fact, an IPFIX paquet can be little if there is just one flow (http download) and it can be very heavy if there are many flows (p2p).
I don’t know if there is a maximum size for a IPFIX packet, I can’t find the information (even in the RFC).
By the way, thanks for your reply.
Hello,
Right now I try to import flows from a Nortel 8600 router but it turns out that I can choose between different protocols:
Protocol Version: IPFIX – preipfixv9 – preipfixv5.
I did a sniff with Wireshark and I can not view the templates correctly.
(visit http://www.plixer.com/blog/netflow/nortel-switches-and-ipfix-a-mixed-message/)
No detailed information about the content of the different protocols are available on the guide:
http://www.michaelfmcnamara.com/files/NN48500-595_2.0_IPFIX_TCG.pdf
I discovered that there were three types of sampling in the NetFlow protocol;
“Full”, “Sampled”, “Sampled random” but I don’t know the type of sampling used by NORTEL / AVAYA.
As I understand it, according to the documentation if I set the sampling-rate parameter to a value 1, I would get a netflow flows in real time?
This will then allow me to make reliable statistics on the speed of the router network in real time?
My goal is to calculate / show:
– The speed physical interface (by SNMP).
– The flow in real networks:
According to the manufacturer’s documentation, it should have the “Ingress VLAN ID field,” but it was unfortunately not present in the frame. (Is it possible to have the speed VLAN interface?)
Are there any Netflow mibs for Nortel / Avaya as is the case for cisco?
http://www.cisco.com/en/US/docs/ios-xml/ios/netflow/configuration/12-4t/cfg-snmp-mib-mon-nf.html
If mibs netflow diponibles which, I might have the speed VLAN interface snmp, it would be really cool!
Hi Denis,
I’m not sure I understand the question (is there a question in there?) What do you mean by “view templates correctly”?
If you look at the comments you’ll see that multiple people have already commented that the ERS 5000 series is sampled while the ERS 8600 series is a full feed.
You need to enable IPFIX globally, enabled it at the port level and the configure a collector which the switch will send the IPFIX information to. The technical configuration guide points all that out pretty clearly.
I don’t believe the ERS 8600 supports the collection of IPFIX data locally which it what you are referring to with your reference to Cisco. The only option is to send the data off to a collector.
Good Luck!
Hi,
Does it make sense to run IPFIX on SPBM links since packets on SPBM links are encapsulated MAC in MAC?
That’s a great question… unfortunately I don’t have the answer, you should need to talk to the talented engineers at Extreme.
Sorry.