For more information on NTA, visit: http://www.solarwinds.com/products/network-traffic-analyzer/info.aspx Watch this webcast: http://www.solarwinds.com/resources/videos/video-tutorial-netflow-training-part-i.html This video tutorial covers NetFlow best practices for planning and deployment and is Part 1 of the NetFlow training series.

2. Introduction
 A big “Howdy” from SolarWinds
based in Austin, Texas
» Josh Stephens, Head Geek, Monster Blogger,
Constant Tweeter
» Chris LaPoint – Senior Product Manager, lover of
island living, beaches, and sand…
 Today’s Topic: Training on the Orion
NetFlow Traffic Analyzer
 Who is SolarWinds?
» Dude, if you don’t’ know this
you’re on the wrong webcast…

3. Housekeeping
 Can you hear me now?
 If not, use the GoToWebinar chat or Q&A
panel to let us know.
 How do you win the free stuff?
 How do you ask questions?
 Will this thing be recorded?
 Ask lots of questions, if needed
we’ll do a part #2…

4. Agenda
 What is NetFlow and Why Do I Need It?
 NMS Deployment Preparation
 Installing and Configuring NTA
 Enabling Devices for NetFlow
 Maximizing the benefits of NTA
 Optimizing the User Interface
 Best Practices for using NTA data
 Q&A

5. Basics of Traffic Flow Technologies
 Keeps track of the traffic flowing from place to place
 Traditionally leveraged on to monitor layer 3 (routed)
traffic flows
 Recent addition of layer 2 (switched) traffic detail

6. What is a “Flow”
 A flow is identified by NetFlow v5 Key Fields
combining a set of key Source IP Address
Destination IP Address
fields from the network Source Port Number
packets Destination Port Number
Layer 3 Protocol Type
ToS byte
 A flow has a set of Logical Interface Index
statistical data NetFlow v5 Flow Statistics
System uptime start of flow
System uptime end of flow
# of packets in flow
# of bytes in flow

7. Shared Technical Details
 Transport Protocol is UDP
» Some newer versions optionally support TCP and SCTP
» UDP Port numbers are generally configurable
 Technology included within router/switch software
» Check your IOS feature set if using Cisco gear
» Some implementations in software, some on ASIC
 Easy to configure/enable on network gear
» Usually only a few CLI commands
» Some devices configurable via SNMP and/or web services interface

8. Top 5 Reasons to use Flow Technology
Boss Reasons Geek Reasons
#5 Helps meet compliancy needs #5 Helps you keep hackers out
#4 Enables cost savings on service #4 Points out the bandwidth hogs
provider costs
#3 Aids with capacity planning #3 Helps you fine-tune your QoS
implementations
#2 Identify non-essential traffic #2 Immediately know when a cool
new YouTube video is discovered

9. Top 5 Reasons to use Flow Technology
Boss Reason #1 Geek Reason #1
You already own the hardware It’s just plain cool!!

10. Possible Downfalls – Rumors and Facts
 Turning on NetFlow will kill my routers…
 sFlow data isn’t valuable because it doesn’t
include all of the data…
 Collecting NetFlow data can generate a very
large database…
 I need to buy a complicated and expensive
piece of software to leverage the flow data…

11. Comparison of Flow Analysis Technology
 NetFlow Version 5
» Developed by Cisco Systems but now in use by several vendors
» Includes details for all traffic flows
» Reports data including source and destination interfaces, IP
addresses, protocol, port numbers, AS numbers, and TOS/DSCP
information.
 NetFlow Version 7
» Rarely seen today
» Specific to Cisco Catalyst Switches
 NetFlow Version 8
» Rarely seen today
» Aggregation Technology introduced
 NetFlow Version 9
» Introduces flexible NetFlow concepts
» Mainstream availability of aggregation features

12. Comparison of Flow Analysis Technology
 J-Flow
» Developed by Juniper Networks
• Effectively the same as NetFlow Version 5
 sFlow
» Standards based (RFC 3176)
• Supported by many vendors including HP,
Extreme, Foundry, Juniper, Nortel
» Is based on a statistical sampling of the data flows
» Implemented primarily for layer 2/3 switches passing very large
amounts of traffic
 IPFIX
» Sometimes referred to as NetFlow Version 10
» Uses NetFlow v9 as a starting point
» Template based exporting

13. Comparison of Flow Analysis Technology
 J-Flow
» Developed by Juniper Networks
» Effectively the same as NetFlow Version 5
 sFlow
» Standards based (RFC 3176)
» Supported by many vendors including HP, Extreme, Foundry, Juniper,
Nortel
» Is based on a statistical sampling of the data flows
» Implemented primarily for layer 2/3 switches passing very large
amounts of traffic
 IPFIX
» Sometimes referred to as NetFlow Version 10
» Uses NetFlow v9 as a starting point
» Template based exporting

14. NMS Deployment Preparation
 Step One – Define and document that scope of the
network you’re managing
 Step Two – Identify the system requirements for Orion
based upon the managed scope
 Step Three – Assess your current installation
environment
 Step Four - Evaluate the gap (if any) and make plans for
deployment

15. Step One – Scoping the Environment
 Discover/document the network
» Number of nodes
» Number of interfaces
» Number of NetFlow nodes and interfaces
» Speed of NetFlow interfaces
 Document and prioritize the best places to analyze traffic
» Most expensive links
» Internet connections
» Junction points between networks
 Document the aggregate bandwidth that you’re trying to
analyze (or number of flows if you can)

16. Step Two – Orion’s System Requirements
 Leverage the Orion NPM and NTA Administrator’s
Guides
» System requirements are well laid out within these manuals
» Remember – these are minimum requirements. If you want better performance,
you need to step up the hardware.
 Leverage your SQL Server admin’s expertise
» Building high-performance SQL Servers is a form of art…
» Explain to them the I/O requirements of your NMS

17. Step Three – Document the current setup
 Document what you have available today
» What sort of server is Orion on?
» Is SQL on the same machine?
» What sort of server is SQL on?
» What sort of storage system is in use?
 What do you have that you’re not using?
» Corporate SQL server implementations…
» Decommissioned HPOV or Exchange servers?

18. #5 Add more RAM. It’s almost always a good thing…
#4 Disk controllers – use disk controllers with at least 256MB of battery-
backed up write back cache enabled. Put the data and log files on
separate controllers.
#3 RAID – RAID 5 is OK for the OS, but don’t use it for data storage.
RAID 1,0 offers significantly better I/O.
#2 Use Ramdisk. It significantly speeds up the SQL Server.
#1 Be very wary of SANs… Most aren’t optimized for this sort of use.

19. Step Four – Evaluate the gap
 Where is your current implementation deficient?
» Is the Orion server sized correctly?
» Does SQL need to be moved?
» Is the SQL server sized correctly?
» Do you need additional pollers/collectors?
 Prioritize your deployment
» Start by enabling NetFlow on a single device/interface
» Use the best practices for deploying in a “lean” environment
» Ramp up your deployment as your hardware can support them

20. Installing and Configuring NTA in a Lean Environment
 Enable NetFlow collection pragmatically
 Go short on data retention
» How much data can you really look at?
» You can always increase it later…
 Enable “On Demand DNS Resolution”
 Use “Allow Monitoring of Flows from Unmanaged
Interfaces”
 Use “Smart Traffic Filtering”

21. Smart Traffic Filtering
 In most networks, 95% of the traffic traversing the
network is represented in only 4% of the flows
 Why store the noise?
 Smart Traffic Filtering uses 20x less data storage and
I/O.
 Doesn’t change the use case for most customers…
 This is how you do it…

22. Smart Traffic Filtering
To enable this feature, please follow these steps:
 Find file NetFlowService.exe.config by default located at “C:Program
FilesSolarwindsOrionNetFlowTrafficAnalysis” and make backup copy of it
 Open this file in notepad
 Also, find the following line in the file and change options as specified below:
 <pduLimiter enabled="true" globalRestriction="1"
dataPercentageRestriction="95"
 Save this file
 Restart NTA service

23. Enabling Devices for NetFlow
Step #1 – be sure that the device supports NetFlow, J-
Flow, sFlow, or IPFix.
For Cisco devices – http://www.cisco.com/go/fn
Step #2 – leverage the hardware manufacturers
documentation for enabling NetFlow on the device. Start
with a single interface on that device.
Step #3 – if you’re having trouble configuring the device,
leverage video support
Step #4 – be sure the device and interfaces are managed
within Orion and that the interface is specified as a
“NetFlow managed interface”

24. Analyzing traffic thru non-NetFlow devices
 Be sure the device doesn’t support flow analysis
» Does it support J-Flow, sFlow, or IPFix instead?
» Is it by chance a Cisco ASA?
 Analyze from an adjacent device
 Consider adding a capable device instream
 Advanced tactic – leverage an open source tool to
convert packet streams to NetFlow

25. Optimizing the Orion NTA Website
 For most use cases, drill down vs. using the NetFlow
tab…
 Decide how important UI performance is to you and
optimize views accordingly
 Avoid “Network Wide” resources where you can
 Don’t put “heavy” resources on heavily displayed pages
 Let’s go see what I mean…

26. Using the Information NTA Provides
 What each of the resources mean…
 Using NPM and NTA together
 Using the Traffic View Builder
 Solving problems

27. Summary and Q&A
Thank you for attending!
To learn more or to download free 30-day trials of
SolarWinds products visit: www.SolarWinds.com
Contact information
Josh Stephens, Head Geek
headgeek@solarwinds.com
twitter: sw_headgeek
Blog: http://thwack.com/blogs/geekspeak/
p.s. Remember to renew your maintenance!!!