Let's use NetFlow to find an application

It’s hard, and I mean really hard, to find out who is using unwanted applications on your network.

The tedious process of finding people using applications that consume your network bandwidth is nerve-racking and, to be honest with you, less than efficient.

The good news is that with NetFlow and Cisco CAR you can manage and, in most cases, eliminate the issue.

The first step in this battle is to use the “Top Application” gadget, which is part of the new Flow Analytics 2.0.

This tool is designed to help with management of applications on the network. The algorithm scans the NetFlow traffic for known application types and alerts when it finds an unknown or undesirable application.

The gadget’s usefulness doesn’t stop there. At first glance, you will be able to see the amount of bandwidth consumed by the application in the last poll cycle. You also have the ability to drill down on that application and determine who on your network was using it. In a short period of time, you are able to find your issue.

Managing known or acceptable application types is simple too. If an application type is highlighted in yellow, then it has been marked as unknown and an alert has been generated. Clicking on the small plus sign located on the right-hand side of the label will add that type to the known applications list. From then on, when the application is detected, Flow Analytics will no longer post an alert.
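The workflow described above (rank applications by bandwidth, flag the ones not on the known list, drill down to the hosts) can be sketched in a few lines. This is an added illustration, not Flow Analytics code or its algorithm: it classifies only by protocol and port, and the flow tuples, the known-application list and the function names are constructed for the example.

```python
from collections import defaultdict

# Constructed known-application list: (protocol, service port) -> label.
KNOWN_APPS = {("tcp", 80): "http", ("tcp", 443): "https",
              ("udp", 53): "dns", ("tcp", 25): "smtp"}

# Constructed flow records: (src_ip, dst_ip, protocol, src_port, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.1.1.20", "192.0.2.10", "tcp", 51000, 443, 120_000),
    ("10.1.1.50", "198.51.100.7", "tcp", 51515, 6881, 900_000),
    ("10.1.1.50", "203.0.113.9", "tcp", 51516, 6881, 650_000),
    ("10.1.1.31", "198.51.100.7", "tcp", 40222, 6881, 50_000),
    ("10.1.1.20", "10.1.1.2", "udp", 53311, 53, 4_000),
    ("192.0.2.10", "10.1.1.20", "tcp", 443, 51000, 2_400_000),
]

def app_key(proto, src_port, dst_port, known):
    """Pick the service side of a flow: a known port if either side has one, else the lower port."""
    for port in (dst_port, src_port):
        if (proto, port) in known:
            return (proto, port)
    return (proto, min(src_port, dst_port))

def top_applications(flows, known=KNOWN_APPS):
    """Return applications sorted by bytes, each with an unknown flag and per-host totals."""
    totals = defaultdict(int)
    hosts = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, sport, dport, nbytes in flows:
        key = app_key(proto, sport, dport, known)
        totals[key] += nbytes
        # Charge the bytes to the client, i.e. the endpoint not on the service port.
        client = src if key[1] == dport else dst
        hosts[key][client] += nbytes
    rows = []
    for key, nbytes in sorted(totals.items(), key=lambda kv: kv[1], reverse=True):
        talkers = sorted(hosts[key].items(), key=lambda kv: kv[1], reverse=True)
        rows.append({"app": known.get(key, f"{key[0]}/{key[1]}"),
                     "bytes": nbytes, "unknown": key not in known, "talkers": talkers})
    return rows

def unknown_alerts(rows):
    """Only the applications that are not on the known list, i.e. the ones to alert on."""
    return [r for r in rows if r["unknown"]]

if __name__ == "__main__":
    for r in top_applications(SAMPLE_FLOWS):
        flag = "ALERT unknown" if r["unknown"] else "known"
        print(f'{r["app"]:10} {r["bytes"]:>9} bytes  {flag}  top host: {r["talkers"][0]}')
```

Adding an entry to the known list before calling `top_applications` has the same effect as the plus sign in the gadget: the application still appears in the ranking but no longer raises an alert.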

So what do you do when you find an unwanted transport? Well, the goal is to prohibit or limit the use of the application. This can be done by enabling the Cisco CAR function.

For example, let’s say you have quickly determined that a host is using an unknown protocol or application group to download movies from the web and this has left your internal servers inaccessible over your network.

CAR controls the bandwidth of certain types of traffic. In our case, that would be transports. It uses an access control list (ACL) that defines which traffic it regulates. Once you’ve created the ACL, you can use CAR to enforce a bandwidth rate on that traffic in either the INBOUND or OUTBOUND direction, according to the interface on which you applied CAR. You can learn more about CAR and its functions by visiting Cisco’s IOS 12.0 documentation.

There are many QoS functions on a Cisco router, and there are many third-party applications and appliances that can help solve this problem. However, the simplest solution to this problem is to use Flow Analytics to find the transports in question and then use CAR to prohibit their use. You save time and money, and it only takes about two minutes to implement.


James Dougherty

I have worn many hats in my professional life. Support engineer, developer, network admin and manager are all points on my resume, but the one common thread with all of these jobs is that I enjoy working with people; that is what I do here at Plixer. I make sure that everyone understands our product and can get the most out of it. It's just simple 'no bull' support!

Let me know if you have any questions, I would be happy to help.

- Jimmy D

