Let’s discuss configuring Plixer’s NetFlow Replicator. This UDP replicator provides NetFlow duplication and forwarding to multiple collection points. The appliance doesn’t just stop there. It can also serve as a central staging point for syslogs, SNMP, and other UDP messages. This simplifies your network configuration and reduces the traffic load on your routers and switches. While the Replicator boasts many powerful qualities, command-line verbosity isn’t one of them. So if you’re staring at the command prompt and wondering, “I have a Replicator up and running, now what do I do?” here are some quick examples of how you can configure your Replicator to get the most out of this dynamic tool.

This guide assumes you’ve got the Replicator appliance up and running.  If you haven’t reached this point you can start with the README that’s bundled with the replicator.  We’ll pick up from the Replicator’s command line interface, logged in as the user ‘replicator’.

NetFlow Duplication: Forwarding from all hosts to multiple Collectors

NetFlow duplication increases data security by providing redundancy.  With the UDP Replicator, you can forward NetFlow packets to an unlimited number of collectors.  For this example, a humble pair of collectors will do; we’ll start by creating a profile that listens and forwards on port 2055:

profile add fwdallhosts 2055 2055

Commenting is always a good practice.  We’ll notate the profile to help out anybody who comes by later.  You’ll be grateful if that person is you and you haven’t thought about your configuration for a good, long time:

notate profile fwdallhosts this profile will forward NetFlow from all hosts to two collectors

Next we’ll create a policy for the profile that includes all hosts:

policies add 0.0.0.0/0 fwdallhosts include

Now specify the collectors that this profile will forward to. You’ll want to replace A.B.C.D and E.F.G.H with the IP addresses of your collectors. Simply repeat this command for as many collectors as you’d like to forward your NetFlow data to:

collector add A.B.C.D fwdallhosts
collector add E.F.G.H fwdallhosts

All that’s left is to check our work:

show profile fwdallhosts

If our syntax was correct we should see something like this:

[Screenshot: output of show profile fwdallhosts]

Network Simplification: Forwarding syslogs

Redundancy isn’t a best practice reserved solely for NetFlow duplication, either.  Duplicating system messages and notifications ensures backups and can help meet the needs of regulatory compliance.  By extracting details from syslogs and forwarding them inside IPFIX datagrams, the UDP Replicator serves as a single, central location to send syslogs.  This helps simplify your network configuration and reduces unnecessary traffic.

First we need to enable syslog to IPFIX conversion on the replicator:

setting enable convertsyslog

The UDP Replicator’s default syslog port is 514.  If you use a different port for syslogs you can configure this variable in the Replicator settings with:

setting set convertSyslog <your new port number>

Then we’ll make another profile, this time listening to port 514:

profile add fwdsyslogs 514 2055

Again, you’ll be glad you’ve notated when you return at a later date:

notate profile fwdsyslogs this profile will forward syslogs from single host to two collectors as IPFIX

Add collectors to the profile:

collector add A.B.C.D fwdsyslogs

collector add E.F.G.H fwdsyslogs

We’ll need to add exporters to the profile, one for each server we expect to receive syslogs from:

exporter add A.B.C.D fwdsyslogs

Again, many a heartache can be avoided with a simple proofread:

show profile fwdsyslogs

Your output should be similar to this:

[Screenshot: output of show profile fwdsyslogs]
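A collector-side check for the two profiles so far, as an added example (not Plixer code and not part of the original post): it classifies UDP payloads arriving on the forwarding port 2055 by their export-protocol header (NetFlow v5/v9, or IPFIX for converted syslogs) and flags malformed ones. The payloads and the 192.0.2.x source addresses are constructed samples.

```python
import struct
from collections import Counter

# Headers in network byte order: IPFIX per RFC 7011, NetFlow v9 per RFC 3954,
# NetFlow v5 per Cisco's published layout.
HEADERS = {
    10: ("ipfix", struct.Struct("!HHIII")),        # ver, length, time, seq, domain
    9: ("netflow9", struct.Struct("!HHIIII")),     # ver, count, uptime, secs, seq, source id
    5: ("netflow5", struct.Struct("!HHIIIIBBH")),  # ver, count, ..., seq, engine, sampling
}
V5_RECORD_LEN = 48  # v5 flow records have a fixed size


def classify(payload: bytes) -> tuple[str, str]:
    """Return (protocol, problem) for one UDP payload; problem is '' when sane."""
    if len(payload) < 2:
        return "unknown", "no version field"
    version = struct.unpack_from("!H", payload)[0]
    if version not in HEADERS:
        return "unknown", f"unexpected version {version}"
    name, hdr = HEADERS[version]
    if len(payload) < hdr.size:
        return name, "truncated header"
    second = hdr.unpack_from(payload)[1]  # IPFIX: total length; v5/v9: record count
    if version == 10 and second != len(payload):
        return name, "length field does not match datagram size"
    if version == 5 and len(payload) != hdr.size + second * V5_RECORD_LEN:
        return name, "record count does not match datagram size"
    return name, ""


def tally(datagrams):
    """Count (source IP, protocol, problem) over an iterable of (src, payload)."""
    return Counter((src, *classify(p)) for src, p in datagrams)


# Constructed payloads standing in for what a collector receives on port 2055.
IPFIX_OK = struct.pack("!HHIII", 10, 16, 1405346963, 1, 0)
V5_OK = struct.pack("!HHIIIIBBH", 5, 1, 0, 1405346963, 0, 7, 0, 0, 0) + bytes(48)
V9_OK = struct.pack("!HHIIII", 9, 0, 0, 1405346963, 3, 1)
IPFIX_CUT = IPFIX_OK[:12]
RAW_SYSLOG = b"<134>Jul 14 10:09:23 host app: constructed test message"
SAMPLE = [("192.0.2.10", IPFIX_OK), ("192.0.2.10", IPFIX_OK), ("192.0.2.20", V5_OK),
          ("192.0.2.20", V9_OK), ("192.0.2.30", IPFIX_CUT), ("192.0.2.30", RAW_SYSLOG)]

if __name__ == "__main__":
    for (src, proto, problem), n in sorted(tally(SAMPLE).items()):
        print(f"{src:<12} {proto:<9} {n:>3}  {problem or 'ok'}")
```

Feed `tally` the (source address, payload) pairs from a `recvfrom` loop or a packet capture on the collector; a plain syslog line arriving on 2055 shows up as `unknown` rather than `ipfix`.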

Forwarding SNMP traps from a single host to two collectors

Akin to network simplification with syslog forwarding, the Replicator provides a great way to consolidate SNMP.  This profile will be very similar to the one we just created for syslogs.

Create the profile.  This one will listen on port 162.  By now you should see a trend in the naming scheme:

profile add fwdsnmp 162 2055

Notate it. Trust me; you’ll be glad you did:

notate profile fwdsnmp this profile will forward snmp traps to two collectors

Add Collectors to the profile:

collector add A.B.C.D fwdsnmp

collector add E.F.G.H fwdsnmp

Add the exporters you expect to receive SNMP messages from:

exporter add A.B.C.D fwdsnmp

Confirm our configuration:

show profile fwdsnmp
[Screenshot: output of show profile fwdsnmp]
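The three profiles above follow one pattern, so they can be rendered from an inventory and validated before being pasted into the CLI. This is an added example, not Plixer tooling or part of the original post; `render_profile`, the inventory and the 192.0.2.x / 198.51.100.x addresses are hypothetical, and it assumes a profile without explicit exporters gets the include-all policy used for fwdallhosts.

```python
import ipaddress


def render_profile(name, listen_port, forward_port, collectors, exporters=(), note=""):
    """Build the CLI lines for one profile, validating the inputs first.

    Only command forms shown in the article are emitted. Assumption of this
    sketch: a profile with no explicit exporters gets the include-all policy.
    """
    if not name.isalnum():
        raise ValueError(f"profile name must be one alphanumeric token: {name!r}")
    for port in (listen_port, forward_port):
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port}")
    if "\n" in note or "\r" in note:
        raise ValueError("note must fit on one command line")
    if not collectors:
        raise ValueError("a profile needs at least one collector")
    for label, hosts in (("collector", collectors), ("exporter", exporters)):
        parsed = [ipaddress.ip_address(h) for h in hosts]  # ValueError if malformed
        if len(set(parsed)) != len(parsed):
            raise ValueError(f"duplicate {label} in profile {name}")

    lines = [f"profile add {name} {listen_port} {forward_port}"]
    if note:
        lines.append(f"notate profile {name} {note}")
    if not exporters:
        lines.append(f"policies add 0.0.0.0/0 {name} include")
    lines += [f"collector add {c} {name}" for c in collectors]
    lines += [f"exporter add {e} {name}" for e in exporters]
    lines.append(f"show profile {name}")
    return lines


# Constructed inventory; 192.0.2.x / 198.51.100.x are documentation addresses.
COLLECTORS = ["192.0.2.11", "192.0.2.12"]
PROFILES = [
    ("fwdallhosts", 2055, 2055, COLLECTORS, [], "NetFlow from all hosts"),
    ("fwdsyslogs", 514, 2055, COLLECTORS, ["198.51.100.5"], "syslogs as IPFIX"),
    ("fwdsnmp", 162, 2055, COLLECTORS, ["198.51.100.5"], "SNMP traps"),
]

if __name__ == "__main__":
    for spec in PROFILES:
        print("\n".join(render_profile(*spec)), end="\n\n")
```

A collector listed twice, or a placeholder such as A.B.C.D left in the inventory, raises `ValueError` before any command is generated.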

Forwarding the UDP Replicator alerts to a Scrutinizer server

The previous examples addressed messages originating from other hosts.  What about alerts and notifications from our UDP Replicator?  Fortunately, this is handled quite efficiently within the “settings” command.

The Replicator’s primary setting for handling alert messages is notificationsent. This setting designates an IP address that the UDP Replicator will forward alerts and notification syslogs to. The syntax is fairly straightforward:

setting set notificationsent A.B.C.D:2055

Now that we have the UDP Replicator configured to forward alarms, let’s take a look at some of the specific alarms we can configure.

flowStopAlert

This setting establishes how many minutes an incoming stream must have stopped, or a collector been unreachable, before the Replicator considers the device down and sends an alert. If you would like to set this to five minutes, the command would be:

setting set flowStopAlert 5

highCPUThreshold

As the name clearly implies, this alert is triggered when the Replicator’s CPU utilization surpasses the designated threshold.  Here’s how to set it for 90%:

setting set highCPUThreshold 90

pingCollectors & noRepWhenDown

The Replicator’s Deterministic Packet Forwarding feature detects when destination hosts are offline and stops forwarding traffic to them.  Enabled by default, the Replicator routinely pings your declared collectors for availability.  If “noRepWhenDown” is enabled, the UDP Replicator will stop replicating data to devices it cannot ping.  Configuring either of these two settings is easy:

Enabling:

setting set pingCollectors 1

setting set noRepWhenDown 1

Disabling:

setting set pingCollectors 0

setting set noRepWhenDown 0

metricsSent

Not an alarm per se, this will export Replicator statistics as IPFIX data to the IP and port specified:

setting set metricsSent A.B.C.D:2055

Go forth and Replicate!

By now you should see that the Plixer UDP Replicator is more than just a simple NetFlow duplication device. Properly configured, the Replicator can become a critical component of your network: it can serve as a central data collection point, consolidate system logs, and provide a clearer view of what’s going on. Paired with a NetFlow Analyzer, the Replicator gives you unsurpassed oversight and control of your NetFlow data and network status.

Don’t hesitate to contact us if you’d like to find out more information on our UDP Replicator Appliance.

Ryan Slosser

My name is Ryan. I work in development here at Plixer. I mostly deal with hardware deployment. I enjoy kayaking and fishing during the summer and skiing in the winter. People can count on me and I always give 100% unless I'm donating blood.
