Cisco OL-11399-01 User Manual

CHAPTER

2

Using the NetFlow Collector User Interface

Cisco NetFlow Collector (NFC), Release 6.0 has a web-based user interface (UI) for configuration,
control, and reporting. Each collector instance has a web server that the user can start to enable the
web-based UI.

This chapter includes the following sections:

• Starting the Cisco NetFlow Collector User Interface, page 2-1

• Customizing the Cisco NetFlow Collector Interface, page 2-2

• Using the Cisco NetFlow Collector User Interface, page 2-3

• Configuration, page 2-5

• Reports, page 2-31

• Status, page 2-45

Starting the Cisco NetFlow Collector User Interface

To start the Cisco NetFlow Collector User Interface, do the following.

Note The Cisco NetFlow Collector UserInterface requires JRE 1.5 or higher.You can download a plug-in for

Java 1.5 or higher from java.sun.com, section Downloads, J2SE folder; and install it on the platform on
which the browser will run.

Step 1 To run Cisco NetFlow Collector, log in as the user specified during installation.
Step 2 Enter the following command:

/opt/CSCOnfc/bin/nfcollector start all

Step 3 From a web browser enter:

//<nfc-hostname>:8080/nfc

OL-11399-01

Cisco NetFlow Collector User Guide

2-1

Chapter 2 Using the NetFlow Collector User Interface

Customizing the Cisco NetFlow Collector Interface

Note The web-based UI only works with the collector located on the same machine. To access a different

instance of Cisco NetFlow Collector you must start that collector’s web server and access it through the
corresponding URL.

Customizing the Cisco NetFlow Collector Interface

The NFC application includes the tool /opt/CSCOnfc/bin/webconfig.sh for configuring HTTP or
HTTPS and the port number for accessing the web UI.

For example, to enable HTTPS access, do the following:

Step 1 To run the tool, enter the following:

/opt/CSCOnfc/bin/webconfig.sh

Step 2 You are prompted to configure HTTP or HTTPS access to the NFC web server.

Configure http or https access to the NFC web server:

[1] Access the NFC web server with http (unencrypted)

[2] Access the NFC web server with https (encrypted)

Select one:

Step 3 To select HTTPS, enter 2.
Step 4 Enter the port number for web access.

Enter port number for web access [8443]

Step 5 Enter the keystore and certificate password. It must be at least 6 characters.
Step 6 Select a certificate type.

Certificate type:

[1] Create a self-signed certificate

[2] Import an existing certificate

Select one:

If you select 1, the window displays:

Creating keystore with self-signed certificate

Enter certificate validity period in days: [3650]

2-2

The subject name in the certificate is based on the hostname of this device
by default. If the URL used to access NFC on this host contains a different
name e.g. IP address, the browser will report a site name mismatch.

Step 7 Enter the subject hostname or IP address.

Cisco NetFlow Collector User Guide

OL-11399-01

Chapter 2 Using the NetFlow Collector User Interface

Step 8 When the web configuration is complete, the following is displayed:

NFC web configuration has been updated.

Table 2-1 describes additional settings that can be customized for the Cisco NetFlow Collector

web-based UI.

Table 2-1 Cisco NetFlow Collector User Interface Settings

Setting Description Default Value File

intfc- password Digest password for the

CNS/XML interface. Stored
as a parameter to the
InitServlet in the servlet
configuration file. This
setting must match the md5­password value of the
CNS/XML interface.

session­timeout

A session is started after a
userlogsin to the web-based
UI. This timeout indicates
the duration of inactivity
allowed before a session
expires and the user is
automatically logged out.
Add:<session-

config><session­timeout>30</session­timeout></session­config> after all
<servlet-mappings>.

Using the Cisco NetFlow Collector User Interface

password NFC_DIR/tomcat/webapps/nfc/

WEB- INF/web.xml

30 minutes NFC_DIR/tomcat/webapps/nfc/

WEB-INF/web.xml

Using the Cisco NetFlow Collector User Interface

The following sections describe using the Cisco NetFlow Collector User Interface.

The NFC Login Window

When starting the Cisco NetFlow Collector, the first window that appears is the NFC login window, as
shownin Figure 2-1. For security purposes, to use the web-based UI you must authenticate yourself with
a user ID and password. These values are configured as described in Table 2-1.

Cisco NetFlow Collector User Guide

OL-11399-01

2-3

Using the Cisco NetFlow Collector User Interface

Figure 2-1 Cisco NetFlow Collector User Interface Login Window

Chapter 2 Using the NetFlow Collector User Interface

Step 1 From the Login window, enter your User ID and Password.
Step 2 Click Login.

Navigation

To log in to Cisco NetFlow Collector, do the following:

The Cisco NetFlow Collector Main window appears. From this window, you can select from the
following tabs:

• Configuration

• Reports

• Status

See the following sections for information on these functions.

You can move around the NFC web-based user interface (UI) from two levels.Across the top of all NFC
windows are the NFC UI navigation tabs. These tabs are the first level of navigation in to the NFC UI,
as shown in Figure 2-2. From here you can select the Configuration, Reports, and Status tabs. The
toolbar at the far right includes links to Logout, Help, and About windows.

2-4

Figure 2-2 NFC UI Navigation Tabs

Each section of NFC User Interface has a navigation tree on the left-hand side, as shown in Figure 2-3.
This second level of navigation lets you focus in on a specific aspect of collector configuration,
reporting, or status.

Cisco NetFlow Collector User Guide

OL-11399-01

Chapter 2 Using the NetFlow Collector User Interface

Figure 2-3 NFC UI Navigation Tree

Configuration

Configuration

From the Configuration window you can perform tasks including specify global parameters; define
fields, key builders, value builders and aggregators; and create filters.

From the Cisco NetFlow Collector Main window, click the Configuration tab. The Configuration
window appears, as shown in Figure 2-4.

OL-11399-01

Cisco NetFlow Collector User Guide

2-5

Configuration

Chapter 2 Using the NetFlow Collector User Interface

Figure 2-4 NFC Configuration Window

From this window you can access or configure the following:

• Aggregators, page 2-7

• Fields, page 2-10

• Key Builders, page 2-11

• Value Builders, page 2-21

• Aggregation Schemes, page 2-25

• Filters, page 2-26

• NetFlow Export Source Groups, page 2-27

• NetFlow Export Source Access List, page 2-28

• BGP Peer, page 2-29

• Global, page 2-30

• Advanced, page 2-30

2-6

Cisco NetFlow Collector User Guide

OL-11399-01

Chapter 2 Using the NetFlow Collector User Interface

Aggregators

Aggregators define how the Cisco NetFlow Collector receives NetFlow data, aggregates or combines the
data, and generates output files. Click on the Aggregators folder of the NFC UI navigation tree to
display a table of all existing aggregators, as shown in Figure 2-5.

Figure 2-5 Aggregators Window

Configuration

Adding Aggregators

From the Aggregators window, click on Add Aggregator to bring up the Add Aggregator window to
define a new aggregator. See Figure 2-6.

OL-11399-01

Cisco NetFlow Collector User Guide

2-7

Configuration

Chapter 2 Using the NetFlow Collector User Interface

Figure 2-6 Add Aggregator Window

Fill in the fields and click Submit to complete the operation.

Editing an Aggregator

To modify or remove an existing aggregator, click Edit for the aggregator which you wish to modify or
remove from the list of aggregators displayed in the Aggregator window (Figure 2-6). The Modify
Aggregator window displays, as shown in Figure 2-7.

2-8

Cisco NetFlow Collector User Guide

OL-11399-01

Chapter 2 Using the NetFlow Collector User Interface

Figure 2-7 Modify Aggregator Window

Configuration

Thresholds

To modify the selected aggregator, fill in the fields and click Modify to complete the operation. To
remove the selected aggregator, click Remove.

Note When a key or value builder, filter, or aggregation scheme is modified through the web-based user

interface, collector configuration is updated immediately. However, for the update to have an affect on
aggregation and output, the aggregator must be modified or the collector must be restarted.

Thresholds provide a way to generate events when values in the NetFlow Collector output cross a
specified target value. You configure thresholds for each aggregator. A list of thresholds for an
aggregator is displayed in the Add Aggregator window.

From the Add Aggregator window, click Add Threshold to add a new threshold. Click on the
appropriate link in the threshold list to modify or remove an existing Threshold.

When adding and editing thresholds the windows are identical with the exceptionthat you cannot change
the threshold ID when modifying a threshold. Use this window to add, remove, and order threshold
conditions.

The threshold editor is applet-based. A tree on the left-hand side of the threshold editor shows the
elements of the threshold. A form on the right-hand side of the threshold editor contains the attributes
for the currently selected item in the tree.

OL-11399-01

Cisco NetFlow Collector User Guide

2-9

Configuration

Chapter 2 Using the NetFlow Collector User Interface

The top item in the tree is the name of the threshold. Directly beneath this is a top-level threshold
condition or expression. Add the top-level threshold condition or expression by selecting Add condition
or Add expression when the top item is selected. If the top-level threshold condition or expression
evaluates to true when the threshold is evaluated, a threshold-crossing log is created. See the “Creating

a Threshold” section on page 4-26 for more information about thresholds.

A threshold expression contains two or more expressions or conditions. Arbitrarily complex threshold
evaluation logic can be specified in this way.

When creating a threshold condition, specify:

• Whether the comparison is greater than, less than, equals, or not-equals

• Which key or value is compared

Directly beneath the threshold condition is one or more value or range items. These determine the set of
target values to which the comparison is applied. Add a value or range to the threshold condition by
selecting Value or Range. For an integer condition, only integer values and ranges can be entered; only
IP address values can be entered for address conditions.

Boolean logic is applied to two or more conditions using an expression. An expression can also appear
within an expression in place of a condition.

To create an expression, specify the logical operator and, or, not-and, or not-or and select Add
expression. An expression must contain at least two other conditions or expressions.

The conditions and expressions within an expression are evaluated in top-down order. Evaluation
performance for an expression can be optimized by placing conditions and expressions which are more
likely to occur closer to the top. Select an item then select Move to move the item up until it reaches the
top; selecting Move again cycles the item to the bottom.

Any item in the tree including the items beneath it can be removed by selecting Remove. Pressing the
back button on the browser also causes any changes to be discarded.

Fields

Note Remove items with care because no cut, paste, or undo capability is provided. Changes are not

committed until you select Update Threshold or Remove Threshold.

The symbol ! at the beginning of any item in the tree indicates that the configuration specified at that
level of the tree is incomplete and must be updated before the threshold can be added or updated.

Fields represent individual items of data exported by a device in a NetFlow flow, and are the building
blocks upon which the keys and values referenced by aggregation schemes are based.

Clicking on the Fields folder of the NFC UI navigation tree displays a table of currently defined fields
as shown in Figure 2-8. Click Edit to modify a specificfield,orRemoveto remove a selected field. Click
Add Field to bring up an empty form for defining a new field.

Aliases, alternate names for fields,are also shownin the navigation tree and table and can be added when
a field is defined or modified

2-10

Cisco NetFlow Collector User Guide

OL-11399-01

Chapter 2 Using the NetFlow Collector User Interface

Figure 2-8 Fields Window

The NetFlow Export Field window, Figure 2-9, is displayed when adding or modifying a field.Fill in the
form and click Add or Modify to complete the operation. From the Modify window you can also remove
the currently displayed field. Click Add Alias or Remove Alias to add or remove an alias (alternate
name) for this field. See the “Fields” section on page 4-4 for additional information about field
definitions.

Configuration

Key Builders

Figure 2-9 NetFlow Export Field Window

An aggregation scheme consists of keys and values. Within an aggregation period, each value within
flows having the same set of keys is aggregated (typically summed) together with the corresponding
values from earlier matching flows within an aggregation period.

Fields are not referenced directly by an aggregation scheme; instead, a key builder or value builder
references a field, and one or more aggregation schemes references the builder.

Clicking on the Key Builders folder of the NFC UI navigation tree displays a table of currently defined
key builders as shown in Figure 2-10. Click Edit to modify a specific key builder,or Remove to remove
a selected key builder.Click Add Key Builder to bring up an empty form for defininga new key builder.

OL-11399-01

Cisco NetFlow Collector User Guide

2-11

Configuration

Chapter 2 Using the NetFlow Collector User Interface

Figure 2-10 Key Builders Window

All key builders have a unique ID and a type. The ID is displayed in the navigation tree and the key
builder table. The attributes shown in the form depend on the type that is selected; different key builder
types have different attributes. The following sections describe the attributes for each type of key
builder:

• BGP Attribute, page 2-13

• Bit Field, page 2-14

• Boolean, page 2-14

• Byte Array, page 2-14

• Customer Name, page 2-15

• Egress PE, page 2-15

• Ingress CE, page 2-16

• Integer, page 2-16

• Integer Range Map, page 2-17

• Interface SNMP Name, page 2-17

• IP Address, page 2-17

• IP Address Range Map, page 2-18

• Mac Address, page 2-18

• Masked IP Address, page 2-18

• Multi-Field Map, page 2-19

• Option Data, page 2-20

• Site Name, page 2-20

• String, page 2-21

• Subnet Address, page 2-21

2-12

Cisco NetFlow Collector User Guide

OL-11399-01

Chapter 2 Using the NetFlow Collector User Interface

BGP Attribute

A BGP Attribute key builder looks up a BGP attribute from the Cisco NetFlow Collector BGP peer
using an address from a flow. The complete AS path is a special case that uses both a source and a
destination address from a flow. The BGP Attribute key builder has the following attributes.

Attribute Description

Output name Column name in output; defaults to the field ID if

Attribute type One of the following radio buttons:

Source address key ID of a key builder that returns the source address

Destination address key ID of a key builder that returns the destination

Post-aggregation Determines whether look ups are performed for

Configuration

not specified.

• Complete AS Path

• Well Known Name—Select from ORIGIN,

AS_PATH, NEXT_HOP,
MULTI_EXIT_DESC, LOCAL_PREF,
ATOMIC_AGGREGATOR,
AGGREGATOR, COMMUNITY,
ORIGINATOR_ID, or CLUSTER_LIST

• Integer Type ID.

for a complete AS path look up, otherwise
disabled.

address for querying the attribute.

each flow or at the end of the aggregation period;
this should always be selected, otherwise
attributes are queried from the Cisco NetFlow
Collector BGP peer as flows arrive resulting in a
significant performance impact.

OL-11399-01

Cisco NetFlow Collector User Guide

2-13

Configuration

Bit Field

Boolean

Chapter 2 Using the NetFlow Collector User Interface

The Bit Field key builder obtains a subset of bits from a field in a flow. It has the following attributes.

Attribute Description

Output name Column name in output; defaults to the field ID if

not specified.
Field ID of the field in a flow from which to extract bits.
Least significant bit Least significant bit of interest (starts at 0).
Number of bits Number of bits of interest.
Format Decimal or hexadecimal.
Allow null value If not selected, an error is logged if a flowdoes not

contain the indicated field.

A Boolean key builder maps flow values to true, false,orundefined. The Boolean key builder has the
following attributes.

Byte Array

Attribute Description

Output name Column name in output; defaults to the field ID if

not specified.
Field ID of the field in a flow containing the value of

interest.
Allow null value If not selected, an error is logged if a flowdoes not

contain the indicated field.

A Byte Array key builder outputs bytes from flow data in hexadecimal format. The Byte Array key
builder has the following attributes.

Attribute Description

Output name Column name in output.
Field ID of the field to obtain from a flow.
Offset Starting byte offset from the beginning of the field

in the flow. Set to zero if not specified.
Length Number of bytes of interest, from the offset to the

end of field data if not specified.
Allow null value If not selected, an error is logged if a flowdoes not

contain the indicated field.

2-14

Cisco NetFlow Collector User Guide

OL-11399-01

Chapter 2 Using the NetFlow Collector User Interface

Customer Name

The Customer Name key builder resolves the customer name from the input interface field. It has the
following attributes:

Attribute Description

Output name Column name in output.
Field ID of the field to obtain from a flow.
Allow null value If not selected, an error is logged if a flowdoes not

The Customer Name key builder requires configuration in the config/vpn.conf file. You must include
one row to correspond to each PE device VPN interface that export NetFlow packets to this NFC server.
The rows in this file contains five fields, in the following order: exporting device (PE) IP address,
interface name, name of the site to which this interface is connected, CE to which this interface is
connected, and customer name. These fieldsshould be separated by commas. See the following example:

172.20.98.250,FastEthernet0/1.401,vpn1-branchB,CERouter-3,Cisco

172.20.98.250,FastEthernet0/1.601,vpn2-branchB,CERouter-4,IBM

172.20.98.248,FastEthernet2/1,vpn2-branchA,CERouter-2,IBM

172.20.98.246,FastEthernet0/1,vpn1-branchA,CERouter-1,Cisco

Configuration

contain the indicated field.

Egress PE

The exporting device (PE) IP address and interface name fields are required. You can include empty
strings for the remaining fields in each row if those fieldsdo not need to be resolved. For example, if you
do not need to specify a site name, the site name fields can be left empty.

Note Each row must contain four commas. Empty fields must be separated with commas.

The Egress PE key builder resolves the egress PE from the BGP nexthop field. It has the following
attributes:

Attribute Description

Output name Column name in output.
Field ID of the field to obtain from a flow.
Allow null value If not selected, an error is logged if a flowdoes not

contain the indicated field.

This key builder requires configuration in the config/peList.conf file. This file should include the
loopback addresses or hostnames of all PEs in the network. See the following sample:

# This file is for the PE-PE traffic summary only # It should contain a list of IDs
for all PE devices in the provider network # ID of PE device can be either host name
or IP address

192.168.200.2

192.168.200.3

192.168.200.4

OL-11399-01

Cisco NetFlow Collector User Guide

2-15