When I point a NetFlow sender at an nProbe instance, I would like to send flows from each interface on that device:
Nexus9396PX# show run | include sflow
feature sflow
hardware access-list tcam region sflow 256
sflow collector-ip 10.12.4.12 vrf default source 10.12.0.10
sflow agent-ip 10.12.0.10
sflow data-source interface port-channel1
sflow data-source interface port-channel2
sflow data-source interface port-channel3
sflow data-source interface port-channel16
sflow data-source interface port-channel24
sflow data-source interface port-channel28
sflow data-source interface port-channel36
[...]
In my configuration, the nProbe instance receives those flows and makes them available to ntopng for consumption via zmq:
/usr/local/sbin/ntopng --local-networks=10.0.0.0/8 --redis=localhost --aggregation 1/1/1/1/0/0 --zmq=tcp://*:5551 -i none -n none -b 0 --collector-port=5551 --pid-file=/var/tmp/nprobe-5551.pid
But it seems to me that ntopng has no mechanism for separating those per interface flows:
cat /etc/ntopng/ntopng.conf
--pid-path=/var/tmp/ntopng.pid
--dns-mode=1
--interface=tcp://127.0.0.1:5551
--interface=tcp://127.0.0.1:5552
--interface=tcp://127.0.0.1:5553
--interface=tcp://127.0.0.1:5554
--interface=tcp://127.0.0.1:5561
--interface=tcp://127.0.0.1:5562
--interface=tcp://127.0.0.1:5563
--interface=tcp://127.0.0.1:5564
--interface=tcp://127.0.0.1:5565
--interface=tcp://127.0.0.1:5566
--interface=tcp://127.0.0.1:5567
--interface=tcp://127.0.0.1:5568
--interface=tcp://127.0.0.1:5569
--interface=tcp://127.0.0.1:5570
--interface=tcp://127.0.0.1:5571
--categorization-key=[...]
--daemon
--http-port=8080
--disable-login=1
--local-networks=10.0.0.0/8
--redis=localhost
So the result is an 'aggregation' of all the flows into a single view of the box.
? Is this the current state-of-the-product? Or is there a way to configure ntopng to display traffic on a per device interface basis?
Seems to me that:
(a) Ntopng could be enhanced to pay attention to {device}:{source interface} tags in the NetFlow input stream and present this distinction in the GUI ... although that sounds to me like a substantial enhancement
(b) The NetFlow sender could be enhanced to permit specifying different collectors for each interface, e.g.
sflow data-source interface port-channel1 collector 10.12.4.12
sflow data-source interface port-channel1 collector 10.12.4.13
sflow data-source interface port-channel1 collector 10.12.4.14
[...]
And then I would set-up an nProbe instance at 10.12.4.12, 10.12.4.13, 10.12.4.14 ...
(c) Something I haven't thought of
--sk
Nexus9396PX# show run | include sflow
feature sflow
hardware access-list tcam region sflow 256
sflow collector-ip 10.12.4.12 vrf default source 10.12.0.10
sflow agent-ip 10.12.0.10
sflow data-source interface port-channel1
sflow data-source interface port-channel2
sflow data-source interface port-channel3
sflow data-source interface port-channel16
sflow data-source interface port-channel24
sflow data-source interface port-channel28
sflow data-source interface port-channel36
[...]
In my configuration, the nProbe instance receives those flows and makes them available to ntopng for consumption via zmq:
/usr/local/sbin/ntopng --local-networks=10.0.0.0/8 --redis=localhost --aggregation 1/1/1/1/0/0 --zmq=tcp://*:5551 -i none -n none -b 0 --collector-port=5551 --pid-file=/var/tmp/nprobe-5551.pid
But it seems to me that ntopng has no mechanism for separating those per interface flows:
cat /etc/ntopng/ntopng.conf
--pid-path=/var/tmp/ntopng.pid
--dns-mode=1
--interface=tcp://127.0.0.1:5551
--interface=tcp://127.0.0.1:5552
--interface=tcp://127.0.0.1:5553
--interface=tcp://127.0.0.1:5554
--interface=tcp://127.0.0.1:5561
--interface=tcp://127.0.0.1:5562
--interface=tcp://127.0.0.1:5563
--interface=tcp://127.0.0.1:5564
--interface=tcp://127.0.0.1:5565
--interface=tcp://127.0.0.1:5566
--interface=tcp://127.0.0.1:5567
--interface=tcp://127.0.0.1:5568
--interface=tcp://127.0.0.1:5569
--interface=tcp://127.0.0.1:5570
--interface=tcp://127.0.0.1:5571
--categorization-key=[...]
--daemon
--http-port=8080
--disable-login=1
--local-networks=10.0.0.0/8
--redis=localhost
So the result is an 'aggregation' of all the flows into a single view of the box.
? Is this the current state-of-the-product? Or is there a way to configure ntopng to display traffic on a per device interface basis?
Seems to me that:
(a) Ntopng could be enhanced to pay attention to {device}:{source interface} tags in the NetFlow input stream and present this distinction in the GUI ... although that sounds to me like a substantial enhancement
(b) The NetFlow sender could be enhanced to permit specifying different collectors for each interface, e.g.
sflow data-source interface port-channel1 collector 10.12.4.12
sflow data-source interface port-channel1 collector 10.12.4.13
sflow data-source interface port-channel1 collector 10.12.4.14
[...]
And then I would set-up an nProbe instance at 10.12.4.12, 10.12.4.13, 10.12.4.14 ...
(c) Something I haven't thought of
--sk