The purpose of this guide is to discuss the next steps after installing Noction Flow Analyzer (NFA) on Ubuntu Linux. In addition, we will test some of the new features available in the latest version 21.11.0. Let's start where the previous article on installing NFA ended. We have our NFA version 21.10.0 installed on Ubuntu 20.04.3 LTS and NFA receives NetFlow from the flow exporter. NFA is in the default state; we have not done any configuration yet.
To discuss the configuration of the Cisco-based flow exporter, we will replace nProbe with the Cisco CSR1000v (Figure 1). The router is running Cisco IOS-XE and is configured as an IPFIX exporter. The NFA is connected to the router and collects the IPFIX flows generated by the exporter. Flows are generated from packets captured on GigabitEthernet1. The Gi1 interface is connected to a local area network (LAN), subnet 192.168.88.0/24 (Figure 1).
Figure 1 - Network Infrastructure with Flow Exporter and Analyzer
1. IPFIX Export Configuration on Cisco CSR1000v
The Flexible NetFlow IPFIX Export Format feature enables sending export packets using the IPFIX export protocol. The export of extracted fields from Network Based Application Recognition (NBAR) is only supported over IPFIX.
1.1 Flow Exporter
The router is configured to capture packets on the interface GigabitEthernet1, generate IPFIX flows from those packets and export the flows via GigabitEthernet2 to NFA, which is listening on the IP 10.0.0.1, UDP port 2055. The export protocol can be legacy NetFlow, NetFlow v9 or IPFIX.
flow exporter EXPORTER-1
 destination 10.0.0.1
 source GigabitEthernet2
 transport udp 2055
 export-protocol ipfix
 option interface-table
 option application-table
1.2 Flow Record
flow record RECORD-1
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match application name
 collect counter packets long
 collect interface input
 collect interface output
 collect counter bytes
 collect datalink mac source address input
 collect datalink mac destination address input
 collect flow direction
Match statements define the key fields. Packets that share the same values in all key fields belong to the same flow; a packet with a new combination of key-field values creates a new flow. Non-key fields, defined by the collect statements, do not have to match; they are only collected and exported with the flow.
The option application-table in the flow exporter exports the NBAR application IDs together with the application names. This is necessary for the collector to identify NBAR applications by name.
The option interface-table in the flow exporter exports the interface instances, such as names and descriptions (i.e. just like via SNMP).
1.3 Flow Monitor
flow monitor FLOW-MONITOR-1
 exporter EXPORTER-1
 record RECORD-1
1.4 Interface
Select the interface where packets are captured, configure the flow monitor under that interface and apply it to input traffic.
interface GigabitEthernet1
 ip flow monitor FLOW-MONITOR-1 input
 ip address 192.168.88.101 255.255.255.0
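A collector-side check for the export configured above, as an added example (not code from Noction or from the original article): it validates a datagram received on UDP port 2055 as an IPFIX message per RFC 7011 and lists its sets, so the options templates produced by option interface-table and option application-table can be told apart from flow templates and data. The sample message, its template IDs and all function names are constructed for illustration.

```python
import struct
HEADER = struct.Struct("!HHIII")  # version, length, export time, sequence, domain ID
SET_HEADER = struct.Struct("!HH")  # set ID, set length (header included)

def template_ids(body, options):
    """Template IDs announced in a template or options-template set body."""
    ids, off = [], 0
    while off + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, off)
        if tid < 256:  # zero padding at the end of the set
            break
        off += 6 if options and count else 4  # options records add a scope count
        for _ in range(count):  # step over the field specifiers
            if off + 4 > len(body):
                raise ValueError("truncated field specifier")
            (ie_id,) = struct.unpack_from("!H", body, off)
            off += 8 if ie_id & 0x8000 else 4  # enterprise bit adds a 4-byte PEN
        ids.append(tid)
    return ids

def parse_ipfix(datagram):
    """Validate one IPFIX message (RFC 7011) and list the sets it carries."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than the IPFIX message header")
    version, length, _time, sequence, domain = HEADER.unpack_from(datagram)
    if version != 10:
        raise ValueError(f"version {version} is not IPFIX (10)")
    if length < HEADER.size or length > len(datagram):
        raise ValueError("message length out of bounds")
    sets, off = [], HEADER.size
    while off < length:
        if off + SET_HEADER.size > length:
            raise ValueError("truncated set header")
        set_id, set_len = SET_HEADER.unpack_from(datagram, off)
        if set_len < SET_HEADER.size or off + set_len > length:
            raise ValueError("set length out of bounds")
        kinds = {2: "template", 3: "options-template"}
        kind = kinds.get(set_id, "data" if set_id > 255 else "reserved")
        body = datagram[off + SET_HEADER.size:off + set_len]
        tids = template_ids(body, set_id == 3) if set_id in (2, 3) else []
        sets.append({"kind": kind, "set_id": set_id, "templates": tids})
        off += set_len
    return {"sequence": sequence, "domain": domain, "sets": sets}

def build_sample():
    """Constructed message: template 256, options template 257, one data set."""
    tmpl = struct.pack("!8H", 2, 16, 256, 2, 8, 4, 12, 4)  # set 2: src/dst IPv4
    opts = struct.pack("!10H", 3, 20, 257, 2, 1, 10, 4, 82, 32, 0)  # set 3, padded
    data = struct.pack("!HH", 256, 12) + bytes([192, 168, 88, 10, 192, 168, 88, 101])
    return HEADER.pack(10, 64, 1637000000, 0, 1) + tmpl + opts + data
```

A datagram with version 9 in the header (NetFlow v9) or with a set length that runs past the message is rejected with ValueError instead of being walked.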
2. NFA Upgrade and Interfaces Name/Description
As of version 21.11.0, NFA includes a number of new features and capabilities. For example, it supports interface name/description identification via NetFlow v9, IPFIX and NetStream. To test this, we will upgrade our NFA packages to version 21.11.0.
NFA upgrade is pretty easy and straightforward. To upgrade our NFA installation to version 21.11.0, enter the commands below from Ubuntu CLI.
$ sudo apt update
Upgrade only nfa packages:
$ sudo apt-get --only-upgrade install nfa
Note: Restart Noction Flow Analyzer BGP Daemon manually once the upgrade is complete.
$ sudo systemctl restart nfabgpd
To check whether NFA is upgraded, connect to the NFA web server with a web browser and navigate to Management-> Version (Figure 2).
Figure 2 - Checking NFA Version Using Web Interface
Another option is to check the installed NFA packages via the CLI.
$ dpkg -l | grep nfa
Figure 3 - Checking NFA Version From Linux
3. Changing Default Password and User Management
NFA is installed with the default username/password: admin/admin. This account is an administrator account and we strongly recommend changing its password. To change the password for the currently logged-in user, click on the "first and last name" button in the upper right corner and go to Profile. Enter the old password, choose the new one and save your preferences.
You can also select the Interface theme under profile, e.g. switch from the default light theme to a dark theme.
Note: The password must be between 8 and 64 characters long and should contain at least one uppercase letter, one lowercase letter and one number.
To create a new user, navigate to Management-> User Management and click the ADD USER button. The role of the user is either user or admin. The admin role allows administrators to change passwords for other admins and users, while the user role only allows changing the password of the currently logged-in user.
Figure 4 shows the options under the Management button that are available for admins. The options marked with a red box are available to users.
Figure 4 - Management Options for Admin and User Roles
3. Adding New Flow Exporter into NFA
Although NFA can accept flows without prior configuration, we will add a new flow exporter into NFA. Navigate to Administration->Inventory section (Figure 5). The IP address of the exporter is the IP address of the router from which the flows are sent to the NFA. In our case it is 10.0.0.2 (not 192.168.88.101).
Figure 5 - Adding Flow Exporter into NFA
The Location tab allows us to create a new location or assign an exporter to the existing location (Figure 6). Multiple exporters can be assigned to a single location. If there are hundreds of exporters, it is probably a good idea to split them into multiple locations, which in turn allows us to quickly discover a specific exporter using the "Narrow by" button in Data Navigation -> Data Explorer section.
Figure 6 - Selecting Existing Location - Home lab for New Exporter
The last tab under the Add Device New section is BGP Settings. Here we configure NFA to peer with an exporter using BGP. This allows the collected flows to be enriched with the BGP AS_PATH attribute for a particular prefix. The BGP session parameters, such as the KeepAlive message and Hold time intervals, can be configured under the BGP section in Management-> Configuration Settings. However, we do not need BGP AS_PATH, so we omit this option.
Once the device configuration is complete, we should be able to check the status of the exporter along with the number of flows and the type of flows (Figure 7):
- green - flows received from the exporter
- yellow - flows received but some problems occur
- red - flows are not received
Figure 7 - IPFIX Flow Received from Configured Exporter
4. Filtering IPFIX Flows Based on Exporter/Collecting Interface Name/Flow Direction
To narrow down the results in Data Explorer by the specific interface parameters obtained via the flow options template, go to the “Narrow by” tab and expand the dropdown. Open up the desired location device and mark the checkboxes adjacent to the interfaces of interest. Indicate the input, output, or leave the default input/output value for each selection (Figure 8).
Figure 8 - Filtering IPFIX Flows Based on Location/Exporter/Collecting Interface Name/Flow Direction
We narrowed the flow results for the GigabitEthernet interface on the device CSR1000v-homelab for the input direction (Figure 9). The exporter is assigned to a "home lab" location.
Figure 9 - IPFIX Flows Narrowed Down by Interface Name
Conclusion