Recently the VPN to one of the company's external sites started behaving abnormally. After the vendor helped investigate, it turned out that a user at that particular site was saturating the bandwidth. When the problem occurred, the vendor had in fact already seen from the MRTG reports that it was a traffic issue, but did not go further and work out what was causing the traffic anomaly. That got me thinking about whether there was a simple way to do traffic monitoring ourselves, so that when a problem occurs we can find out which IP is causing it, and even which service is being used.
After thinking about the company's network architecture, I felt it should be possible to start from the core switch. I checked the HP 5130 EI documentation: it uses the sFlow standard to export traffic information. For the data collection end (the collector), I originally wanted to use ntopng, but for some reason, after installing it on a fresh Windows machine and starting it, UDP 6343 never showed up as listening. I did not see a setting for it in the console either, and the articles I found online only say that older versions listen on UDP 6343 by default. To avoid ending up with no sFlow data and then also having to work out which end was at fault, I switched to sFlowTrend from InMon.
The free version of sFlowTrend is limited to monitoring up to 5 switches and can only display roughly the last hour of traffic records, but that is good enough for me. After installation you can see the main program, "sflowtrend-server.exe", listening on UDP 6343. In the main screen, just add the switch's IP under "Tools" - "Configure agents". Remember to also add a firewall exception.
The next step is to connect to the HP 5130 with telnet and configure it with the following commands:
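# Enter system view (similar to enable mode)
system-view

# Set the IP this switch uses as the source of its sFlow data (the switch's own IP)
[Device] sflow agent ip 3.3.3.1

########## Add the sFlow collector ##########
# Add an sFlow collector with ID 1 (there can be more than one collector).
# Its IP is 3.3.3.2 and the port defaults to 6343;
# the description names this machine netserver.
[Device] sflow collector 1 ip 3.3.3.2 description netserver

########## Set the monitoring parameters on each port ##########
# Enter the interface to be monitored
[Device] interface gigabitethernet 1/0/1

# Set the sampling interval to 20 seconds (most documents online say 20 or 30 seconds;
# the example in HP's official documentation uses 120 seconds)
[Device-GigabitEthernet1/0/1] sflow counter interval 20

# Send the counter samples to sFlow collector 1
[Device-GigabitEthernet1/0/1] sflow counter collector 1

# Set the sampling mode to "random" (amusingly, HP's official documentation
# mentions another mode, determine, but there is no need to set it,
# because no current version supports it)
[Device-GigabitEthernet1/0/1] sflow sampling-mode random

# Set the sampling rate to 1000
# Sampling values recommended by the official sFlow documentation:
#   10Mb/s:  200
#   100Mb/s: 500
#   1Gb/s:   1000
#   10Gb/s:  2000
# The example in HP's official documentation uses 4000
[Device-GigabitEthernet1/0/1] sflow sampling-rate 1000

# Send the flow samples to sFlow collector 1
[Device-GigabitEthernet1/0/1] sflow flow collector 1

# Leave this interface and move on to the next one, until every interface to be monitored is configured.
# If you use Link Aggregation, no sFlow commands are available after switching to the LAG interface,
# so you have to resign yourself to configuring the interfaces one by one.
[Device-GigabitEthernet1/0/1] quit
[Device] interface gigabitethernet 1/0/2

########## Review the configuration ##########
# Confirm that sFlow is running
[Device-GigabitEthernet1/0/1] display sflow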
After configuring, save the switch configuration. You should then see traffic data arriving in sFlowTrend.