- Created by Vladimir Stanković on 22 07, 2019
Mandatory criteria needed for creating a Traffic Pattern is the IP address criteria. Namely, it is mandatory to enter at least one address range in the Internal Address range field.
Also, it is possible to set up additional filters using the include and/or exclude commands. Additional filters are based on:
Exporter and its interfaces
Service
AS
Protocol
QoS
Next Hop
These filters can be freely combined to make very specific Traffic Patterns which are matching the traffic you are interested in. For instance, by combining first three filters, you can monitor the traffic from a single network device that uses a specific service in communication with a specific Autonomous System.
Bare in mind that this filters are for fine-tuning your Traffic Patterns. In particular, this means that the filter is applied only to the traffic matched by a given Traffic Pattern IP address range. In other words, an IP address from the Traffic Pattern definition is applied first, and then the filters are applied.
Therefore, if you want to monitor all traffic that goes from your internal network via certain exporter/service/AS/protocol/QoS, you need to apply that filter to a Traffic Pattern that covers all traffic (such as All traffic Traffic Pattern). Likewise, if you want to monitor the traffic from a particular Traffic Pattern via certain exporter/service/AS/protocol/QoS, apply that filter to that Traffic Pattern.
Filtering Based on Exporter and its Interfaces
To create a filter based on the IP address of the exporter or its interface:
- Go to > Settings > NetFlow Settings > Patterns
- Add new or Edit existing pattern
- Click the Exporter tab.
You can monitor the traffic that has been exported by a single device (exporter) or that has entered/exited a specific interface of that particular device (exporter).
The Exporter IP field is used to specify the IP address of the exporting device, while Interface In and Interface Out fields are used to specify the SNMP ID of one or more interfaces of the device. Use the Include and Exclude options to include or exclude several interfaces of the exporter from the filter.
This filter is most commonly used to remove duplicate flows. Read more at Manual Deduplication.
An Exporter filter example is given on the figure below: the Traffic Pattern with this filter will only match flows that pass through exporter X.Y.4.38 and only if the flow passed through interface 2 in ingress (In) direction and passed through interface 5 in egress (Out) direction.
- You can either include one or more exporters, or exclude one or more exporters. It is not possible to have included and excluded exporters in a single Traffic Pattern.
- Device must be an exporter (actually export netflow data to the NetFlow Server) in order for filtering to have any effect.
- IP address used to identify the exporter is the IP address the router has been configured to export the netflow data from.
Example 1
We want to monitor all traffic exported by a network device with the IP address 10.1.1.1. Furthermore, we are only interested in the traffic that has entered through interfaces with SMNP IDs 1 or 2 and exited through interface 4.
Here is how to make the filter:
- Type in 10.1.1.1 into Exporter IP field
- Type in 1,2 into Interface In field
- Type in 4 into Interface Out field
- Select Include radio button (default)
Click Add
- Click Save
Example 2
To monitor the traffic that entered through the Interface with SNMP ID 1 on any/all exporters:
- Leave the Exporter IP field empty
- Type in 1 into the Interface In field
- Leave the Interface Out field empty
- Select Include radio button (default)
- Click Add
- Click Save
Example 3
To exclude the traffic entering through a specific interface on a specific exporter:
- Type in 10.1.1.1 into the Exporter IP field, where 10.1.1.1 is Exporter's IP address
- Type in 1 into the Interface In field, where 1 is SNMP ID of interface we are not interested in
- Leave the Interface Out field empty
- Select Exclude radio button (default)
- Click Add
- Click Save
Filtering Based on Service
To create a filter based on the service:
- Go to > Settings > NetFlow Settings > Patterns
- Add new or Edit existing pattern
- Click the Service tab.
You can filter traffic based on services by including or excluding one or more service ports. Filtering is done by inserting service port numbers for the source and destination AS. This enables you to monitor the traffic utilizing certain service ports or services only.
Screenshot below shows the an example of service filter.
Example
We want to monitor all traffic exported by a network device with IP address 10.1.1.1. Furthermore, we are only interested in the traffic that has entered through interfaces 1 and 2 and exited through interface 4:
- Type in 10.1.1.1 into the Exporter IP field
- Type in 1,2 into the Interface In field
- Type in 4 into the Interface Out field
- Click on the Include radio button (default)
- Click Add to add this filter to the filter list
- Click Save
Filtering Based on AS
You can filter traffic based on AS, by including or excluding one or more Autonomous Systems. Filtering is done by inserting AS numbers (ASN) for the source and destination AS. This enables you to monitor the traffic between going to or coming from a certain AS or AS group and the traffic between two AS or AS groups.
Screenshot below displays an example of AS filter:
- Leaving the Source/Destination AS Number(s) field empty will have a meaning equal to inserting all Autonomous Systems
- If you do not know the ASN of the AS you wish to include/exclude, go to > Settings > Display Names > AS tab and do a search on the desired ASN
Filtering Based on Protocol
You can filter the traffic based on the protocol, by including or excluding one or more protocols. Filtering is done by inserting protocol numbers into the Protocol Number(s) field. This enables you to only monitor the traffic including a certain protocol or protocols, or to monitor the traffic excluding a certain protocol or protocols.
This screenshot shows the configuration of the protocol filter:
Filtering Based on QoS
You can filter the traffic based on QoS, by including or excluding one or more QoS markers. Filtering is done by inserting the ToS field into the ToS list field. This enables you to only monitor the traffic including or excluding a certain level(s) of QoS, or in other words including or excluding certain ToS fields.
The configuration of the QoS filter:
Filtering Based on Next Hop
You can filter the traffic based on next hop, by including or excluding one or more next hop IP addresses. Filtering is done by inserting the IP address for next hop field into the Next Hop IP field. This enables you to monitor only traffic including or excluding a certain next hop.
The configuration of the Next hop filter:
- No labels