No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

eSight V300R010C00 Operation Guide 07

Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Network Traffic Analysis Introduction

Network Traffic Analysis Introduction

This section describes the definition, functions, application restrictions, and key indicators of network traffic analysis.

Definition

The network traffic component offers a reliable and convenient traffic analysis solution that monitors network-wide traffic in real time and provides multi-dimensional top N traffic analysis reports. With this component, users can promptly detect abnormal traffic on the network and keep abreast of the network bandwidth usage.

The network traffic component consists of two functional modules: NTC and NTA.

  • NTC

    Receives NetStream packets reported by network devices, aggregates the packets into data files by dimensions such as host and application, and sends the data files to the NTA.

  • NTA

    Imports data files into the database and monitors network traffic in real time.

Network devices that can be monitored by the network traffic component are as follows:

  • Huawei S-series switches, including S77, S93, and S97-series switches
  • Huawei CE switches, including CE5850, CE5810, CE6850, and CE12800
  • Huawei NE routers, including NE16, NE20, NE40, and NE80
  • Huawei AR routers, including AR160, AR200, AR1200, AR2200, and AR3200
  • Huawei wireless ACs, including ACU2, AC6605, and AC6005

Functions

eSight Network Traffic Analyzer (NTA) can quickly and efficiently analyze top N network traffic and generate detailed traffic reports. It enables users to detect abnormal traffic in a timely manner based on the real-time top N application traffic distribution on the entire network and plan networks based on the long-term network traffic distribution. Therefore, NTA can implement transparent network management.

Enabling NetStream on a Device

eSight delivers NetStream commands to devices through the smart configuration tool. You do not need to configure NetStream on each device, implementing quick deployment of NetStream.

Figure 12-53 Enabling NetStream on an interface

Configuration Management

eSight NTA provides the configuration capability for the collector, device, interface, AP, protocol, application, SDCP, alarm, host name resolution, interface group, application group, IP group, IP group-IP group, and DSCP group.

Figure 12-54 Configuration navigation
  • Configuration navigation

    When you are using eSight for the first time, follow the configuration navigation on the GUI to complete traffic monitoring settings step by step.

  • Collector configuration

    You can view the IP address and status of the current collector and set the top N count for interface session collection (top 30 by default). After the traffic forensics function is enabled, the original flow files of the collector are uploaded to the analyzer.

  • Device configuration

    eSight displays all devices that report traffic. You can monitor specific devices.

  • Interface configuration

    eSight displays the device interfaces which send network traffic packets to the analyzer. You can set the incoming traffic rate, outgoing traffic rate, and sampling ratio on interfaces to ensure that eSight NTA can correctly collect traffic data. The sampling ratios on eSight must be the same as those on devices. Telnet login user name and password are configured for Huawei devices, and eSight can synchronize sampling ratios from device interfaces.

  • AP configuration

    eSight displays the list of APs that send network traffic packets to the analyzer through an AC. You can set the sampling ratio to ensure that eSight NTA can correctly collect traffic data. The sampling ratios on eSight must be the same as those on devices.

  • VXLAN tunnels

    eSight displays the list of VXLAN network identifiers (VNIs) where network traffic packets are sent to the analyzer. You can manually synchronize VNIs on devices.

  • Protocol configuration

    You can monitor specific protocols as needed.

  • Network application

    eSight lists more than 500 frequently-used network applications and classifies them into pre-defined applications and user-defined applications. You can define important applications.

    • Pre-defined application: preset applications and applications identified and reported by devices
    • User-defined application: network application that is added by users and can be defined based on the protocol (UDP/TCP), port range, and IP address range
  • DSCP configuration

    eSight lists 64 frequently-used DSCPs and allows you to rename DSCP names.

  • IP group configuration

    Groups IP addresses that have certain common attributes, which helps users to view traffic information about IP address groups.

  • IP group-IP group configuration

    You can define the source and destination IP groups, for example, from one department or floor to another to view traffic information between two regions.

  • Application group configuration

    You can classify applications into an application group as required to view traffic information about a specified application group, such as the email group.

  • DSCP group configuration

    You can classify associated service types into a DSCP group to view traffic information about a specified DSCP group, such as the voice group.

  • Interface group configuration

    You can add related interfaces to an interface group to view traffic information about a specified interface group.

  • Alarm configuration

    You can specify the rate thresholds for triggering alarms for certain applications, hosts, sessions, DSCPs, application groups, IP groups, and DSCP groups and the conditions for clearing the alarms.

  • Host name resolution configuration

    You can specify whether to enable DNS and NetBIOS resolution to resolve IP addresses into DNS domain names or NetBIOS host names. After DNS and NetBIOS resolution is enabled, eSight can display traffic by host name.

Traffic Dashboard

NTA provides the traffic dashboard function and displays the real-time traffic on the entire network.

Figure 12-55 Traffic analysis by Dashboard
  • The dashboard offers rankings about the interface traffic, interface utilization, device traffic, application traffic, host traffic, DSCP traffic, and session traffic.
  • You can customize the display format and content. The following operations are available: links, maximize, and minimize.
  • Top N application traffic, top N host traffic, top N session traffic, and top N DSCP traffic portlets support multi-instance display on the traffic analysis dashboard. In addition, traffic can be filtered by interface group.
Traffic Analysis

eSight NTA can analyze traffic on enterprise WAN egress links and wireless campus network from multiple dimensions.

1. Traffic analysis on enterprise WAN egress links

eSight NTA offers drill-down network traffic analysis capabilities. You can view more details about traffic step by step. eSight NTA can analyze detailed top N traffic information on egress devices, link interfaces, applications, DSCPs, hosts, sessions, interface groups, IP groups, and application groups.

You can obtain traffic distribution on WAN links and view traffic information on link interfaces.

Figure 12-56 Interface traffic analysis

eSight can work with Huawei devices to analyze bandwidth usage of dynamic applications, such as BT, eMule, and other P2P applications.

The drilling-down function enables you to set filter criteria to view session details.

Figure 12-57 Session details

2. Traffic analysis on a wireless campus network

eSight works with Huawei WLAN devices AC6005, AC6605, or ACU2 to display the top N application traffic distribution on a wireless enterprise campus network. You can select a region or SSID to view top N application traffic in the region. You can also click an AC or AP to view top N application traffic of the AC or AP.

Figure 12-58 Traffic on a wireless campus network

3 Traffic analysis on a data center VXLAN network

eSight works with Huawei CE switches to display application traffic distribution on a data center VXLAN network. You can click a VNI to view application traffic on the VNI.

Figure 12-59 VNI traffic trend
Network Traffic Report

NTA provides a configuration wizard for customizing top N traffic reports. NTA can export reports and send reports to users through emails. The following figures show how to create and view traffic reports.

Figure 12-60 Creating a network traffic report
Figure 12-61 Viewing a network traffic report
  • Supports multiple modes of displaying the traffic data: pie, table, line chart, and region chart.
  • Supports multiple summary types: application summary, session summary, DSCP summary, host summary, and interface summary.
  • Supports multiple filtering conditions: by source address, by destination address, by application, and by DSCP.
  • The report system can generate instant reports and periodic reports.
    • Instant report

      Users need to manually run an immediate report task. Once an immediate task is executed, a report reflecting the statistics at that time is generated. After the task is performed successfully, the status is displayed on the page. The report contains detailed traffic statistics and figures.

    • Periodic report

      After eSight performs a task at an interval specified by the user, traffic statistics of a specified period is displayed.

  • You can export a single report or batch reports.
  • eSight can send reports by emails.
Traffic Forensics

When detecting abnormal traffic on the network, the system allows you to obtain original traffic data which helps you locate the network fault.

The system displays traffic forensics results by seven key fields. For example, you can check whether viruses exist by comparing protocols, ports, and packet rates, and check whether protocol attack threats exist by TCP flags.

Figure 12-62 Traffic forensics page
  • Obtains original packets by time range.
  • Supports diverse filter criteria: source IP address, destination IP address, source interface, destination interface, source port, destination port, protocol, application, DSCP, and TCP flag.
  • Sets the storage duration for query results. The maximum value is 30 days.
  • Exports all or specified query results.
Traffic Alarm

You can create threshold alarms for eight traffic types, such as application, server, and session. When the traffic has reached the threshold for specified times within a specified time segment, an alarm is automatically generated. When the traffic meets alarm clearance conditions within a specified time segment, the alarm is automatically cleared. eSight can notify users of alarm generation or clearance by emails.

You can create, copy to create, delete, enable, and disable threshold alarms on the traffic threshold alarm configuration page. You can choose the objects to be monitored, and set the alarm severity, threshold, and repetition times based on the historical traffic data.

Figure 12-63 Threshold alarm configuration page

You can check traffic alarms on the current alarm page, and switch to the traffic analysis page to view traffic details within the time segment.

Figure 12-64 Checking traffic alarms
Host Name Resolution

NTA can resolve IP addresses of traffic into DNS domain names or NetBIOS host names. You can specify whether to enable DNS or NetBIOS resolution and set the update interval of DNS domain names and NetBIOS host names.

After DNS or NetBIOS resolution is enabled, eSight displays traffic by host name and IP address when host name resolution fails.

Figure 12-65 Host name resolution configuration page

After host name resolution is configured, eSight displays traffic by host name, as shown in the following figure.

Figure 12-66 Displaying traffic by host name

Application Restrictions

  • Only the professional eSight with the Oracle database supports VXLAN traffic viewing. A maximum of 100 VNIs are supported.
  • The NAT uses the sampling technology and applies only to top N traffic trend analysis because the collected traffic has slight differences from the actual traffic. When there are a large number of sessions on the network, only top N traffic volumes are viewed, and the NAT is not applicable to accurate traffic analysis and traffic-based charging.
  • The traffic analysis function is not recommended when the data center has large traffic.
  • Traffic forensics save information about the original traffic, occupying system resources. Disable this function after the function is used.
  • The NTA supports only the devices in the specification list. For other devices, their traffic can be displayed on eSight if they support NetFlow, NetStream, or sFlow. However, eSight functions may be abnormal, and the traffic may be incorrect.
  • You are advised to use the recommended sampling ratio of devices. If the ratio is too small, the forwarding performance may be affected.
  • Use the command line in Traffic Config > Navigation to configure the NTA. If any configuration is missing or incorrect, the NTA result may be incorrect, and the functions may be abnormal.
  • Configurations of two nodes deployed remotely in a NAT two-node cluster need to be sent to two collectors at the same time.
  • If the collector IP address changes, you need to log in to the device and reset the address of the NetStream, sFlow, or NetFlow. Otherwise, traffic statistics are not reported.
  • Application traffic analysis for WLAN regions is supported only in the centralized forwarding (tunnel mode) networking.
  • Only top N application traffic, top N host traffic, top N session traffic, and top N DSCP traffic portlets support multi-instance display on the traffic analysis dashboard. In addition, traffic can be filtered by interface group.

KPIs

The KPI list helps you understand the management scale and retention duration of the monitoring data supported by the network traffic component.

Management Scale

For details, see the software and hardware configuration requirements in the eSight product documentation.

Retention Duration of Monitoring Data
Table 12-54 Retention duration of monitoring data

Monitoring Data Type

Storage Period

Monitoring data aggregated by minute

12 hours

Monitoring data aggregated by 10 minutes

5 days

Monitoring data aggregated by hour

14 days

Monitoring data aggregated by 6 hours

31 days

Traffic data aggregated by day

186 days

Traffic data aggregated by week

3 years

Translation
Download
Updated: 2019-06-30

Document ID: EDOC1100044378

Views: 57793

Downloads: 264

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next