WLC Netflow with ExtraHop

In a recent post I talked about the ExtraHop product and its capabilities for network monitoring. In this post I will go through how we can use it to monitor Cisco WLC Netflow. If you read my “WLC Netflow with AireOS” post, you are aware of the 17 fields included in Netflow packets coming from WLCs (note: 5520/8540 with AireOS 8.2.x onward):

1. Source IP
2. Dest IP
3. Source Port
4. Dest Port
5. Protocol
6. Direction
7. Application Tag
8. Client MAC Address
9. AP MAC Address
10. WLAN ID
11. VLAN ID – Mgmt/Dyn
12. TOS – DSCP Value
13. Flow Start Time
14. Flow End Time
15. Packet count
16. Byte count
17. Dot1x username

Once you enable WLC Netflow on your SSID and point it to a Netflow collector (ExtraHop in my case), you should be able to see it on your ExtraHop Discover Appliance (EDA) under pending flow Networks.

[Image: EH-WLC-FLOW-01]

One great advantage of the ExtraHop product is its flexibility. You can create your own triggers and build custom application bundles. In our case we asked ExtraHop to help us monitor WLC Netflow traffic, which includes those fields.

Once your device is in ExtraHop, you can assign a trigger to it (Metrics > Sources > Devices > Assign Trigger).

[Image: EH-WLC-FLOW-02]

Once you do that, you will collect WLC Netflow stats on your EDA and can get stats based on your requirements. Below are some sample stats we were able to get.

You can easily differentiate wireless upload/download on your network.

[Image: EH-WLC-02]

You can analyze wireless traffic based on application.

[Image: EH-WLC-04]

As WLAN ID is one of the fields in Netflow traffic, you can easily view traffic on each SSID.

[Image: EH-WLC-01]

As username is one of the fields, you can get some interesting stats based on it. Here we break down “eduroam” visitor traffic to see which universities' users are consuming our wireless bandwidth.

[Image: EH-WLC-03]

Here are the top upload/download user stats.

[Image: EH-WLC-07]
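The realm and top-user breakdowns described above can be reproduced from decoded flow records with a small aggregation. This is an added example, not ExtraHop trigger code and not from the original post; the record field names (`username`, `wlanId`, `direction`, `bytes`), the direction values and the sample records are constructed assumptions.

```javascript
// Added example: field names and direction values are assumptions, not the WLC template's own.
// Constructed sample of already-decoded WLC flow records (a subset of the 17 fields).
const sampleFlows = [
  { username: "alice@uni-a.example", wlanId: 3, direction: "upstream",   bytes: 1200 },
  { username: "alice@uni-a.example", wlanId: 3, direction: "downstream", bytes: 9000 },
  { username: "bob@UNI-B.example",   wlanId: 3, direction: "downstream", bytes: 4000 },
  { username: "carol@uni-a.example", wlanId: 3, direction: "downstream", bytes: 500 },
  { username: "",                    wlanId: 1, direction: "upstream",   bytes: 700 },
  { username: "dave",                wlanId: 3, direction: "sideways",   bytes: 50 },
];

// Realm = text after the last "@", lower-cased; usernames without one share a bucket.
function realmOf(username) {
  const name = username || "";
  const at = name.lastIndexOf("@");
  if (at < 0 || at === name.length - 1) return "(no realm)";
  return name.slice(at + 1).toLowerCase();
}

// Sum bytes per key, split into upload/download; unknown directions are kept apart
// so a decoding problem shows up instead of silently inflating one side.
function aggregate(flows, keyFn) {
  const totals = new Map();
  for (const f of flows) {
    const key = keyFn(f);
    if (!totals.has(key)) totals.set(key, { upload: 0, download: 0, other: 0 });
    const t = totals.get(key);
    const bytes = Number.isFinite(f.bytes) && f.bytes > 0 ? f.bytes : 0;
    if (f.direction === "upstream") t.upload += bytes;
    else if (f.direction === "downstream") t.download += bytes;
    else t.other += bytes;
  }
  return totals;
}

// Top-N keys by upload + download, largest first (ties broken by key name).
function topN(totals, n) {
  return [...totals.entries()]
    .map(([key, t]) => ({ key, ...t, total: t.upload + t.download }))
    .sort((a, b) => b.total - a.total || a.key.localeCompare(b.key))
    .slice(0, n);
}

// Per-realm breakdown for one SSID (WLAN ID 3 stands in for "eduroam" here).
const byRealm = aggregate(sampleFlows.filter(f => f.wlanId === 3), f => realmOf(f.username));
const topUsers = topN(aggregate(sampleFlows, f => f.username || "(no username)"), 2);
console.log(topN(byRealm, 5), topUsers);
```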

There is much more you can do, as long as you have a good imagination for how you would like to see stats. If you would like to see wireless traffic in a certain way, please drop a line as a comment and I will see if we can do it in this setup.

Special thanks go to Thomas Plant (one of my colleagues, who worked with ExtraHop to get it done) and Khurram Waheed for getting us those triggers from their technical resources.

RELATED POSTS

  1. Network Monitoring with ExtraHop
  2. WLC Netflow in AireOS 8.2
