Traffic Sentinel Configuration
For first-time configuration steps, please see Getting Started.
The structure of the configuration is described in this Overview.
Additional, less frequently used customization options are described on the Configure>Extra page.
Configuration Sections
Server
- Enterprise Name, the name of the company or organization that owns the network being monitored.
- Site Name, the name of the campus or city containing the devices being monitored.
- Server, the hostname of the server. This name cannot be changed from within Traffic Sentinel. Consult the documentation for the server operating system if you need to change the hostname. The software key is tied to the hostname, so changing it will require a new key.
- Serial Number, the serial number associated with the software license. This must be the serial number provided with the software key.
- Software Key, the key used to unlock the software. The key is tied to a particular hostname and serial number. If you need to change the hostname then a new key will be required.
- Contact Name, the name of the person responsible for this server.
- Contact Location, the mailstop, address or building where the contact person can be reached.
- Contact Phone, the contact person's phone number.
Configuration Hierarchy
Zone
- Name, the name for this zone.
Group
- Zone, the zone this group will appear under.
- Name, the name for this group.
CIDR
CIDRs are used to associate end-hosts with a Group. A CIDR is specified by an Address and the number of Mask Bits associated with the subnet mask. These do not have to match the subnets used by your routers, and they may overlap with each other too. For example, you might create a group "all" with the CIDR "128.141.0.0/16" in it, and then a separate group with the smaller CIDR "128.141.122.0/24". When assigning addresses to groups, the smallest enclosing CIDR is used. Grouping hosts in this way is useful when defining security rules (see Signatures>Configure), or when displaying traffic (see Traffic>Circles).
- Group, the group where this CIDR will appear.
- Address, the IP address.
- Mask Bits, the number of mask bits to apply.
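The smallest-enclosing-CIDR rule can be sketched as follows. This is an added example, not Traffic Sentinel code: the group name "lab" and all function names are assumptions, and the two CIDRs are the ones used in the text above.

```python
import ipaddress

# Constructed group table: the CIDRs come from the text, "lab" is hypothetical.
GROUP_CIDRS = [
    ("all", "128.141.0.0/16"),
    ("lab", "128.141.122.0/24"),
]

def build_table(entries):
    """Parse (group, cidr) pairs and order them most-specific first."""
    table = []
    for group, cidr in entries:
        # This sketch rejects CIDRs with host bits set (e.g. 128.141.122.7/24)
        # rather than silently normalising them; ip_network raises ValueError.
        table.append((ipaddress.ip_network(cidr, strict=True), group))
    # Longest prefix first, so the first hit is the smallest enclosing CIDR.
    table.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return table

def group_for(address, table):
    """Return the group of the smallest CIDR containing address, or None."""
    ip = ipaddress.ip_address(address)
    for network, group in table:
        if ip.version == network.version and ip in network:
            return group
    return None

def ungrouped(addresses, table):
    """Hosts that match no CIDR, so no group-based rule would cover them."""
    return [a for a in addresses if group_for(a, table) is None]

if __name__ == "__main__":
    table = build_table(GROUP_CIDRS)
    # Constructed sample hosts.
    for host in ["128.141.122.10", "128.141.5.1", "10.0.0.1"]:
        print(host, "->", group_for(host, table))
```

Because overlapping CIDRs are allowed, the order in which groups are defined does not matter in this sketch; only the prefix length decides which group wins.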
Agent Range
An agent range describes a range of IP addresses that contain network devices to monitor.
- First Address, the first address in the range.
- Last Address, the last address in the range.
- Scan, indicates whether to search through this range looking for devices that can be configured to send sFlow using SNMP. The scan will happen automatically every night, but if you want your changes to take effect immediately you can initiate a new scan on the File>Control page.
- Override Control, this setting also relates to configuration using the sFlow MIB. If Override Control is set to Override then Traffic Sentinel will add itself as a monitoring receiver, even if that means taking over from another application.
- Enable, can be set to Disable to explicitly avoid discovering agents in this range, and to turn off monitoring on any agent in that range that might have been discovered before.
Agent
- Group, the group where this agent will appear.
- Address. This is the address that will be used to communicate with the device's SNMP Agent.
- Override Control, see Agent Range above.
- Enable, see Agent Range above.
Interface
Interfaces only need to be specified if particular settings are to be applied to the interface, such as custom thresholds. Otherwise interfaces will be automatically discovered.
- Agent, the device whose interface is being specified.
- IfIndex, the MIB-II ifIndex number of the interface.
Hierarchy Settings
The following settings can be applied at any level in the configuration hierarchy.
Threshold
A threshold setting applies a threshold to an interface metric. Specify the Metric and a Limit, or value of the metric that will trigger the threshold. The Minutes over Threshold and Total Minutes settings are used to specify a duration over which the metric must exceed the limit before an alert is generated. For example, if Minutes over Limit was set to 5 and Total Minutes was set to 10 then an alert would result if the limit were exceeded 5 minutes in any 10 minute interval. The Min. ifSpeed and Max. ifSpeed are used to limit the scope of the threshold to only links with particular speeds. The threshold will only be applied to interfaces that fall in the specified speed range. This allows different threshold settings to be applied depending on the interface speed. Finally, the Enable flag can be used to Disable or Enable a particular threshold.
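The "5 minutes in any 10 minute interval" rule is a sliding-window count, sketched below. This is an added example, not Traffic Sentinel code: the class and field names, the inclusive speed range, and the choice to report every minute in which the condition holds are assumptions, and the utilisation series are constructed.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Threshold:
    limit: float             # metric value that must be exceeded
    minutes_over: int        # minutes over the limit needed for an alert
    total_minutes: int       # length of the sliding interval, in minutes
    min_ifspeed: int = 0     # bits/s, lower end of the threshold's scope
    max_ifspeed: int = 10**12
    enabled: bool = True

    def applies_to(self, if_speed):
        # Assumption: both ends of the range are inclusive; the text only
        # says the interface must fall in the specified speed range.
        return self.enabled and self.min_ifspeed <= if_speed <= self.max_ifspeed

    def alert_minutes(self, if_speed, per_minute_values):
        """Return the minute indexes at which the alert condition holds."""
        if self.minutes_over > self.total_minutes:
            raise ValueError("minutes_over cannot exceed total_minutes")
        if not self.applies_to(if_speed):
            return []
        window = deque(maxlen=self.total_minutes)  # True = minute was over limit
        hits = []
        for minute, value in enumerate(per_minute_values):
            window.append(value > self.limit)
            if sum(window) >= self.minutes_over:
                hits.append(minute)
        return hits

# Constructed per-minute utilisation (%) for a 1 Gbit/s interface.
SPIKY = [50, 90, 40, 95, 85, 30, 91, 20, 88, 10, 10, 10]  # 5 scattered minutes over 80
BURST = [90, 90, 90, 90, 10, 10, 10, 10, 10, 10, 10, 10]  # only 4 minutes over 80

if __name__ == "__main__":
    rule = Threshold(limit=80, minutes_over=5, total_minutes=10)
    print(rule.alert_minutes(10**9, SPIKY))  # scattered spikes still alert
    print(rule.alert_minutes(10**9, BURST))  # short burst does not
```

The exceedances do not need to be consecutive: the scattered series triggers the alert, while a four-minute burst stays below it.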
SNMP
An SNMP setting controls how the server will use SNMP to talk to the agents. The Read Community is used when scanning for agents in an Address Range. It is also used when polling counters or reading agent configuration. The Write Community is used when performing SNMP-SET operations. If a Write Community is not provided, the Read Community will be used for both GET and SET operations. Finally, the Enable flag can be used to Disable or Enable SNMP access to agents. SNMP is used to get interface names, agent information, and to poll counters from non-sFlow devices. Disabling SNMP is only recommended in situations where there is no interest in managing the device.
The settings User, Auth. Protocol, Auth Password, Priv. Protocol, and Priv. Password are only necessary if SNMPv3 is used.
Sampling
The sampling setting specifies the packet sampling rate that will be used when configuring an agent using the sFlow (or XRMON) MIB. The Sampling Rate determines the fraction of packets sampled. For example, a value of 100 would mean that, on average, 1 in every 100 packets would be sampled. The Min. ifSpeed and Max. ifSpeed settings allow different sampling rates to be set for interfaces depending on their speeds. An interface will match the first entry for which the condition Min <= ifSpeed < Max is satisfied. Generally, larger Sampling Rate settings are used for faster interfaces. The default settings are usually adequate and provide a useful guide when manually configuring sampling using the CLI.
If sFlow has been configured on the agent using its CLI then this parameter will have no effect. The sampling rate configured on the agent will be adopted and will override any setting made here.
Similarly, if the agent is sending IPFIX, NetFlow or LFAP flow records, then the packet sampling rate being used on the agent will usually be indicated in a field in the data packets. In that case also, the sampling rate configured on the agent will be adopted.
If the agent is not using packet sampling at all, and is sending flow-records generated from every packet, then the sampling rate setting configured here will be applied. It is applied so that the results are equivalent to that packet sampling rate being applied on the agent prior to the flow-cache.
If the agent is using packet sampling but is not indicating the sampling rate in the data packets, then you must follow these steps:
- Add a special sampling entry just for this agent.
- Match the sampling rate setting to the one being used on the agent.
- Edit the XML configuration directly to add:
preSampled="true"
as an extra parameter in that <sampling> section.
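The first-match rule (Min <= ifSpeed < Max) and the precedence of an agent-supplied rate over the configured one are sketched below. This is an added example, not Traffic Sentinel code: the function names are assumptions and the entries are constructed values, not the product defaults.

```python
# Constructed sampling entries: (min_ifspeed, max_ifspeed, sampling_rate),
# speeds in bits/s. Illustrative values only, not the product defaults.
ENTRIES = [
    (0,             100_000_000,     200),
    (100_000_000,   1_000_000_000,   500),
    (1_000_000_000, 100_000_000_000, 1000),
]

def configured_rate(if_speed, entries):
    """Rate of the first entry with min <= ifSpeed < max, or None."""
    for lo, hi, rate in entries:
        if lo <= if_speed < hi:
            return rate
    return None

def effective_rate(if_speed, entries, agent_rate=None):
    """Rate used for scaling.

    agent_rate stands for a rate set on the agent by CLI or indicated in its
    data packets; when present it overrides the configured entry.
    """
    if agent_rate is not None:
        return agent_rate
    return configured_rate(if_speed, entries)

def estimate_packets(sample_count, rate):
    """Scale a count of sampled packets to an estimate of total packets."""
    if rate is None or rate < 1:
        raise ValueError("no usable sampling rate for this interface")
    return sample_count * rate

if __name__ == "__main__":
    gig = 1_000_000_000
    # Half-open ranges: exactly 1 Gbit/s falls in the third entry, not the second.
    print(configured_rate(gig, ENTRIES))
    # A catch-all entry placed first shadows every entry after it.
    print(configured_rate(gig, [(0, 10**12, 100)] + ENTRIES))
    # 37 samples at an agent-indicated rate of 2048.
    print(estimate_packets(37, effective_rate(gig, ENTRIES, agent_rate=2048)))
```

A rate that does not match what the agent actually uses scales every traffic estimate by the wrong factor, which is why an agent that samples without indicating its rate needs its own matching entry.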