Purview Integration Wireless Controller 9.21

Hi community,

has anyone integrated the wireless solution V 9.21 into Purview? I get the TopN Mirror up and running but I don't get netflow packets.

Netflow is configured in the section "VNS->Global->NetflowMirrorN"
There I configured the Mgmt IP of my Purview instance and chose esa1 as my L2 Mirror Port.

Any idea?

Best Regards
Michael
Michael Kirchner

Posted 3 years ago

Michael Kirchner
I also enabled the Netflow flag in the Wireless Service Advanced section.
Still no netflow...
Paulo Francisco, Employee

Hi Michael,

What version of NMS are you running? You will require NetSight 6.3 as well. NetSight 6.3 is scheduled for Early Access at the end of the month.

Paulo

Michael Kirchner

Hi Paulo,

thanks for the reply. I'm running NetSight 6.2. But what does the NetSight version have to do with whether the wireless controller sends out netflow packets or not? In my opinion this is more wireless controller related.

Best Regards
Michael
Paulo Francisco, Employee


Hi Michael,

The 9.21 Wireless controller is sending out Netflow packets... However, it is sending it on Port 2095. NS/Purview6.2 does not listen on that port and therefore does not display any Netflow data. You need Purview6.3 in order to receive and analyze the records. 

Therefore you need a minimum base of NetSight/Purview 6.3 in order for the integration to work correctly.

Ronald Dvorak, Embassador

Hey guys, I also prepare my WLAN infrastructure for Purview and I'd need your input.

I've a single SSID/BYOD/NAC deployment with most of my APs in the office but also some in remote/home offices.

I'm not sure what the correct way is to enable Purview data collection....
Should/could I globally enable it on the SSID but disable it for the role home office (bridge@AP)?
It would make no sense to mirror all traffic back via the slow WAN link to the Purview engine.

Or should I leave WLAN service mirror disabled and enable it only on the role level (the bridge@EWC & routed roles).

What is the difference... on the WLAN service the selection is "enable both directions" but in the role the option is only "enabled".
Does it give the same information back to Purview ?

Thanks,
Ron
Paulo Francisco, Employee


Hi Ron,

The definition in the WLAN Service will work as the catch-all policy. Policy has precedence.

So in your example, if you want to capture all the traffic on the service except specific roles, simply set the service to 'Enable' - both directions recommended to get a bi-directional view of the traffic.

For any Roles you want to exclude, simply set their default action Traffic Mirror to 'Prohibited'.

If you have both Role and Service set to Enable, then there's no discrepancy and any traffic from that role on that service is N-Mirrored.

Paulo

Ronald Dvorak, Embassador

Thanks Paulo,

I've taken a closer look into the KT and have two more questions...

1) controller mirror port
Is the traffic sent untagged or is the tag from the respective role used to forward the traffic to Purview?

2) mirror N packets
If I understand it correctly only the first 15 packets/flow are mirrored to Purview per default.
So I should be able to enable it also for remote/branch offices without having all data copied back to the controller, right?

-Ron
Paulo Francisco, Employee


Hi Ron,

It depends on the direction of the traffic:

1) Traffic to the MU (NET to MU) if carrying a VLAN tag when received at the Appliance/AP will be mirrored as is (With VLAN tag)

Traffic from the MU (MU to NET) will always be mirrored as received from the wireless (post 802.3) which does not include the VLAN tag.

2) It depends on the topology configuration. For Bridged@Controller topologies all traffic is relayed back to the controller for N-Mirroring filtering and NetFlow metrics. Note: if mirroring applicable (Rule, Role or Service) the AP will still mirror back all traffic that is 'denied' by a Filtering@AP (controller will discard from the VLAN any such traffic, but will still mirror on Purview)

For Bridged@AP topologies, the AP will mirror only up to the first N-frames of a flow. Note2: AP will mirror up to N-Frames of any flow even if 'Denied' by filtering at AP (so that Purview has complete view of all traffic intended to/by the user)

Paulo


Luis Mendes

Hi

When I use TAGGED on any ESA the traffic doesn't appear on Purview. If the outside interface is configured untagged, Purview shows the connections; with tagged packets Purview counts them but they don't appear on the dashboard. Any idea??
Ronald Dvorak, Embassador

- is the link to the VM server a trunk and all VLANs are allowed ?
- is the VM vswitch set to promiscuous mode and VLAN ID set to "all" so all VLANs are forwarded ?

I've chosen the "easy" way and use a dedicated NIC on my VM which I've directly connected to my WLAN controller mirror port, which works great.
Luis Mendes

Yes

I chose to plug the controller directly into the VM (C5210). If you run "tcpdump" the traffic exists and Purview statistics appear. I have the same scenario but with traffic untagged and Purview shows the traffic and information. But with tagged, no show.

Any idea?

Luis Mendes

Collector process doesn't show FLOWS Records... but the sensor reads packets
Ronald Dvorak, Embassador

Ok another question - this time about the license.
I've Netsight with a NMS-ADV-U with no additional licenses installed.
In Oneview I'd see that my Purview supports 100 clients with 3000 flows.

Is that basic license included in every advanced license to try out Purview, or only in the unlimited NetSight license?

-Ron

Michael Kirchner

Hi Ron,

correct - every NMS-ADV-XX comes with 3000 flows/min & 100 Clients. Just like the 500 NAC End-System licenses.

Regards
Michael
Mike Thomas, Employee - GTAC - NMS

The early access of Netsight 6.3 is available now if you have requested early access rights.
Andre Brits Kannemeyer

Hi Guys

Perhaps this post can assist:


We have deployed a V2110 with NMS 6.3

We have enabled the purview integration.


In Oneview we see no Application flows.

If I look at the TCPDUMP on the Purview appliance on eth0 I see the Netflow Traffic As follows:


17:56:15.377880 IP (tos 0x0, ttl 126, id 0, offset 0, flags [none], proto UDP (17), length 112)
    10.0.10.250.2095 > rbhs-pur-01.rondebosch.local.2095: UDP, length 84
17:56:45.454054 IP (tos 0x0, ttl 126, id 0, offset 0, flags [none], proto UDP (17), length 112)
    10.0.10.250.2095 > rbhs-pur-01.rondebosch.local.2095: UDP, length 84
17:57:15.588240 IP (tos 0x0, ttl 126, id 0, offset 0, flags [none], proto UDP (17), length 112)
    10.0.10.250.2095 > rbhs-pur-01.rondebosch.local.2095: UDP, length 84
17:57:45.666345 IP (tos 0x0, ttl 126, id 0, offset 0, flags [none], proto UDP (17), length 112)
    10.0.10.250.2095 > rbhs-pur-01.rondebosch.local.2095: UDP, length 84


If I look at the TCPDump on the mirror port I also see all the mirrored traffic.

But I see no info in "Oneview"


So in summary I see the Netflow data and the Mirror data on the purview appliance, but nothing in Oneview.....


Any ideas??


Regards
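An added check, written for this page and not taken from any post or from Extreme's tooling, that parses tcpdump -v output in the shape shown above and summarises each UDP sender by destination port, so an exporter aimed at anything other than 2095 (the port Paulo named earlier in the thread) stands out. The sample capture is constructed from the lines above plus one made-up second exporter sending to port 2055; the hostname and 10.0.10.250 come from the post.

```python
"""Check a tcpdump -v capture for NetFlow reaching the expected Purview collector port."""
import re
from collections import defaultdict
from datetime import datetime

EWC_NETFLOW_PORT = 2095  # port the 9.21 controller exports to, per the thread

HDR_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP \(.*proto UDP \(17\), length \d+\)$")
UDP_RE = re.compile(r"^\s*(\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)$")

# Constructed sample in the shape of the capture posted above. The final datagram is
# made up: a second exporter sending to 2055, which the check should flag.
SAMPLE_CAPTURE = """\
17:56:15.377880 IP (tos 0x0, ttl 126, id 0, offset 0, flags [none], proto UDP (17), length 112)
    10.0.10.250.2095 > rbhs-pur-01.rondebosch.local.2095: UDP, length 84
17:56:45.454054 IP (tos 0x0, ttl 126, id 0, offset 0, flags [none], proto UDP (17), length 112)
    10.0.10.250.2095 > rbhs-pur-01.rondebosch.local.2095: UDP, length 84
17:57:15.588240 IP (tos 0x0, ttl 126, id 0, offset 0, flags [none], proto UDP (17), length 112)
    10.0.10.250.2095 > rbhs-pur-01.rondebosch.local.2095: UDP, length 84
17:57:45.666345 IP (tos 0x0, ttl 126, id 0, offset 0, flags [none], proto UDP (17), length 112)
    10.0.10.250.2095 > rbhs-pur-01.rondebosch.local.2095: UDP, length 84
17:57:50.000000 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 112)
    192.0.2.10.40000 > rbhs-pur-01.rondebosch.local.2055: UDP, length 84
"""


def parse_udp_datagrams(text):
    """One dict per UDP datagram: timestamp, src, sport, dst, dport, payload bytes."""
    out, ts = [], None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:                                   # first line: timestamp + IP header
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            continue
        m = UDP_RE.match(line)
        if m and ts is not None:                # second line: UDP 4-tuple + length
            src, sport, dst, dport, plen = m.groups()
            out.append({"ts": ts, "src": src, "sport": int(sport), "dst": dst,
                        "dport": int(dport), "bytes": int(plen)})
            ts = None
    return out


def summarise_exporters(datagrams, expected_port=EWC_NETFLOW_PORT):
    """Group by (src, dst, dport); report count, payload bytes, mean gap, port check."""
    groups = defaultdict(list)
    for d in datagrams:
        groups[(d["src"], d["dst"], d["dport"])].append(d)
    report = {}
    for key, pkts in groups.items():
        pkts.sort(key=lambda d: d["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(pkts, pkts[1:])]
        report[key] = {"packets": len(pkts), "bytes": sum(d["bytes"] for d in pkts),
                       "mean_gap_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
                       "on_expected_port": key[2] == expected_port}
    return report


if __name__ == "__main__":
    for key, info in summarise_exporters(parse_udp_datagrams(SAMPLE_CAPTURE)).items():
        print(key, info)
```

Feed it real output with `tcpdump -v -n -i eth0 udp` and look for senders whose on_expected_port is False or whose mean gap is far from the controller's export interval.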
Mike Thomas, Employee - GTAC - NMS

That is the correct port # used by Wireless controller for Netflow to Purview. 
Do you have the oneview Configuration setup to view the Purview appliance, as opposed to the default Netflow appliance?

In the article below, the last picture shows the Purview 6.3 appliance selected. It's possible you're looking at the NetSight appliance IP instead.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Identifi-Wireless-Controller-to-send-data-to-Purview
Luis Mendes

Hi, I have the same situation. In my lab Purview is populated because the port is not tagged. At the customer the port is tagged and Purview doesn't populate. Any idea?
Mike Thomas, Employee - GTAC - NMS

Luis, is the customer platform running on a VM? It would likely need to be responsible for decoding the tagged packet and forwarding to the Purview VM.
A tcpdump, if seen with packets like above, should indicate you're getting netflow packets to the Purview appliance. The Purview appliance must then be sending data back to the NetSight appliance to display the data. As mentioned above, sometimes the NetSight appliance is used for looking at application flows; it is the default, and needs to be changed to the Purview appliance.
Luis Mendes

Mike,
The customer has a VM; the VM and NetSight are on the same server. In my lab Purview shows the information, but at the customer it does not. If you look at the attached image, you will see the information from my lab and from the customer.

The collector does not show any data.

CUSTOMER


LAB

Ronald Dvorak, Embassador

Hi Luis,

is the vswitch in the VM set to "VLAN ID = All" and "Promiscuous Mode" set to accept?
I think these are the 2 things that you need to set....

Here are my settings. NetSight is on the VM and I've a C5110 which is directly connected to vmnic5.



-Ron
Andre Brits Kannemeyer

We are bridging traffic at the AP, tagged in specific Vlans.
I see both the Netflow traffic and the Mirrored traffic on the Purview appliance if I run a TCPDUMP for both the management and mirror ports.
But we still do not see any "Application Flows".
I will test this with B@AP but untagged.
Piotr Owczarek

I have deployed PV and EWC in the recommended versions, followed the GTAC document on how to configure them, and apparently cannot see any traffic on the eth0 and eth1 interfaces of PV. That means no flow and no mirror. Any suggestions what I am doing wrong?
Mike Thomas, Employee - GTAC - NMS

Is it a Hyper-V or VMware install? Promiscuous mode on the ports is needed for the mirror interface anyway. Seeing no traffic, however, is more than likely a sign of another problem, like the virtual switch being broken.
Piotr Owczarek

Yes, it is a virtual machine. Prom. mode is on. What can be the problem with the switch?
Mike Thomas, Employee - GTAC - NMS

It could be, but you would see broadcast and the like. Do you see any traffic on a tcpdump? Just a wide open one? The EWC uses a non standard port to transport netflow, either 2095 or 2075 I believe.
Piotr Owczarek

On the first interface of PV I can see some broadcast; the second one (TAP) is silent...
Mike Thomas, Employee - GTAC - NMS

Do an 'ifconfig -a' a couple of times to see if traffic is coming in.

Also a wide open tcpdump to see if anything is coming in unicast to box.

tcpdump -i eth0
I assume if the box is remotely managed the answer is yes.
If nothing on eth1, maybe the mirror interface is not eth1?
Tomasz

Hi,

How should I proceed with troubleshooting when PV gets NetFlow reports (I can see them via tcpdump from both EWCs that create H/A pair) but it doesn't get MirrorN via L2 port?

I've set eth1 and eth2 in PV for mirror, as one is for the LAN, and another is for EWCs. Then I put the eth in a separate vSwitch (promisc accept) with one 4095 VID port group (promisc accept), where also mirror ports of both EWCs are inserted.

I am concerned about output of OneView->Applications->Configuration->Purview Appliances->purview->Status->Diagnostics->Configuration Verification:
--------------------------------------------------
Process appid is running at pid 7927
Process appidserver is running at pid 7947
--------------------------------------------------
Checking for traffic on interface eth1
Checking for traffic on interface eth2
Checking for Netflow records on interface eth0..
Checking for Netflow records on interface eth1..
Checking for IPFIX records on loopback interface..
--------------------------------------------------
Waiting for captures to complete..
Mirror appears to be setup correctly on eth1.
Mirror appears to be setup correctly on eth2.
NOTE - Netflow does not appear to be setup to send to this host correctly. <<<
IPFIX appears to be setup correctly.
--------------------------------------------------

If needed I can share with all the details of steps I've made to configure PV/EWC.

Regards,
Tomasz

EDIT: Tcpdumping the esa1 at EWC doesn't show anything.
I am testing using mobile playing Youtube movies, with B@AP topology.
Piotr Owczarek

The issue with EWC and Purview was connected with the size of the EWC virtual machine resources. If I had an EWC with a small amount of resources (EWC Small), the EWC did not send any data to Purview (Netflow). When I changed the size of the controller to Medium everything was OK and Purview started to work fine.
Luis Mendes

Yes... but I have 2 C5210s. And Purview sees the traffic but doesn't populate.
Mike Thomas, Employee - GTAC - NMS

Are you just not seeing application flows? Looks like both ports are seeing data.
If so, try a different browser.

We can certainly do a remote assist if you open a case with the GTAC
Instructions below.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-contact-Extreme-Networks-Global-Tec...
Luis Mendes

I have a case open... 2 months and all questions. Everything that was asked of me I answered, I sent screenshots; I only requested remote access from someone who has already run Purview with wireless. I have 3 customers who are interested but want to see the working solution.
Adilson Gal, Employee

Hi Luis, please call us at the GTAC 0800-76-25397 at your earliest convenience for us to work on this issue. Thank you and have a great weekend. 
Adilson Gal, Employee

We have worked with Luis Mendes via remote session and we believe we have identified the root cause. The Admin interface cannot be used as the source interface for netflow traffic. We have suggested to have the admin interface disabled and configure one of the available physical interfaces (esa0-3) for management of the controller and to be used as the source for the netflow traffic. 
David Coberly, Employee

Hello all, as soon as I enable the netflow mirror L2 port (esa1) to the Purview appliance all of the wireless traffic stops. All clients are still connected to the APs but are not able to pass traffic. NMS, NAC, Purview & WLC are virtual. Purview is configured with option 1, single interface. Any ideas?
Mike Thomas, Employee - GTAC - NMS

James, I am not a VMware design expert - but the ESA port would need to be sent out a specific VLAN, probably tagged in this case, so it can get to the other side's Purview appliance VM eth1 port. The wireless controller cannot do a GRE tunnel like the PV-FC-180 and S-Series, so you will need to work around that.
Others here may have more experience in the actual configuration from a Vswitch end.
Peter Chang

Just bumping this thread.

We have two EWCs, each on different hosts, running active/active, and I'm trying to figure out how to set up one Extreme Analytics (Purview) VM where both controllers will forward their Netflow. We aren't licensed to use VMware's distributed switch so we have to use the standard switch. Has anyone done this before? Or would it be best to set up an Analytics VM on each of the VM hosts where my EWC sits, as EWC esa1 and Analytics eth1 need to sit on the same standard vSwitch?
James A, Embassador

Peter: Multiple Purview VMs seems like a good idea, I'll give that a shot next week.
Peter Chang

Hi James. I implemented this yesterday, and so far it seems to be working. We have a VMware Essentials Plus license, so we can't use a "distributed virtual switch". But if you have the license one above that, which I think is VMware Enterprise, then you should be able to use one Purview VM and have a distributed virtual switch spanning across multiple VM hosts for the EMC esa1 and Purview eth1 to plug into. If I remember correctly, I think this distributed virtual switch needs to be set to mirroring. This is all from what I've read, and unfortunately I can't confirm as I don't have the license.

From what I've done:
VM Host 1
-EMC1
-Analytics Purview 1 VM
-Standard Switch in promiscuous mode, using dedicated L2 port connected to our switch (EMC1 esa1, and Purview1 eth1 connected to this virtual switch)
-On our switch, I created a vlan, "analytics" to isolate traffic on this standard switch

VM Host 2
-EMC2
-Analytics Purview 2 VM
-Standard Switch in promiscuous mode (EMC2 esa1, and Purview2 eth1 connected to this virtual switch)
-On our switch, I created a vlan, "analytics2" to isolate traffic on this standard switch

On EMC1
-have netflow forward to Purview1

On EMC2
-have netflow forward to Purview 2

If you have any questions, let me know.
 
James A, Embassador

Hi Peter,

While we do have Enterprise Plus vSphere, switching to a distributed virtual switch is a big config change, so I went with the config you have above (although I assume you mean EWC not EMC). There are a few things that are covered in comments above, like using VLAN 4095 to get all data, but one thing that isn't is that you can't use the EMC to configure Wireless Controller Flow Sources, as it'll try to add both controllers of the HA pair to one capture appliance, which is exactly what you don't want. Instead, set them up manually in each EWC, and then they show up in EMC later. I also set up a DRS rule to keep the EWC and Purview VMs on the same host.

One thing I learnt while researching VMware dvSwitching is it supports Encapsulated Remote Mirroring (L3) which is a GRE port mirror. So it's conceivable that you could set that up and point it at the purview VM like you would with a CoreFlow2 GRE source. Also, now I realise I can capture normal traffic from my S4 to wireshark on my desktop.