Purview Integration Wireless Controller 9.21


Userlevel 3
Hi community,

has anyone integrated the wireless solution V 9.21 into Purview? I get the TopN Mirror up and running but I don't get netflow packets.

Netflow is configured in the section "VNS->Global->NetflowMirrorN"
There I configured the Mgmt IP of my Purview instance and chose esa1 as my L2 Mirror Port.

Any idea?

Best Regards
Michael

50 replies

Userlevel 3
I also enabled the Netflow flag in the Wireless Service Advanced section.
Still no netflow...
Userlevel 4
Hi Michael,

What version of NMS are you running? You will require Netsight 6.3 as well. NetSight 6.3 is scheduled for Early Access at the end of the month.

Paulo
Userlevel 3
Hi Paulo,

thanks for the reply. I'm running NetSight 6.2. But what does the NetSight version have to do with whether the wireless controller sends out netflow packets or not? In my opinion this is more Wireless controller related.

Best Regards
Michael
Userlevel 4
Hi Michael,

The 9.21 Wireless controller is sending out Netflow packets... However, it is sending it on Port 2095. NS/Purview6.2 does not listen on that port and therefore does not display any Netflow data. You need Purview6.3 in order to receive and analyze the records.

Therefore you need a minimum base of NetSight/Purview 6.3 in order for the integration to work correctly.
Userlevel 7
Reference: https://gtacknowledge.extremenetworks.com/articles/Q_A/What-port-does-Netflow-use-on-the-Indentifi-Wireless-controller-to-talk-to-Purview-appliance
Userlevel 7
Hey guys, I'm also preparing my WLAN infrastructure for Purview and I need your input.

I've a single SSID/BYOD/NAC deployment with most of my APs in the office but also some in remote/home offices.

I'm not sure what the correct way is to enable Purview data collection....
Should/could I globally enable it on the SSID but disable it for the role home office (bridge@AP)?
It would make no sense to mirror all traffic back via the slow WAN link to the Purview engine.

Or should I leave WLAN service mirror disabled and enable it only on the role level (the bridge@EWC & routed roles).

What is the difference... on the WLAN service the selection is "enable both directions" but in the role the option is only "enabled".
Does it give the same information back to Purview ?

Thanks,
Ron
Userlevel 4
Hi Ron,

The definition in the WLAN Service will work as the catch-all policy. Policy has precedence.

So in your example, if you want to capture all the traffic on the service except specific roles, simply set the service to 'Enable' - both directions recommended to get a bidirectional view of the traffic.

For any Roles you want to exclude, simply set their default action Traffic Mirror to 'Prohibited'.

If you have both Role and Service set to Enable, then there's no discrepancy and any traffic from that role on that service is N-Mirrored.

Paulo
Userlevel 7
Thanks Paulo,

I've taken a closer look into the KT and have two more questions...

1) controller mirror port
Is the traffic sent untagged or is the tag from the respective role used to forward the traffic to Purview?

2) mirror N packets
If I understand it correctly only the first 15 packets/flow are mirrored to Purview per default.
So I should be able to enable it also for remote/branch offices without having all data copied back to the controller, right?

-Ron
Userlevel 4
Hi Ron,

It depends on the direction of the traffic:

1) Traffic to the MU (NET to MU) if carrying a VLAN tag when received at the Appliance/AP will be mirrored as is (With VLAN tag)

Traffic from the MU (MU to NET) will always be mirrored as received from the wireless (post 802.3) which does not include the VLAN tag.

2) It depends on the topology configuration. For Bridged@Controller topologies all traffic is relayed back to the controller for N-Mirroring filtering and NetFlow metrics. Note: if mirroring is applicable (Rule, Role or Service) the AP will still mirror back all traffic that is 'denied' by a Filtering@AP (controller will discard from the VLAN any such traffic, but will still mirror on Purview)

For Bridged@AP topologies, the AP will mirror only up to the first N-frames of a flow. Note2: AP will mirror up to N-Frames of any flow even if 'Denied' by filtering at AP (so that Purview has complete view of all traffic intended to/by the user)

Paulo
Userlevel 2
Hi

When I use TAGGED on any ESA, the traffic doesn't appear in Purview. If the outside interface is configured untagged, Purview shows the connections; with tagged packets, Purview counts them but they do not appear on the dashboard. Any idea?
Userlevel 7
- is the link to the VM server a trunk and all VLANs are allowed ?
- is the VM vswitch set to promiscuous mode and VLAN ID set to "all" so all VLANs are forwarded ?

I've chosen the "easy" way and use a dedicated NIC on my VM which I've directly connected to my WLAN controller mirror port, which works great.
Userlevel 2
Yes

I chose to plug the controller directly into the VM (C5210). If you run "tcpdump", the traffic exists and the Purview statistics appear. I have the same scenario but with untagged traffic, and Purview shows the traffic and information. But with tagged, nothing shows.

Any idea?

Userlevel 2
The collector process doesn't show flow records... but the sensor reads packets.
Userlevel 7
Ok another question - this time about the license.
I've Netsight with a NMS-ADV-U with no additional licenses installed.
In Oneview I'd see that my Purview supports 100 clients with 3000 flows.

Is that basic license included in every advanced license to try out Purview, or only in the unlimited Netsight license?

-Ron

Userlevel 3
Hi Ron,

correct - every NMS-ADV-XX comes with 3000 flows/min & 100 Clients. Just like the 500 NAC End-System licenses.

Regards
Michael
Userlevel 6
The early access of Netsight 6.3 is available now if you have requested early access rights.

Userlevel 5
Hi Guys
Perhaps this post can assist:

We have deployed a V2110 with NMS 6.3
We have enabled the purview integration.

In Oneview we see no Application flows.
If I look at the TCPDUMP on the Purview appliance on eth0 I see the Netflow Traffic As follows:

17:56:15.377880 IP (tos 0x0, ttl 126, id 0, offset 0, flags [none], proto UDP (17), length 112)
10.0.10.250.2095 > rbhs-pur-01.rondebosch.local.2095: UDP, length 84
17:56:45.454054 IP (tos 0x0, ttl 126, id 0, offset 0, flags [none], proto UDP (17), length 112)
10.0.10.250.2095 > rbhs-pur-01.rondebosch.local.2095: UDP, length 84
17:57:15.588240 IP (tos 0x0, ttl 126, id 0, offset 0, flags [none], proto UDP (17), length 112)
10.0.10.250.2095 > rbhs-pur-01.rondebosch.local.2095: UDP, length 84
17:57:45.666345 IP (tos 0x0, ttl 126, id 0, offset 0, flags [none], proto UDP (17), length 112)
10.0.10.250.2095 > rbhs-pur-01.rondebosch.local.2095: UDP, length 84

If I look at the TCPDump on the mirror port I also see all the mirrored traffic.
But I see no info in "Oneview"

So in summary I see the Netflow data and the Mirror data on the purview appliance, but nothing in Oneview.....

Any ideas??

Regards
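
An added example, not part of the thread: one way to check offline what a capture from the Purview interfaces actually contains, namely how many frames are untagged, how many carry an 802.1Q tag (and for which VLAN), and how many are UDP datagrams to port 2095. It assumes the capture was saved in classic little-endian pcap format (for instance with `tcpdump -w`); all function names are hypothetical and the sample frames are constructed.

```python
import struct
from collections import Counter

NETFLOW_PORT = 2095  # UDP port the thread reports the 9.21 controller exporting on

def pcap_frames(data):
    """Yield raw Ethernet frames from a classic little-endian pcap byte string."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap capture")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        yield data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len

def classify(frame):
    """Return (vlan_id or None, udp_dst_port or None) for one Ethernet frame."""
    if len(frame) < 14:
        return None, None
    ethertype, vlan, l3 = struct.unpack_from("!H", frame, 12)[0], None, 14
    if ethertype == 0x8100 and len(frame) >= 18:  # 802.1Q tag present
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, l3 = tci & 0x0FFF, 18
    port = None
    if ethertype == 0x0800 and len(frame) >= l3 + 20:  # IPv4
        ihl = (frame[l3] & 0x0F) * 4
        if frame[l3 + 9] == 17 and len(frame) >= l3 + ihl + 4:  # UDP
            port = struct.unpack_from("!H", frame, l3 + ihl + 2)[0]
    return vlan, port

def summarize(data):
    """Count untagged frames, frames per VLAN ID, and datagrams to UDP/2095."""
    result = Counter()
    for frame in pcap_frames(data):
        vlan, port = classify(frame)
        result["untagged" if vlan is None else f"vlan {vlan}"] += 1
        result["netflow_2095"] += port == NETFLOW_PORT
    return dict(result)

def build_frame(vlan, dport):
    """Constructed sample frame: IPv4/UDP between documentation addresses."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
    return bytes(12) + tag + b"\x08\x00" + ip + struct.pack("!HHHH", 2095, dport, 8, 0)

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE = build_pcap([build_frame(None, 2095), build_frame(100, 80), build_frame(100, 443)])
print(summarize(SAMPLE))
```

If every frame on the mirror interface lands in a `vlan N` bucket while the dashboard stays empty, that matches the tagged-versus-untagged symptom described in this thread.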
Userlevel 6
That is the correct port # used by Wireless controller for Netflow to Purview.
Do you have the oneview Configuration setup to view the Purview appliance, as opposed to the default Netflow appliance?

In the below article, the last picture shows the Purview6.3 appliance selected. It's possible you're looking at the Netsight appliance IP instead.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Identifi-Wireless-Controller-to-send-data-to-Purview
Userlevel 2

Hi, I have the same situation. In my lab, Purview is populated because the port is not tagged. At the customer, the port is tagged and Purview doesn't populate. Any idea?
Userlevel 6

Luis, is the customer platform running on a VM? It would likely need to be responsible for decoding the tagged packet and forwarding to the PurviewVM.
A tcpdump, if seen with packets like above, should indicate you're getting netflow packets to the Purview appliance. The Purview appliance must then be sending data back to the Netsight appliance to display the data. As mentioned above, sometimes the Netsight appliance is used for looking at application flows (it is the default) and needs to be changed to the Purview appliance.
Userlevel 2

Mike,
The customer has a VM; the VM and Netsight are on the same server. In my lab, Purview shows the information, but at the customer it does not. If you look at the attached image, you will see the information from my lab and the customer.

The collector does not show any data.

CUSTOMER



LAB

Userlevel 7

Hi Luis,

Is the vswitch in the VM set to "VLAN ID = All" and "Promiscuous Mode" set to accept?
I think these are the 2 things that you need to set....

Here are my settings; Netsight is on the VM and I have a C5110 which is directly connected to vmnic5.



-Ron
Userlevel 5
We are bridging traffic at the AP, tagged in specific VLANs. I see both the Netflow traffic and the mirrored traffic on the Purview appliance if I run a TCPDUMP for both the management and mirror ports. But we still do not see any "Applications Flows". I will test this with B@AP but untagged.
I have deployed PV and EWC in the recommended versions and followed the GTAC document on how to configure them, and apparently cannot see any traffic on the eth0 and eth1 interfaces of PV. It means no flow and no mirror. Any suggestions what I am doing wrong?
Userlevel 6
Is it a Hyper-V or VMware install? Promiscuous mode on the ports is needed for the mirror interface anyway. Seeing no traffic, however, is more than likely a sign of another problem. Like the virtual switch may be broken.
