In a recent post I talked about the ExtraHop product & its capabilities when it comes to network monitoring. In this post I will go through how we can use it to monitor Cisco WLC Netflow. If you read my “WLC Netflow with AireOS” post, you are aware of the 17 fields included in Netflow packets coming from WLCs (Note: 5520/8540 with AireOS 8.2.x onward).
8.Client MAC Address
9.AP MAC Address
11.VLAN Id – Mgmt/Dyn
12.TOS – DSCP Value
13.Flow Start Time
14.Flow End Time
You can enable Netflow on a Cisco WLC with the following basic steps.
- Create an AVC profile & map it onto the WLAN whose wireless traffic you want to monitor.
- Configure Netflow Exporter (which is Netflow collector IP address & listening port)
- Configure Netflow Monitor & map it to Exporter defined in previous step.
The above shows the Netflow Monitor & Exporter config that you have to do. Note that the record type should be “client Source & Destination Record” as we are using a 3rd party collector (not Cisco Prime Assurance).
Once you enable it on your WLC as shown above, you should be able to see it on your ExtraHop Discover Appliance (EDA) under pending flow networks.
One great advantage of the ExtraHop product is its flexibility. You can create your own triggers & build custom application bundles. In our case we asked ExtraHop to help us monitor WLC Netflow traffic, which includes those fields.
Once your device is in ExtraHop, you can assign a trigger to it (Metrics > Sources > Devices > Assign Trigger).
Once you do that, you will collect WLC netflow stats on your EDA & you can get stats based on your requirement. Below shows some sample stats we were able to get.
You can easily differentiate wireless upload/download on your network.
You can analyze wireless traffic based on Application
As WLAN ID is one of the fields in Netflow traffic, you can easily view traffic on each SSID.
As username is one of the fields, you can get some interesting stats based on it. Here we break down “eduroam” visitor traffic to see which universities' users are consuming our wireless bandwidth.
Here is top upload/download user stats
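The per-realm eduroam breakdown and the top upload/download user stats described above can be reproduced from the username field once the flow records are decoded. This is an added example, not the ExtraHop trigger used in this post; the record shape (`username`, `direction`, `bytes`) and the sample values are assumptions constructed for illustration.

```javascript
// Added example. Record shape (username, direction, bytes) is an assumption
// about already-decoded WLC NetFlow data; it is not ExtraHop's trigger API.
const sampleRecords = [ // constructed sample data, not real traffic
  { username: 'alice@uni-a.example', direction: 'down', bytes: 5000 },
  { username: 'ALICE@Uni-A.example', direction: 'up', bytes: 700 },
  { username: 'bob@uni-b.example', direction: 'down', bytes: 1200 },
  { username: 'carol@uni-a.example', direction: 'up', bytes: 9000 },
  { username: 'guest-device', direction: 'down', bytes: 300 }, // no realm
  { username: '', direction: 'up', bytes: 50 }, // username field empty
  { username: 'dave@uni-b.example', direction: 'sideways', bytes: 10 }, // malformed
];

// Realm is the part after the last '@' in a user@realm identity.
function realmOf(username) {
  const at = username.lastIndexOf('@');
  return at < 0 || at === username.length - 1 ? '(none)' : username.slice(at + 1);
}

// Sum upload/download bytes per realm and per user; count rejected records.
function summarize(records) {
  const byRealm = new Map(), byUser = new Map();
  let skipped = 0;
  for (const r of records) {
    const valid = (r.direction === 'up' || r.direction === 'down') &&
      Number.isFinite(r.bytes) && r.bytes >= 0;
    if (!valid) { skipped += 1; continue; }
    // Normalise case and whitespace so one user is not split across keys.
    const name = typeof r.username === 'string' ? r.username.trim().toLowerCase() : '';
    const user = name || '(unknown)';
    for (const [map, key] of [[byRealm, realmOf(user)], [byUser, user]]) {
      const totals = map.get(key) || { up: 0, down: 0 };
      totals[r.direction] += r.bytes;
      map.set(key, totals);
    }
  }
  return { byRealm, byUser, skipped };
}

// Top n keys for one direction, ties broken by name for stable output.
function top(map, direction, n) {
  return [...map.entries()]
    .sort((a, b) => b[1][direction] - a[1][direction] || a[0].localeCompare(b[0]))
    .slice(0, n)
    .map(([key, totals]) => ({ key, bytes: totals[direction] }));
}

const summary = summarize(sampleRecords);
console.log(top(summary.byRealm, 'down', 3), top(summary.byUser, 'up', 3));
```

Records with no username or no realm are kept under `(unknown)` and `(none)` rather than dropped, so traffic that cannot be attributed to a user still shows up in the totals.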
There is much more you can do as long as you have a good idea of how you would like to see the stats. If you would like to see wireless traffic in a certain way, please drop a line as a comment and I will see if we can do it in this setup.
Special thanks go to Thomas Plant (one of my colleagues, who worked with ExtraHop to get it done) & Khurram Waheed for getting us those triggers from their technical resources.
Juan Larriega said:
It has been a long time since I’ve read your blog, which I found very informative. I'd like to ask you a question and I hope it is not too impertinent. For the last three years, I’ve been working as a Routing and Switching Data Center Network Engineer; the last time I configured a wireless controller was three years ago, a 5760. Now that I am unemployed and looking for new job opportunities, I'd like to refresh my knowledge and hands-on experience on wireless. I'd like to know your opinion on what would be the best approach for coming up to speed with wireless.
Thank you Nayarasi and I look forward to your response.
If it is Cisco wireless, AireOS (8540/ 5520/ 5508/ 3504/ 2504) controllers still dominate. IOS-XE (5760/3850), formerly known as converged access, is dead; Cisco killed it.
With Cisco DNA (Digital Network Architecture) they have come up with SDA-Wireless (software driven access), which is still very new & I haven’t seen it adopted well in the market.
So if I had to learn Cisco wireless, I would still invest my time in learning AireOS based controller config. I would suggest you have at least a 2504 & a few APs & switches as your home lab, with a VM that can run ISE, PI & possibly CMX/MSE. Then play with different scenarios & learn the technology.
From technology perspective, if you want to learn wireless, I would suggest you to start with CWNA (from https://www.cwnp.com/ )
Good luck & hope you will get an opportunity soon.