Filtering on traffic between subnets

When looking at sFlowTrend traffic graphs and reports, sometimes you will want to focus on specific traffic of interest, for example understanding traffic patterns between subnets. To do this you can use a filter in a network traffic Top N chart or report. The help includes a section on filtering which outlines how to build filters. The UI for both network traffic TopN charts and report query sections includes a filter builder. The filter builder has a dropdown menu that lists the traffic database keys that can be used as filter terms. You can also use filter functions in a filter and these filter functions can be typed directly into the filter bar. One such filter function is the inSubnet function. There are two forms of the inSubnet filter function:

inSubnet(address, subnet, maskBits)

In this form address is the database address key field that you would like to test (for example ipServer), subnet and maskBits define the subnet to test against for inclusion. For example inSubnet(ipServer, "10.1.5.0", 24) will return true for any IP server address that is in subnet 10.1.5.0/24. Note the quotes "" around the subnet address. 

This form of the filter function can also be used for testing IPv6 addresses for subnet inclusion. For example the inSubnet(ipSource, "2001:db8:a::", 64), can be used to show traffic sourced by any address in the subnet 2001:db8:a::/64.

This example shows the top connections for server addresses in the 10.1.5.0 subnet. It also uses a custom Top N chart that includes serverAddress, serverPort, clientAddress as key fields, so that the connections are not broken out by ephemeral client port. See the help for more information on configuring Custom Top N charts.

inSubnet(address, subnetName) 

In this form, address is the database address key field that you would like to test (for example ipSource) and subnetName has previously been defined as a subnet in the sFlowTrend configuration (see the help section on configuring subnets). For example inSubnet(ipSource, "East Bay") will return true for any IP source address that is in the predefined subnet named East Bay.

Diagnosing abnormal network traffic levels

A common question that network managers handle is "Why is the network slow?". In many cases, poor network performance can be caused by a localised overload. This may be caused by mistakes in the network configuration, equipment malfunctions, inadvertent mis-use, or because capacity is insufficient for the normal load. Since an sFlow enabled network and sFlowTrend provide complete visibility of network usage, it is easy to pinpoint overload conditions and take appropriate action. It is even possible to receive alerts so that proactive controls can be implemented to prevent poor performance occurring. Here is an example of how sFlowTrend helps you identify and diagnose network overload conditions.

Dashboard, Thresholds indicates an abnormally high level of unicast traffic. Click on the unicast indicator to view the Thresholds tab and find out why.

The Thresholds tab indicates the switch 10.1.4.253 is experiencing the abnormally high level of unicast traffic. Click on the unicast indicator to see which interfaces are affected.

The interface with ifIndex 23 is most affected by the unicast traffic. Click on the unicast indicator to bring up the menu and select Root cause to see who and what is contributing to the unicast traffic.

100% of unicast frames are sent from hosts in the External subnet to hosts in the External subnet. Looking at the fourth row, 58% of the unicast frames are sent from 208.65.153.251 TCP:80 to 64.151.76.36. From this we can conclude that the major factor causing the abnormally high unicast traffic is web traffic from server 208.65.153.251 (which is in the External subnet). To see for how long abnormal levels of unicast traffic have affected this interface, click on the Network > Counters tab (or choose View chart from the Root cause tab menu).

The Network > Top N tab displays the details of the top connections.

In this example we have created a custom top connections chart that allows us to focus on the server port and ignore the ephemeral client port.

The Network > Circles tab allows you to visualise the traffic flows between groups of addresses to help understand the communication patterns across the network.