Traffic Insights

Welcome to ThousandEyes Traffic Insights. This article introduces the Traffic Insights feature, gives an overview of its components and configuration steps, and explains how to get started.

What Is Traffic Insights?

Traffic Insights collects network traffic flow data from your network devices and integrates it with synthetic test data, allowing you to effectively isolate and troubleshoot network and application performance issues faster. The viewable results, built on a foundation of ThousandEyes Cloud Agent and Enterprise Agent test data, are enriched with flows passing through the test path that are representative of real users, enabling you to verify actual performance impacts.

Traffic Insights exploits data from multiple protocols and intelligence mechanisms, including NetFlow (Cisco’s network IP traffic protocol), IPFIX (IP Flow Information Export - sometimes called NetFlow v10), SNMP (Simple Network Management Protocol), and Cisco NBAR (Network Based Application Recognition) to bring you a fuller picture of your network health.

In addition, ThousandEyes expands other existing functionality for dashboards and alerts to include data from Traffic Insights, further enhancing your view of the network and increasing your speed of issue resolution.

Traffic Insights leverages ThousandEyes Enterprise Agents, whose functionality now includes collection of network telemetry data via NetFlow v9 and IPFIX, supporting traffic flow analysis from both Cisco and non-Cisco networking platforms using IPFIX records and their NetFlow equivalents. Traffic Insights also helps you monitor your application usage (see Application Recognition).

Traffic Insights Use Cases

Traffic Insights provides value for any organization, particularly for network engineering and network operations (NetOps) teams utilizing Enterprise Agents as part of their ThousandEyes deployment. The visibility it provides into network traffic as well as its ability to correlate network traffic data with synthetic test results makes Traffic Insights valuable in addressing a number of use cases, including:

  • Identifying application traffic as the cause of degraded experiences – Through the use of filtering and the ability to identify applications within flow records through network-based application recognition (NBAR), Traffic Insights can be used to attribute packet loss or latency on a network node to specific applications. In a troubleshooting workflow, for example, network teams can filter and sort flow records to quickly identify applications that are consuming excessive bandwidth and perhaps causing more business-critical applications to underperform.

  • Identifying network nodes and interfaces as the cause of degraded experiences – Similarly, teams can start with a network path visualization in a troubleshooting workflow, then correlate poor performance with detailed network traffic analysis to drill down and remediate issues at the node or interface level.

  • Visualizing trends and changes in traffic before, during, and after issues occur – Traffic Insights provides a 30-day window into network traffic and features an easy-to-navigate interface combining graphical (stacked charts, trend lines, etc.) and tabular views that reduce the amount of time and effort needed to identify issues and move towards resolution.

  • Prioritizing issues based on user impact – Filtering the flow records within Traffic Insights makes it possible to determine the number of end-users affected by network performance degradation at specific locations or in specific regions. Enterprise Agents activated for flow forwarding within specific network segments allow you to localize a synthetic test event to a specific network device (or segment).

Traffic Insights Key Components

The following network components are involved in sending network flow data to ThousandEyes. Each of them plays a particular role. Below, we set out those roles and how they apply to Traffic Insights, using a package delivery logistics analogy to aid understanding:

  1. Flow Record: The flow record defines what specific information (fields) you collect about traffic flows, such as source and destination IP addresses, ports, protocol, and more. This is like a shipping label that contains information about a package: sender address, recipient address, package weight, contents, shipping method.

  2. Interface: The interface provides the observation point from which a flow monitor can collect data on the traffic flows (ingress, egress, or both). This is like the warehouse loading dock where packages enter or leave the logistics system.

  3. Flow Monitor: This is a device that monitors the flow of traffic through the interface and collects data according to the flow record’s specifications. You will see this referred to as the "traffic monitor" in Traffic Insights. This is like the package scanner at the dock that scans packages as they come in or go out, using the shipping label to record the required details. It applies the label template (flow record fields) at the dock (interface) to actually monitor packages (flows).

  4. Flow Exporter: The flow exporter specifies where the collected flow data is sent. This typically includes the export protocol (such as NetFlow v9 or IPFIX) and IP address and port of a flow collector (though in the case of Traffic Insights, the data is sent to the forwarder first - see number 6). In our analogy, the exporter is like the shipment data uploader that sends scanned package data from the dock to the central logistics system, so that wider tracking and analytics can happen outside the warehouse.

    Importantly, in Traffic Insights, the same device acts as flow monitor and flow exporter and both come under the name "traffic monitor". In the analogy, the package scanner both records the package data and automatically uploads it.

  5. Flow Collector: The flow collector receives the flow data for processing and analysis. In Traffic Insights, the ThousandEyes backend platform acts as a flow collector in the cloud. This component is the central logistics system in our analogy, tracking packages, identifying delays, and generating delivery reports.

  6. Forwarder: In Traffic Insights, all of the flow data is collected and analyzed in the cloud. No data is stored on-premises. For this to happen, a specialized ThousandEyes Enterprise Agent receives flows from the traffic monitors and forwards them to the ThousandEyes cloud platform in real time. We call this agent the forwarding agent, or “forwarder”, and it is the point where the network flow data is compressed, encrypted, and transmitted from your network to our platform. You can have more than one forwarder per account across your geography to distribute the load if needed. Since it sits separately from the flow collector, the forwarding agent has the additional benefit of being able to also forward the raw flow data to another external collector if you already have one set up.

Key components

While the actual flow of data roughly follows the sequence above, the steps to configure network flow take almost the opposite route (that is, starting with the forwarder), reflecting dependencies in setup. In the case of Traffic Insights, you configure the components in the following order: forwarder, SNMP device discovery (a step that supports correlation between synthetic tests and real traffic), traffic monitor, flow record, then interface, as summarized in Traffic Insights Configuration Overview.

See Component Relationships for more information about how components relate to each other.

Traffic Insights Configuration Overview

All you’ll need to get started in Traffic Insights is a valid ThousandEyes license, an Organization Admin or Account Admin role (see Role-Based Access Control, Explained), and the ability to make the necessary configuration changes within your own enterprise network. See Traffic Insights System Requirements and Traffic Insights Configuration Guide for details.

Three essential configuration steps

Configuring Traffic Insights involves the following essential steps:

  1. Configure the Enterprise Agent to enable it for forwarding. You might need to install a dedicated Enterprise Agent. See Step 1: Enable an Enterprise Agent.

  2. Configure SNMP devices in ThousandEyes, if you have not already done so, to enable ThousandEyes to correlate the device information shown through your path visualization (synthetic test data) with the data coming from your traffic monitors. See Step 2: Configure SNMP Device Discovery.

  3. Configure network devices to serve as flow monitors and exporters via command line, Cisco Catalyst SD-WAN Manager, Meraki Dashboard, or other tools. This step also covers flow record configuration, if required, and interface assignment. Once allow-listed in ThousandEyes, these “traffic monitors” can send flow data to the platform. See Step 3: Configure Network Flow Data.

Note that steps 2 and 3 can also be done in reverse order, but we recommend doing them in the above order as best practice.
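
The flow record, exporter, monitor and interface from Key Components, and the command-line option in step 3, expressed as Cisco IOS XE Flexible NetFlow configuration. This is an added example, not configuration taken from ThousandEyes documentation; the object names, interface names, forwarder address (192.0.2.10) and UDP port (2055) are placeholders to replace with your own values.

```cisco
! Added example. All names, addresses and ports below are placeholders.
!
! 1. Flow record: the "shipping label", i.e. which fields are kept per flow.
flow record TI-RECORD
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match interface input
 ! Requires NBAR on the device; carries the recognized application per flow.
 match application name
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
! 4. Flow exporter: where the data goes. In Traffic Insights the destination
!    is the forwarding Enterprise Agent, not the cloud collector itself.
flow exporter TI-EXPORTER
 destination 192.0.2.10
 source GigabitEthernet0/0/0
 transport udp 2055
 export-protocol ipfix
!
! 3. Flow monitor: binds the record to the exporter.
flow monitor TI-MONITOR
 record TI-RECORD
 exporter TI-EXPORTER
 cache timeout active 60
!
! 2. Interface: the observation point, monitored in both directions.
interface GigabitEthernet0/0/1
 ip flow monitor TI-MONITOR input
 ip flow monitor TI-MONITOR output
```

The source interface determines the address the forwarder sees, so it should correspond to the device address you allow-list in ThousandEyes.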

Optional configuration steps include subnet tagging in ThousandEyes so you can filter by subnets using human-readable labels such as “engineering” or “HR”. You can also configure optional external flow collectors that may represent existing systems, so that they can receive network traffic flow information outside of any ThousandEyes data needs. See Optional Configurations.

Traffic Insights Quick Start Guide

For a screen-by-screen guide to configuring all the above elements within ThousandEyes, see this handy walk-through (skip login). For ease of viewing, the guide assumes you already have a supported Enterprise Agent available for configuration. See Supported Enterprise Agent Device Types for information about supported agents.

Trial Traffic Insights

You can request a free trial of Traffic Insights directly within the ThousandEyes portal by navigating to Traffic Insights from the left-hand menu. Click Request Trial to activate your free trial. You will receive a confirmation email when you start the 60-day trial period. Before your trial period expires, we will reach out to you. While a free trial can only be requested once, you can talk to your account team to discuss additional options.
