Traffic Insights Configuration Guide

Traffic Insights minimum configuration requirements consist of enabling a ThousandEyes Enterprise Agent to accept Traffic Insights data, conducting SNMP discovery of the devices that will send flow data, and configuring and allow-listing a network flow traffic monitor to send the correct record formats to ThousandEyes.

Optionally, you can configure subnet tags inside of ThousandEyes to enhance the ThousandEyes data views.

Before you begin any configuration, see Traffic Insights System Requirements for information about the minimum requirements of the components configured in the steps below.

Configuration Requirements

To complete the configuration steps in this section, you need access to:

• Your own enterprise network configuration systems, and/or the network device command line interface (CLI).

• The ThousandEyes platform and user interface, with an Organization Admin or Account Admin role.

Step 1: Enable an Enterprise Agent

Before exporting network flow data, you need to install or designate a ThousandEyes Enterprise Agent within your network. Then, on the ThousandEyes platform, you need to configure the agent to recognize and pass along the exported flow data so it can be ingested into the ThousandEyes platform. Refer to Flow Forwarder Requirements for information on installing the Enterprise Agent within your enterprise network.

1.1 Designate an Enterprise Agent Within Your Network

If you do not yet have a supported Enterprise Agent to use as a flow forwarder, you can install an Enterprise Agent directly from the ThousandEyes Platform. See Enterprise Agent Requirements for information about supported agents, and the relevant article in the Enterprise Agent Installing section for installation instructions.

If you already have Enterprise Agents installed, and want to designate one as a forwarder, see Finding a Supported Agent.

1.2 Enable Flow Forwarding on the Enterprise Agent

Enable the network flow forwarder on the Enterprise Agent under Network & App Synthetics > Agent Settings > Enterprise Agents. After choosing an agent to edit, go to the Advanced Settings tab, scroll down to Agent Modules, and click the Enable button.

Refer to Enterprise Agent Settings Screens for more information.

Success Criteria: The Enterprise Agent has Traffic Insights enabled and is visible on the Forwarders Screen.

Step 2: Configure SNMP Device Discovery

Why We Need Device Discovery

In order to better correlate between ThousandEyes data views for Network & App Synthetics and the data views for Traffic Insights, you must discover the devices that you designate as your traffic monitors from an Enterprise Agent on your network. SNMP device discovery is necessary to unlock device identification features such as the device name (like ISR4451cEdge) and interface type (like GigabitEthernet0/0/2) that are sending flow data; otherwise, only the device IP address is shown in the Traffic Insights views. Additionally, if the device shows up as a node in the path visualization of a test and there are network flows going from it to an Enterprise Agent with Traffic Insights enabled, you can simply click on the device to take you directly into a filtered view in Traffic Insights for a deeper dive into that device's current metrics.

Enterprise Agents poll your network devices using the Simple Network Management Protocol (SNMP). The Enterprise Agent you use to discover the network devices does not have to be the one you designated as the flow forwarder you configured in step 1.

2.1 Conduct SNMP Device Discovery

Find instructions for device discovery at Device Layer.

2.2 (Optional) Enable ACLs on the Traffic Monitor

In addition to all the other steps, you may need to enable Access Control Lists (ACLs) for the network device that is serving as the traffic monitor for Traffic Insights. You need to allow the ThousandEyes Enterprise Agent to discover this network device and to receive flow data.

Success Criteria: Enabled Enterprise Agent has discovered the device and it is visible in the Devices table.

Step 3: Configure Network Flow Data

This section describes tasks related to setting up flow exporting within traffic monitors from your network to ThousandEyes. Some of these configuration tasks are performed within your enterprise network, while others are done on the ThousandEyes platform.

3.1 Command-Line Configuration

Below are example steps for manually configuring NetFlow on Cisco IOS-XE devices using a command-line interface (CLI).

A. Set Up Dedicated Forwarding IP on Interface

The flow exporter's IP address needs to be unique within your network. While the IP address need not be “dedicated” solely to Traffic Insights – the device can use the IP address for other purposes – it just means that your exporting interfaces should be assigned with IP addresses that don't overlap with other IP addresses in your network.

B. Configure Network Flow Records

• Create IPv4 Record:

  Copy

  flow record te_etm_record_v4 
    match interface input
    match ipv4 source address
    match ipv4 destination address
    match ipv4 protocol
    match transport source-port
    match transport destination-port
    match flow direction
    collect interface output
    collect counter bytes
    collect counter packets
    collect application name
    collect transport tcp flags
    collect routing next-hop address ipv4
    collect ipv4 dscp
    collect timestamp absolute first
    collect timestamp absolute last

• Create the IPv6 record:

  Copy

  flow record te_etm_record_v6 
    match interface input
    match ipv6 source address
    match ipv6 destination address
    match ipv6 protocol
    match transport source-port
    match transport destination-port
    match flow direction
    collect interface output
    collect counter bytes
    collect counter packets
    collect application name
    collect transport tcp flags
    collect routing next-hop address ipv6
    collect ipv6 dscp
    collect timestamp absolute first
    collect timestamp absolute last

C. Configure Flow Exporter

flow exporter te_etm_exporter 
  destination <Destination IP Address> (optional: vrf <VRF Name>) 
  source <Source Interface> 
  transport udp 18089 
  export-protocol ipfix 
  option interface-table timeout 300 
  option vrf-table timeout 300 
  option sampler-table 
  option application-table timeout 300 
  option application-attributes timeout 300

D. Configure Flow Monitors

• Create the IPv4 monitor:

  Copy

  flow monitor te_etm_monitor 
    exporter te_etm_exporter 
    cache timeout inactive 10 
    cache timeout active 60 
    record te_etm_record_v4

• Create the IPv6 flow monitor:

  Copy

  flow monitor te_etm_monitor_v6 
    exporter te_etm_exporter 
    cache timeout inactive 10 
    cache timeout active 60 
    record te_etm_record_v6

E. Attach Flow Monitor to All Interfaces

interface <Interface>
  ip flow monitor te_etm_monitor input

Optional: If you want to get IPv6, attach the IPv6 flow monitor to all interfaces.

interface <Interface> 
  ipv6 flow monitor te_etm_monitor_v6 input 

3.2 Cisco SD-WAN Configuration

There are a different set of Netflow configuration steps needed specifically for Cisco SD-WAN environments. For SD-WAN you need to configure a centralized Cflowd policy.

See the Cisco documentation titled Cisco SD-WAN Policies Configuration Guide for Cisco IOS XE Release 17.x for instructions to set up and configure Cflowd. Refer to the example below to create a Cflowd policy for your sites.

3.2 Option 1: Cisco SD-WAN Centralized Cflowd Policy

Locate the centralized default policy in your Cisco SD-WAN manager. If you do not have one, you need to create one. In the following example, you create a policy called “Default_Central_Policy”.

1. Go to Configuration > Policies > Centralized Policies > Default_Central_Policy.

2. Select “...”.

3. Click Edit.

   
4. Select Traffic Rules as shown in the figure above.

   
5. Select the Cflowd tab.

6. Click Add Policy.

   
7. In the Cflowd Policy screen, fill in the following fields:

   • Name: Enter a policy name, in this example we use ThousandEyes-ETM.

   • Description: Enter a simple description for the policy.

   • Active Flow Timeout: 60

   • Inactive Flow Timeout: 15

   • Flow Refresh: 120

   • Sampling Interval: 1

   • Protocol: IPv4 (an additional policy can be created for IPv6).

8. Click New Collector and fill in the following fields:

   • VPN ID: Use the VPN that will send traffic to the cflowd collector.

   • IP Address: IP of the ThousandEyes Enterprise Agent that has Traffic Insights enabled.

   • Port: 18089 (that can be customized for example 9995).

   • Transport Protocol: TCP or UDP (this must match the ThousandEyes Enterprise Agent collector/forwarder settings in Traffic Insights Settings Screens).

   • Source Interface: Type the interface that will send Cflowd records to the ThousandEyes Enterprise Agent collector/forwarder. Use the dropdown to help select the interface type.

9. Click Add.

10. Click Save Cflowd Policy.

    

To apply the Cflowd policy to sites:

1. Select Policy Application.

2. Click the Cflowd tab.

3. Click the + New Site List.

   • Select your site(s) from the popup list.

   • Click Add.

   • Click Save Policy Changes to update your policy.

3.2: Option 2: Cflowd Configuration by Command-Line

Below is a command-line example of the Cflowd configuration; the IP address 192.168.100.176 and port 18089 refer to the Enterprise Agent that has been enabled as a network flow collector/forwarder.

#show sdwan policy from-vsmart cflowd-template 
  flow-active-timeout 60 
  flow-inactive-timeout 15 
  template-refresh 120 
  flow-sampling-interval 1 
  protocol ipv4 
  no collect-tloc-loopback 
  customized-ipv4-record-fields 
    no collect-tos 
    no collect-dscp-output 
  collector vpn 2 address 192.168.100.176 port 18089 transport transport_udp
    source-interface GigabitEthernet0/0/3 
    bfd-metrics-export  
    export-interval 60

Additionally, the command **show sdwan app-fwd cflowd statistics** can be used to verify flow statistics.

3.3 Meraki Dashboard Configuration

There may be subtley different ways to set up a traffic monitor via the Meraki Dashboard depending on the device you use. General steps include:

1. Log into the Meraki admin console.

2. Navigate to Network-wide > Configure > General.

3. Allow SNMP access (you may also need to type in the community name).

4. Set NetFlow traffic Reporting or NetFlow Collector to "Enabled".

5. In the NetFlow collector IP field, enter your Traffic Insights forwarder IP address.

6. In the NetFlow collector port field, enter 18089.

   
7. Click Save.

For more information about configuring Meraki devices for network flow, see Meraki's Netflow Overview.

Success Criteria: Traffic monitor is visible for allow-list selection. The device should appear on the screen in Allow-Listing Your Flow Device.

3.4 Allow-List the Flow Device in ThousandEyes

This step allows the forwarding Enterprise Agent to recognize and accept the network flow data from the newly configured traffic monitor (flow exporter). The forwarder needs the allow-list in order to accept flow data from your exporter. Go to Traffic Insights > Settings > Traffic Monitors and click Allow All. See Allow-listing Your Flow Device for more in-depth guidance on allow-listing your traffic monitors.

Note that network flow data must already be streaming to the Enterprise Agent in order for the traffic monitor’s network device to appear as an option for allow-listing.

You only need to allow-list one traffic monitor per Enterprise Agent.

Optional Configurations

Create Subnet Tags

This optional step is performed in the ThousandEyes platform if you want to be able to see network traffic flows by subnet. See Subnet Tagging Screen for screens and further instructions.

Configure External Flow Collectors

Get your flows sent to another flow collector for ingestion into additional newtork flow analysis tools. See External Flow Collector Screens for more information.