Overview
Segmentation and Aggregation provides the ability to aggregate flow data from various network equipment and/or segment the data for reporting and analysis by different groups such as customers, locations or departments. Flows can be segmented by almost any flow property and the data attributed to each segment is placed in a secondary source, in either your own account or any account that you have RW access to.
In this Article
Segment Properties
Adding in a new Segment
Segment Fields Explained
Adding in a new Aggregate
Aggregate Fields Explained
Segments
Segments allow flow data from one or more primary sources (e.g. an in-line Sinefa Probe or a SPAN port) to be filtered into secondary sources based on properties of the flow. The currently supported properties are:
| Segment Property | Description |
| IP Version | Match the Internet Protocol version, e.g. IPv4 or IPv6. |
| IP Protocol | Match the IP transport Protocol, e.g. TCP or UDP. |
| Internal/External Address/Subnet | Match the internal or external IP address or subnet, e.g. 192.168.0.1 or 10.0.0.0/16. |
| Source/Destination Address/Subnet | Match the source or destination IP address or subnet, e.g. 192.168.0.1 or 10.0.0.0/16. |
| Source/Destination Port | Match the source or destination ports of TCP or UDP flows, e.g. 80. |
| Application | Match the application classification, e.g. HTTP, YouTube, Facebook, etc. |
| Direction | Match the flow direction, e.g. inbound or outbound. |
| Virtual Circuit | Match the Virtual Circuit name of flows exported from Exinda devices performing QoS. |
| VLAN tag | Match the VLAN ID where flows contain 802.1Q VLAN tags, should be a number between 1 and 4095. Double tagged VLANs / QinQ is supported. Match on Inner Tag or Outer Tag. |
| MPLS label | Match the MPLS label. Matching on multiple labels is supported including Top Label, Bottom Label or any Label. |
| AD Group | Match the AD Group that has been specified i.e. Melbourne Team, Sydney Team etc. Please note Active Directory Integration needs to be setup for this: How to allow Sinefa probes to connect to Active Directory Domain Controllers as a non-Administrator user How to Setup Active Directory Username Visibility |
Using the above properties, flows can be segmented into secondary sources, providing full visibility into each segment.
Example
As an example, lets say we have the following environment:
| Location | Subnet |
| Branch Office | 172.26.0.0/24 |
We have a mirror port and a Sinefa Probe in the DC sending traffic containing all the flows to/from the branch offices. With segmentation, we can create secondary sources that include only the traffic to/from the main Branch office which we want to identify in our reporting as Internal Subnet.
- To create segments, navigate to the Settings > Utilization page and click on the Segments tab.
- Click on Add new Segment
Each field explained
| Field | Definition |
| Extract | This is where you select what to filter your traffic by per segment i.e. VLAN tag, source address, source port, etc. Refer to segment property tables above for full list of capabilities There is the ability utilize the AND/OR operator to add additional rules to your filter |
| From | This is where you select the source of the traffic that you are wanting to segment i.e. Melbourne Probe |
| Account | This is where you select which account the results go into. By default, this is set to the account you're currently creating the rule from BUT you can send the segment results to a different account that you have created/access to |
| Source | The name of the segment that you're creating |
Example
For a different example, we have the following WAN environment:
| Location | Subnet |
| UK | 10.8.5.0/24 |
| China | 172.26.0.0/24 |
To create a segment that filters only the flows to/from the UK, we can use the 'External Address' filter. Flow data is collected from the DC, and the UK is external to the DC, so this filter matches all flows to/from the UK subnet. We've set-up this segment to send results to the "UK" source in my own account. If you own more than one account, you can send the results to a different account. Once this is completed, you will need to Subscribe each segment you've setup.
After setting up both the UK and China, this is what my segments look like.
Navigating back to the Sources tab will show our existing Primary Source and our 2 new Secondary Sources.
The only other change to make is to toggle the Collection Point on both Secondary Sources to Internal. If we were to look at the reports for the UK, for example, our internal hosts would be reported as external and our external hosts would be reported as internal. This is because collection happens at the DC, so a host's internal/external status is determined from the point of view of the Primary Source. Changing the Collection Point to Internal reverses the direction of the flows from the point of view of the Secondary Sources.
With our Segments now created, we can now view all the reports from the point of view of our UK and China locations.
Segmentation can also be used to segment customer's traffic in multi-tenant environments. For example, if I'm a service provider I could segment the traffic for each of my customers and provide them access to detailed visibility reports, just showing their data.
Aggregates
Aggregates are like the reverse of segments, they allow flow data from multiple Primary Sources to be aggregated into a single Secondary Source.
Example
As an example, lets say we have 2 load-balanced routers with port mirroring configured for traffic to flow to a Sinefa Probe in our data centre. We want to view this location as a single source, not as 2 individual sources.
- To create an aggregate, navigate to the Settings > Utilization page and click on the Aggregates tab.
- Click on Add new Aggregate.
Each field explained
| Field | Definition |
| Aggregate | This is where you select what sources you want to aggregate i.e. Melbourne (br1) and Melbourne (.139) |
| Account | This is where you select which account the results go into. By default, this is set to the account you're currently creating the rule from BUT you can send the segment results to a different account that you have created/access to |
| Source | The name of the aggregate that you're creating |
Once this has been created - subscribe the new aggregate.
Navigating back to the Sources tab will show our existing Primary Sources as well as our new Secondary Source.
The only other change to make is to Suppress the Primary Sources, this means they won't report any flow data, so on our reports, we will see the Secondary Source only.
See Also
How to filter Sinefa reports
Sinefa Best Practise Guide
How to create a custom dashboard
How to setup report scheduling
How to allow Sinefa probes to connect to Active Directory Domain Controllers as a non-Administrator user
How to Setup Active Directory Username Visibility
Comments
0 comments
Article is closed for comments.