Identify unusual activity by comparing a dashboard's data for the past hour with data from the same hour one week earlier. For example, the bar visualization of traffic over time shows the changing ratio of internal to external traffic, which can highlight an abnormality.
The Count sFlow vs Last Wk visualization in the sFlow dashboard shows the number of unique flows seen now compared with the same period last week. This visualization indicates unusual network activity and helps pinpoint a Denial of Service (DoS) attack.
Figure 3. Count sFlow vs Last Wk
In a well-inventoried environment, use the New Flows & New Hosts report.
Figure 4. Production Traffic
Configure utilization alerts associated with the following DMF port types:
Filter
Delivery
Core
Services
Figure 5. Monitoring Port Utilization Alerts
The other alerts available include the following.
The percentage of outbound traffic exceeds the usual thresholds.
New hosts appear on the network every 24 hours.
Figure 6. New Host Report
Use machine learning to perform anomaly detection on byte volume and other traffic characteristics over time.
Figure 7. Machine Learning
Application Data Management
Application Data Management (ADM) helps users govern and manage data in business applications like SAP ERP. To use Arista Analytics for ADM, perform the following steps:
Pick a service IP address or block of IP addresses.
Identify the main body of expected communication with adjacent application servers.
Filter down to ports that need to be communicating.
Expand the time horizon to characterize necessary communication completely.
Save as CSV.
Convert the CSV to ACL rules to enforce in the network.
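The last step, converting the saved flow CSV into allow-list ACL rules, as an added example that is not part of the Arista documentation or product. The CSV column names, the flow-count threshold used to drop incidental ports, and the EOS-style rule syntax are assumptions; adapt them to the actual export and target platform.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of an observed-flow export for an SAP-style service block.
# Column names are an assumption, not the product's real export schema.
SAMPLE_CSV = """src_ip,dst_ip,dst_port,protocol,flows
10.1.10.5,10.2.0.10,3200,tcp,1423
10.1.10.6,10.2.0.10,3200,tcp,1311
10.1.10.7,10.2.0.10,3200,tcp,977
10.1.20.8,10.2.0.10,3300,tcp,54
10.1.10.5,10.2.0.11,1521,tcp,2
10.1.10.5,10.3.0.4,443,tcp,500
"""


def build_acl(csv_text, service_net, min_flows=10):
    """Turn observed flows toward service_net into permit rules plus a final deny.
    Flows below min_flows are treated as incidental noise: reported, not permitted."""
    service = ipaddress.ip_network(service_net)
    sources = defaultdict(set)  # (dst_ip, port, proto) -> set of source /32 networks
    skipped = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if ipaddress.ip_address(row["dst_ip"]) not in service:
            continue  # traffic to other destinations is out of scope for this ACL
        if int(row["flows"]) < min_flows:
            skipped.append(row)  # surface for review instead of silently permitting
            continue
        key = (row["dst_ip"], int(row["dst_port"]), row["protocol"])
        sources[key].add(ipaddress.ip_network(row["src_ip"] + "/32"))
    rules = []
    for (dst, port, proto), srcs in sorted(sources.items()):
        # Merge adjacent /32s into the smallest covering prefixes to keep the ACL short.
        for net in ipaddress.collapse_addresses(sorted(srcs)):
            rules.append(f"permit {proto} {net.with_prefixlen} host {dst} eq {port}")
    rules.append(f"deny ip any {service.with_prefixlen}")  # default deny for the block
    return rules, skipped


if __name__ == "__main__":
    acl, review = build_acl(SAMPLE_CSV, "10.2.0.0/24")
    print("\n".join(acl))
    for row in review:
        print(f"# review: {row['src_ip']} -> {row['dst_ip']}:{row['dst_port']} ({row['flows']} flows)")
```

Rules are emitted per destination and port so an unexpected service (such as the low-count 1521 row above) is reviewed before it enters the allow list.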
WAN Link Optimization
Use your knowledge of DMF filter or delivery interface names to monitor traffic to or from specific interfaces. If the DMF filter interfaces attached to WAN links are named with a standard string, such as wan, you can monitor WAN link utilization by referring to those filter interface names.
To identify a WAN link or device that is approaching full utilization, complete the following steps:
Select sFlow.
Refer to the Flow by Filter Interface visualization.
Figure 8. Flow by Filter Interface
This visualization displays the utilization for each DMF filter interface. To compare this to the traffic from the production interfaces (SPAN or Tap), use the Flow by Production Device & IF visualization.
Figure 9. Flow by Production Device & IF
Select the Filter Interfaces corresponding to the WAN link.
Refer to the Count sFlow vs Last Wk visualization to determine if any significant change in utilization has occurred.
Figure 10. Count sFlow vs Last Wk
Use the Traffic over Time visualization to focus on peak and non-peak utilization periods. Drag the cursor horizontally over a peak utilization period, and the display is updated to zoom in on those events.
Figure 11. Traffic Over Time
Use the Time Range configuration to analyze traffic over a month for a more complete characterization.
Figure 12. Expanding Time Period Using the Time Range
Machine Learning
Arista Analytics uses machine learning for anomaly detection. The following jobs are available:
Single-metric anomaly detection
Multimetric anomaly detection
Population
Advanced
Categorization
Figure 13. Machine Learning
For every job, a job ID must be configured. To create a machine learning job:
Select the time range
Select the appropriate metric
Enter details: job ID, description, custom URLs, and calendars to exclude planned outages from the job
Figure 14. Machine Learning Job options
Single-metric anomaly detection uses machine learning on only one metric or field.
Figure 15. Single-metric Anomaly Detection
Multimetric anomaly detection uses machine learning on more than one metric or field. The image below uses two metrics, running the machine learning analysis per L4 application.
Figure 16. Multimetric Anomaly Detection
Population anomaly detection detects network activity that differs from the population of data points. Arista Networks recommends this analysis for high-cardinality data.
Figure 17. Population
The categorization job groups data points into categories and then finds anomalies between them.
Figure 18. Categorization