Netflow sampling

chinguun bayar
Level 1

I have configured NetFlow in my router but my router is overheaded. So I decided to configure sampled NetFlow, and a sampling rate of 1 out of 100 packets may reduce the export of NetFlow data by as much as 50 percent. So you know it's not suitable for security monitoring.

What's your recommendation? Is there any solution on the collector?

2 Replies

Hello Chinguun,

Collecting sampled flows should be a native capability of most collectors on the market. The ability to receive a high volume of flows is a feature that sets vendors apart. Keep in mind that collection and then reporting are two separate issues in terms of performance.  You might want to test our free version of Scrutinizer. 

Also, if you want to reduce flow volumes but, reduce flow volumes, read this post involving Flexible NetFlow: https://www.plixer.com/blog/sflow/how-to-avoid-ipfix-or-netflow-sampling-vs-sflow/ 

I hope this helps.

Mike

brford
Cisco Employee

Hello Chinguun,

You've encountered a somewhat common problem.   Many engineers find that enabling NetFlow and the telemetry data that it produces is very valuable.  The problem is they may not have considered the impact of enabling flow on the router both in terms of processor and bandwidth utilization.

Engineers will frequently resort to sampling flow.  Sampled flow is good for some tasks such as gaining indicators of network or application utilization; but not good for others.  Sampled flow creates big gaps in the telemetry stream making the data less valuable for anomaly detection and other security purposes.

A solution to this problem is to deploy a Flow Sensor.  A Cisco Stealthwatch connects to your router via a span port and offloads the process of creating flow.  The Flow Sensor captures packets on the span port and uses that data to create a NetFlow. The Flow Sensor is then configured to send that NetFlow to a Flow Collector.

When used with our Cisco Stealthwatch Flow Collectors the flow traffic from a Flow Sensor is not counted towards the Flows Per Second license normally required on a Flow Collector.  The Stealthwatch Flow Collector then reports flow telemetry via the Cisco Stealthwatch Management Console.

Flow Sensors are valuable for gathering flow data from places in the network where you can't (due to reasons such as processor utilization) or shouldn't (if the device on the network is not under your administrative control; as is the case if the router is supplied by a service provider or other third party).

For more information see:  http://www.cisco.com/go/stealthwatch

Brian Ford  | Technical Marketing Engineer  | Cisco Security Business Group  | @ccie2106

 

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.
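The gap that sampling leaves in flow telemetry, discussed in the replies above, can be measured with a short simulation. This is an added example, not code from any participant in the thread; it assumes independent random 1-in-100 packet sampling and a constructed traffic mix, and all function names are hypothetical.

```python
import random

def miss_probability(packets, n):
    """Chance that 1-in-n random packet sampling never selects a packet of a flow."""
    return (1 - 1 / n) ** packets

def build_traffic():
    """Constructed traffic mix: 20 bulk transfers plus 2000 one-packet probes."""
    flows = {("bulk", i): 50_000 for i in range(20)}
    flows.update({("probe", i): 1 for i in range(2000)})
    return flows

def sample(flows, n, seed=1):
    """Return {flow_id: sampled_packet_count} for flows with at least one sampled packet."""
    rng = random.Random(seed)
    rate = 1 / n  # assumption: each packet is selected independently
    seen = {}
    for flow_id, packets in flows.items():
        hits = sum(1 for _ in range(packets) if rng.random() < rate)
        if hits:
            seen[flow_id] = hits
    return seen

def report(n=100):
    """Compare what a collector sees after sampling with the real traffic."""
    flows = build_traffic()
    seen = sample(flows, n)
    true_packets = sum(flows.values())
    est_packets = n * sum(seen.values())  # collector scales counts back up by n
    return {
        "bulk_flows_seen": sum(1 for kind, _ in seen if kind == "bulk"),
        "probe_flows_seen": sum(1 for kind, _ in seen if kind == "probe"),
        "probe_flows_total": 2000,
        "volume_error": abs(est_packets - true_packets) / true_packets,
    }

if __name__ == "__main__":
    print(report())
```

The scaled packet volume stays close to the true value, which is why sampled flow works for utilization reporting, while nearly all of the one-packet flows never reach the collector.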