08-22-2016 12:43 AM - edited 03-10-2019 12:42 AM
I have configured NetFlow on my router, but my router is overloaded. So I decided to configure sampled NetFlow, and a sampling rate of 1 out of 100 packets may reduce the export of NetFlow data by as much as 50 percent. So, you know, it's not suitable for security monitoring.
What's your recommendation? Is there any solution on the collector?
08-22-2016 05:08 AM
Hello Chinguun,
Collecting sampled flows should be a native capability of most collectors on the market. The ability to receive a high volume of flows is a feature that sets vendors apart. Keep in mind that collection and then reporting are two separate issues in terms of performance. You might want to test our free version of Scrutinizer.
Also, if you want to reduce flow volumes, read this post involving Flexible NetFlow: https://www.plixer.com/blog/sflow/how-to-avoid-ipfix-or-netflow-sampling-vs-sflow/
I hope this helps.
Mike
10-04-2016 10:58 AM
Hello Chinguun,
You've encountered a somewhat common problem. Many engineers find that enabling NetFlow and the telemetry data that it produces is very valuable. The problem is they may not have considered the impact of enabling flow on the router both in terms of processor and bandwidth utilization.
Engineers will frequently resort to sampling flow. Sampled flow is good for some tasks such as gaining indicators of network or application utilization; but not good for others. Sampled flow creates big gaps in the telemetry stream making the data less valuable for anomaly detection and other security purposes.
A solution to this problem is to deploy a Flow Sensor. A Cisco Stealthwatch connects to your router via a SPAN port and offloads the process of creating flow. The Flow Sensor captures packets on the SPAN port and uses that data to create NetFlow. The Flow Sensor is then configured to send that NetFlow to a Flow Collector.
When used with our Cisco Stealthwatch Flow Collectors the flow traffic from a Flow Sensor is not counted towards the Flows Per Second license normally required on a Flow Collector. The Stealthwatch Flow Collector then reports flow telemetry via the Cisco Stealthwatch Management Console.
Flow Sensors are valuable for gathering flow data from places in the network where you can't (due to reasons such as processor utilization) or shouldn't (if the device on the network is not under your administrative control, as is the case if the router is supplied by a service provider or other third party).
For more information see: http://www.cisco.com/go/stealthwatch
Brian Ford | Technical Marketing Engineer | Cisco Security Business Group | @ccie2106
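The point made in both replies, that sampled flow still estimates volume well but loses the small flows that security analytics depend on, can be shown with a short simulation. The following is an added example, not part of the thread and not code from Cisco or Plixer. It builds a constructed packet trace (five long HTTPS transfers plus one host probing 200 ports with a single packet each), emulates a 1-out-of-N packet sampler in both deterministic and random modes (the two sampler modes the original question's "1 out of 100" setting implies), and then compares the flow table a collector would build from the sampled packets, with counts scaled up by the sampling rate, against the unsampled truth. All addresses, ports and packet counts are constructed for the demonstration.

```python
"""Constructed demo: how 1-out-of-N packet sampling erases small flows from NetFlow telemetry."""
import random
from collections import defaultdict
from dataclasses import dataclass

BULK_PORT = 443          # constructed: five long HTTPS transfers to one server
SCANNER = "10.0.0.99"    # constructed: one host probing 200 ports, one packet per port
TARGET = "10.0.1.5"      # constructed: the server/victim address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    size: int


def build_traffic():
    """Constructed trace: 5 bulk flows x 1000 packets, followed by a 200-port scan (1 packet per port)."""
    packets = []
    for i in range(5):
        for _ in range(1000):
            packets.append(Packet(f"10.0.0.{i + 1}", TARGET, BULK_PORT, 1400))
    for port in range(20000, 20200):
        packets.append(Packet(SCANNER, TARGET, port, 60))
    return packets


def sample_packets(packets, rate, mode="deterministic", seed=1):
    """Emulate a 1-out-of-N sampler: deterministic keeps every Nth packet,
    random keeps each packet independently with probability 1/N."""
    if rate == 1:
        return list(packets)
    if mode == "deterministic":
        return [p for i, p in enumerate(packets) if i % rate == 0]
    rng = random.Random(seed)
    return [p for p in packets if rng.randrange(rate) == 0]


def to_flows(packets, scale=1):
    """Aggregate packets into flow records keyed by (src, dst, dport).
    Counters are multiplied by the sampling rate, which is how a collector
    turns sampled counts back into an estimate of the real volume."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        rec = flows[(p.src, p.dst, p.dport)]
        rec["packets"] += scale
        rec["bytes"] += p.size * scale
    return dict(flows)


def visibility_report(rate, mode="deterministic", seed=1):
    """Compare the full flow table with what survives sampling at the given rate."""
    packets = build_traffic()
    truth = to_flows(packets)
    seen = to_flows(sample_packets(packets, rate, mode, seed), scale=rate)
    bulk_keys = {k for k in truth if k[2] == BULK_PORT}
    scan_keys = {k for k in truth if k[0] == SCANNER}
    return {
        "rate": rate,
        "flows_total": len(truth),
        "flows_seen": len(seen),
        "bulk_flows_seen": len(bulk_keys & set(seen)),
        "scan_flows_seen": len(scan_keys & set(seen)),
        # volume estimate for the bulk flows: sampling handles this well
        "bulk_bytes_estimated": sum(seen[k]["bytes"] for k in bulk_keys if k in seen),
        "bulk_bytes_true": sum(truth[k]["bytes"] for k in bulk_keys),
    }


if __name__ == "__main__":
    for rate in (1, 10, 100):
        r = visibility_report(rate)
        print(f"1:{rate:<4} flows seen {r['flows_seen']:>3}/{r['flows_total']}  "
              f"bulk {r['bulk_flows_seen']}/5  scan ports {r['scan_flows_seen']}/200  "
              f"bulk bytes est {r['bulk_bytes_estimated']} vs true {r['bulk_bytes_true']}")
```

At 1:100 the estimated byte volume of the five bulk transfers comes out exactly right, which is why sampling is adequate for utilization reporting, while only about 2 of the 200 single-packet probes survive, so a collector looking for a port scan or a short beacon sees almost nothing of it. That is the "gap in the telemetry stream" the replies describe, and why unsampled flow from a sensor on a SPAN port is preferred for anomaly detection.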