I have a query from our customer, which has implemented Cisco Stealthwatch v.6.9.0, consisting of a Flow Collector 4200 as a hardware appliance and the SMC as a virtual machine. So far, the Flow Collector collects flows from 4 Cisco Nexus 7700 switches.
The customer is reporting that not all flow export is collected from the Nexus switches, because they were creating some sample traffic which was not present in the SMC.
Can anyone tell me whether there is any sort of processing of flows on the Flow Collector or SMC that could ignore certain flows, or whether the problem is in the configuration of the flow export on the switches?
If the latter is the case, which configuration of the flow export could cause this? Can it be the case that the switches are sending just samples of flows in order to reduce the impact on performance?
It's important to understand that you are actually asking two questions here.
In the Nexus 7k series, full NetFlow is supported only on the M1 and M2 Series module ports. F2, F2e, F3, and M3 Series modules support sampled NetFlow only. For further granular information, refer to the links below.
Stealthwatch receives records only when the switch exports them, which can cause a few seconds of delay. And due to the processing in Stealthwatch, a new network flow may take a few seconds to appear in the console.
If your switch is only providing sampled flow, the likely reason you are not seeing specific traffic is that those packets were not selected for reporting. This highlights one of the two reasons sampled flow is insufficient for security policies: it does not report on all traffic.
What linecard is being used in the 7700?
Is it possible the flows are showing up in Stealthwatch after a few minutes, and the problem is just a delay?
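To make the point in the answer above concrete, here is an added simulation (not code from the thread, Cisco, or Stealthwatch) of what a collector sees when a switch does 1-out-of-N packet sampling versus full NetFlow. The traffic table, addresses and sampling rate are constructed for illustration; the flow keys are 5-tuples like a NetFlow record would use. Small test flows (a few pings, a short SSH session) are exactly the ones that tend to vanish under sampling, which is what the customer observed.

```python
import random
from collections import defaultdict

# Constructed traffic (hypothetical addresses): 5-tuple -> packet count.
# (src, dst, protocol, src_port, dst_port)
FLOWS = {
    ("10.0.0.5", "10.0.1.20", 6, 51234, 443): 5000,  # long HTTPS transfer
    ("10.0.0.7", "10.0.1.21", 6, 40001, 22): 40,     # short SSH session
    ("10.0.0.9", "10.0.1.22", 1, 0, 0): 3,           # three ICMP echo requests
}


def packets(flows):
    """Expand the flow table into a packet stream, interleaving flows round-robin
    so the stream resembles mixed traffic crossing one interface."""
    remaining = dict(flows)
    while remaining:
        for key in list(remaining):
            yield key
            remaining[key] -= 1
            if remaining[key] == 0:
                del remaining[key]


def export_records(flows, sample_rate, rng=None):
    """Return the flow records a collector would receive as {5-tuple: sampled packets}.

    sample_rate=1  -> full NetFlow: every packet is accounted for.
    sample_rate=N  -> 1-out-of-N packet sampling. With rng=None the switch picks
                      every Nth packet (deterministic); with a random.Random it
                      picks each packet with probability 1/N (random sampling).
    """
    records = defaultdict(int)
    for index, key in enumerate(packets(flows)):
        if sample_rate == 1:
            chosen = True
        elif rng is None:
            chosen = index % sample_rate == 0
        else:
            chosen = rng.random() < 1.0 / sample_rate
        if chosen:
            records[key] += 1
    return dict(records)


def missing_flows(flows, sample_rate, rng=None):
    """Flows that generated traffic but produced no record at the collector."""
    seen = export_records(flows, sample_rate, rng)
    return sorted(key for key in flows if key not in seen)


def p_flow_visible(packet_count, sample_rate):
    """Probability that a flow of packet_count packets yields at least one record
    under random 1-out-of-N sampling: 1 - (1 - 1/N) ** packets."""
    return 1.0 - (1.0 - 1.0 / sample_rate) ** packet_count


if __name__ == "__main__":
    for rate in (1, 1000):
        print(f"sampling 1:{rate} -> records: {export_records(FLOWS, rate)}")
        print(f"  flows absent from collector: {missing_flows(FLOWS, rate)}")
    for count in (3, 40, 5000):
        print(f"  P(visible | {count} packets, 1:1000) = {p_flow_visible(count, 1000):.4f}")
    # Random sampling gives the same picture on average:
    print(missing_flows(FLOWS, 1000, random.Random(7)))
```

With full NetFlow every constructed flow produces a record with its true packet count; at 1:1000 only the 5000-packet transfer reliably appears, and a 3-packet ping test has well under a 1% chance of showing up at all. That is the check to run before blaming the collector: compare the test flow's packet count against the configured sampling rate, and if the product is small, the export itself never carried the flow.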