We have Nexus 7k switches with an F3 line card configured to export sampled NetFlow data to Stealthwatch 6.9.2.
The problem explained:
Stealthwatch shows less data for interface inbound traffic compared to the SNMP interface statistics. For example, the WAN interface has 300 Mbps, but Stealthwatch collects up to 100 Mbps with NetFlow.
We can see no more than 100 Mbps with sampler mode 1 out of 1.
We do not see any traffic with sampler mode 1:1000.
And we cannot see any sampler configuration on the Flow Collector and Stealthwatch console.
Which is the problem? Nexus or Stealthwatch?
Do you have any experience with a similar problem?
The issue may be the result of the use of sampled NetFlow (rather than full or un-sampled NetFlow). The interface statistics produced in Stealthwatch when using sampled NetFlow are an approximation of the traffic based on the sampling rate and the sampling type (random or deterministic). The statistics reported at the command line interface (CLI) of a device are often exact.
In this network the NetFlow sampled data generated by the Nexus switch can contribute to behavioral analytics but really can't be the only data source. You can greatly improve Stealthwatch findings by adding exporters that support full, un-sampled NetFlow elsewhere in the network.
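The point made in the answer above, as an added example that is not part of the original thread: a small simulation comparing exact byte counters with the estimate a collector can derive from 1:n sampled packets, and counting how many flows are never sampled at all. The traffic mix and the function names (`build_traffic`, `sample`, `report`) are constructed for illustration and do not model any specific Nexus or Stealthwatch behavior.

```python
import random

def build_traffic(seed=7):
    """Constructed packet list of (flow_id, bytes): 20 bulk flows, 2000 short flows."""
    rng = random.Random(seed)
    packets = []
    for fid in range(20):                    # bulk transfers, 5000 full-size packets each
        packets += [(fid, 1500)] * 5000
    for fid in range(20, 2020):              # short flows: 1-10 small packets each
        packets += [(fid, rng.randint(60, 400))] * rng.randint(1, 10)
    rng.shuffle(packets)                     # interleave flows as on a shared link
    return packets

def sample(packets, n, mode="random", seed=11):
    """Keep roughly 1 packet in n. 'deterministic' takes every n-th packet."""
    if n == 1:
        return list(packets)
    if mode == "deterministic":
        return packets[::n]
    rng = random.Random(seed)
    return [p for p in packets if rng.randrange(n) == 0]

def report(packets, n, mode="random"):
    """Compare exact counters with what can be inferred from 1:n samples."""
    picked = sample(packets, n, mode)
    exact = sum(size for _, size in packets)
    exported = sum(size for _, size in picked)   # bytes carried by the sampled packets
    estimate = exported * n                      # scaled back up by the sampling rate
    return {
        "exact_bytes": exact,
        "exported_bytes": exported,
        "estimated_bytes": estimate,
        "error_pct": round(abs(estimate - exact) / exact * 100, 2),
        "flows_seen": len({fid for fid, _ in picked}),
        "flows_total": len({fid for fid, _ in packets}),
    }

if __name__ == "__main__":
    traffic = build_traffic()
    for n in (1, 100, 1000):
        for mode in ("random", "deterministic"):
            print(n, mode, report(traffic, n, mode))
```

At 1:1000 the scaled byte estimate stays in the neighborhood of the exact counter, but most short flows never appear in the sample, which is why sampled export is a weak sole source for behavioral analytics.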