If you have a large network with many routers and switches, exporting NetFlow from all of these devices can significantly increase the complexity of the export configuration, the load on NetFlow Analyzer, and the license size needed.
This article will help you decide exactly which devices to choose for your NetFlow export and overcome these challenges.
Choosing Traffic to Export
The basic principle is to export only the traffic that is of interest to you. For this reason, you first need a good understanding of your network topology and of how flows are routed.
For example, you can export NetFlow only from devices in the data center and regional units, and not from branch locations. Or, if you want to create a Traffic Pattern that captures all of the company's internal traffic, where part of the traffic passes via the central router and part passes directly between other routers, then you should export from all of these routers.
Incomplete Traffic Export
This is a situation in which NetFlow traffic is not exported for one part of the network. The traffic that passes through the central router (Host A to Host B) will be captured, while traffic that does not pass via the central router (Host C to Host D) will not.
Complete Traffic Export
The figure above shows an example in which we want to monitor communication that does not pass through the central router. In that case it is necessary to configure NetFlow export on the network devices through which that communication passes.
Deciding Whether to Use Automatic Deduplication
Since Exporters charts present data as they are actually exported by devices, none of the Exporter traffic will have duplicated data.
However, when you create Traffic Patterns and Subnet Sets, they may include data exported by multiple exporters, and as a consequence the NetFlow data will be duplicated. Whether this happens depends on which devices are configured as exporters, as well as on traffic routing and network topology.
Automatic Deduplication Disabled
When automatic deduplication is disabled and a flow traveling from Host A to Host B passes via multiple exporters, the NetFlow Server will receive the same flow from R1, R2 and R3, so the flow will be processed three times.
Automatic Deduplication Enabled
Automatic deduplication solves this problem based on the next hop - when an exporter exports a flow, and this flow carries the IP address of another exporter as its next-hop information, then the flow is skipped by the Traffic Pattern/Subnet Set counter.
For example, when three consecutive routers in the flow route are exporting flows then NetVizura will have enough information to skip flows from R1 and R2 (since R2 and R3 exporters are mentioned as next hop) and include only flow from R3 in the Traffic Pattern.
Automatic Deduplication Not Possible
However, sometimes it is not possible to achieve automatic deduplication, for example:
- if exporting from too many devices is not desired,
- if an operational exporter is deleted,
- if a device is not capable of NetFlow export,
- when part of the network is managed by a third party (ISP).
In the figure above, we see that even though automatic deduplication is enabled, the flow will be duplicated by two exporters (R1 and R3) that are not consecutive in the flow path (R3 will not be mentioned as the next hop in R1's flow export).
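To make the next-hop rule and its failure case concrete, here is a small added Python model of the counter described above; it is not NetVizura's code, and the exporter addresses, flow records and the 0.0.0.0 next hop for a directly connected destination are constructed assumptions.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass(frozen=True)
class Flow:
    exporter: str  # address of the router that exported the record
    src: str
    dst: str
    next_hop: str  # next-hop address carried in the flow record
    octets: int

def count_octets(flows, exporters, dedup=True):
    """Sum octets the way a Traffic Pattern counter would.

    With dedup enabled, a record whose next hop is itself a configured
    exporter is skipped, because that downstream exporter reports the
    same flow again.
    """
    total = 0
    for f in flows:
        if dedup and f.next_hop in exporters:
            continue
        total += f.octets
    return total

def surviving_duplicates(flows, exporters):
    """Return (src, dst) pairs still reported by more than one exporter
    after deduplication: the 'not possible' case from the article."""
    seen = defaultdict(set)
    for f in flows:
        if f.next_hop in exporters:
            continue
        seen[(f.src, f.dst)].add(f.exporter)
    return {k: v for k, v in seen.items() if len(v) > 1}

# Constructed sample: one 1000-octet flow Host A -> Host B routed R1 -> R2 -> R3.
R1, R2, R3 = "10.0.0.1", "10.0.0.2", "10.0.0.3"
FLOWS = [
    Flow(R1, "192.168.1.10", "192.168.2.20", R2, 1000),
    Flow(R2, "192.168.1.10", "192.168.2.20", R3, 1000),
    Flow(R3, "192.168.1.10", "192.168.2.20", "0.0.0.0", 1000),  # directly connected
]

if __name__ == "__main__":
    print(count_octets(FLOWS, {R1, R2, R3}, dedup=False))  # 3000: counted three times
    print(count_octets(FLOWS, {R1, R2, R3}))               # 1000: R1 and R2 skipped
    without_r2 = [f for f in FLOWS if f.exporter != R2]    # R2 deleted or not exporting
    print(count_octets(without_r2, {R1, R3}))              # 2000: R1 no longer skipped
    print(surviving_duplicates(without_r2, {R1, R3}))
```

Running surviving_duplicates over a real export set is a quick way to spot pairs where non-consecutive exporters still double count, before trusting a Traffic Pattern's totals.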