If you have a large network with many routers and switches, exporting NetFlow from all of these devices can significantly increase the complexity of the export configuration, the load on NetFlow Analyzer, and the license you need.

This article will help you decide which devices to choose for your NetFlow export and how to overcome these challenges.

Choosing Traffic to Export

The basic principle is to export only the traffic that is of interest to you. For this reason, you first need a good understanding of your network topology and flow routing.

For example, you can export NetFlow only from devices in the data center and regional units, and not from branch locations. Or, if you want to make a Traffic Pattern that captures all of the company's internal traffic, where part of the traffic passes via the central router and part passes directly between other routers, then you should export from all of these routers.

Incomplete Traffic Export

Figure: NetVizura NetFlow Incomplete Export

This is a situation in which NetFlow traffic is not exported for one part of the network. Traffic that passes through the central router (Host A to Host B) will be captured, while traffic that does not pass via the central router (Host C to Host D) will not.

If you are evaluating the NetFlow module, we recommend including export from all desired devices (as it would be in live production), so that you can correctly estimate the fps baseline needed for licensing. Read more about Estimating Number of Flows (NetFlow).

Complete Traffic Export

Figure: NetVizura NetFlow Complete Traffic Export

The figure above shows an example in which we want to monitor communication that does not pass through the central router. In that case it is necessary to configure NetFlow export on the network devices that this communication does pass through.


Deciding Whether to Use Automatic Deduplication

Since Exporter charts present data exactly as it is exported by each device, Exporter traffic never contains duplicated data.

However, when you create Traffic Patterns and Subnet Sets, they may include data exported by multiple exporters, and as a consequence NetFlow data will be duplicated. Whether this happens depends on which devices are configured as exporters, as well as on traffic routing and network topology.

Automatic Deduplication Disabled

Figure: NetVizura NetFlow Automatic Deduplication Disabled

When automatic deduplication is disabled and a flow traveling from Host A to Host B passes via multiple exporters, the NetFlow Server will receive the same flow from R1, R2 and R3, so the flow will be processed three times.

Automatic deduplication is enabled by default. To disable it, go to Settings > NetFlow Settings > Configuration > Automatic Deduplication and select Disable.

Automatic Deduplication Enabled

Figure: NetVizura NetFlow Automatic Deduplication Enabled


Automatic deduplication solves this problem based on the next hop: when an exporter exports a flow, and this flow carries the IP address of another exporter as its next hop, then the flow is skipped by the Traffic Pattern/Subnet Set counter.

For example, when three consecutive routers on the flow route are exporting flows, NetVizura has enough information to skip the flows from R1 and R2 (since the R2 and R3 exporters appear as their next hops) and include only the flow from R3 in the Traffic Pattern.


In order to achieve automatic flow deduplication in Traffic Patterns and Subnet Sets, it is required that ALL devices in the flow continuity are configured as exporters.

Automatic Deduplication Not Possible

However, sometimes it is not possible to achieve automatic deduplication: for example, if a device is not capable of NetFlow export, when part of the network is managed by a third party (ISP), or if exporting from too many devices is not desired.

Figure: NetVizura NetFlow Automatic Deduplication Not Possible

In the figure above, we see that even though automatic deduplication is enabled, the flow will be counted twice, once by each of the two exporters (R1 and R3) that are not in flow continuity: R3 will not appear as the next hop in R1's flow export, so neither record is skipped.
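The following is an added example, not NetVizura code, that simulates the next-hop rule described in the Automatic Deduplication Enabled section and the broken-continuity case in the figure above. A Traffic Pattern counter is modelled as a function that skips any record whose next hop is the address of another exporter. The router and host addresses, the byte counts and the records themselves are constructed sample data; it does not parse real NetFlow packets.

```python
# Added example, not NetVizura code: a small simulation of next-hop based automatic
# deduplication as this page describes it. Exporter addresses, hosts and byte counts
# are constructed sample data; real NetFlow record fields are not modelled.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    exporter: str   # address of the router that exported this record
    src: str        # source host of the flow
    dst: str        # destination host of the flow
    next_hop: str   # next-hop address carried in the exported record
    nbytes: int     # bytes reported for the flow


# Constructed addresses: three routers on the path from Host A to Host B.
R1, R2, R3 = "10.0.0.1", "10.0.0.2", "10.0.0.3"
HOST_A, HOST_B = "192.168.1.10", "192.168.2.20"
LAN_B_GW = "192.168.2.1"   # last hop toward Host B; not an exporter


def count_pattern_bytes(flows, exporters, deduplicate):
    """Sum flow bytes the way a Traffic Pattern/Subnet Set counter would.

    With deduplicate=True a record is skipped when its next hop is the address of
    another exporter, because that exporter reports the same flow further along.
    Returns (total_bytes, list of exporters whose records were skipped).
    """
    total, skipped = 0, []
    for f in flows:
        if deduplicate and f.next_hop in exporters:
            skipped.append(f.exporter)
            continue
        total += f.nbytes
    return total, skipped


def flow_continuity():
    """R1 -> R2 -> R3 all export; each names the next router as its next hop."""
    return [
        Flow(R1, HOST_A, HOST_B, R2, 1000),
        Flow(R2, HOST_A, HOST_B, R3, 1000),
        Flow(R3, HOST_A, HOST_B, LAN_B_GW, 1000),
    ]


def broken_continuity():
    """R2 is not an exporter (e.g. ISP-managed): R1 and R3 both export the flow,
    but R3 never appears as R1's next hop, so nothing can be skipped."""
    return [
        Flow(R1, HOST_A, HOST_B, R2, 1000),
        Flow(R3, HOST_A, HOST_B, LAN_B_GW, 1000),
    ]


def exporters_of(flows):
    """The set of exporter addresses present in a batch of records."""
    return {f.exporter for f in flows}


def run_scenarios():
    """Counted bytes and skipped exporters for each case discussed on the page."""
    cont, broken = flow_continuity(), broken_continuity()
    return {
        "disabled, continuity": count_pattern_bytes(cont, exporters_of(cont), False),
        "enabled, continuity": count_pattern_bytes(cont, exporters_of(cont), True),
        "enabled, broken continuity": count_pattern_bytes(broken, exporters_of(broken), True),
    }


if __name__ == "__main__":
    for name, (total, skipped) in run_scenarios().items():
        print(f"{name}: {total} bytes counted, skipped records from {skipped or 'none'}")
```

With all three routers exporting, the 1000-byte flow is counted once (3000 bytes with deduplication disabled); with R2 missing from the exporter set, the same flow is counted twice even though deduplication is enabled, which is exactly the case that calls for manual deduplication.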

If it is not possible to enable automatic deduplication by exporting from all devices in the flow continuity, deduplication can also be achieved manually. Read more at Manual Deduplication.
