nanog mailing list archives

RE: NetFlow - path from Routers to Collector


From: Erik Sundberg <ESundberg () nitelusa com>
Date: Fri, 11 Sep 2015 13:18:16 +0000

Mainly management type traffic over an Out of band Management Network. This way during an outage we don't miss any 
Netflow and SNMP Queries and more importantly we can still access the router.

In the past I have also set up a Management VRF, but tend to stay away from this. During an outage you end up losing 
data or visibility while routes reconverge.

-----Original Message-----
From: NANOG [mailto:nanog-bounces+esundberg=nitelusa.com () nanog org] On Behalf Of James Bensley
Sent: Friday, September 11, 2015 3:35 AM
To: serge () nbnet nb ca; nanog () nanog org
Subject: Re: NetFlow - path from Routers to Collector

On 1 September 2015 at 16:33, Serge Vautour <sergevautour () yahoo ca> wrote:
Hello,

For those that run Internet connected routers, how do you get your NetFlow data from the routers to your collectors? 
Do you let the flow export traffic use the same links as your customer traffic to route back to central collectors? 
Or do you send this traffic over private network management type path? If you send this traffic over the "Internet" 
(within your AS), are you worried about security?

Thanks,
Serge


Hi Serge,

Not encountered any worries regarding security, typically NetFlow/ipfix/sFlow/etc is inside a management MPLS VPN so it 
is segregated from customer VPNs through the network.

For the physical transport of the data, collecting the data via your OOB network is probably preferred however "it 
depends".

Do you use NetFlow internally only or offer it as a chargeable service? Do you also graph traffic stats via SNMP too? 
And so on and so forth...

In past experience, NetFlow data was exported over the productive links (the links also carrying customer data being 
measured using NetFlow) without issue. I recall two occasions a DDoS disrupted the NetFlow collecting because the DDoS 
traversed those 
links that are being monitored and carrying their own NetFlow traffic. However SNMP graphing was via the OOB network so 
we didn't really lose any vital visibility. So we could still see from the like 1000% increase in traffic which links 
along the network were being affected. A distress call from the customer being DDoS also helps :)

Another part of the "it depends" puzzle is how much data you are collecting via NetFlow? Again in a past experience we 
were testing collecting everything (as much as we could), every single packet header (no payload data though), rather 
than sampling say 1 in 10 packets for example. We only got as far as testing this in the lab but one issue it threw up 
was we could generate several Mbps of NetFlow traffic. Some PoPs have ADSL for OOB and wouldn't have been able to 
support that so sites with ADSL or 3G OOB links would need the OOB link upgrading, that required additional Capex, cue 
management budget wrestle, blah blah...

Cheers,
James.
