We use the VRF approach not because we think this will give us more stability ie. no fate sharing, but because it is best practice in a security perspective. We keep our internal network separated from customer traffic for the same reason our customers run firewalls. Minimize the attack surface. Customers or people from the internet should not be able to even attempt hacking the infrastructure. They should not be able to send packets that will get routed to the collector. ACLs is a poor man's solution compared to running in a VRF or equallent (vlan). Regards Baldur Den 02/09/2015 18.31 skrev "Serge Vautour" <sergevautour@yahoo.ca>:
Hello again,
Well, this generated a bit more discussion than I was expecting. I've retained the following from all your comments:
-Doing flow export over an OOB network can help make sure you still "see" your network during a DDoS -If we do this over an OOB network, it may not work over the OOB port on the RE/RSP.
I do have some specific questions for the folks who are OK with doing this inband:
-Are you concerned with someone intercepting the Flow streams? I assume if someone has the ability to do so, you've got bigger problems. -If we make the assumption that someone can intercept the Flow steam, do you think the data in the steam can be used for anything? It's just L3 & L4 headers. In other words, do you feel an OOB network is require to secure the flow data?
Thanks again, your comments are very helpful.
Serge
-------------------------------------------- On Tue, 9/1/15, Serge Vautour <sergevautour@yahoo.ca> wrote:
Subject: NetFlow - path from Routers to Collector To: nanog@nanog.org Received: Tuesday, September 1, 2015, 12:33 PM
Hello,
For those than run Internet connected routers, how do you get your NetFlow data from the routers to your collectors? Do you let the flow export traffic use the same links as your customer traffic to route back to central collectors? Or do you send this traffic over private network management type path? If you send this traffic over the "Internet" (within your AS), are you worried about security?
Thanks, Serge