Mainly management type traffic over an Out of band Management Network. This way during and outage we don't miss any Netflow and SNMP Queries and more importantly we can still access the router. In the past I have also setup a Management VRF, but tend to stay away from this. During an outage you end up losing data or visibility while routes reconverge. -----Original Message----- From: NANOG [mailto:nanog-bounces+esundberg=nitelusa.com@nanog.org] On Behalf Of James Bensley Sent: Friday, September 11, 2015 3:35 AM To: serge@nbnet.nb.ca; nanog@nanog.org Subject: Re: NetFlow - path from Routers to Collector On 1 September 2015 at 16:33, Serge Vautour <sergevautour@yahoo.ca> wrote:
Hello,
For those than run Internet connected routers, how do you get your NetFlow data from the routers to your collectors? Do you let the flow export traffic use the same links as your customer traffic to route back to central collectors? Or do you send this traffic over private network management type path? If you send this traffic over the "Internet" (within your AS), are you worried about security?
Thanks, Serge
Hi Serge, Not encountered any worries regarding security, typically NetFow/ipfix/sFlow/etc is inside a management MPLS VPN so it is segregated from customer VPNs through the network. For the physical transport of the data, collecting the data via your OOB network is probably preferred however "it depends". Do you use NetFlow internally only or offer it as a chargeable service? Do you also graph traffic stats via SNMP too? And so on and so forth... In past experience, NetFlow data was exported over the productive links (the links also carrying customer data being measured using NetFlow) without issue. I recall two occasions a DDoS disrupted the NetFlow collecting because the DDoS traversed those links that are being monitored and carrying their own NetFlow traffic. However SNMP graphing was via the OOB network so we didn't really lose any vital visibility. So we could still see from the like 1000% increase in traffic which links along the network were being affected. A distress call from the customer being DDoS also helps :) Another part of the "it depends" puzzle is how much data you are collecting via NetFlow? Again in a part experience we were testing collecting everything (as much as we could), every single packet header (no payload data though), rather than sampling say 1 in 10 packets for example. We only got as far as testing this in the lab but one issue it threw up was we could generate several Mbps of NetFlow traffic. Some PoPs have ADSL for OOB and wouldn't have been able to support that so sites with ADSL or 3G OOB links would need the OOB link upgrading, that required additional Capex, cue management budget wrestle, blah blah... Cheers, James. ________________________________ CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain confidential information that is legally privileged. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error please notify the sender immediately by replying to this e-mail. You must destroy the original transmission and its attachments without reading or saving in any manner. Thank you.