Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Cisco Netflow

Posted on 2013-12-07
2
Medium Priority
?
432 Views
Last Modified: 2013-12-22
Does anyone have experience setting up Cisco Netflow cards to capture data flow to export to an external workstation?
I need help understanding what's the best cache settings/overall config to ensure least amount of bandwidth used exporting from netflow card to external workstation.

I also don't want to add a ton of extra utilization on my switches.

I've got a redundant Catalyst 4507R, WS-X4515 Supervisor Engine's both with Netflow cards installed.
Basically right now I've only got the cards installed.  

The Cisco guides aren't clear if the cache settings are important for exporting the data to a external workstation for analyzing, or what best practices/recommended settings to use.

The configuration doesn't look to complicated I just want to make sure I don't add a ton of extra load on the switch while capturing data or while exporting it.
If anyone has implemented Netflow and has some best practices/recommended settings that you can share I'd greatly appreciate it.

Thanks,
Corey Amonette
corey.amonette@ktpo.com
0
Comment
Question by:ktpoitm
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39706110
Netflow is very easy implement and should cause no problems with the device.

Unless you are doing sampling, your configuration should be relatively simple.
0
 
LVL 32

Accepted Solution

by:
harbor235 earned 1000 total points
ID: 39708376
Cache settings are important if you are interested in attack mitigation activities for real-time traffic analysis. Netflow Caching allows for real time analysis of collected flows directly on the 4500. Otherwise your collector Netflow data  is typically 15 minutes behind which is a long time if you are being attacked.

Sampled netflow is just that, you sample the traffic (each flow is not collected) to get an idea of that traffic that is flowing through your device, the longer you sample the more accurate your collection will become. Obviously, if you are able to attain flow records for every packet that comes in/out of your network you have better visibility. You will have to tweak your config to see what is the best mix of 4500 resources and traffic visibility.

Things to consider:

Do you have ample disk space to collect this information? depending on the amount of data sampled/collected from your location this can become allot of data.

Have a data retention policy for flow record data, 3 months?

What software are you going to use for your collector? freeware, COTS?

Netflow does not impose a heavy tax on resources for most routers/L3 switches. That being said you have dedicated netflow cards so there should be no additional resources consumed on the switch/route processor.

Manage which interfaces you turn netflow on, only enable the interfaces your interested in for netflow e.g if your interested in the data coming into your network only enable netflow on the external interface

Consider routing netflow data over a management network

harbor2356 :-}
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Large and small networks have one same need, Service monitoring. Service monitoring consists of watch services of the several servers in the network. To monitor means that the administrator will receive an alert when a service is down or it's state …
Load balancing is the method of dividing the total amount of work performed by one computer between two or more computers. Its aim is to get more work done in the same amount of time, ensuring that all the users get served faster.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question