NetFlow - Router, Switch or Both

When monitoring NetFlow, or sFlow depending on hardware, is it advisable to monitor on each device or the last device in line?  For example, in a remote site, a PowerConnect switch (sFlow) connects to a Cisco router (NetFlow) before going to the data center.  Should the switch monitor the traffic on each interface?  Should the router monitor the traffic?  Both?  I'm curious as to whether the amount of monitoring will hamper traffic flow?


Thanks,

Dave

  • You're going to get a lot of contrasting answers to this question, I would imagine - and I think that's because there are different answers based on need.

    For example, say you're mostly monitoring (or concerned with) WAN or Internet utilization at your remote locations.

    In this case, you might be looking for who's using the bandwidth and what they're doing. At a smaller location, that's not a big deal - a router flow will give you that (IP address 10.10.1.2 is using 2mb/sec talking to youtube.com).

    Easy enough.

    However, what if you're monitoring a global network and you want to see internal AND external measurements on, say, Lotus Notes traffic (port 1352 by default)? Now you might want to go down into some switches and see flows on those devices. You have interest in traffic that may not always be traversing a WAN or internet link, but perhaps you're trying to formulate some trend visibility. That STILL doesn't mean you necessarily want to monitor on every port, though - maybe you just need to examine your trunks.

    The same could apply to any application you use that is easily identified by port or other flow-identified characteristic.

    As far as affecting traffic flow, sFlow is a good friend here to mitigate any impacts. However, I have many Netflow exporters traversing a 3MB transatlantic link with no ill effects.
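The trade-off described in the reply above, as an added example that is not part of the original posts: the router's WAN export answers "who is using the link", site-local port 1352 traffic only appears in the switch export, and summing both exporters counts WAN-bound flows twice. The flow records, interface names and addresses are constructed, and the de-duplication key is a simplification that goes a step beyond what the thread discusses.

```python
from collections import defaultdict

# Constructed flow records: (exporter, interface, src, dst, dst_port, bytes).
# Device names, interfaces and addresses are made up for illustration;
# sFlow counts are sampled estimates and are treated here as already scaled.
FLOWS = [
    ("router", "wan0",   "10.10.1.2", "203.0.113.10", 443,  9_000_000),
    ("router", "wan0",   "10.10.1.7", "10.20.0.5",    1352, 1_200_000),
    ("switch", "trunk1", "10.10.1.2", "203.0.113.10", 443,  9_000_000),
    ("switch", "trunk1", "10.10.1.7", "10.20.0.5",    1352, 1_200_000),
    ("switch", "trunk2", "10.10.1.8", "10.10.1.50",   1352, 4_000_000),  # never leaves the site
]

def top_talkers(flows, exporter, interface):
    """Bytes per source IP as seen on one exporter interface, largest first."""
    totals = defaultdict(int)
    for exp, ifc, src, _dst, _port, nbytes in flows:
        if (exp, ifc) == (exporter, interface):
            totals[src] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def bytes_on_port(flows, port, exporters=None):
    """Total bytes to a destination port, optionally limited to some exporters."""
    return sum(f[5] for f in flows
               if f[4] == port and (exporters is None or f[0] in exporters))

def dedup(flows):
    """Keep the first record per (src, dst, port) so a flow exported by
    two devices is counted once (simplified: no time window or protocol)."""
    seen = {}
    for f in flows:
        seen.setdefault(f[2:5], f)
    return list(seen.values())

if __name__ == "__main__":
    print("WAN top talkers:", top_talkers(FLOWS, "router", "wan0"))
    print("1352 via router only:", bytes_on_port(FLOWS, 1352, {"router"}))
    print("1352 via switch only:", bytes_on_port(FLOWS, 1352, {"switch"}))
    print("1352 naive sum:", bytes_on_port(FLOWS, 1352))
    print("1352 de-duplicated:", bytes_on_port(dedup(FLOWS), 1352))
```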

  • As rharland2012 mentioned, it "all depends."

    Given your simple layout above, I'd probably configure the router WAN interface only (ingress and egress). But let's compound the example by adding a local file server for backups, then I'd configure the switch and not the router, and watch the uplinks to the router and server. Compound it further by adding a direct Internet connection with an additional router. Now you have a need to configure that uplink, or that router.

    So, it all depends on your needs, business requirements, and device capabilities. I'll also add that Cisco 3750s, 3750Xs, and 3560s do not support NetFlow, so you will have to use a router. (Caveat: the 3750X with the 10G module does support it.)

    D

  • Thank you both for your replies - they have been helpful.

    We are new to SolarWinds and are kicking-the-tires.  I posed the question for my clarity and wanted to ensure a redundancy of information was not affecting performance.

    Most commonly, we are requested to investigate generalized network slowness, so we need to determine a cause.  Streaming, etc., is controlled with web filtering, so we need to track down the business process, circuit status or file transfer that may be occurring.  We are not so concerned, for now, with individual usage, but rather with how server traffic or circuit issues are affecting the network.

    deverts - I have found a couple of routers on the network that do not support NetFlow, so I'm using the switch by default. 

    Thanks again for the information.

  • Those must be routers with some really old code (if they are Cisco).

    As "newbies", I'd like to first say Welcome to the community! As with most IT professionals, we are generally sarcastic to each other, but we are always here to help!

    Secondly, some advice, you're going to want to look at a complete picture when troubleshooting. For this, netflow is just 1 component of the puzzle. You would do well to consider the following (if you haven't already):

    1. Configure QoS tagging at a minimum, this data is a great addition to the netflow data.
    2. IP SLA (if you are a Cisco shop) which will require the Orion VNQM module to collect the data.

    Along with interface stats, Netflow/sFlow, QoS tags, and IP SLA data provide a very clear picture of what's going on where and when.

    D

  • deverts - my past work experience is that of fire/ems.  I'm used to the ribbing, so no worries.

    We are not a Cisco shop.  We simply have a few routers that have not been removed from the system.  We started a switch replacement program and started with Adtran Netvanta.  Management then wanted to get SolarWinds, and it was discovered those switches didn't have a NetFlow-ish component.  Then we moved over to the PowerConnects for other locations.

    I'm going to look into the QoS tagging.  Can you offer any references?

    Thanks,

    Dave

  • Dave,

    While I understand your management's desire to reduce costs where they can (I battle this argument all the time), cutting costs on infrastructure is never a good idea (IMHO). I've used lots of other networking gear (Dell, HP/3Com, Linksys, etc.), but I've always come back to Cisco. Why? It's the same reason Windows is preferred over Apple for business. More enterprise apps are built for it, and you get more features. Your less expensive gear comes with fewer features (that's how they cut costs), as you've experienced personally with those Adtrans.

    I found this posting for the sFlow configuration of the PowerConnects. Hope it helps...

    Dell PowerConnect Switches + Orion NetFlow Traffic Analyzer (NTA)

    D

  • Cisco's great, no doubt - but if you add per-port cost plus smartnet, it gets to be expensive over time. If your enterprise isn't using the apps that having a pure Cisco infrastructure will leverage, then one could argue that it might not be the best fit. I'm not sure I would lump HP/Procurve in with Dell and Linksys, either. But that's just me.

  • Fair statements, I was just throwing examples out there of stuff I've used in the past. I guess the gist of my statement...you get what you pay for.

    D