NetFlow is great for troubleshooting network bottlenecks and finding unwanted traffic, but there is a common pitfall that may be blocking or distorting your view of your network traffic. The issue is data flooding.This is a very easy trap to fall into once you have seen the value of your initial NetFlow implementation. The usual response to seeing flows on your network is typically, "Show me more!". More visibility into your network is a good thing, until you reach the point where more is just more. After that the more you add the less you get, so more becomes less. Let me explain.

 

Data Flooding in Network Management

Consider the case where a user in a small office is accessing less-than-productive materials from the Internet. At a minimum this is just a waste of time and money, at worst it could be a serious regulatory violation that could result in loss of business or loss of an accreditation. Chances are that this traffic would transverse a WAN connection to the main site, and then connect to the Internet from there. If NetFlow exporters are configured just at the WAN interfaces, which is common, then this traffic will most probably be noticed and action can be taken to correct the issue. Now imagine if we were to apply NetFlow at all the LAN switch interfaces and the WAN interfaces. Intra-LAN (switch to switch) traffic is typically ninety percent or more of the total network traffic. So now this crucial WAN traffic is being buried in a mountain of LAN traffic. To make things worse, a great deal of the LAN NetFlow exports are duplicate counts of the same data passing from switch interface to switch interface. Since this is strictly internal traffic that never touches a WAN interface, the chances of the traffic being unwanted is about nil. Finding the offending WAN traffic in this mountain of data may not be possible by any means.

 

Is This a NetFlow Problem?

No, it is more of a planning problem. Any tool used improperly can turn against you. So, what can you do to correct or just plain avoid this issue? Take a look at this paper on NetFlow Basics and Deployment Strategies and compare the deployment examples with your NetFlow implementation.  If you are new to the world of flow analysis take a peek at the SolarWinds NetFlow Traffic Analyzer demo at http://oriondemo.solarwinds.com/Orion/TrafficAnalysis/SummaryView.aspx