2 Replies Latest reply on Nov 28, 2016 12:21 AM by yoinkz

    Netflow - Best practice setup?

    yoinkz

      Hey Guys,

       

      I'm about to set up SolarWinds NetFlow so I can measure and analyze the data we are using. I'm just not 100% sure where to place the NetFlow exporters on my switches, so if I provide you with my setup you might be able to point me in the right direction.

       

      So I have an office where 100 people are working. At that office I have an ASA 5505 firewall which is connected to our ISP. From the ASA there is also a cable going to my Core Switch, a Cisco 3850, on Port 1. My Core Switch is then connected using 4 cables going from ports 18, 20, 22 and 24 to my Distribution Switches, Cisco 2960-X (all connected on Port 24 on each switch). All clients are then connected to the Distribution Switches.

       

      So:

      ASA (Port 5) <---> (Port 01) Core Switch (Port 18) <---> (Port 24) Distribution Switch 1 <---> Clients connected on the rest of the ports

                                                                         (Port 20) <---> (Port 24) Distribution Switch 2 <---> Clients connected on the rest of the ports

                                                                         (Port 22) <---> (Port 24) Distribution Switch 3 <---> Clients connected on the rest of the ports

                                                                         (Port 24) <---> (Port 24) Distribution Switch 4 <---> Clients connected on the rest of the ports

       

      So I found this guide on how to set up the traffic analyzer: https://thwack.solarwinds.com/community/solarwinds-community/geek-speak_tht/blog/2014/01/22/netflow-and-catalyst-switch-netflow-v9-configuration-for-cisco-catalyst-3850-switch#start=50

      As far as I can see, it is only inbound traffic, but I would like outbound as well (unless you wouldn't recommend it).

       

      What would best practice be: should I set this NetFlow up on every single interface on the distribution switches, or should I leave it only on the core switch on the uplink ports?

       

      Thanks guys - much appreciated.

        • Re: Netflow - Best practice setup?
          mesverrum

          The inbound/outbound thing depends on what commands your switches/firewall support. The better gear allows you to do in and out on a single interface.  If you are using hardware that only allows inbound then you do have to monitor every interface on the device to get a complete picture of all the data moving around.

           

          In terms of which devices to use netflow on, if all traffic would get routed back to the core 3850 then you don't need to enable it at the access switches or the firewall because that same data would just be captured twice.  You just have to be aware of where the choke points in the network are that you can use to capture everything.

           

          -Marc Netterfield

              Loop1 Systems: SolarWinds Training and Professional Services

            • Re: Netflow - Best practice setup?
              yoinkz

              So all my Distribution Switches point at my Core Switch, which is my gateway as well. All Distribution Switches are also connected directly to my Core Switch, as described above. So you would just recommend that all the interfaces on my Core Switch should be capturing the traffic - is that correct?
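
Added example, not part of the thread and not SolarWinds or Cisco code: a small model of the core switch described above that counts how many flow records each kind of traffic produces for a given set of monitored ports and directions, which makes the ingress-only and double-capture points concrete. The port numbers come from the original post; the location names, the traffic streams and the assumption that same-switch traffic stays on the distribution switch are constructed for the illustration.

```python
# Core switch ports from the post; location names are constructed labels.
CORE_PORTS = {"internet": 1, "dist1": 18, "dist2": 20, "dist3": 22, "dist4": 24}

# Constructed sample streams as (source location, destination location).
STREAMS = {
    "upload": ("dist1", "internet"),
    "download": ("internet", "dist1"),
    "east_west": ("dist1", "dist3"),
    "same_switch": ("dist2", "dist2"),
}

def records_exported(src, dst, monitors):
    """Number of flow records the core exports for one stream src -> dst.

    monitors is a set of (core_port, direction), direction "in" or "out".
    Assumption: traffic between clients on the same distribution switch is
    switched locally and never crosses the core, so the core cannot see it.
    """
    if src == dst:
        return 0
    seen_in = (CORE_PORTS[src], "in") in monitors
    seen_out = (CORE_PORTS[dst], "out") in monitors
    return int(seen_in) + int(seen_out)

def coverage(monitors):
    """Map each sample stream to its record count (0 = blind, 2 = duplicate)."""
    return {name: records_exported(src, dst, monitors)
            for name, (src, dst) in STREAMS.items()}

ALL_PORTS = set(CORE_PORTS.values())
INGRESS_ALL = {(p, "in") for p in ALL_PORTS}        # ingress-only gear, every port
INGRESS_ASA_ONLY = {(1, "in")}                      # ingress-only, ASA port alone
BOTH_ASA_ONLY = {(1, "in"), (1, "out")}             # in + out on the ASA port
BOTH_ALL = INGRESS_ALL | {(p, "out") for p in ALL_PORTS}

if __name__ == "__main__":
    for label, monitors in [
        ("ingress on all core ports", INGRESS_ALL),
        ("ingress on ASA port only", INGRESS_ASA_ONLY),
        ("in+out on ASA port only", BOTH_ASA_ONLY),
        ("in+out on all core ports", BOTH_ALL),
    ]:
        print(f"{label:28} {coverage(monitors)}")
```

A count of 2 means the collector receives the same traffic twice and reports inflated volumes unless it deduplicates; a count of 0 is a blind spot for both capacity planning and security monitoring.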