1 Reply Latest reply on Aug 28, 2007 2:28 PM by floyd.may

    Deduplication question

      Hello, I'm new to the Orion product and the Netflow module and have it in a lab environment to evaluate. I currently have Netflow enabled on a WAN aggregation router and on the inside interface of an IOS firewall router.  When I have a client from a remote site going to the internet, I don't see any of this traffic when I look at the Netflow statistics for the WAN router which it has to pass through; I do see the traffic on the router acting as my firewall.  Is this considered deduplication?  If so, how will I be able to see this traffic when looking at the WAN router Netflow statistics?  Thanks


       Scott

        • Re: Deduplication question

          Is it possible that the WAN router is reporting the traffic as ESP traffic (i.e. encrypted/tunneled)?  If so, there isn't a way to isolate any client's participation in tunneled traffic.  If the client IP address that you're looking for isn't present in the NetFlow data exported from your WAN router, you won't see that client when looking at the WAN router's data.  If this seems wrong, you might want to fire up a packet sniffer on the machine that's running NetFlow Traffic Analyzer (NTA) and see if the NetFlow data from the WAN router contains any information about that specific client.  If you're seeing that client in the sniffer data, but not from NTA, post the details here, and we'll start getting diagnostics and determine if you've found a bug.

          [Edit] Most packet sniffers will decode NetFlow v5; I've used Ethereal/Wireshark and it's done well.

          WRT duplication/deduplication, we've carefully avoided situations where double-counting traffic could be occurring.  If you notice when you drill down in the web interface, you'll always have a NetFlow source (either a router or an interface on that router) associated with the traffic you're looking at.

          Thanks for evaluating our NetFlow product!
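
The sniffer check suggested in the reply above can also be scripted. The following is an added example, not part of the original thread and not SolarWinds code: it decodes NetFlow v5 export datagrams and lists the flows that mention a given client. The sample datagrams, addresses and the helper names are constructed for illustration.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte v5 flow record

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram (UDP payload) into flow dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram truncated: header count exceeds payload")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "in_if": f[3], "out_if": f[4], "octets": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[12]})
    return flows

def flows_for_client(flows, client_ip):
    """Flows in which client_ip appears as source or destination."""
    return [f for f in flows if client_ip in (f["src"], f["dst"])]

def build_sample(records):
    """Constructed v5 datagram from (src, dst, proto, sport, dport) tuples."""
    body = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), bytes(4), 1, 2,
                    10, 8400, 0, 0, sp, dp, 0x18, p, 0, 0, 0, 0, 0)
        for s, d, p, sp, dp in records)
    return HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + body

# Constructed samples (documentation address ranges, not real captures).
CLIENT = "192.0.2.10"
# WAN router: only sees the tunnel endpoints exchanging ESP (IP protocol 50).
WAN_EXPORT = build_sample([("198.51.100.1", "198.51.100.2", 50, 0, 0)])
# Firewall router inside interface: sees the client's cleartext TCP flow.
FW_EXPORT = build_sample([(CLIENT, "203.0.113.80", 6, 51514, 443)])

if __name__ == "__main__":
    for name, export in (("WAN router", WAN_EXPORT), ("firewall", FW_EXPORT)):
        flows = parse_v5(export)
        hits = flows_for_client(flows, CLIENT)
        protos = sorted({f["proto"] for f in flows})
        print(f"{name}: {len(hits)} flow(s) for {CLIENT}, protocols seen {protos}")
```

To use it on real traffic, pass `parse_v5` the UDP payload of each export packet taken from a capture on the collector.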