12 Replies Latest reply on Jan 9, 2014 9:03 AM by deverts

    NetFlow - Router, Switch or Both

    dteetz

      When monitoring NetFlow, or sFlow depending on hardware, is it advisable to monitor on each device or the last device in line? For example, in a remote site, a PowerConnect switch (sFlow) connects to a Cisco router (NetFlow) before going to the data center. Should the switch monitor the traffic on each interface? Should the router monitor the traffic? Both? I'm curious as to whether the amount of monitoring will hamper traffic flow.


      Thanks,

       

      Dave

        • Re: NetFlow - Router, Switch or Both
          rharland2012

          You're going to get a lot of contrasting answers to this question, I would imagine - and I think that's because there are different answers based on need.

           

          For example, say you're mostly monitoring (or concerned with) WAN or Internet utilization at your remote locations.

          In this case, you might be looking for who's using the bandwidth and what they're doing. At a smaller location, that's not a big deal - a router flow will give you that (IP address 10.10.1.2 is using 2mb/sec talking to youtube.com).

          Easy enough.

          However, what if you're monitoring a global network and you want to see internal AND external measurements on, say, Lotus Notes traffic (port 1352 by default)? Now you might want to go down into some switches and see flows on those devices. You have interest in traffic that may not always be traversing a WAN or internet link, but perhaps you're trying to formulate some trend visibility. That STILL doesn't mean you necessarily want to monitor on every port, though - maybe you just need to examine your trunks.

          The same could apply to any application you use that is easily identified by port or other flow-identified characteristic.

          As far as affecting traffic flow, sFlow is a good friend here to mitigate any impacts. However, I have many NetFlow exporters traversing a 3MB transatlantic link with no ill effects.

          2 of 2 people found this helpful
          • Re: NetFlow - Router, Switch or Both
            deverts

            As rharland2012 mentioned, it "all depends."

             

            Given your simple layout above, I'd probably configure the router WAN interface only (ingress and egress). But let's compound the example by adding a local file server for backups; then I'd configure the switch and not the router, and watch the uplinks to the router and server. Compound it further by adding a direct Internet connection with an additional router. Now you have a need to configure that uplink, or that router.

             

            So, it all depends on your needs, business requirements, and device capabilities. I'll also add, Cisco 3750s, 3750Xs, and 3560s do not support NetFlow, so you will have to use a router. (Caveat: the 3750X with the 10G module does support it.)

             

            D

            1 of 1 people found this helpful
            • Re: NetFlow - Router, Switch or Both
              dteetz

              Thank you both for your replies - they have been helpful.

               

              We are new to SolarWinds and are kicking the tires. I posed the question for my clarity and wanted to ensure a redundancy of information was not affecting performance.

               

              Most commonly we are requested to investigate generalized network slowness, so we need to determine a cause. Streaming, etc., is controlled with web filtering, so we need to track down the business process, circuit status or file transfer that may be occurring. We are not so concerned, for now, with individual usage, but rather with how server traffic or circuit issues are affecting the network.

               

              deverts - I have found a couple of routers on the network that do not support NetFlow, so I'm using the switch by default. 

               

              Thanks again for the information.

                • Re: NetFlow - Router, Switch or Both
                  deverts

                  Those must be routers with some really old code (if they are Cisco).

                   

                  As "newbies", I'd like to first say Welcome to the community! As with most IT professionals, we are generally sarcastic to each other, but we are always here to help!

                   

                  Secondly, some advice: you're going to want to look at a complete picture when troubleshooting. For this, NetFlow is just 1 component of the puzzle. You would do well to consider the following (if you haven't already):

                   

                  1. Configure QoS tagging at a minimum; this data is a great addition to the NetFlow data.
                  2. IP SLA (if you are a Cisco shop), which will require the Orion VNQM module to collect the data.

                   

                  Along with interface stats, NetFlow/sFlow, QoS tags, and IP SLA data provide a very clear picture of what's going on where and when.

                   

                  D

                • Re: NetFlow - Router, Switch or Both
                  psuimpreza

                  I'd recommend reading this document if you haven't already.

                   

                  New to Networking Volume 3 - NetFlow Basics and Deployment Strategies

                  1 of 1 people found this helpful