If your remote offices are connected to one or more routers at your central office, you can enable netflow just on your central office routers. Make sure to enable flow switching on all interfaces of the central router(s) so you get all the traffic - as netflow only counts the egress packets of an interface - I think.... Egress or Ingress - it only counts one of them, so you need flow on each int to accurately get all the traffic.

I would not enable it at your remote sites - it would be redundant data to your central site AND use up Bandwidth. You need to define what data you want to measure. If you want to measure "everything" - and everything goes through the core - you COULD do it there and be done with it. However, the overhead on the core CPU may be unacceptable. Depending on your supervisor it might have a daughter card (WS-F4531) for netflow processing, but I don't know your traffic loads to know if the card would keep up. It would also violate Cisco's view of the Core switch role - which who cares about?

IMO - distribute the netflow probes (routers as you pointed out) to several key collection points. I have the following routers netflow enabled: our HQ hub router for the Frame-Relay WAN and the internet border router. On the short list are the server farm switches and one more border router for a PtP network. Then I'll have visibility into all the traffic I care about except intraVLAN and non-server interVLAN traffic - which I plan to shut down using private VLANs and interVLAN ACLs. Done.

G

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 09, 2007 2:47 PM
To: [email protected]
Subject: RE: [Ntop] NTOP new install, Local Network Traffic Map error and too many Netflow devices cause NTOP to stop updating

Hi Gary,

Thanks for the response. Yes, since Friends I just got that one gig of "The whole nine yards" ;)

We are a spoke off of Canon's primary site in NY. We in turn have 9 or so sites coming off of us to our satellite offices. Not knowing a good way to roll out Netflow, I opted to have the routers at each site send us their netflow data and the router here that's connected to those sites do the same. I'm no longer certain that would be the proper way to do things. I think maybe our core switches, 6500's, would be a better option. I wonder if there's a "best practices" for Netflow.

I think I figured out partially what my problem may be. I set up each netflow device as the address of that netflow device's loopback address that's sending the flows. After reading the field info I think it needs to be the network address. It also states to add other local subnets using the -m option, but every time I've updated -m's field it turns to a few jumbled characters. So I'm unsure again if it's a bug or me.

Correct me if I'm wrong, but in this configuration I'm using NTOP as a collector and each "probe" is the router at each site. So when I add a site, I should add the network address of that site. I.e., our Phoenix branch's router's loopback address is 10.209.24.254, but I should be adding 10.209.24.0/255.255.255.0 as a netflow. I can see that it sees flows coming from each device so I was uncertain if I should add them at all. That router is connected to a switch that has another subnet coming off of it; I suspect it has a supervisor module that lets it route and it has the 10.209.25.0 network that actually has all the users. So I'm unsure how to add the local subnets to encompass both networks.

Back at our HQ, which is the only netflow device I have added now that works, it's sending from 10.208.254.6, so I changed how it was listed in netflow devices to 10.208.0.0/255.255.0.0 since this site has all the 10.208 subnets, but we also have an additional subnet of 146.184.212.0, which I guess needs to get added via the -m option.

I hope this makes sense. If it would help I can send you a visio diagram of what our network looks like.

Thanks.

Chandler Bing

Date: Wed, 7 Feb 2007 13:20:40 -0600
From: "Gary Gatten" <[EMAIL PROTECTED]>
Subject: RE: [Ntop] NTOP new install, Local Network Traffic Map error and too many Netflow devices cause NTOP to stop updating
To: <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"

Chandler Bing? Guess since "Friends" you haven't had much work huh?

Can't speak about the map - haven't used that feature yet - bells and whistles to me.

As for netflow, I have two netflow devices operating just fine. I'm using a different UDP port for each one. Not sure if that's the proper way to do it or not, but seems to be working. As for an upper limit - not sure. There are some upper limits in the code - for instance the "Host Clusters" is coded at 16 max; so there MAY be some max number of netflow devices in the code somewhere.

Why might you need so many netflow instances? Typically you collect data at aggregation areas in the net. I have a fairly large LAN/WAN and although the two I have now are not quite enough, I can't imagine needing more than 4 or 5 max.

Gary

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, February 07, 2007 11:55 AM
To: [email protected]; [email protected]
Subject: [Ntop] NTOP new install, Local Network Traffic Map error and too many Netflow devices cause NTOP to stop updating
Importance: High

I just installed NTOP and I'm seeing a couple of anomalies.

First, when I try to display the Local Network Traffic Graph, I get an error (see below). I ensured that graphviz is installed, and when I run the command listed below from the command line as root, I get the same error.

Local Network Traffic Map
ERROR
Creation of network map failed
Command was: /usr/bin/dot -Tpng -Goverlap=false /var/ntop/ntop.dot -o /var/ntop/network_map.png 2>&1
Results were: Error: Layout was not done. Missing layout plugins?

Second, when I add Netflow devices, the first works, but after I add more than 10 it stops updating. The devices are not set up for netflow yet as I'm waiting for AT&T to make the changes, but removing all of them except for the one device that is set up to send netflow has restored functionality.

Is there any kind of limitation on how many devices you can receive netflow from, or was it that they were not set up yet and that caused a problem?

Thanks

Chandler Bing

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
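The subnet question in the thread (loopback address versus the site's network, plus extra local subnets via -m) comes down to whether the collector classifies each flow endpoint as local or remote. The following is an added example, not code from the thread or from ntop itself: it parses subnet specs in the address/netmask form used above and shows how the same flows are classified when only the Phoenix loopback /24 is listed versus when the user VLAN and the HQ subnets are included. The flow records and the /24 mask on 146.184.212.0 are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Local subnets in the address/netmask form the thread uses (ntop -m style).
# NARROW lists only the /24 holding the Phoenix router's loopback; FULL adds
# the 10.209.25.0 user VLAN behind it plus the HQ subnets from the thread.
LOCAL_SUBNETS_NARROW = ["10.209.24.0/255.255.255.0"]
LOCAL_SUBNETS_FULL = [
    "10.209.24.0/255.255.255.0",
    "10.209.25.0/255.255.255.0",
    "10.208.0.0/255.255.0.0",
    "146.184.212.0/255.255.255.0",   # assumed /24; the thread gives no mask
]


def parse_subnets(specs):
    """Accept 'a.b.c.d/netmask' or 'a.b.c.d/prefixlen'; ipaddress handles both."""
    return [ipaddress.ip_network(s, strict=False) for s in specs]


def is_local(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def classify_flows(flows, nets):
    """Sum bytes per (src class, dst class) so you can see what the collector
    would treat as local-to-local, local-to-remote, and so on."""
    totals = Counter()
    for src, dst, nbytes in flows:
        key = ("local" if is_local(src, nets) else "remote",
               "local" if is_local(dst, nets) else "remote")
        totals[key] += nbytes
    return totals


# Constructed sample flows: (src, dst, bytes). 10.209.25.x is the Phoenix
# user VLAN; 203.0.113.7 is a documentation-range address standing in for an
# Internet host.
SAMPLE_FLOWS = [
    ("10.209.25.10", "10.208.1.5", 5000),      # Phoenix user -> HQ server
    ("10.209.24.254", "10.208.254.6", 200),    # Phoenix router -> HQ router
    ("146.184.212.9", "203.0.113.7", 1500),    # HQ public subnet -> Internet
    ("203.0.113.7", "10.209.25.11", 3000),     # Internet -> Phoenix user
]

if __name__ == "__main__":
    for label, specs in (("narrow", LOCAL_SUBNETS_NARROW), ("full", LOCAL_SUBNETS_FULL)):
        print(label, dict(classify_flows(SAMPLE_FLOWS, parse_subnets(specs))))
```

With only the loopback /24 defined, every user flow from 10.209.25.x is counted as remote-to-remote, which is exactly the visibility gap the thread is asking about.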
