![]() At the very least, if a vendor feels they have to use NetFlow in lieu of IPFIX, they had better copy Cisco exactly! Remember, Cisco owns NetFlow and all of its information element space. Cisco may use elements carved out by other companies in the future and collector vendors will likely go with the Cisco values and not another company’s. Although our Scrutinizer appliance can collect and store over 140,000 flows per second, this 28 bytes per flow could add up to 3.9 MB per second.Īnother concern: exporting non-Cisco elements with NetFlow isn’t a good idea because Cisco owns all NetFlow elements. It’s also 28 bytes of additional storage required for every flow saved. The 28 byte difference between these two strategies doesn’t sound like a big deal, but, it’s 28 bytes added to every flow record – stuffed into a NetFlow or IPFIX datagram that is traversing the network. ![]() By contrast, Cisco exports 4 bytes for applicationTag. Exporting 32 bytes for appId consumes more space in the database. The issue with the the above method is that it is inefficient in some ways because it increases the amount of data going over the wire to carry the NetFlow exports. It’s a straight forward export and the query to build the report is fast. They simply stick the application Name (appld) into the flows that are exported. Two companies, one of which produced the nProbe did exactly what might make the most sense on the surface. Less Optimal Approach to Application Aware NetFlow Exports There is no perfect way to export these details in flow records however, there are a few less than ideal configurations already being used by some vendors. We feel it is now time to address this issue.įirst, lets digress a bit on how we have seen a few vendors tie flows to actual applications that are detected with Deep Packet Inspection (DPI) for example. The NetFlow Application ID draft by Claise, Aitken and Dvora tries to address this issue however, it is only meant to create discussion. ![]() The current direction of vendors is preventing interoperability and in some cases, the poor template designs and element selections are causing: The topic of using Deep Packet Inspection to identify applications and exporting the details using defined Application IDs in NetFlow exports is a growing concern.
0 Comments
Leave a Reply. |