I understand the part about multiple Netflow virtual devices. I love that feature and use it. The problem is on the router end of things. Most people use Cisco routers and as far as I know you can't break out the flows to different destinations - flows for all interfaces enabled for Netflow go to all configured destinations. Then you have the issue where Cisco only collects flow info for ingress packets. So even if you could break it out interface-by-interface, you'd only see the ingress side of the conversation.
 
[rant]I run into this problem constantly - my CTO says, "I want to know everything that's happening on every port". Well, but you can't mirror 96 100meg ports to 1 100meg port and get anything meaningful. "But I want it". Too bad. "But I want it". OK, I'll use sFlow. "OK, but now I want to know what port that came from". Sorry, the FREE software I'm using won't do that. "But I want it". OK, well, buy me Traffic Server for 50 grand. "I don't have the budget for that". Well, dunno what to tell you..... "But I want it!". @[EMAIL PROTECTED]  I told him I'd talked to Luca about doing something like that and he said "then get on him about it". But we're not paying him, I can't get on him. "I don't care, I want it. Get on him". Yeah, OK, I'll get right on him.......I'm sure being rude and abusive to a guy who develops free software is gonna get me a long way.[/rant] Sorry.....had to get that off my chest!


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burton Strauss
Sent: Tuesday, February 15, 2005 9:47 AM
To: [email protected]
Subject: RE: [Ntop] NetFlow Multiple Routers Multiple Interfaces

Not true ... ntop 3.1 supports multiple netFlow devices.
 
Each pseudo-device can be configured to receive on a separate port (that's the only meaningful configuration).  Each configured port is treated as a separate 'device'.  ntop receives the flows and accumulates counts in separate 'devices' and, just like any other situation, you select one at a time for reporting.  The trick is in the configuration...
 
If the router(s) support it, you simply direct the flows (perhaps both ports to the same destination to work around the ingress question) to separate destination ports on the ntop host.   If the routers won't support alternate destination port numbers, you need to get sneaky - use flow-tools (http://www.splintered.net/sw/flow-tools/) on yet another box.
 
Is it efficient? Probably not...
 
-----Burton


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Moore
Sent: Tuesday, February 15, 2005 9:26 AM
To: [email protected]
Subject: RE: [Ntop] NetFlow Multiple Routers Multiple Interfaces

In short, Ntop won't do what you want to do in question 1.
 
At present, Ntop won't break the info out according to interface the NetFLow info was collected on. I have had some discussions with Luca about providing this functionality for sFlow but I don't know if he has done any work on this.or not. If it could be configured, you could send NetFlows from each interface to a different destination port, but I don't think Cisco provides this functionality. Nor do I know if NetFlow provides interface info along with the flows. One additional complication is that, at least on Cisco devices, NetFlow only collects stats on ingress packets. e.g. on a 2 interface router Netflow must be configured for both interfaces to see both sides of the conversations. So in your example below, each virtual device would only be seeing one side of the conversations.
 
In response to your second question, you set the virtual address to one on the network you wish to be "local". I don't know how you might want to set this on your system. One approach is to run more than one Ntop for your Netflow destinations, so you have a bit more configuration control on what is considered local and what is considered remote.
 
BTW, InMon Traffic Server does exactly what you want, but warns that some Netflow implementations do not provide interface info along with the flows. In any case, IIRC monitoring your two routers with Traffic Server would run you something like $30k!
 
Chris

_____________________________________________
Chris Moore
Senior Network Engineer
Guardian Mortgage Documents

303-942-2019
[EMAIL PROTECTED]




**********************************************************************
Confidential/Proprietary Note

The information in this email is confidential and may be legally privileged. Access to this email by anyone other than the intended addressee is unauthorized. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system. Thank you.
Guardian Mortgage Documents, Inc.
225 Union Boulevard, Suite 200
Lakewood, CO 80228.
**********************************************************************
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop

Reply via email to