How to solve duplicated NetFlow caused by multiple exporters

How to solve duplicated NetFlow caused by multiple exporters

We have already wrote about configuration duplication in the previous post How to configure devices and not duplicate NetFlow. Now we will help you understand and solve exporters deduplication - what to do when same flow is exported by different devices.

Understanding exporters duplication

​Viewing exporter traffic is simple because it presents data as actually exported. On the other side, viewing custom traffic not dependent on physical infrastructure may be confusing since exports arrive from multiple devices.

Figure above shows a flow travelling from Host A to B and passing via multiple exporters (R1, R2 and R3). NetFlow server will receive and processes the same flow three times.

For this reason, a professional NetFlow analyzer should know how to tackle this challenge and resolve which export to count in traffic statistics.

NetVizura network monitoring aplication provides two ways of resolving exporters duplication:

  1. Automatical deduplication - for general use
  2. Manual deduplication - for special use

Automatic deduplication

Facing this challenge, NetVizura team implemented a feature that quickly and automatically removes duplicate flows, but also does not jeopardize aggregation performance.

Namely, it solves this problem based on the next hop - when an exporter sends a flow, and this flow includes IP address of another exporter as next hop information, then the flow will be skipped by the custom traffic counter.

Figure above shows same the flow travelling from Host A to B and passing via multiple exporters (R1, R2 and R3). This time, NetVizura will skip flows from R1 and R2 (since R2 and R3 exporters are mentioned as next hop) and process only flow from R3.

Nevertheless, automatic deduplication has its advantages and disadvantages meaning that it should be used when suitable and according to network admin need.

  • One-time enabling
  • Does not require any special custom traffic definitions
  • Requires configuration on all devices flow continuity, including those on the network edge (eg. regional centers, locations)
  • Exporting from more devices requires greater HW (CPU, RAM; HDD) and higher license

Manual deduplication

When automatic deduplication is not possible due to above mentioned reasons, NetVizura offers possibility of manual deduplication by filtering a specific data while making a custom traffic definition.

Deduplication filtering that can be achieved based on the specific exporter, interface or next hop information.

For example, same flow will be processed only once from central exporter (R2) when custom traffic definition includes its IP address in the Exporter filter.


​So all you need to do now is to decide which of the previous methods is the best choice for you and hit it of...

2 Ways of Exporting Without Netflow Capable Device
How to configure devices and not duplicate NetFlow

Related Posts

Contact

Mailing and Visiting Address:
Soneco d.o.o.
Makenzijeva 24/VI, 11000 Belgrade, Serbia
Phone: +381.11.6356319
Fax: +381.11.2455210
sales@netvizura.com | support@netvizura.com

CONNECT WITH US:

linkedin facebook facebook