Determining which network devices to monitor

When planning your Flow Monitor deployment, it is important to understand which network devices are likely to provide you the information you want. In identifying those devices, questions about the data flowing through an individual device, its location in respect to other network devices and the types of addresses (internal/external) available to that device are all of importance.

Are you interested in monitoring the internet gateway routers connecting to your ISP for application level traffic analysis, performing forensics and diagnostics on a core router of a public facing network, or monitoring your WAN core in order to plan for additional capacity? The answers to these and similar questions about the purpose of your monitoring will provide you with some indication as to which devices in your network are of most interest as potential sources for Flow Monitor.

Once a potential Flow Monitor source has been identified, you should consider the location of the device with respect to other networking devices, particularly those devices that perform network address translation (NAT). Depending on where the source is located relative to the device performing NAT, traffic to and from an internal (private) IP addresses are reported differently in the exported NetFlow data.

If the device is inside the firewall, or if no firewall exists, the exported flow data includes the internal IP address for devices generating and receiving traffic. This allows you to pinpoint the exact device in the internal network to which the traffic belongs.
If the device is outside the firewall, the exported flow data aggregates all traffic to and from internal devices and reports it as belonging to a single public address belonging to the device performing the address translation. In this case, you can only determine that an internal device originated or received traffic, but you cannot pinpoint the traffic as belonging to a specific internal device.
If the device exporting flows is also performing NAT, you can configure the device to export the flow data using either the private or the public translated address, mimicking either of the above scenarios. To see internal IP addresses, configure the device to export data on ingress and egress for the internal interface. To see all traffic reported using the external translated IP address, configure the device to export data on ingress and egress for external interfaces. For more information, see Manually configuring network devices to export flow data to Flow Monitor.

Other conditions that may also change the nature of the data reported by Flow Monitor include:

When address translation occurs anywhere in the path between the source and the destination, IP addresses reported are altered to include the translated address. In most cases, this does not present a problem, but it may require monitoring multiple flow-enabled devices to track traffic in complex network environments.
Virtual private networks and other tunneling technology (such as ESP or SSH) can appear to distort reports. In these cases, Flow Monitor reports large amounts of traffic sent over a small number of flows. This is expected behavior, as VPNs and other tunnels aggregate traffic from multiple connections and funnel it through a single connection.