Determining which device sources to monitor
The information that Flow Monitor collects is influenced by the location of the flow sources relative to firewalls or other devices that perform network address translation (NAT). In short, the data is dependent on what and how the source sees. Carefully consider which routers or other Flow-enabled devices you want to configure to export flows to Flow Monitor to ensure that you see the type of data that you want to see.
Depending on where the source is located relative to the device performing NAT, traffic to and from internal (private) IP addresses is reported differently in the exported NetFlow data.
- If the source is inside the firewall, or if no firewall exists, the exported flow data includes the internal IP address for devices generating and receiving traffic. This allows you to pinpoint the exact device to which the traffic belongs.
- If the source is outside the firewall, the exported flow data aggregates all traffic to and from internal devices and reports it as belonging to the public address of the device performing NAT. In this case, you can only determine that an internal device originated or received traffic, but you cannot pinpoint the traffic as belonging to a specific internal device.
- When the device exporting flows is also performing NAT, you can configure the device to export the flow data using either the private or the public NAT address, mimicking either of the above scenarios. To see internal IP addresses, configure the device to export data on ingress and egress for the internal interface. To see all traffic reported using the external IP address of the NAT device, configure the device to export data on ingress and egress for external interfaces. For more information, see Configuring NetFlow sources.
Other conditions may also change the nature of the data reported by Flow Monitor.
- If NAT occurs anywhere in the path between the source and the destination, the reported IP addresses are rewritten to the address of the NAT device. In most cases this does not present a problem, but in complex network environments it may require monitoring multiple flow sources to track a conversation end to end.
- Virtual private networks and other tunneling technology (such as ESP or SSH) can appear to distort reports. In these cases, Flow Monitor reports large amounts of traffic sent over a small number of flows. This is expected behavior, as VPNs and other tunnels aggregate traffic from multiple connections and funnel it through a single connection.
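The following is an added example, not part of Flow Monitor or its documentation, that models the two effects described above: what a collector can attribute when the exporting source sits inside versus outside the NAT device, and how a tunnel appears as a very small number of flows carrying a very large byte count. All addresses are constructed (RFC 1918 space for internal hosts, RFC 5737 documentation ranges for the NAT public address and outside servers), and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, replace

# Constructed addresses (not from any real network): RFC 1918 space for internal
# hosts, RFC 5737 documentation ranges for the NAT public address and outside servers.
NAT_PUBLIC_IP = "203.0.113.10"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # IP protocol number: 6 = TCP, 50 = ESP
    octets: int


# Constructed sample flows: two internal hosts talking HTTPS to one outside server,
# plus one ESP tunnel that carries many users' traffic as a single flow.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.20", 51001, 443, 6, 12_000),
    Flow("10.0.0.7", "198.51.100.20", 51002, 443, 6, 8_000),
    Flow("10.0.0.5", "198.51.100.20", 51003, 443, 6, 5_000),
    Flow("10.0.0.9", "198.51.100.40", 0, 0, 50, 900_000_000),
]


def is_rfc1918(addr: str) -> bool:
    """True for private (RFC 1918) addresses only; documentation ranges are not counted."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def export_view(flows, vantage: str, public_ip: str = NAT_PUBLIC_IP):
    """Flow records as a collector receives them from a source at the given vantage.

    'inside':  the source is on the private side (or there is no NAT), so records keep
               the private address of each host.
    'outside': the source is beyond the NAT device, so every internal source address has
               already been rewritten to the NAT public address before the exporter saw it.
    """
    if vantage == "inside":
        return list(flows)
    if vantage == "outside":
        return [replace(f, src=public_ip) if is_rfc1918(f.src) else f for f in flows]
    raise ValueError(f"unknown vantage {vantage!r}")


def octets_by_source(records):
    """Total octets per reported source address."""
    totals = defaultdict(int)
    for r in records:
        totals[r.src] += r.octets
    return dict(totals)


def attributable_hosts(records):
    """Internal hosts the collector can still name individually from these records."""
    return {r.src for r in records if is_rfc1918(r.src)}


def peer_summary(records):
    """Per (src, dst, proto): (number of flows, total octets).

    A VPN or ESP tunnel shows up as very few flows with a very large octet count; the page
    describes this as expected behaviour, not a fault in the exporter.
    """
    counts = defaultdict(lambda: [0, 0])
    for r in records:
        entry = counts[(r.src, r.dst, r.proto)]
        entry[0] += 1
        entry[1] += r.octets
    return {k: tuple(v) for k, v in counts.items()}


if __name__ == "__main__":
    for vantage in ("inside", "outside"):
        recs = export_view(SAMPLE_FLOWS, vantage)
        print(vantage, octets_by_source(recs), attributable_hosts(recs))
    print(peer_summary(export_view(SAMPLE_FLOWS, "inside")))
```

Run as a script, the "inside" view keeps per-host totals for 10.0.0.5, 10.0.0.7 and 10.0.0.9, while the "outside" view collapses all of them into a single total under 203.0.113.10 with no attributable internal host, which is exactly the loss of visibility the page warns about when the exporter sits beyond the NAT device. The peer summary shows the ESP tunnel as one flow carrying far more octets than all the HTTPS flows together.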