Exporting IPFix from 5698 or 5632 to Scrutinizer collector

[davidwn]

I have followed all of the available configs I could find about enabling IPFIX, but I am still getting a very low level of flows o the collector.  I have an older HP switch that is registering reasonable usage, but similar users attcched to an Avaya switch are getting about 1/1000 of the usage levels.  I realize the 5xxx class ERS devices do bnot show egress, but in comparing the flow levels, it still does not make sense.  For instance, I have a very high level of usage, and I am patched to the 5698.  My ingress statistics are about 4 b/s.  Other users that do not do a lot of networking are getting say 30 Kb/s usage.

Are 5xxx class ERs's usable for netflow?  It would seem not.

[Dominik]

That is the normal behavior, the ERS5600 switches are only capable of sampled FlowExporter.
So you will not see the complete data stream, only some samples of the complete stream will be picked
up and exported via IPFIX to your Scrutinizer.
For me the sampled Flows are pretty useless, I always try to collect the Flows on devices like e.g. the ERS8800
that are capable to forward the complete flow and not only samples.

Cheers

[davidwn]

Is that the final word on this?  Has anyone used an nprobe/ntop/nbox appliance to pull flow information?  I have also heard that Ipswitch's Flow Monitor has a Flow Publisher plugin that can be used to pull flow information from devices?  Has anyone had any experience with those?

What is the preferred setup to do flow analysis?  It sounds like I must have an Avaya 8600 switch setup.

[Dominik]

I personal try only to use devices that have an extra HW asic for the flow exporter. The ERS5600 series
can only export flows that are samples of the complete traffic.
With software based solutions you always have the problem that you can not trust the flows 100%,
in fact of high cpu or memory usage on the server you run the software based flow exporter, it can happen
that you are not receiving all flows.

There are a lot of switches out there that have an extra HW asic for the flow exporter. I usually only grep
the flows on the network cores, in fact most of the traffic has to pass the network core.

As always the answer is it depneds on what you whant to achieve with the flows.
If you only want to inspect a specific problem, a software based flow eporter on the server that have
the problem can serve you well.
If you want to inspect 24/7 all the traffic that passes your network, it is better to have a HW based solution, in my opinion.