NetFlow - path from Routers to Collector

Baldur Norddahl baldur.norddahl at gmail.com
Wed Sep 2 17:03:20 UTC 2015


We use the VRF approach not because we think this will give us more
stability, i.e. no fate sharing, but because it is best practice from a
security perspective. We keep our internal network separated from customer
traffic for the same reason our customers run firewalls.

Minimize the attack surface. Customers or people from the internet should
not be able to even attempt hacking the infrastructure. They should not be
able to send packets that will get routed to the collector.

ACLs are a poor man's solution compared to running in a VRF or equivalent
(VLAN).

Regards

Baldur
On 02/09/2015 18.31, "Serge Vautour" <sergevautour at yahoo.ca> wrote:

> Hello again,
>
> Well, this generated a bit more discussion than I was expecting. I've
> retained the following from all your comments:
>
> -Doing flow export over an OOB network can help make sure you still "see"
> your network during a DDoS
> -If we do this over an OOB network, it may not work over the OOB port on
> the RE/RSP.
>
> I do have some specific questions for the folks who are OK with doing this
> inband:
>
> -Are you concerned with someone intercepting the Flow streams? I assume if
> someone has the ability to do so, you've got bigger problems.
> -If we make the assumption that someone can intercept the Flow stream, do
> you think the data in the stream can be used for anything? It's just L3 & L4
> headers. In other words, do you feel an OOB network is required to secure
> the flow data?
>
> Thanks again, your comments are very helpful.
>
> Serge
>
> --------------------------------------------
> On Tue, 9/1/15, Serge Vautour <sergevautour at yahoo.ca> wrote:
>
>  Subject: NetFlow - path from Routers to Collector
>  To: nanog at nanog.org
>  Received: Tuesday, September 1, 2015, 12:33 PM
>
>  Hello,
>
>  For those that run Internet connected routers, how do you
>  get your NetFlow data from the routers to your collectors?
>  Do you let the flow export traffic use the same links as
>  your customer traffic to route back to central collectors?
>  Or do you send this traffic over a private network-management
>  type path? If you send this traffic over the "Internet"
>  (within your AS), are you worried about security?
>
>  Thanks,
>  Serge
>
>

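As an added illustration of the two approaches contrasted in Baldur's reply (this configuration is not part of either message on this thread, and is not the poster's own setup), the following IOS-XE Flexible NetFlow fragment shows flow export sourced from a dedicated management VRF, with the ACL-only alternative it replaces shown after it. The VRF name, interface names, route distinguisher, collector address and UDP port are all made up for the example; the `vrf` keyword on the exporter `destination` assumes a platform that supports VRF-aware export.

```ios
! --- VRF approach: the collector is only reachable inside MGMT ---
! Customer-facing interfaces stay in the global table, so nothing
! arriving from a customer or the Internet has a route to the collector.
vrf definition MGMT
 rd 65000:100
 address-family ipv4
 exit-address-family
!
interface Loopback1
 description NetFlow export source (management VRF only)
 vrf forwarding MGMT
 ip address 192.0.2.1 255.255.255.255
!
flow exporter NF-COLLECTOR
 description export to collector 192.0.2.10 via MGMT VRF (constructed example)
 destination 192.0.2.10 vrf MGMT
 source Loopback1
 transport udp 2055
 export-protocol netflow-v9
!
flow record NF-REC
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
!
flow monitor NF-MON
 exporter NF-COLLECTOR
 record NF-REC
!
interface TenGigabitEthernet0/0/0
 description customer-facing link (global table)
 ip flow monitor NF-MON input
!
! --- ACL-only alternative: collector stays in the global table ---
! Export reaches 192.0.2.10 over the same paths as customer traffic, and
! an ACL on every edge interface has to stop everyone else getting there.
! One missed interface or a later ACL edit reopens the path, which is why
! the thread calls this the poor man's version of the VRF split above.
ip access-list extended PROTECT-COLLECTOR
 permit udp host 192.0.2.1 host 192.0.2.10 eq 2055
 deny   ip any host 192.0.2.10
 permit ip any any
!
interface TenGigabitEthernet0/0/1
 description customer-facing link protected by ACL only
 ip access-group PROTECT-COLLECTOR in
```

With the VRF variant, the collector (and any OOB switch in front of it) must itself sit in MGMT; a quick check from the router is `show ip route vrf MGMT 192.0.2.10` returning a route while `show ip route 192.0.2.10` in the global table returns none, which is the property the ACL variant cannot give you.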