Good news: with MACH5 NetFlow support, Blue Coat is now part of a growing community of vendors supporting NetFlow and/or IPFIX. IPFIX is the official standard for all flow technologies, and although interest in the proprietary sFlow technology has begun to shrink over the past few years, the IPFIX standard includes provisions for real-time packet sampling as well.


The MACH5 is a WAN optimization solution and combines protocol acceleration, compression, object and byte caching and QoS to help accelerate key applications.

Set Up the Blue Coat MACH5 NetFlow Configuration

In the Blue Coat MACH5 NetFlow configuration, you need to define the port and IP address of the flow collector(s), specify which interfaces you want to monitor, and enable NetFlow processing. Below are the steps involved:

  1. Access the MACH5 CLI, with enable (write) access.
  2. Type conf t to go into configuration mode.
  3. Type the following CLI commands to define a flow collector:
    • #(config) netflow
    • #(config netflow) collectors
    • #(config netflow collectors) add <IP-address> <port>
    • Enter the collector’s IPv4 or IPv6 address and the port on which it is listening.
  4. Define additional collectors, if available. You can define up to four collectors. Very cool!
  5. (Optional) If you want to limit the number of flow detail records that are sent to the collector, specify the MACH5 interface(s) that you want to monitor:
    • #(config netflow collectors) exit
    • #(config netflow) add <adaptor>:<interface> [in|out|inout]
    • The last parameter selects NetFlow input (in), output (out), or both (inout). If no parameter is specified, the default is used (inout). I’m assuming that this means ingress and egress metering. If this is the case, a direction bit needs to be exported. This is VERY important because the MACH5 is compressing data and users will want to compare the in traffic on interface 1 to the out traffic on interface 2 to verify compression ratios. Please send us a packet capture of your flows and we will verify that the direction bit is being exported. We have seen this become a problem with Riverbed NetFlow exports as well.
  6. Enable NetFlow processing:
    • #(config netflow) enable

The Blue Coat MACH5 appliance will now send flow detail records of data seen on the specified interface to the defined flow collectors. Flow records are actually bundled together into NetFlow packets; the MACH5 appliance sends a packet to the collector after it reaches the maximum of 30 flow records, or two minutes after the first flow record is collected, whichever comes first.

Verify the Blue Coat MACH5 NetFlow Configuration

Use the show netflow CLI command to verify that the MACH5 appliance is sending flow records.


Visit your NetFlow Analyzer to verify that the flows are coming in and give us a shout if you are having any issues. I’m particularly concerned about where it says “or two minutes after the first flow record is collected” because I noticed that there is no active or inactive timer setting in the above configuration and this could lead to spikes in the utilization trends.
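The timer concern above can be shown with a small simulation. This is an added example, not code from the original post or from Blue Coat: it assumes an exporter without an active timer reports a flow only when the flow ends, and a collector that trends in 60-second buckets; all function names and the sample flow are constructed for illustration.

```python
from collections import defaultdict

BUCKET = 60  # collector trend resolution in seconds (assumed)

def export_records(start, end, rate_bps, active_timeout=None):
    """Return (export_time, first, last, bytes) records for one steady flow.

    active_timeout=None models an exporter that reports a flow only when it
    ends; a value in seconds models periodic updates for long-lived flows.
    """
    step = active_timeout or (end - start)
    records, t = [], start
    while t < end:
        nxt = min(t + step, end)
        records.append((nxt, t, nxt, (nxt - t) * rate_bps // 8))
        t = nxt
    return records

def trend(records, spread=False):
    """Bits per second per bucket, as a collector would graph it.

    spread=False books all bytes at export time; spread=True distributes
    them evenly across the record's first/last timestamps.
    """
    bits = defaultdict(float)
    for export_time, first, last, nbytes in records:
        if not spread:
            bits[(export_time - 1) // BUCKET] += nbytes * 8
            continue
        for sec in range(first, last):
            bits[sec // BUCKET] += nbytes * 8 / (last - first)
    return {b: v / BUCKET for b, v in sorted(bits.items())}

def peak(records, spread=False):
    """Highest bucket rate in bits per second."""
    return max(trend(records, spread).values())

# Constructed sample: one 10-minute transfer at a steady 8 Mbit/s.
FLOW = dict(start=0, end=600, rate_bps=8_000_000)

if __name__ == "__main__":
    for label, timeout in (("no active timer", None), ("60 s active timer", 60)):
        recs = export_records(active_timeout=timeout, **FLOW)
        print(f"{label}: {len(recs)} records, peak {peak(recs) / 1e6:.0f} Mbit/s")
```

In this model the single end-of-flow record graphs as an 80 Mbit/s minute on an 8 Mbit/s transfer, which is the kind of false spike that skews baselines and threshold alerts; spreading the bytes across the record's first/last timestamps at the collector removes it.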

I also learned that the Blue Coat Crossbeam security automation solution supports NetFlow, as do the Checkpoint firewall and the Packeteer PacketShaper. Blue Coat is a company committed to NetFlow and IPFIX technologies!

Steve

Stephen joined Plixer in 2011. Steve’s efforts over the years have helped many customers gain better visibility and network analytics. With more than 5 years of successful technology consultation, Steve has become a thought leader, focusing on how Scrutinizer can be part of a system incorporating other solutions such as Gigamon, Statseeker, Uptime, InfoBlox and Splunk. He is a firm believer that most organizations will have a larger SDN implementation and greater leveraging of the Cloud in the next few years. Steve resides in Scarborough, ME with his wife and two sons.