I recently discovered that the Ecessa appliance has the ability to send NetFlow v5 or IPFIX information to a NetFlow/IPFIX collector. In this blog, I am going to explain how to configure NetFlow with Ecessa appliances.

According to Ecessa’s website, the Powerlink 175EHQ, Powerlink 600EHQ, and the Powerlink 1200EHQ all provide support for NetFlow/IPFIX, but their support site indicates that the Clarilink CL175EHQ also supports NetFlow. The documentation on their website shows the configuration being done with the CL175EHQ and the support is for IPFIX, even though it states “Enable NetFlow”. For those with the smaller Outpost PL and Outpost PL+, these devices are also capable of sending NetFlow/IPFIX data. So if you already have a NetFlow solution, like the one Plixer offers, you can opt for the lower cost Outpost PL over the higher-end PowerLink appliances and still get full visibility on your network.

How to enable NetFlow

Click on NetFlow under Advanced Setup in the left-hand menu. On the NetFlow configuration page:

  1. Select the Enable NetFlow checkbox.
  2. Click the “Add a new NetFlow Collector” button. The Host IP is the IP address of the NetFlow collector. The Host Port is the appropriate UDP port the collector uses to listen for reports.
  3. Click the Activate button to save the changes.
netflow configuration

There you have it, your Ecessa appliance is now sending IPFIX data to your collector(s). A few important things to keep in mind regarding the Ecessa appliance:

  • If the address entered for the NetFlow collector is not in the same network as the Ecessa appliance, make sure the Ecessa appliance has a route to the collector so the information can be sent properly.
  • The Sample Rate field indicates how often packets should be processed. For example, a sample rate of 20 means 1 out of every 20 packets will be processed, which is suitable for most configurations. A sample rate of 1 will cause every packet to be processed. If you want full visibility in your network then you will need to configure the device with a sample rate of 1; otherwise, any data that is not sampled will not be reported in your netflow collector. Choosing a sample rate of greater than 1 would be the equivelent of using sFlow technology. One thing to note, however, is that if you have a high flow volume the sample rate of 1 will cause higher CPU utilization.
  • The NetFlow support on the Ecessa appliance is for LAN interfaces only; traffic going over the WAN would not be included. You could, however, connect your Ecessa appliance to an Internet facing router/switch and then collect the NetFlow from that device.

Let us know if you need help setting up NetFlow/IPFIX on your Ecessa appliance or other exporters; we are here to help.

 

Justin

Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks.

Related