Flexible NetFlow Generates Cash?
In the What’s So Flexible About Flexible NetFlow? post I discussed the key advantages of Flexible NetFlow. In this blog I will outline how Flexible NetFlow exports 3 types of flow caches (i.e., not cash), depending on the nature of what you want to export. These caches are as follows:

• Normal Cache: used for traditional NetFlow, with an additional benefit: the Active timeout can be set as low as 1 second, whereas in traditional NetFlow it can only go as low as 60 seconds. This means the data can be exported to the collector closer to real time.

• Permanent Cache: used for accounting and for security monitoring. This cache is sometimes used to export a byte count on an interface for specific IP addresses for accounting purposes. It is generally used when the number of flows expected will be low or when there is a need to keep long-term statistics on the router. We have to be careful with a Permanent Cache because when it becomes full, all new flows are dropped, so we need to be sure that we export frequently enough to avoid lost data. Also, the counters represent totals seen for the lifetime of the flow and not just since the last export.

• Immediate Cache: used when each packet matching the filter is to be exported immediately to the collector. It is generally used to export up to the first 1000 bytes from the IP payload. Usually, “something” monitoring traditional NetFlow triggers an Immediate Cache. With a good portion of the original packet in hand, we can take a closer look into the potential problem.
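Because a Permanent Cache exports lifetime totals, a collector has to difference consecutive exports to get per-interval usage. The sketch below is an added example, not code from the original post; the record layout, the sample values, and the treatment of a falling total as a counter restart are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Export:
    """One record from a periodic Permanent Cache export (constructed model)."""
    ts: int            # export time in seconds
    key: tuple         # flow key, here (interface, IP address)
    total_bytes: int   # lifetime byte total, not bytes since the last export

def interval_bytes(exports):
    """Convert lifetime totals into per-interval byte counts.

    Returns (ts, key, delta, note) tuples in time order. Assumption: a total
    lower than the previous one for the same key means the counter restarted,
    so the new total is taken as that interval's bytes and flagged.
    """
    last, out = {}, []
    for e in sorted(exports, key=lambda e: e.ts):
        prev = last.get(e.key)
        if prev is None:
            delta, note = e.total_bytes, "first-seen"
        elif e.total_bytes < prev:
            delta, note = e.total_bytes, "counter-restart"
        else:
            delta, note = e.total_bytes - prev, "ok"
        last[e.key] = e.total_bytes
        out.append((e.ts, e.key, delta, note))
    return out

def usage_by_key(exports):
    """Total bytes per flow key, summing deltas rather than raw totals."""
    usage = {}
    for _, key, delta, _ in interval_bytes(exports):
        usage[key] = usage.get(key, 0) + delta
    return usage

# Constructed sample exports (documentation addresses, made-up counters).
HOST_A, HOST_B = ("Gi0/1", "192.0.2.10"), ("Gi0/1", "192.0.2.20")
SAMPLE = [
    Export(60, HOST_A, 1_500),
    Export(120, HOST_A, 4_000),
    Export(120, HOST_B, 900),
    Export(180, HOST_A, 4_000),   # idle interval: total unchanged
    Export(240, HOST_A, 700),     # total fell: counter restarted
]
```

Summing the raw totals for the first host would report 10200 bytes; summing the deltas gives 4700, and the flagged restart row marks where an accounting or monitoring report should be checked.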

For most of us, NetFlow collection using a Normal Cache won’t change. However, a NetFlow solution which can take advantage of the other caches (i.e., Permanent and Immediate) in a beneficial way may allow your IT team to better serve the business.

In the next blog, “How can my company benefit from Flexible NetFlow?”, I will discuss how the IT team may take advantage of the different caches.

Michael

Michael is the Co-Founder and the product manager for Scrutinizer Incident Response System. He can be reached most hours of the day between work and home. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer. Feel free to email him.