nFLow Windows client

[WillemDH]

Hello,

We are looking into a way to monitor network flows in our organization.

I read a document yesterday about NNA where it was said that to monitor flow on Windows server we need a Windows client license. I checked out the ntop's webshop http://www.nmon.net/shop/cart.php

Do we need a license for each Windows server in order to use NNA or is one ntopng license enough? If we need one for each Windows server @ 49.95 $ each (and we have 600) , this is kind of really expensive.. (29000 $) Or are there other less expensive solutions?

Grtz

Willem

[sreinhardt]

Depending on where you want to monitor, you could significantly reduce your licensing. The only real instance that you actually need netflow from any physical, or vm, machine is if there is traffic you wish to monitor between it and the first switch it touches, if that switch is not layer 3 or net\sflow supporting. So what I would suggest, is first look at your switches and consider where you wish to collect data from. If all of them are layer 3 and support sending flows, all cisco layer3 devices do, there would be no need to purchase any windows licensing. Secondly if they are vmware machines, different levels of vmware licensing allow exporting of flows directly from the virtual switches, this might be another option to reduce or completely remove licensing needs. Finally if you need a windows flow client, I would suggest staying away from ntops as it does not generate netflow, but sflow data. Meaning it only samples the traffic and set intervals and will miss anything in between. The company flowtraq makes a flow client that does proper netflow creation, and is what we would currently suggest looking at instead.

[WillemDH]

Ok, but
1) if we would want to use the NNA with Nagios XI integration for Windows host, we would need a Windows Netflow client?
2) As we have only Alcatel networking devices, we would first have to find out if these switches can do Netflow? Can you confirm that Alcatel is fully supported by NNA?

Grtz

[sreinhardt]

1) What you have to understand about netflow, is that the data is exactly the same if it comes from a switch or windows machine. What I'm getting at, is that if you have windows box A that speaks to windows box C over switch B. The only case that you would need a netflow collector on the windows machines is if switch B does not support sending flows. Otherwise the data you collected from either windows machine would be basically identical, with the exception of if you were collecting from A and another device speaks to C specifically, A is not going to show you the traffic, whereas the switch would show any and all traffic.

2) I honestly do not know, however if they support sending by the netflow standards, I see no reason that it shouldn't work, but a test is likely in order first.

[WillemDH]

I guess I'll have to convince my boss to give me some time to set this up as a trial.I'll let you know how it goes.

[lmiltchev]

Sounds good. Let us know how it goes.

[WillemDH]

Is there a manual hoe to setup the exporting of flows in VMWare. Does it work with normal vswitches, or only with distributed switches? Is there a manual on how to set this up in Alcatel switches?

[sreinhardt]

We do not have official documentation on alcatel switches, but a quick look up of "alcatel netflow" brought up many solutions for different devices. I think vmware exporting only happens with distributed switches, unfortunately this is a licensing feature we do not have presently, so I was unable to write a doc for it. They have some documentation here: http://www.vmware.com/pdf/vi3_35_25_netflow.pdf