Monitoring traffic using Netflow: port mirroring or streaming

netflow, ntop, port-mirroring

We have a router that we need to monitor using NetFlow. The router is very important, so we are not allowed to enable Netflow on the router itself. Instead, it will have port mirroring enabled so that it can mirror traffic to another network device.

We now have two options:

a) Use a software Netflow probe on a Linux server, such as nProbe, to convert the mirrored traffic into Netflow.

b) Buy another router and enable Netflow on that router to convert the mirrored traffic into Netflow.

We know that we can do (a).

The questions are:

Is it possible to do (b)?

Which is more effective, (a) or (b)?

Best Answer

Buying another router won't work because routers will typically generate Netflow records only for forwarded traffic. Since you just want it to look at the traffic without actually forwarding anything, this won't work.

Using a software probe may work, but keep in mind that the mirrored traffic doesn't contain any information other than the traffic itself. Netflow can contain interface information (inbound/outbound interface), routing data (nexthop, ASN etc.) and other useful stuff which the software probe cannot know by just looking at the traffic.

If you just need to do some basic traffic accounting, the software probe is probably sufficient, but this really depends on your use-case.
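The limitation described in the answer can be seen in a small flow builder. This is an added example, not code from the answer or from nProbe: it aggregates mirrored frames into flows and packs them as NetFlow v5 records (v5 is an assumption, the page only says Netflow), leaving at zero the fields only the forwarding router could fill. The function names and the sample frames are constructed for illustration.

```python
import socket
import struct

# NetFlow v5 flow record layout (48 bytes, network byte order).
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def frame(src, dst, sport, dport, payload_len, flags):
    """Constructed Ethernet/IPv4/TCP frame used as sample input (checksums 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + b"\x00" * payload_len

def aggregate(packets):
    """Group (uptime_ms, frame) pairs into flows using only what is on the wire."""
    flows = {}
    for ts, raw in packets:
        ip = raw[14:]
        if raw[12:14] != b"\x08\x00" or len(ip) < 20 or ip[9] not in (6, 17):
            continue                      # this sketch handles IPv4 TCP/UDP only
        ihl = (ip[0] & 0x0F) * 4
        if len(ip) < ihl + 4:
            continue                      # truncated before the port fields
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        key = (ip[12:16], ip[16:20], sport, dport, ip[9], ip[1])
        f = flows.setdefault(key, {"pkts": 0, "octets": 0, "first": ts, "flags": 0})
        f["pkts"] += 1
        f["octets"] += struct.unpack("!H", ip[2:4])[0]
        f["last"] = ts
        if ip[9] == 6 and len(ip) > ihl + 13:
            f["flags"] |= ip[ihl + 13]    # cumulative OR of TCP flags
    return flows

def to_v5_records(flows):
    """Pack each flow as a v5 record; router-only fields are left at zero."""
    return [V5_RECORD.pack(
        src, dst,
        b"\x00" * 4,     # nexthop: needs the router's routing table
        0, 0,            # input/output ifIndex: needs the forwarding decision
        f["pkts"], f["octets"], f["first"], f["last"],
        sport, dport, 0, f["flags"], proto, tos,
        0, 0,            # src_as/dst_as: needs BGP data
        0, 0, 0)         # src_mask/dst_mask: needs route prefixes; then padding
        for (src, dst, sport, dport, proto, tos), f in flows.items()]

# Constructed sample: a SYN, a SYN/ACK reply and one data segment.
SAMPLE = [(1000, frame("10.0.0.5", "192.0.2.10", 40000, 443, 0, 0x02)),
          (1200, frame("192.0.2.10", "10.0.0.5", 443, 40000, 0, 0x12)),
          (1500, frame("10.0.0.5", "192.0.2.10", 40000, 443, 100, 0x18))]
RECORDS = to_v5_records(aggregate(SAMPLE))
```

A collector receiving these records still gets addresses, ports, protocol, counters and TCP flags, which is enough for basic accounting, but any report keyed on interface, next hop or AS will be empty.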
