Nta and network flow record collection overview – H3C Technologies H3C Intelligent Management Center User Manual

NetFlow record, and forwards it to the NetFlow collector. One NetFlow packet can contain summarized details for as many as 24 to 30 conversations. When a NetFlow-enabled router or switch is configured properly and the router or switch is not overloaded, NetFlow data can achieve 100% accuracy.
Like NetFlow, sFlow also summarizes traffic into a network flow record that it pushes to a collector. It is also a technology that is implemented in devices, such as routers and switches, which forward traffic from source to destination.
Unlike NetFlow, however, sFlow is implemented in hardware with a dedicated chip that performs the flow analysis and processing. For this reason, sFlow technologies introduce much less load onto the router or switch on which sFlow is enabled.
Another key difference between NetFlow and sFlow is that sFlow does not analyze every packet in a flow but rather statistically samples every nth packet. As a result, sFlow data is often considered to be less accurate than NetFlow data.
When you use routers or switches to collect network traffic statistics, they must support NetFlow, NetStream, or sFlow. For a device that does not support any of these protocols, you can configure port mirroring on the device to mirror the network traffic to be analyzed to the probe server, which is a server with a probe application program deployed. The probe server collects statistics of the received mirrored traffic and generates probe traffic logs. The probe server then uploads the probe traffic logs to the NTA server. NTA analyzes the network traffic based on the received probe traffic logs.
The H3C probe servers are Linux servers with probe application programs deployed. A probe application program is software which must be installed on a physical or virtual Linux server, and it collects statistics of the received traffic of a physical or virtual network.

NTA and network flow record collection overview

To configure NTA and devices to collect a record of network flow:

1. Identify the areas of interest for which you want to capture network flow data.
   This may include business services, applications, or systems and the underlying technologies that deliver these services, as well as network devices or interfaces, servers, storage, or other network resources.
   When you identify where you want to capture network flow data, you can develop a plan to enable network flow data. Segments of the network that are often valuable from a network flow collection perspective include network ingress and egress points, aggregation points and server farms.

2. Identify all of the devices in the network that are capable of generating network flow records.
   The network flow data protocols that NTA supports and for which it can process flow records are NetStream v5/v9, NetFlow v5/v9, and sFlow v5. You must determine if the devices that are network flow capable are compatible with the versions supported by NTA. Routers and switches are the most likely candidates for network flow capable devices.

3. Perform a gap analysis of the areas in your network that are network flow data capable and those that are not.
   You can do this by mapping the areas from step 1 to the device inventory you created in step 2. This enables you to identify the areas for which you can collect network flow data and those areas that you cannot.
   This analysis provides the following important planning aids:
      A list of the devices and their interfaces for which you enable network flow data.
