We used netflow on all external interfaces towards upstream & peerings, so we could find out, how much traffic we were exchaning with which AS. It's quite a nice feature for peering policy decisions (or the decision, if you should change your upstream)
The tool we used was flowscan (http://www.caida.org/tools/utilities/flowscan/), but I hear there are others as well (especially, if you are willing to shed out some money :-))
Another nice use for netflow data are intrusion detection systems, that can find out unusual traffic patterns with heuristic methods. Since those systems are quite expensive, I don't have any first-hand experience, but I hear, they have a long learning period, need a lot of tweaking until they do, what they're supposed to do... If you're interested in this stuff, I guess Nico (Fischbach) is your man :-)
Cheers, Viktor
At 18:25 30.08.2005, you wrote:
I am doing some research on NetFlow and wanted to ask you guys a few things:
How are you using NetFlow? For what purposes? Billing? Security? Do you have NetFlow enabled on all your routers? Do you enable it on all the interfaces or just on the external/internal interface? Do you utilize any tool to stitch the NetFlows back together? Why would you do that?
I guess you can tell that I was never exposed to NetFlow in the ISP world. Any answers or comments are really appreciated.
Thanks
-raffy
-- Raffael Marty, GCIA, CISSP Senior Security Engineer @ ArcSight Inc. _______________________________________________ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog