IC SunsetThe developerWorks Connections platform will be sunset on December 31, 2019. On January 1, 2020, this community and its apps will no longer be available. More details available on our FAQ.
Topic
  • 6 replies
  • Latest Post - ‏2015-06-26T10:04:29Z by Naveed Anjum Sadiq
Asadz
Asadz
8 Posts

Pinned topic Difference in license limit use for netflows versus Qflow

‏2014-07-08T12:38:29Z |

In the offical BOQ it says...."25,000 (50,000 NetFlows". I want to know that I'm already getting span traffic which is around 400 fpm at its peak which equates to about 20k I have a live switch from which I want to get netflows traffic as well layer 4 only, before I point /export nflows I want to know does the value 50,000 netflows are dedicated for nflows traffic only.?

 

Please help clarify. thanks.

  • Asadz
    Asadz
    8 Posts

    Re: Difference in license limit use for netflows versus Qflow

    ‏2014-07-08T12:47:00Z  

    also the device in use is 3124 AIO.

  • JonathanPechtaIBM
    JonathanPechtaIBM
    12 Posts

    Re: Difference in license limit use for netflows versus Qflow

    ‏2014-07-09T13:49:54Z  
    • Asadz
    • ‏2014-07-08T12:47:00Z

    also the device in use is 3124 AIO.

    Asadz,

     

    I'm not exactly sure what the BOQ is actually, but it sounds like you are licensed for 25,000 flows/minute. Typically NetFlow (v9) will include an ingress (inbound traffic to an interface with source info) and egress (outbound traffic to an interface with destination info). This is sent as two individual pieces of data to QRadar, but the data is combined in to a single flow record that captures both sides of the communication. So, saying that you have 50,000 NetFlows is somewhat misleading I think, as QRadar will combine the data as a single flow. You are still licensed for 25,000 flows, regardless of type (QFlow, NetFlow, JFlow, SFlow, etc).

     

    I recently wrote an article on flow licensing in general, which you might also want to take a look at. I don't cover NetFlow in particular, but it does talk about licensing in general as it relates to flows.

     

    http://www-01.ibm.com/support/docview.wss?uid=swg21676986

     

    Hope this helps...

     

  • Asadz
    Asadz
    8 Posts

    Re: Difference in license limit use for netflows versus Qflow

    ‏2014-07-09T14:21:20Z  

    Asadz,

     

    I'm not exactly sure what the BOQ is actually, but it sounds like you are licensed for 25,000 flows/minute. Typically NetFlow (v9) will include an ingress (inbound traffic to an interface with source info) and egress (outbound traffic to an interface with destination info). This is sent as two individual pieces of data to QRadar, but the data is combined in to a single flow record that captures both sides of the communication. So, saying that you have 50,000 NetFlows is somewhat misleading I think, as QRadar will combine the data as a single flow. You are still licensed for 25,000 flows, regardless of type (QFlow, NetFlow, JFlow, SFlow, etc).

     

    I recently wrote an article on flow licensing in general, which you might also want to take a look at. I don't cover NetFlow in particular, but it does talk about licensing in general as it relates to flows.

     

    http://www-01.ibm.com/support/docview.wss?uid=swg21676986

     

    Hope this helps...

     

    Sorry for not explaining enough. BOQ stands for 'A bill of quantities' its part of the procurement process the actual items on which the organization is billed.

    So, flows for any matters are all licensed there is no unlicensed part like I was thinking for layer 7 capability the customer is acquire to purchase a license but for normal flows meaning layer 4 there is no restriction on license.  

    In that manner adding netflow sources from router would have an impact on base-license for device in case e.g 25k?

    Thanks.

  • JonathanPechtaIBM
    JonathanPechtaIBM
    12 Posts

    Re: Difference in license limit use for netflows versus Qflow

    ‏2014-07-09T19:31:19Z  
    • Asadz
    • ‏2014-07-09T14:21:20Z

    Sorry for not explaining enough. BOQ stands for 'A bill of quantities' its part of the procurement process the actual items on which the organization is billed.

    So, flows for any matters are all licensed there is no unlicensed part like I was thinking for layer 7 capability the customer is acquire to purchase a license but for normal flows meaning layer 4 there is no restriction on license.  

    In that manner adding netflow sources from router would have an impact on base-license for device in case e.g 25k?

    Thanks.

    Correct, there are no unlicensed portion of flows, for any layer or format. All communication is counted, but as I mentioned and some formats are combined to create records as mentioned with NetFlow v9 above. It does not matter if the flow data contains payloads or not, as we still generate flow records for the communication. Any NetFlow exports you add to your deployment would count towards your 25,000 flows per minute license.

     

    Hope this helps...

     

    Note: The next QRadar open mic we are doing are specifically around flows and answer flow questions. I have a pinned post at the top of this forum (Network Surveillance, Sentries & Flows) if you have other specific questions.

  • Asadz
    Asadz
    8 Posts

    Re: Difference in license limit use for netflows versus Qflow

    ‏2014-07-09T19:40:55Z  

    Correct, there are no unlicensed portion of flows, for any layer or format. All communication is counted, but as I mentioned and some formats are combined to create records as mentioned with NetFlow v9 above. It does not matter if the flow data contains payloads or not, as we still generate flow records for the communication. Any NetFlow exports you add to your deployment would count towards your 25,000 flows per minute license.

     

    Hope this helps...

     

    Note: The next QRadar open mic we are doing are specifically around flows and answer flow questions. I have a pinned post at the top of this forum (Network Surveillance, Sentries & Flows) if you have other specific questions.

    Thanks for clearing it out. Yes I would see what  I can ask related to flows in upcoming Qradar open mic discussion. Nice of you to mention it over here in this discussion.

    Also, may I know when the recording from previous session be available to us on this forum?

    thanks.

  • Naveed Anjum Sadiq
    Naveed Anjum Sadiq
    2 Posts

    Re: Difference in license limit use for netflows versus Qflow

    ‏2015-06-26T10:04:29Z  

    Asadz,

     

    I'm not exactly sure what the BOQ is actually, but it sounds like you are licensed for 25,000 flows/minute. Typically NetFlow (v9) will include an ingress (inbound traffic to an interface with source info) and egress (outbound traffic to an interface with destination info). This is sent as two individual pieces of data to QRadar, but the data is combined in to a single flow record that captures both sides of the communication. So, saying that you have 50,000 NetFlows is somewhat misleading I think, as QRadar will combine the data as a single flow. You are still licensed for 25,000 flows, regardless of type (QFlow, NetFlow, JFlow, SFlow, etc).

     

    I recently wrote an article on flow licensing in general, which you might also want to take a look at. I don't cover NetFlow in particular, but it does talk about licensing in general as it relates to flows.

     

    http://www-01.ibm.com/support/docview.wss?uid=swg21676986

     

    Hope this helps...

     

    Hi Jonathan,

    The document referred in this article is no more accessible, can you please share the fresh (working) link.

    Regards,