Hello,
I am (was) using Traffic Flow for DDoS Detection and Graphing for some part of my network. It looks like Traffic Flow does not work when the traffic is offloaded. I tried several ACL rules to at least copy a specific amount of packets to the CPU, but it does not seem to work.
For logging and graphing I switched back to SNMP but for DDoS detection I am looking for workarounds or alternative solutions. Is there any workaround or method you would suggest?
I was planning to mirror a switch port to another and capture flow from there as a workaround, but since I use LACP (1x100 and 4x25G link) for uplink I don't know what to do.
Thanks in advance for suggestions.
*Edit: Some details about my network:
65-70 Gbps of traffic in peak times
2 x 100G Uplink to my CCR2216 -- 1x100G, 4x25 Gbps bonded using LACP mode. Entire traffic is offloaded, no NAT/Firewall. Only several BGP sessions are up. 1x100G traffic goes to my CRS518 that handles distribution to other parts of my network (to my enterprise customers, to my internal network (firewall, BNG etc.)). So I have no chance to mirror my traffic as a workaround :/