Forwarding of Netflow, Syslog and SNMP Traps

Many network devices limit the number of destinations that they can send Netflow, Syslog or SNMP Traps to, typically due to hardware or software resource limitations. This can be a big problem for many network administrators because they usually need to send the same data to multiple network management platforms.

A simple solution is to install a forwarder, sometimes referred to as a Fanout or Replicator. The forwarder spoofs the original source packet and sends it to multiple destinations. AKIPS has a built-in facility to forward Netflow, Syslog and SNMP Traps to 10 different IPv4 destinations.

The following diagram shows packets (e.g. syslog) being sent from Router A to AKIPS, which then retransmits those packets using a source IP address of Router A to multiple syslog servers. The contents of the data are not modified in any way. As far as the syslog servers are concerned, the packets came directly from Router A.

In the following example, the spoofed packets may be blocked by the router due to route poisoning or by firewall filter rules.
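A pre-deployment check for the situation described above, as an added example that is not AKIPS code: it models one router between the forwarder and a syslog server and reports whether a copy carrying Router A's source address would get through. The topology, addresses, interface names, the filter list and the strict reverse-path check are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed topology (an assumption, not from the page): the router between
# the forwarder and one syslog server, as (prefix, interface) routes.
ROUTES = [
    ("10.1.0.0/16", "ge-0/0/1"),  # towards Router A's site
    ("10.9.0.0/24", "ge-0/0/2"),  # management LAN where the forwarder sits
    ("0.0.0.0/0", "ge-0/0/0"),    # default route
]
# Constructed ingress filter on the management LAN interface.
ALLOWED_SOURCES = ["10.9.0.0/24"]


def best_route_interface(routes, address):
    """Longest-prefix match: interface the router would use to reach address."""
    addr = ipaddress.ip_address(address)
    matches = [
        (ipaddress.ip_network(prefix), interface)
        for prefix, interface in routes
        if addr in ipaddress.ip_network(prefix)
    ]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forwarded_copy_verdict(routes, allowed_sources, source_ip, ingress_interface,
                           strict_rpf=True):
    """Decide what the router does with a packet carrying source_ip that
    arrives on ingress_interface."""
    # Strict reverse-path check: the source must be reachable via the ingress interface.
    if strict_rpf and best_route_interface(routes, source_ip) != ingress_interface:
        return "dropped: reverse-path check"
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in ipaddress.ip_network(n) for n in allowed_sources):
        return "dropped: filter rule"
    return "forwarded"


if __name__ == "__main__":
    # Copy of Router A's syslog (source 10.1.4.1) re-sent from the management LAN.
    print(forwarded_copy_verdict(ROUTES, ALLOWED_SOURCES, "10.1.4.1", "ge-0/0/2"))
    # Same copy with the reverse-path check off: the filter rule still applies.
    print(forwarded_copy_verdict(ROUTES, ALLOWED_SOURCES, "10.1.4.1", "ge-0/0/2",
                                 strict_rpf=False))
```

A "forwarded" verdict for every hop between the forwarder and each destination means the copies will arrive with Router A's address intact; any "dropped" verdict identifies the route or filter entry that needs an explicit exception for the forwarder's interface.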

Syslog Forwarding

Some vendors also offer a completely non-standard alternative to packet address spoofing. They modify the contents of the original message by adding the IP address or hostname of the original source.

The problem is, there is no published and accepted standard for this method, and every vendor implements it in a different way.