FastNetMon multi PoP / Data Centre deployment options

For large, geographically distributed networks, there are several options for running FastNetMon.

The simplest option is to deploy a single central instance of FastNetMon in a location which is well interconnected with all your remote PoPs and send network telemetry traffic to it.

In this case, we recommend using private connectivity and encrypted lines to deliver network telemetry, as it carries very sensitive information. You will also need to maintain BGP connections with the remote locations, which may be challenging during network congestion, and congestion is very likely to happen during DDoS attacks.

We recommend running an individual FastNetMon instance in each Data Centre/PoP to avoid dependency on external connectivity, which may be interrupted by an attack. This approach offers the best guarantees about DDoS detection and extremely fast attack detection. In addition, it keeps network telemetry traffic local and helps to avoid potential leaks of sensitive information.

Our licensing is built with this deployment option in mind, and our licenses starting from 40G allow multiple individual instances. To verify your bandwidth use for licensing purposes, we aggregate traffic from all instances and then apply limits. It is implemented using our very flexible online licensing approach.

With individual installations of FastNetMon, each site has completely independent visibility into its own network segment, and DDoS detection at that site sees only traffic from that particular PoP.

For some attack types, it may be beneficial to have a global overview of traffic from all sites. This can be useful for networks which deploy BGP anycast and announce the same prefixes from multiple locations, where it may be very useful to count traffic for those prefixes across all PoPs. To implement it, you may send copies of network telemetry to a local instance of FastNetMon using the device’s capabilities, or you can use FastNetMon’s own protocol for that purpose.
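The following added illustration (not FastNetMon code or configuration) shows why the global view matters for anycast prefixes: traffic to one prefix stays under a threshold at every PoP but exceeds it once summed across PoPs. The prefixes, the 1000 Mbit/s threshold and the telemetry samples are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Hypothetical monitored prefixes and threshold (documentation address ranges).
PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
THRESHOLD_MBPS = 1000

# Constructed telemetry summaries: (PoP, destination IP, Mbit/s).
# 192.0.2.0/24 is announced from three PoPs (anycast); 198.51.100.0/24 from one.
SAMPLES = [
    ("ams", "192.0.2.10", 400), ("ams", "192.0.2.20", 300),
    ("fra", "192.0.2.10", 450), ("fra", "192.0.2.20", 200),
    ("lon", "192.0.2.10", 500),
    ("fra", "198.51.100.5", 1200),
]

def prefix_of(ip):
    """Return the monitored prefix containing ip, or None if unmonitored."""
    addr = ipaddress.ip_address(ip)
    return next((str(net) for net in PREFIXES if addr in net), None)

def totals(samples, per_pop):
    """Sum Mbit/s per prefix, keyed by (pop, prefix) or by prefix alone."""
    out = defaultdict(int)
    for pop, ip, mbps in samples:
        prefix = prefix_of(ip)
        if prefix is not None:
            out[(pop, prefix) if per_pop else prefix] += mbps
    return dict(out)

def over_threshold(tot, threshold=THRESHOLD_MBPS):
    """Keys whose summed traffic exceeds the threshold."""
    return sorted(key for key, mbps in tot.items() if mbps > threshold)

def missed_by_local_view(samples):
    """Prefixes over threshold globally but under it at every single PoP."""
    local = {prefix for _, prefix in over_threshold(totals(samples, True))}
    return [p for p in over_threshold(totals(samples, False)) if p not in local]

if __name__ == "__main__":
    print("per-PoP alerts:", over_threshold(totals(SAMPLES, True)))
    print("global alerts: ", over_threshold(totals(SAMPLES, False)))
    print("seen only in the global view:", missed_by_local_view(SAMPLES))
```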