For large, geographically distributed networks there are several ways to deploy FastNetMon.
The simplest option is to deploy a single central FastNetMon instance in a location that is well interconnected with all of your remote PoPs and to send network telemetry from every site to it.
In this case we recommend using private connectivity and encrypted links to deliver the network telemetry, as it carries very sensitive information. You will also need to maintain BGP sessions with the remote locations, which can be challenging under network congestion, and congestion is very likely during a DDoS attack.
We recommend running an individual FastNetMon instance in each Data Center / PoP to avoid any dependency on external connectivity, which may be interrupted by an attack. This approach offers the best guarantees for DDoS detection and extremely fast attack detection. In addition, it keeps network telemetry traffic local and helps avoid potential leaks of sensitive information.
Our licensing is built with this deployment option in mind: licenses starting from 40G allow multiple individual instances. To verify your bandwidth use for licensing purposes we aggregate traffic from all instances and then apply the limits; this is implemented using our very flexible online licensing approach.
With individual installations of FastNetMon, each site has completely independent visibility into its own network segment, and DDoS detection at a site sees only the traffic of that particular PoP.
For some attack types it may be beneficial to have a global overview of traffic from all sites. This is particularly useful for networks that deploy BGP anycast and announce the same prefixes from multiple locations, where counting the traffic of those prefixes across all PoPs is very valuable. To implement this, you can send copies of the network telemetry to the local FastNetMon instance using your device's capabilities, or you can use FastNetMon's own protocol for that purpose.