Sensor Type Recommendation
Deep visibility or enforcement software agents provide the best signals to the Secure Workload client-server classification algorithms, and deploying them is encouraged. These agents collect all the signals needed to drive correct client-server classification. If deep visibility or enforcement agents cannot be deployed on a few workloads, it is recommended to use ERSPAN sensors for those workloads and to stop there for automatic policy discovery. Secure Workload assists as best it can, and we are continuously improving our heuristics algorithms based on feedback.
When correct client-server direction information is not available, Secure Workload uses user-defined overrides or heuristics to infer what the direction may have been. Heuristics by definition do not guarantee 100% accuracy; the accuracy varies with the type of sensor used and the conditions under which it was used.
The following is the recommended order of sensor types for client-server decisions in policy generation use cases:
- Deep visibility or enforcement agents: For best results, use Software Sensors (deep visibility or enforcement agents). Traffic flows that started before the sensor was started are processed by the heuristics discussed below.
- ADC sensors like F5/Citrix/... agents: These agents gather the client-server state from the ADC devices and stream that source of truth to Secure Workload.
- ERSPAN sensors: With an ERSPAN sensor, the user must provide full visibility of the traffic to and from the workload in question and make sure the ERSPAN sensor sees all the spanned traffic. The ERSPAN sensor must also not be oversubscribed, so that its visibility into the workload's network communication is not impaired. Furthermore, the user must ensure that packet drops for ERSPAN sensors are kept to a minimum. The operator will not see process information alongside the network flow information for automatic policy discovery.

While using the NetFlow sensor listed below, the user has to sign up for a lot more manual work on policy analysis and on generating exception rules. Secure Workload makes extensive use of heuristics, which by definition are not 100% accurate.

- NetFlow sensor: NetFlow provides sampled and aggregated flow data. The aggregation and sampling processes lose client-server direction information, which impacts automatic policy discovery and policy generation results and makes the problem harder. NetFlow data is excellent for high-level visibility. Secure Workload has to fall back to heuristics which, when incorrect, require more manual work on the operator's part, such as defining exception rules for Secure Workload. NetFlow data also misses some of the short flows, and the signal quality depends on the device producing the NetFlow data. We recommend using NetFlow with Secure Workload for specialized use cases such as stitching flows through L3/L4 NAT devices like Application Delivery Controllers (or Server Load Balancers), to give Secure Workload visibility into which flow is related to which other flow.
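The following added example (not Secure Workload code) illustrates why the NetFlow item above ends in exception rules: an agent that saw the TCP handshake knows the initiator, whereas a pair of unidirectional NetFlow records does not, so direction has to be guessed. The lower-destination-port rule used here is an assumed, illustrative heuristic, not the product's algorithm, and the addresses and ports are constructed.

```python
from dataclasses import dataclass

@dataclass
class AgentFlow:
    """Connection as a deep-visibility agent reports it: the agent saw the
    TCP handshake on the host, so the initiator is known, not guessed."""
    src: str
    sport: int
    dst: str
    dport: int
    initiator: str

@dataclass
class NetFlowRecord:
    """One unidirectional NetFlow record. Cumulative TCP flags carry SYN|ACK
    on both halves of a completed connection and sampling may drop the
    handshake, so nothing in the record says which side initiated."""
    src: str
    sport: int
    dst: str
    dport: int

# Policies are (consumer, provider, service port) tuples.

def policy_from_agent(flow: AgentFlow) -> tuple:
    """Ground truth: the initiator is the consumer, the other side provides."""
    if flow.initiator == flow.src:
        return (flow.src, flow.dst, flow.dport)
    return (flow.dst, flow.src, flow.sport)

def policy_from_netflow(fwd: NetFlowRecord, rev: NetFlowRecord) -> tuple:
    """Assumed heuristic (illustrative, not Secure Workload's algorithm): the
    half with the lower destination port is the one sent towards the service."""
    to_service = min((fwd, rev), key=lambda r: r.dport)
    return (to_service.src, to_service.dst, to_service.dport)

def needs_exception_rule(flow: AgentFlow, fwd: NetFlowRecord, rev: NetFlowRecord) -> bool:
    """True when the NetFlow-derived policy contradicts the agent's ground
    truth, i.e. the operator would have to write a manual override."""
    return policy_from_agent(flow) != policy_from_netflow(fwd, rev)

# Constructed sample connections; addresses and ports are made up.
HTTPS = (AgentFlow("10.0.0.5", 50000, "10.0.1.9", 443, initiator="10.0.0.5"),
         NetFlowRecord("10.0.0.5", 50000, "10.0.1.9", 443),
         NetFlowRecord("10.0.1.9", 443, "10.0.0.5", 50000))
# A custom service on a high port, reached from a lower ephemeral client port.
HIGH_PORT_APP = (AgentFlow("10.0.0.5", 40000, "10.0.1.9", 60000, initiator="10.0.0.5"),
                 NetFlowRecord("10.0.0.5", 40000, "10.0.1.9", 60000),
                 NetFlowRecord("10.0.1.9", 60000, "10.0.0.5", 40000))
```

For the HTTPS case both methods agree; for the high-port service the heuristic reverses consumer and provider, which is exactly the kind of result an operator has to correct with an exception rule.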
More details of the client-server direction analysis follow.