Tuesday, May 15, 2018

"Anycast" NetFlow

Hello Redditors,

Lately I've been thinking about an idea to provide HA to our NetFlow setup without adding more work to routers/switches. Basically I want to anycast the NetFlow collectors. Our setup has two things:

  • Elasticsearch Cluster
  • ElastiFlow machines (the actual collectors)

Basically what I want to do is make the ElastiFlow machines publish the same /32 IP via BGP or OSPF. This way NetFlow traffic gets routed to the nearest NetFlow collector, and in case there's an issue, it'll find and use another of the available collectors. This will make for some load-balancing of the NetFlow traffic so collectors don't get overloaded.

This way I also remove the need to have two feeds going to two (or more) different collectors in parallel per switch or router. ElastiFlow doesn't do any analysis on its own; it's just there to collect flows and enrich the data (using Geo/ASN information, for instance). The analysis of the data is done by other systems interacting directly with Elasticsearch.

Has anyone done this? Do you see any possible issue with my approach? Thank you!
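As an added example (not from the post, and not ElastiFlow's or ExaBGP's own code): the part of this design that needs the most care is making sure a collector stops announcing the shared /32 the moment it can no longer receive flows, otherwise the routers keep sending NetFlow into a black hole. One way to do that is an ExaBGP health-check process on each ElastiFlow host. Assumptions here: the anycast address is 10.255.0.1/32, the collector listens on UDP 2055, ExaBGP runs on each collector and starts this script as an API process, and the collector is bound to 0.0.0.0 or to the anycast address (which is also configured on the loopback). The script checks /proc/net/udp to confirm the collector socket is actually bound and prints ExaBGP text-API commands to announce or withdraw the route; the /proc/net/udp sample embedded below is constructed.

```python
"""Health-check process for an anycast NetFlow collector (ExaBGP API).

Assumed deployment (not from the post): each ElastiFlow host runs ExaBGP,
ExaBGP runs this script as a "process", and whatever this script prints on
stdout is an ExaBGP text-API command. The shared /32 is announced only while
the collector really has its UDP port bound, and withdrawn as soon as it
does not.
"""
import sys
import time

ANYCAST_PREFIX = "10.255.0.1/32"   # assumed shared service address
COLLECTOR_PORT = 2055              # assumed NetFlow port (IPFIX is usually 4739)
PROC_NET_UDP = "/proc/net/udp"     # IPv4 only; a [::]-bound collector shows in /proc/net/udp6

# In /proc/net/udp the 'st' column of a bound-but-unconnected UDP socket is 07.
# A *connected* UDP socket (st 01) is not a listener and must not count.
UDP_STATE_BOUND = "07"

# Constructed sample of /proc/net/udp: port 0x0807 = 2055 bound on 0.0.0.0,
# port 0x0035 = 53 bound on 127.0.0.1, and a connected (st 01) socket on 0xBEEF.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 1234: 00000000:0807 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 12345 2 0000000000000000 0
 1235: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 0000000000000000 0
 1236: 0100007F:BEEF 0100007F:0035 01 00000000:00000000 00:00000000 00000000  1000        0 12347 2 0000000000000000 0
"""


def parse_udp_listeners(proc_udp_text):
    """Return the set of local UDP ports that have a bound (st 07) socket.

    Column 2 is 'HEXADDR:HEXPORT' and column 4 is the socket state.
    """
    ports = set()
    for line in proc_udp_text.splitlines()[1:]:   # first line is the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != UDP_STATE_BOUND:
            continue
        try:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
        except (IndexError, ValueError):
            continue                                # malformed row: ignore, do not crash the check
    return ports


def collector_listening(port=COLLECTOR_PORT, path=PROC_NET_UDP):
    """True only if a UDP socket is currently bound to the collector port."""
    try:
        with open(path) as f:
            return port in parse_udp_listeners(f.read())
    except OSError:
        return False                                # cannot verify: treat as unhealthy


def route_command(healthy, previously_healthy, prefix=ANYCAST_PREFIX):
    """ExaBGP command to emit on a health transition, or None if nothing changed."""
    if healthy and not previously_healthy:
        return f"announce route {prefix} next-hop self"
    if not healthy and previously_healthy:
        return f"withdraw route {prefix} next-hop self"
    return None


def main(interval=2.0):
    # Start in the withdrawn state: the route goes out only after the first good check,
    # so a collector that is still starting up does not attract flows yet.
    previously_healthy = False
    while True:
        healthy = collector_listening()
        cmd = route_command(healthy, previously_healthy)
        if cmd:
            sys.stdout.write(cmd + "\n")
            sys.stdout.flush()                      # ExaBGP reads the API line by line
        previously_healthy = healthy
        time.sleep(interval)


if __name__ == "__main__":
    main()
```

In the (assumed) ExaBGP configuration this would be wired up as `process collector-check { run /usr/bin/python3 /usr/local/bin/anycast_check.py; encoder text; }` and, under the neighbor, `api { processes [ collector-check ]; }`. Keeping the poll interval short matters more here than with most anycast services: NetFlow v9 and IPFIX exporters only resend their templates periodically, so after a failover the new collector cannot decode data records until the next template refresh arrives, and every second the dead collector keeps the route announced adds to that loss.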
