NetFlow, the most widely used standard for flow data statistics, was developed by Cisco to monitor and record all traffic as it passes into or out of an interface. NetFlow analyzes the flow data it collects to provide visibility into traffic flow and volume, and to track where traffic is coming from, where it's going, and how much traffic is being generated at any time. The recorded information can be used for usage monitoring, anomaly detection, and various other network management tasks.
The first NetFlow format was supported in all the initial NetFlow releases. Versions 2, 3, and 4 were only available as internal releases. NetFlow v5 is the most popular version and is still supported by many router brands. NetFlow v5 has a fixed packet format, which makes NetFlow traffic monitoring and reporting easier, since the contents of each packet are quickly identifiable. Version 5 added several enhancements, such as BGP AS information and flow sequence numbers.
Although versions 7 and 8 had a few enhancements, they're no longer in use. Meanwhile, NetFlow version 9 is slowly gaining popularity. NetFlow v9 has a dynamic packet format and supports Flexible NetFlow (FNF), which makes it far more adaptable. IPFIX, often referred to as NetFlow v10, builds on NetFlow v9 for most of its features and is essentially an industry-standardized version of it.
Cisco NetFlow includes the following components:
An IP flow is a group of packets that share a specific set of IP packet attributes, and each packet that a switch or router forwards carries the following information:
The NetFlow cache is a database of condensed information derived from data generated after monitoring and grouping the IP packets.
Flows are grouped into export flow datagrams and are exported using User Datagram Protocol (UDP), which a flow collector receives and processes.
There are two methods for accessing NetFlow data: using a CLI or a NetFlow collector. A NetFlow collector or NetFlow traffic analyzer is a reporting server that collects and analyzes traffic data for easier troubleshooting. It's either a hardware device or a software program.
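The collector side of the v5 export path described above, as an added example that is not code from the page or from any NetFlow product: it parses the fixed-format v5 header and records out of a UDP export datagram, rejects datagrams whose record count does not match their length, uses the flow sequence number to detect export loss (UDP gives no delivery guarantee), and produces the "top users" by bytes. The field names and the sample datagram are constructed here; only the standard v5 byte layout is assumed.

```python
import struct
import socket
from collections import Counter
# NetFlow v5 fixed layout: 24-byte header followed by up to 30 records of 48 bytes each.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dpkts",
                 "doctets", "first", "last", "srcport", "dstport", "pad1", "tcp_flags",
                 "prot", "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")

def parse_v5(datagram):
    """Parse one v5 export datagram into (header dict, list of record dicts)."""
    hdr = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if hdr["version"] != 5:
        raise ValueError("not a NetFlow v5 datagram: version %d" % hdr["version"])
    # Never trust the count field blindly: check it against the actual UDP payload length.
    if hdr["count"] > 30 or len(datagram) != V5_HEADER.size + hdr["count"] * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(hdr["count"]):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        records.append(rec)
    return hdr, records

def expected_next_sequence(header):
    """flow_sequence counts records exported so far; a higher value in the next datagram means loss."""
    return header["flow_sequence"] + header["count"]

def top_talkers(records, n=3):
    """Bytes per source address, descending: the 'top users' view a collector reports."""
    totals = Counter()
    for rec in records:
        totals[rec["srcaddr"]] += rec["doctets"]
    return totals.most_common(n)

def build_record(src, dst, sport, dport, prot, pkts, octets):
    """Constructed record, used only to assemble the sample datagram below."""
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4, 1, 2,
                          pkts, octets, 1000, 2000, sport, dport, 0, 0x18, prot, 0, 0, 0, 24, 24, 0)

# Constructed sample datagram: sequence 42, three flows (two HTTPS, one DNS), documentation addresses.
SAMPLE = (V5_HEADER.pack(5, 3, 123456, 1700000000, 0, 42, 0, 0, 0)
          + build_record("10.0.0.5", "192.0.2.10", 51234, 443, 6, 10, 15000)
          + build_record("10.0.0.7", "192.0.2.10", 51235, 443, 6, 4, 600)
          + build_record("10.0.0.5", "198.51.100.53", 40000, 53, 17, 1, 70))
```

In a real deployment the same parser runs on each datagram read from the collector's UDP socket, and a jump in `flow_sequence` beyond `expected_next_sequence` of the previous datagram is the signal that export packets were dropped.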
NetFlow data can be used for several network management tasks, such as:
Monitoring: Monitor your network, track in and out traffic, and identify top users.
Capacity planning: Track network usage to assess future bandwidth requirements.
Security analysis: Detect changes in network behavior to identify network anomalies. Use this data as a valuable forensic tool to understand and replay the history of security incidents so your security teams can learn from them.
Troubleshooting: Diagnose and troubleshoot network slowdowns, bandwidth hogs, and traffic spikes. Use reporting tools to quickly understand network pain points.
Validation of QoS parameters: Ensure appropriate bandwidth allocation to each Class of Service (CoS) so that no critical CoS is under-subscribed.
SNMP is one of the oldest and most efficient protocols for bandwidth monitoring. While SNMP is the most relevant option for real-time monitoring, only NetFlow can tell you what your network is being used for and by whom. NetFlow suits complex, high-traffic networks as well as anomaly detection.
NetFlow Analyzer, our flow-based network management software, integrates NetFlow, sFlow, jFlow, IPFIX, and various other flow formats to provide real-time visibility into network traffic and bandwidth performance. NetFlow Analyzer helps you diagnose and troubleshoot network slowdowns and anomalies, as well as plan your future bandwidth needs, with its detailed reports. Download a free trial of our real-time NetFlow analysis tool now!
- Raul Borges
Network Administrator at Praxair