NetFlow
Last updated
Last updated
Cisco NetFlow services provide network administrators with IP flow information from their data networks.
Network elements (routers and switches) gather flow data and export it to collectors.
Captures data from ingress (incoming) and/or egress (outgoing) packets.
Collects statistics for IP-to-IP and IP-to-MPLS packets.
A flow is defined as a unidirectional sequence of packets with some common properties that pass through a network device.
A flow is identified as the combination of the following key fields:
Source IP address, Destination IP address, Source port number, Destination port number, Layer 3 protocol type, Type of service (ToS), and Input logical interface.
These collected flows are exported to an external device, the NetFlow collector.
Network flows are highly granular.
For example, flow records include details such as IP addresses, packet, and byte counts, timestamps, Type of Service (ToS), application ports, input and output interfaces, autonomous system numbers, etc.
NetFlow has three major versions: v1, v5, and v9.
v1 is only recommended for legacy devices without support for v5 or v9.
V1 and v5, do not support IPv6 flows.
NetFlow v1/v5 packets are UDP/IP packets with a NetFlow header and one or more NetFlow data Records.
NetFlow v9 packets are UDP/IP packets with a NetFlow header, one or more Template FlowSets (may be suppressed, if sent previously), one or more Data FlowSets, and, optionally, an Options Template and Data Record.
Used to characterize users/services in terms of the amount of traffic.
Users/Groups (overall or per-app) → Applied in (V)LAN interfaces.
Services → Applied to data-center interfaces.
Used to characterize traffic destinations (to egress points) from a specific ingress point in a network: traffic matrices.
Ingress/Egress points may be:
Network access links (distribution layer L3SW, Internet access routers, user VPN server links),
Network core border links (core border routers),
BGP peering links (AS Border routers).
Used to characterize “in-network” routing.
Complex to implement and process.
Interfaces to monitor depend on the objective:
Traffic matrix inference – all core border interfaces.
User/group flow generation inference - access interface from user/group.
Egress vs. Ingress monitoring:
Traffic matrix inference – ingress OR egress.
User/group flow generation inference – both directions.
IPFIX is very similar to NetFlow v9.
Uses version 10 in a similar header.
Also has Templates and Data Records.
Also has Options Templates and Options Data Records.
IPFIX made provisions for NetFlow v9 and added support for it.
IPFIX lists an overview of the “Information Element identifiers” that are compatible with the “field types” used by NetFlow v9.
IPFIX has more file types than the ones defined for NetFlow v9.
Also allows a vendor ID to be specified which a vendor can use to export proprietary/generic information.
IPFIX allows for variable length fields.
Useful to export variable size strings (e.g., URLs).
NetFlow v9 extension “Flexible NetFlow” aims to be equally flexible as IPFIX.