How the NetFlow protocol monitors your WAN


Tom Lancaster

NetFlow began life as a switching path in Cisco routers, and as a by-product it records an extraordinary amount of information about the traffic passing through routers, switches and other network devices: who talked to whom, on which ports and protocol, through which interfaces, and how many packets and bytes were exchanged. This information has myriad uses -- from monitoring users and applications to trending and network planning. You can also do traffic engineering with it, and it is detailed enough to use for accounting and billing. Most important for some is that it can be extremely useful for diagnosing those difficult, intermittent performance problems, and it can help you sort out DDoS and worm outbreaks, where traditional tools such as interface counters are overwhelmed by tons of traffic going in all directions and cannot tell you which hosts are generating it.

To be clear, what we're talking about here is the NetFlow protocol that carries the information about your network traffic from the network devices to a server that collects and stores the data. That server is called a "NetFlow collector." Other network hardware manufacturers support the technology in various forms, and some offer competing technology -- like sFlow, which uses packet sampling rather than accounting for every packet. The current Cisco NetFlow export format is version 9, which differs from earlier versions in being template-based: the exporter describes the layout of its records in a template and then sends data records in that layout, so the collector must receive and cache the template before it can decode anything.
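Here is what a collector actually has to do with that protocol, as an added example that is not part of the original article: it assembles a constructed NetFlow version 9 export packet (a template FlowSet followed by a data FlowSet, with the field type numbers and 20-byte header layout from the version 9 specification), decodes it while honouring the rule that a data FlowSet whose template has not yet arrived must be skipped, and then runs the worm-outbreak heuristic from the first paragraph over the decoded flows: one source reaching many distinct destinations with one-packet flows. The addresses, ports, template ID and counters are constructed sample data, not a real capture.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v9 field types from the v9 specification (only the ones used here).
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}
IP_FIELDS = {8, 12}

# Constructed template 256: (type, length) pairs giving a 21-byte data record.
TEMPLATE_ID = 256
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]


def make_record(src, dst, sport, dport, proto, pkts, nbytes):
    """Encode one data record in the layout TEMPLATE describes."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!HHBII", sport, dport, proto, pkts, nbytes))


def build_packet(records, include_template=True, seq=1, source_id=7):
    """Assemble a v9 export packet: 20-byte header, optional template FlowSet
    (FlowSet ID 0), then one data FlowSet whose ID is the template ID."""
    flowsets = b""
    if include_template:
        body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
        body += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE)
        flowsets += struct.pack("!HH", 0, 4 + len(body)) + body
    data = b"".join(records)
    pad = (-(4 + len(data))) % 4                     # FlowSets are padded to 4 bytes
    flowsets += struct.pack("!HH", TEMPLATE_ID, 4 + len(data) + pad) + data + b"\0" * pad
    count = len(records) + (1 if include_template else 0)
    header = struct.pack("!HHIIII", 9, count, 120000, 1700000000, seq, source_id)
    return header + flowsets


def parse_v9(packet, templates):
    """Decode one export packet into a list of flow dicts.

    `templates` (template_id -> field list) is updated in place: v9 sends
    templates in band, so a collector must cache them across packets and can
    only skip data FlowSets whose template it has not seen yet."""
    version, _count, _uptime, _secs, _seq, _src = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    flows, offset = [], 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
        end = offset + fs_len
        if fs_len < 4 or end > len(packet):
            raise ValueError("bad FlowSet length")   # never trust the exporter's lengths
        pos = offset + 4
        if fs_id == 0:                               # template FlowSet
            while pos + 4 <= end:
                tid, nfields = struct.unpack_from("!HH", packet, pos)
                pos += 4
                if tid < 256:                        # template IDs start at 256; this is padding
                    break
                if pos + 4 * nfields > end:
                    raise ValueError("template overruns FlowSet")
                templates[tid] = [struct.unpack_from("!HH", packet, pos + 4 * i)
                                  for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:    # data FlowSet with a known template
            fields = templates[fs_id]
            rec_len = sum(l for _, l in fields)
            while rec_len and pos + rec_len <= end:  # trailing bytes < rec_len are padding
                rec = {}
                for ftype, flen in fields:
                    raw = packet[pos:pos + flen]
                    pos += flen
                    name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                    rec[name] = socket.inet_ntoa(raw) if ftype in IP_FIELDS else int.from_bytes(raw, "big")
                flows.append(rec)
        # FlowSet ID 1 (options template) and data for unknown templates are skipped.
        offset = end
    return flows


def find_scanners(flows, min_targets=5, max_pkts=2):
    """Sources reaching many distinct dst:port pairs with tiny flows: the
    worm/scan signature that interface counters alone never reveal."""
    targets = defaultdict(set)
    for f in flows:
        if f.get("in_pkts", 0) <= max_pkts:
            targets[f["src_addr"]].add((f["dst_addr"], f["dst_port"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


# Constructed sample (not a real capture): two ordinary flows plus a host
# probing TCP/445 on six neighbours with a single packet each.
SAMPLE_RECORDS = [
    make_record("10.1.1.10", "192.0.2.20", 51234, 443, 6, 412, 318000),
    make_record("10.1.1.11", "192.0.2.53", 40001, 53, 17, 2, 190),
] + [make_record("10.1.1.50", "10.2.0.%d" % i, 50000 + i, 445, 6, 1, 48)
     for i in range(1, 7)]
SAMPLE_PACKET = build_packet(SAMPLE_RECORDS)

if __name__ == "__main__":
    cache = {}
    for rec in parse_v9(SAMPLE_PACKET, cache):
        print(rec)
    print("suspect sources:", find_scanners(parse_v9(SAMPLE_PACKET, cache)))
```

The template cache is the point to notice: if the collector starts after the exporter, or loses the packet carrying the template, every data FlowSet for that template is undecodable until the exporter resends it, which is why real collectors keep the cache per exporter and source ID and why the template refresh interval matters.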

NetFlow was invented by Cisco years ago and remained proprietary for a long time, but recently the IETF has taken it up: the IP Flow Information Export (IPFIX) working group has standardized a flow export protocol based on NetFlow version 9. See the IETF's working group page for IPFIX, and there's more interesting reading in the IETF informational RFC on the subject.

Opening this standard has done two big things:

It lets non-Cisco devices send data to your NetFlow collector. Riverbed's WAN optimization appliances are an example of this. They are typically placed at the edge of the WAN, an ideal position in the network to gather critical data about WAN utilization because they see the packets before and after they're optimized. These devices can export the data in a NetFlow format.

It also lets management software vendors directly access a much more detailed source of information than the old SNMP interface counters and mini-RMON statistics, which tell you how busy a link is but not which hosts and applications are making it busy.

Implementing NetFlow

If you're considering implementing NetFlow, here are a few things to keep in mind:

NetFlow has a reputation for increasing CPU utilization on your network devices. Cisco's performance testing seems to indicate that newer hardware can accommodate this load pretty well, but you will still want to check it out before you turn on the feature: measure CPU on a representative device at peak traffic before and after enabling it, rather than on a quiet test box. Symptoms of high CPU utilization are very large jitter and increased delay, and other services running on the device, such as routing protocols, may also be affected.

Another thing to keep in mind is the amount of export data you're going to be sending across the network. Depending on how much traffic you have and how you configure it, the export traffic can be substantial, since every flow that crosses the device becomes a record on the wire. For example, you may not want to send NetFlow data from a datacenter switch to a NetFlow collector on the other side of a small WAN circuit. Also bear in mind that the exports from aggregating large numbers of devices all converge on the collector, so its link and disk have to absorb the sum. And because NetFlow is exported over UDP with no retransmission, anything dropped on a congested path is simply gone; the sequence number in the export header lets a good collector report the loss, but it cannot recover the records.
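To put numbers on that, here is a sizing estimate added here as an example (not from the original article): it packs records of a given size into MTU-limited export datagrams, adds the per-datagram IP/UDP and NetFlow v9 header overhead, and reports the export rate and its share of a circuit. The record size, flow rate, MTU and circuit speed are assumptions to be replaced with your own figures; template refreshes and padding are ignored as noise.

```python
import math

V9_HEADER = 20          # NetFlow v9 export packet header
FLOWSET_HEADER = 4      # FlowSet ID + length in front of each run of records
IP_UDP_OVERHEAD = 28    # IPv4 (20) + UDP (8) headers per datagram


def export_rate(flows_per_sec, record_bytes, mtu=1500):
    """Return (datagrams_per_sec, bits_per_sec) needed to export
    `flows_per_sec` records of `record_bytes` each without fragmentation."""
    payload = mtu - IP_UDP_OVERHEAD - V9_HEADER - FLOWSET_HEADER
    per_datagram = payload // record_bytes
    if per_datagram < 1:
        raise ValueError("record does not fit in one datagram")
    pps = math.ceil(flows_per_sec / per_datagram)
    per_packet_overhead = V9_HEADER + FLOWSET_HEADER + IP_UDP_OVERHEAD
    bytes_per_sec = flows_per_sec * record_bytes + pps * per_packet_overhead
    return pps, bytes_per_sec * 8


def circuit_share(flows_per_sec, record_bytes, circuit_bps, mtu=1500):
    """Fraction of a circuit the export stream would consume (1.0 = all of it)."""
    _, bps = export_rate(flows_per_sec, record_bytes, mtu)
    return bps / circuit_bps


if __name__ == "__main__":
    # Assumed figures: a busy edge router exporting 5,000 flows/s with
    # 48-byte records toward a collector across a 1.544 Mbit/s T1.
    pps, bps = export_rate(5000, 48)
    print("%d datagrams/s, %.2f Mbit/s" % (pps, bps / 1e6))
    print("share of T1: %.0f%%" % (100 * circuit_share(5000, 48, 1_544_000)))
```

With those assumed numbers the export alone needs about 2 Mbit/s, more than the whole T1, which is the situation the paragraph warns about; the same function tells you how far you have to reduce the flow rate (for example by sampling, or by exporting from a device nearer the collector) to fit a budget such as five percent of the circuit.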

About the author:
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years of experience in the networking industry. He is co-author of several books on networking, most recently CCSP: Secure PIX and Secure VPN Study Guide, published by Sybex.