NMS Topic : NetFlow

NetFlow began its life as a routing technique similar to Fast Switching or CEF. It has since evolved to become a useful accounting technology.

Cisco NetFlow consists of three components:

  1. Network traffic analysis and collection (performed on a network element)
  2. Flow record export (network device sends the records to a ‘collector’)
  3. Flow analysis (automated or performed by humans at an NMS console)

Flow records contain any number of KEY fields, including

  1. Source/destination IP address
  2. Protocol and Port
  3. ToS values

NetFlow has gone through several revisions, but the most popular ones are:

  1. version 5 – probably the most widely deployed version
  2. version 8 – specific to the Catalyst 6500
  3. version 9 – this is the version you should be deploying

For those of you looking for an IETF standard, the IPFIX working group used the version 9 architecture as a starting point.

What NetFlow is:

You can use NetFlow to help you with Traffic Engineering, security analysis, and billing. Since it is low cost (free on Cisco devices), you can more easily deploy NetFlow than external RMON probes.

What NetFlow is not:
NetFlow is not a replacement for a protocol analyzer. Think of NetFlow as a “phone bill” for your network. You are less concerned with the details of a particular conversation, but you are concerned with who talked with whom, and how long the conversation lasted (the cost). NetFlow Data Export (NDE) rides UDP, so it is susceptible to the same problems as other UDP applications.

Under what circumstances would you deploy NetFlow, and what design considerations do you need to keep in mind?

Engine (Record Generator) Placement
Try to minimize the amount of duplicate records. Configure NetFlow accounting on ingress and egress interfaces. It is usually not necessary or desirable to configure NetFlow on transit devices.

Record Collector Placement
Place the collectors as close to the sources as possible.
You could use Anycast as a collection mechanism, with an out-of-band backhaul to a central management station.
Keep in mind the UDP nature of export.
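As an added example (not from the original post), here is a small Python decoder for the NetFlow v5 export format mentioned above. It builds the “phone bill” view from the key fields and uses the header's flow_sequence counter to notice flows lost on the UDP export path, the caveat raised in the collector-placement notes. The datagrams it decodes are constructed inline, and the helper names are my own.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format (network byte order): 24-byte header, then up to 30 fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
HEADER_FIELDS = ("version count sys_uptime unix_secs unix_nsecs flow_sequence "
                 "engine_type engine_id sampling").split()
RECORD_FIELDS = ("srcaddr dstaddr nexthop input output dpkts doctets first last "
                 "srcport dstport pad1 tcp_flags prot tos src_as dst_as "
                 "src_mask dst_mask pad2").split()

def parse_v5(datagram):
    """Decode one export datagram into (header dict, list of record dicts)."""
    header = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram)))
    if header["version"] != 5 or not 1 <= header["count"] <= 30:
        raise ValueError("not a well-formed NetFlow v5 datagram")
    if len(datagram) != V5_HEADER.size + header["count"] * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(header["count"]):
        rec = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)))
        for k in ("srcaddr", "dstaddr", "nexthop"):
            rec[k] = socket.inet_ntoa(rec[k])  # 4 raw bytes -> dotted quad
        records.append(rec)
    return header, records

def lost_flows(expected, header):
    """flow_sequence counts flows exported so far, so the next datagram from an engine
    should start at flow_sequence + count; a jump means UDP export loss. `expected` maps
    (engine_type, engine_id) -> next expected sequence and is updated in place."""
    engine, seq = (header["engine_type"], header["engine_id"]), header["flow_sequence"]
    lost = max(0, seq - expected.get(engine, seq))
    expected[engine] = seq + header["count"]
    return lost

def phone_bill(records):
    """The 'phone bill' view: who talked to whom, how much, and for how long."""
    bill = defaultdict(lambda: [0, 0, 0])  # [octets, packets, duration_ms]
    for r in records:
        entry = bill[(r["srcaddr"], r["dstaddr"], r["prot"], r["dstport"])]
        entry[0] += r["doctets"]; entry[1] += r["dpkts"]; entry[2] += r["last"] - r["first"]
    return dict(bill)

def sample_datagram(seq, flows):
    """Constructed test datagram (not real router output); flows are
    (src, dst, dstport, packets, octets, duration_ms) tuples, all TCP from port 40000."""
    body = b"".join(V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0", 1, 2,
                                   pk, oc, 1000, 1000 + ms, 40000, dp, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
                    for s, d, dp, pk, oc, ms in flows)
    return V5_HEADER.pack(5, len(flows), 60000, 1700000000, 0, seq, 0, 0, 0) + body
```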

NetFlow resources:

Flexible NetFlow Whitepaper


352-001

Sorry I’ve not posted anything recently: I’ve been studying intently for 352-001. It must have worked out because I passed the qualification today. First attempt.

Here’s what I need to work on:

QoS is definitely my weakest area. I think it’s probably good to revisit my original plan of taking and passing 642-642.

I am also weak in Management. Unfortunately there’s not a good test to study for this, so I’m going to at least begin by reading Network Management Fundamentals.

I will also need to more intensely study the variety of MPLS offerings available. It opens up a whole new area of service provisioning.
