NetFlow began its life as a routing technique similar to Fast Switching or CEF. It has since evolved to become a useful accounting technology.
Cisco NetFlow consists of three components:
- Network traffic analysis and collection (performed on a network element)
- Flow record export (network device sends the records to a ‘collector’)
- Flow analysis (automated or performed by humans at an NMS console)
Flow records contain any number of KEY fields, including:
- Source/destination IP address
- Protocol and Port
- ToS values
NetFlow has gone through several revisions, but the most popular ones are:
- version 5 – probably the most widely deployed version
- version 8 – specific to the Catalyst 6500
- version 9 – this is the version you should be deploying
For those of you looking for an IETF standard, the IPFIX working group used the version 9 architecture as a starting point.
What NetFlow is:
You can use NetFlow to help you with Traffic Engineering, security analysis, and billing. Since it is low cost (free on Cisco devices), you can more easily deploy NetFlow than external RMON probes.
What NetFlow is not:
NetFlow is not a replacement for a protocol analyzer. Think of NetFlow as a “phone bill” for your network. You are less concerned with the details of a particular conversation, but you are concerned with who talked with whom, and how long the conversation lasted (the cost). NetFlow Data Export (NDE) rides UDP, so it is susceptible to the same problems as other UDP applications.
Under what circumstances would you deploy NetFlow, and what design considerations do you need to keep in mind?
Engine (Record Generator) Placement
Try to minimize the number of duplicate records. Configure NetFlow accounting on ingress and egress interfaces. It is usually not necessary or desirable to configure NetFlow on transit devices.
Record Collector Placement
Place the collectors as close to the sources as possible.
You could use Anycast as a collection mechanism, with an out-of-band backhaul to a central management station.
Keep in mind the UDP nature of export.
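Because export rides UDP, a collector never gets a retransmission, but it can measure what it missed: each version 5 export header carries a running count of flow records (flow_sequence), so a jump between consecutive datagrams is the number of records lost. The Python below is an added example, not code from the original article or from Cisco; it parses v5 datagrams into the key fields listed earlier and tracks that counter per exporter. The function and class names, the exporter address and the sample flows are constructed for illustration, and it assumes datagrams from one exporter arrive in order, so a sequence that goes backwards is treated as an exporter reload.

```python
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte flow record

def parse_v5(datagram):
    """Return (header, flows) for one NetFlow v5 export datagram."""
    if len(datagram) < V5_HEADER.size or datagram[:2] != b"\x00\x05":
        raise ValueError("not a NetFlow v5 export datagram")
    _, count, _, _, _, seq, etype, eid, _ = V5_HEADER.unpack_from(datagram)
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length does not match the header's record count")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "packets": f[5], "octets": f[6], "sport": f[9],
                      "dport": f[10], "proto": f[12], "tos": f[13]})
    return {"count": count, "seq": seq, "engine": (etype, eid)}, flows

class LossTracker:
    """Counts flow records that never arrived, per exporter and engine."""
    def __init__(self):
        self.expected, self.lost = {}, 0
    def observe(self, exporter, header):
        key = (exporter, header["engine"])
        gap = (header["seq"] - self.expected.get(key, header["seq"])) % 2**32
        if gap >= 2**31:   # sequence went backwards: assume exporter reload, resync
            gap = 0
        self.lost += gap
        self.expected[key] = (header["seq"] + header["count"]) % 2**32
        return gap

def build_v5(seq, flows):
    """Constructed sample input; flow = (src, dst, sport, dport, proto, tos, pkts, octets)."""
    body = b"".join(V5_RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed, bytes(4),
                                   0, 0, pk, oc, 0, 0, sp, dp, 0, pr, tos, 0, 0, 0, 0)
                    for s, d, sp, dp, pr, tos, pk, oc in flows)
    return V5_HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, 0) + body

def demo():
    """Constructed exporter sends seq 100, 101 (2 records), 103; the middle one is dropped."""
    flow = ("192.0.2.10", "198.51.100.7", 51000, 443, 6, 0, 12, 9000)
    tracker = LossTracker()
    for dgram in (build_v5(100, [flow]), build_v5(103, [flow])):
        header, flows = parse_v5(dgram)
        tracker.observe("192.0.2.1", header)
    return tracker.lost, flows[0]
```

A steadily rising loss count for one exporter is a sign that the collector sits too far from the source or that the export path is congested.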