It may have started out with Cisco, but a lot of other network management vendors are doing clever things with NetFlow data to provide traffic usage and billing statistics and reports to help you see what's going on on your network. And while you have to pay for the clever front-end report generators that managers love so much, the functionality that provides the actual data is inherent in the IOS running on most of your Cisco switches and routers (though you may need to purchase a licence for some of the larger routers), so there is no need to deploy multiple external probes.


NetFlow concepts

NetFlow used to be the name for a type of switching that ran on Cisco hardware. It is no longer used to switch packets, but it continues to read them and use the information to create cache entries showing traffic flows - what is talking to what, when they started and ended, and how much data was passed.

These entries are then exported to a NetFlow Collector, parsed, filtered, aggregated and tweaked to provide statistics on the traffic running over your network.

If NetFlow is enabled on a router, it categorises all the traffic it sees into source-to-destination flows. Packets in the same flow share the same values for each of these seven fields:

    Source IP address
    Destination IP address
    Source port number
    Destination port number
    Layer 3 protocol type
    ToS byte
    Input logical interface

If any one of these is different, that constitutes a new flow, and a separate record is kept. At regular intervals, the router packages up the records into NetFlow packets and exports them to the collector.


Information produced

Typical flow analysis information found in a NetFlow data record includes:

    Source and destination IP address
    Source and destination TCP/UDP ports
    Type of service (ToS) value
    Packet and byte counts
    Start and end timestamps
    Input and output interface numbers
    TCP flags and encapsulated protocol
    Routing information (next-hop address, source autonomous system (AS) number, destination AS number, source prefix mask, destination prefix mask)

You don't have to gather all of these, though. If all you want is source and destination IP addresses, so that you can identify top talkers and just see what the overall utilisation of your router interface is, you can configure that.


Deployment

You need to figure out where it is best to enable NetFlow. It looks at ingress traffic (except for MPLS, where you can also get egress stats to allow PE to CE traffic to be monitored), so it may be enough to enable it only on a few central routers.

Running NetFlow on a router (or switch) will also increase CPU and memory usage. Usage depends directly on the amount of traffic passing through the router, and a CPU increase of around 20% is possible if your router passes a reasonable amount of traffic.

NetFlow on remote routers will also consume bandwidth in sending stats back to a central collector. A good rule of thumb is that NetFlow traffic will amount to about 1% of the overall throughput of the router. If you think this might be an issue (eg. if the router has multiple local high speed interfaces but is limited for WAN bandwidth), you can run NetFlow aggregation on the router (more CPU but less bandwidth) or install collectors locally. The 12000 series router supports sampled NetFlow, so you can cut down the ridiculously large amount of information you would otherwise get from a fully populated device of this size.


Analysing the data

Although Cisco sells a NetFlow Collector/Analyser for producing reports, it's a bit basic. This is where the other management vendors come in. In terms of performance reporting (which applications are in use, who is talking to who, how much resources you're using), the likes of Concord Communications, Crannog Software, Infovista, and HP can all use NetFlow inputs to produce a wealth of reports, while Digiquant and Portal's billing systems also understand NetFlow data.

There are also freeware tools that can collect and report on NetFlow information, such as flow-tools. And if you're keen, it's quite possible to write your own analyser, or export the collected data into a spreadsheet or database.

If you don't have Cisco hardware, NetFlow's not of much interest to you. But if you do - and it doesn't need to be everywhere - then take a careful look at it. It can provide you with an awful lot of information just using the existing capabilities of the devices.