Transparency and the ability to see details play an essential role in the maintenance and security of networks.
It is in this context that managers can identify problems, detect incompatibilities and correct them.
Netflow is a protocol developed by Cisco that meets such goals and, while supporting more detailed data such as the type of IP service for detection, allows professionals to understand network patterns and protocol distribution.
Netflow is one of the network protocols that has been published for more than a decade, but some network experts do not know much about it.
Netflow not only allows network administrators to monitor users and applications, but also the ability to use the protocol for network process planning, performance reporting, security analysis, and data collection on how nodes interact with the network, and The amount of resource consumption used (Figure 1).
In general, a flow consists of a group of packets as part of the same exchange between two endpoints in a network.
A single stream is technically defined by a set of five data points that include the following:
- Origin and destination IP addresses
- Origin and destination ports
- protocol
figure 1
As expected, the protocol introduced by Cisco is supported by several network products manufactured by the company. The company’s IOS-XR routers use software that runs on the main processor.
The IOS XR operating system is slightly similar in structure to IOS. These differences are related to components and structures such as how to implement and use protected memory, multitasking, micro-core, and preemptive operating systems.
IOS-XR, like the classic IOS operating system, does not use an integrated core and shared memory space, but creates a memory space for each of the separate processes.
An important point to note as a network expert is that the Catalyst and Nexus series switches are based on TCAM proprietary hardware, which generally supports more streams and therefore interacts well with the Netflow protocol.
History and Diversity of Netflow Vendors
Cisco is not the only vendor of devices that support Netflow. Netflow has been around since 1996 with the release of iOS 11.x as a software solution (instead of hardware solutions).
The technology was originally designed on a small scale for local area networks. Cisco later realized the value of its work and added hardware-based implementations that provided more bandwidth.
As Netflow became more popular, several other popular vendors tried to take advantage of it.
Accordingly, various companies implemented their own versions of the protocol that were in line with their business goals.
These companies include Jflow from Juniper, NetStream from Huawei, and SFlow from HP. In 2008, the Internet Engineering Working Group (IETF) decided to introduce IPFIX as an official standard, offering various solutions and complicating matters.
IPFIX is sometimes referred to as Netflow v10, but in fact, the latest official version of Netflow is version v9, which bears many similarities to IPFIX. RFC 3954 mentions the version of Netflow9 in the information section instead of the standard, but IPFIX is introduced as standard in RFC 7012.
Netflow is generally supported in three versions.
Cisco did not release versions 2-4 to the public, and v1 is naturally obsolete. Routers and switches generally support Netflow versions v5, v8, and v9. The v6 version is no longer supported and the v7 version is intended for Catalyst 5K switches.
Netflow is generally supported in three versions. Cisco did not release versions 2-4 to the public, and v1 is naturally obsolete. Routers and switches generally support Netflow versions v5, v8, and v9. The v6 version is no longer supported and the v7 version is intended for Catalyst 5K switches.
Netflow is generally supported in three versions. Cisco did not release versions 2-4 to the public, and v1 is naturally obsolete. Routers and switches generally support Netflow versions v5, v8, and v9.
The v6 version is no longer supported and the v7 version is intended for Catalyst 5K switches.
Netflow records are sent via UDP and received by Netflow Collector. Suffice it to say that the IP address of the collector and the destination port of the UDP must be configured with the most common UDP 2055 port on the sender router.
Some Netflow implementations use SCTP technology to prevent packet loss.
Some companies and network experts believe that if several independent collectors work together, the packet loss rate will be zero, but the reality is that this approach does not always work well.
What information does the Netflow protocol provide to professionals?
As mentioned, the device on which Netflow is enabled examines several different parameters to determine different data streams. Ports and transfer protocols are key players in Netflow.
Source and destination addresses can tell network administrators which traffic clients have sent and received.
Ports indicate which applications are using traffic, specify the service class of priority, and the interface helps you specify how the device is using traffic.
The Netflow protocol can display packets and bytes exchanged on the network and the amount of instantaneous traffic and can combine time-stamp data associated with each byte, TCP markers to check exchanges and mask subnets to calculate prefixes.
This process is performed when each of the nodes under the network generates a significant amount of information, but Netflow can process all this information due to its special algorithm.
To be able to use the information provided by Netflow effectively, you need to use quality analysis tools.
With proper Netflow analysis, network administrators can use the collected data to determine the following:
- General traffic patterns
- Slow performance detection including network bottlenecks
- Unusual network behavior
- Network Impact on Specific Applications (Time-Sensitive Software)
- Unauthorized WAN traffic and detection of unusual network behavior such as denial of service (DoS) attacks
- Service Quality Validation (QoS)
Netflow Components
To fully understand the Netflow protocol, you need to be familiar with its various components and how each one works. These components include NETFLOW EXPORTER, NETFLOW COLLECTOR, and NETWORK ANALYZER, each of which has a specific function and function depends on the hardware on which it is implemented (Figure 2).
figure 2
Netflow Exporter is a network device such as a router or firewall. The task of this component is to collect packets in data streams, and when it decides that the stream expires, it sends the stream records to the collectors.
Netflow Exporter detects which data streams are new. When packets enter the network, they are checked with a table of recent streams called stream caches. If packets match this table, information such as packet count and byte length for the stream will be updated, otherwise, new input will be created.
The router expires, outputs, or deletes data streams in the cache.
The router receives these signals from TCP protocol flags such as FIN or RST or when one of the following conditions has occurred:
- Inactive timeout: Streams expire when no packets are detected within a specified time period. The default time interval is fifteen seconds, but it can be adjusted to suit network needs.
- During an active timeframe, if a stream does not expire, the network administrator will not receive any data, so it is essential to provide the network administrator with an accurate view of the network status. By default, after 30 minutes, the desired information is sent to the router. Of course, network administrators set this value to one minute.
Netflow Collector is a server or device that receives aggregate streams and stores them for use by processes performed by Netflow Analyzer.
Netflow Analyzer is a software solution that provides comprehensive information about network status (Figure 3).
Network administrators must be able to analyze the charts, tables, alerts, and reports provided by the tools to obtain accurate information.
Of course, the performance of Netflow Analyzer is good in this regard.
Figure 3
What is the difference between Netflow and SNMP?
If you have worked with Netflow, you are probably familiar with SNMP. However, some network experts mistakenly believe that both protocols are the same. But the point is that these two protocols are completely different. They take different approaches to monitoring and can be implemented in different scenarios. Unlike Netflow, SNMP
Able to restore data instantaneously.
This feature has obvious advantages, but it is not without its drawbacks. Although excellent at presenting bandwidth and network usage status, it is not transparent enough.
SNMP does not store important information required by network administrators, such as what the user or application is doing, the type of traffic, and the source and destination addresses.
Basically, SNMP can indicate that there is a problem, but it is not ideal for finding the cause. Most versions of SNMP, despite their high speed and low overhead, are used for quick revisions, while Netflow can be used for deeper analysis.
What is the difference between Netflow and IPFIX?
When it comes to comparing Netflow and IPFIX, the applications and capabilities of these two protocols are evaluated together. IPFIX is sometimes referred to as Netflow v10, which is derived directly from Netflow v9 and is compatible with earlier versions.
But with all these similarities, there are still various reasons why the two concepts are different. IPFIX offers more flexibility when deploying outside the Cisco ecosystem.
For example, the protocol can be used to add information typically intended for Syslog or to integrate SNMP directly into the package.
In addition, IPFIX has a major change in vendor ID support.
Users can assign a unique identifier to each piece of data to collect information. With this description, is it better to use only IPFIX? In response, you should note that flexibility is not always good.
In other words, sometimes flexibility, especially in monitoring network performance, causes inconsistencies and confusion.
The main thing to keep in mind is that although IPFIX is preferred in many scenarios, it is not always the best option for doing so. In contrast, Cisco’s Netflow protocol has the ideal function of collecting and recording all IP traffic passing through a router or switch on which Netflow is active.
This protocol allows you to collect and analyze traffic through the Netflow Collector or Analyzer program.
Currently, the Cisco switches that support the Netflow protocol are as follows: The main thing to keep in mind is that although IPFIX is preferred in many scenarios, it is not always the best option for doing so.
In contrast, Cisco’s Netflow protocol has the ideal function of collecting and recording all IP traffic passing through a router or switch on which Netflow is active.
This protocol allows you to collect and analyze traffic through the Netflow Collector or Analyzer program. Currently, the Cisco switches that support the Netflow protocol are as follows:
The main thing to keep in mind is that although IPFIX is preferred in many scenarios, it is not always the best option for doing so. In contrast, Cisco’s Netflow protocol has the ideal function of collecting and recording all IP traffic passing through a router or switch on which Netflow is active. This protocol allows you to collect and analyze traffic through the Netflow Collector or Analyzer program.
Currently, the Cisco switches that support the Netflow protocol are as follows:
- Cisco Catalyst 3650/3850 switch
- Cisco Catalyst 3750-X switch via 3K-X service module
- Cisco Catalyst 4500-X and 4500 switches via Sup 7
- Cisco Catalyst 4900M Switch, 4948E-F
- Cisco 6500 switch via SUP2T
- Cisco 6500 switch via SUP720
- Cisco Catalyst 3560-CX and 2960-CX switches
- Cisco Nexus 1000 Switch
- Cisco Nexus 2000 Switch
- Cisco Nexus 5000 switch via layer 3 module
- Cisco Nexus 7000 switch via F Card
- Cisco Nexus 7000 switch via M card
- Cisco Nexus 9000 Switch
- Cisco Nexus 1000v Switch
Cisco routers that support the NetFlow protocol:
- Cisco ISR G1 and G2 routers
- Cisco 7600 Series Router
- Cisco 10000 Series Router
- Cisco XR12000 / 12000 Series Router
- Cisco ASR 1000 Series Router
- Cisco ASR 9000 Series Router
- Cisco NCS 5000,6000 Router
- Cisco CSR 1000v Router