
Each packet that is forwarded within a router or switch (layer 3 only) is examined for a set of IP packet attributes. These attributes form the IP packet identity, or fingerprint of the packet, and determine whether the packet is unique or similar to other packets. Traditionally, an IP flow is based on a set of 5 and up to 7 IP packet attributes.
IP Packet attributes used by NetFlow:
IP source address
IP destination address
Source port
Destination port
Layer 3 protocol type
Class of Service
Router or switch interface
All packets with the same source/destination IP address, source/destination ports, protocol, interface and class of service are grouped into a flow, and then packets and bytes are tallied. This method of fingerprinting, or determining a flow, is scalable because a large amount of network information is condensed into a database of NetFlow information called the NetFlow cache.
Figure 1. Creating a flow in the NetFlow cache:

This flow information is extremely useful for understanding network behaviour:
Source address identifies who is originating the traffic
Destination address identifies who is receiving the traffic
Ports characterise the application generating the traffic
Class of service shows the priority of the traffic
The device interface identifies how traffic is being utilised by the network device
Tallied packets and bytes show the amount of traffic
Additional information added to a flow includes:
Flow timestamps, to understand the life of a flow; timestamps are also used for calculating packets and bytes per second
Next-hop IP addresses, including BGP routing Autonomous Systems (AS)
Subnet masks for the source and destination addresses, to calculate prefixes
TCP flags, to examine TCP handshakes
There are two primary methods to access NetFlow data:
Command Line Interface (CLI) with 'show' commands (for example, show ip cache flow)
An application reporting tool
If you are interested in an immediate view of what is happening in your network, the CLI can be used. The NetFlow CLI is very useful for troubleshooting.
The other choice is to export NetFlow to a reporting server, known as the "NetFlow collector". The NetFlow collector has the job of assembling and understanding the exported flows and combining or aggregating them to produce the reports used for traffic and security analysis. NetFlow export, unlike SNMP polling, pushes information periodically to the NetFlow collector. In general, the NetFlow cache is constantly filling with flows, and software in the router or switch searches the cache for flows that have terminated or expired; these flows are exported to the NetFlow collector server.
Flows are terminated when the network communication has ended (e.g. a packet contains the TCP FIN flag). The following steps are used to implement NetFlow data reporting:
NetFlow is configured to capture flows to the NetFlow cache
NetFlow export is configured to send flows to the collector
The NetFlow cache is searched for flows that have terminated and these are exported to the NetFlow collector server
Approximately 30 to 50 flows are bundled together and typically transported in UDP format to the NetFlow collector server
The NetFlow collector software creates real-time or historical reports from the data
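The UDP bundling step above, as an added example that is not part of the original page and not Cisco's own code: a NetFlow version 5 exporter that packs at most 30 records per datagram (the fixed v5 limit; a 24-byte header plus 30 records of 48 bytes is 1464 bytes, which fits a 1500-byte MTU), and a collector-side decoder that validates the header before trusting the record count and uses the flow_sequence field to detect datagrams lost in transit, since UDP gives no delivery guarantee. The flow dictionaries, the sample_flows() helper and the field names are this example's own assumptions; interface indexes, AS numbers and masks are carried as plain integers.

```python
"""NetFlow v5 export over UDP: exporter-side packing and collector-side validation.

Added example (not Cisco code). A v5 datagram is a 24-byte header followed by at most
30 fixed 48-byte records. flow_sequence counts flows, not datagrams, so a collector can
tell how many flows a lost datagram carried.
"""
import socket
import struct
from typing import Dict, List, Optional, Tuple

# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval  (24 bytes)
V5_HEADER = struct.Struct("!HHIIIIBBH")
# src, dst, nexthop, in_if, out_if, packets, octets, first, last, sport, dport,
# pad1, tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask, pad2  (48 bytes)
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30


class V5DecodeError(ValueError):
    pass


def encode_v5(flows: List[dict], sequence: int, uptime_ms: int, unix_secs: int) -> Tuple[List[bytes], int]:
    """Pack flows into v5 datagrams of at most MAX_RECORDS; returns (datagrams, next_sequence)."""
    datagrams = []
    for i in range(0, len(flows), MAX_RECORDS):
        batch = flows[i:i + MAX_RECORDS]
        header = V5_HEADER.pack(5, len(batch), uptime_ms, unix_secs, 0, sequence, 0, 0, 0)
        body = b"".join(V5_RECORD.pack(
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), socket.inet_aton(f.get("nexthop", "0.0.0.0")),
            f["in_if"], f["out_if"], f["packets"], f["octets"], f["first_ms"], f["last_ms"],
            f["sport"], f["dport"], 0, f["tcp_flags"], f["proto"], f["tos"],
            f.get("src_as", 0), f.get("dst_as", 0), f.get("src_mask", 0), f.get("dst_mask", 0), 0)
            for f in batch)
        datagrams.append(header + body)
        sequence += len(batch)        # v5 sequence counts flows, not datagrams
    return datagrams, sequence


def decode_v5(payload: bytes, expected_sequence: Optional[int] = None) -> Dict:
    """Collector side: validate the header before trusting count, then unpack the records.
    lost = number of flows missed since the previous datagram, if expected_sequence is given."""
    if len(payload) < V5_HEADER.size:
        raise V5DecodeError("payload shorter than v5 header")
    version, count, uptime, secs, nsecs, seq, engine_type, engine_id, sampling = V5_HEADER.unpack_from(payload)
    if version != 5:
        raise V5DecodeError(f"not a v5 datagram (version {version})")
    if not 1 <= count <= MAX_RECORDS:
        raise V5DecodeError(f"record count {count} out of range")
    if len(payload) != V5_HEADER.size + count * V5_RECORD.size:
        raise V5DecodeError("payload length does not match record count")  # never trust count alone
    records = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, packets, octets, first_ms, last_ms, sport, dport, _pad1,
         tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask, _pad2) = V5_RECORD.unpack_from(
            payload, V5_HEADER.size + i * V5_RECORD.size)
        records.append(dict(src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst), nexthop=socket.inet_ntoa(nexthop),
                            in_if=in_if, out_if=out_if, packets=packets, octets=octets, first_ms=first_ms,
                            last_ms=last_ms, sport=sport, dport=dport, tcp_flags=tcp_flags, proto=proto,
                            tos=tos, src_as=src_as, dst_as=dst_as, src_mask=src_mask, dst_mask=dst_mask))
    lost = None if expected_sequence is None else seq - expected_sequence
    return {"sequence": seq, "count": count, "uptime_ms": uptime, "unix_secs": secs,
            "engine": (engine_type, engine_id), "sampling": sampling, "records": records, "lost": lost}


def is_valid_v5(payload: bytes) -> bool:
    """True if decode_v5 accepts the payload; used to reject truncated or forged datagrams."""
    try:
        decode_v5(payload)
        return True
    except V5DecodeError:
        return False


def sample_flows(n: int) -> List[dict]:
    """Constructed flows (not captured data): n HTTP sessions from distinct clients to one server."""
    return [dict(src=f"10.0.{i // 256}.{i % 256}", dst="192.0.2.10", sport=40000 + i, dport=80,
                 proto=6, tos=0, in_if=1, out_if=2, packets=10 + i, octets=(10 + i) * 500,
                 first_ms=1000 * i, last_ms=1000 * i + 500, tcp_flags=0x1B) for i in range(n)]


if __name__ == "__main__":
    dgrams, next_seq = encode_v5(sample_flows(45), sequence=0, uptime_ms=60_000, unix_secs=1_700_000_000)
    print(len(dgrams), "datagrams of", [len(d) for d in dgrams], "bytes; next sequence", next_seq)
    # Pretend the first datagram was dropped on the wire: the second one reveals 30 missing flows.
    print("flows lost:", decode_v5(dgrams[1], expected_sequence=0)["lost"])
```

Forty-five flows become two datagrams (30 and 15 records); if the first is dropped, the second datagram's flow_sequence of 30 against an expected 0 tells the collector exactly how many flows were never received. The length check matters because a collector that multiplies the header's count by 48 and reads that far will read past a truncated or forged payload.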
A flow is ready for export when it has been inactive for a certain time (i.e. no new packets have been received for the flow), or if the flow is long-lived (active) and lasts longer than the active timer (e.g. a long FTP download). The flow is also ready for export when a TCP flag indicates that the flow has terminated (i.e. a FIN or RST flag).
There are timers that determine whether a flow is inactive or long-lived: the default inactive flow timer is 15 seconds and the default active flow timer is 30 minutes. All the export timers are configurable, but the defaults are used in most cases, except on the Cisco Catalyst 6500 Series Switch platform.
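The cache behaviour described above, covering both the grouping of packets into flows by their seven-attribute fingerprint and the inactive, active and FIN/RST export rules, as an added example that is not code from the original page or from Cisco: a small flow cache in Python, replayed over constructed packets. The flow key is the seven-attribute tuple from the list earlier on the page, with the interface carried as a name rather than an SNMP ifIndex, and the timers default to the 15-second and 30-minute values quoted. The demo() replay, the packet dictionaries and the FlowCache and aggregate() names are this example's own assumptions.

```python
"""Flow cache with NetFlow-style expiry (added example, not Cisco code).

Packets are keyed on the seven attributes from the page, tallied into flows, and
exported on TCP FIN/RST, when idle past the inactive timer, or when older than the
active timer. Sample packets are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP_FIN, TCP_RST = 0x01, 0x04
INACTIVE_TIMEOUT = 15        # IOS default, seconds
ACTIVE_TIMEOUT = 30 * 60     # IOS default, seconds

# (src, dst, sport, dport, proto, tos, interface): the flow key from the text
FlowKey = Tuple[str, str, int, int, int, int, str]


@dataclass
class Flow:
    key: FlowKey
    first: float          # timestamp of the first packet
    last: float           # timestamp of the most recent packet
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0    # cumulative OR of the flags seen, as NetFlow reports them


def flow_key(pkt: dict) -> FlowKey:
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"], pkt["tos"], pkt["iface"])


class FlowCache:
    def __init__(self, inactive: float = INACTIVE_TIMEOUT, active: float = ACTIVE_TIMEOUT):
        self.flows: Dict[FlowKey, Flow] = {}
        self.exported: List[Flow] = []
        self.inactive, self.active = inactive, active

    def add_packet(self, pkt: dict) -> None:
        key = flow_key(pkt)
        f = self.flows.get(key)
        if f is None:
            f = self.flows[key] = Flow(key, pkt["ts"], pkt["ts"])
        f.packets += 1
        f.octets += pkt["length"]
        f.last = pkt["ts"]
        f.tcp_flags |= pkt.get("flags", 0)
        if pkt["proto"] == 6 and f.tcp_flags & (TCP_FIN | TCP_RST):
            self._export(key)      # conversation ended: export without waiting for a timer

    def expire(self, now: float) -> List[Flow]:
        """The periodic cache scan: export idle flows and flows older than the active timer."""
        return [self._export(k) for k, f in list(self.flows.items())
                if now - f.last >= self.inactive or now - f.first >= self.active]

    def _export(self, key: FlowKey) -> Flow:
        f = self.flows.pop(key)
        self.exported.append(f)
        return f


def aggregate(flows: List[Flow]) -> Dict[FlowKey, Tuple[int, int]]:
    """Collector-side merge: a transfer split by the active timer is re-joined per key."""
    totals: Dict[FlowKey, Tuple[int, int]] = {}
    for f in flows:
        p, o = totals.get(f.key, (0, 0))
        totals[f.key] = (p + f.packets, o + f.octets)
    return totals


def demo() -> dict:
    """Replay constructed packets through the cache; returns exported flows and per-key totals."""
    http = dict(src="10.0.0.5", dst="192.0.2.10", sport=40000, dport=80, proto=6, tos=0, iface="Gi0/1")
    ftp = dict(src="192.0.2.20", dst="10.0.0.5", sport=20, dport=51000, proto=6, tos=0, iface="Gi0/0")
    dns = dict(src="10.0.0.5", dst="10.0.0.53", sport=53000, dport=53, proto=17, tos=0, iface="Gi0/1")
    pkts = [dict(http, ts=0.0, length=60, flags=0x02),      # SYN
            dict(http, ts=0.1, length=500, flags=0x18),     # PSH/ACK with data
            dict(http, ts=0.2, length=52, flags=0x11),      # FIN/ACK: exported immediately
            dict(dns, ts=5.0, length=70)]                   # one UDP query, then silence
    # FTP-data download: a 1500-byte segment every 10 s for 40 minutes, never idle, no FIN
    pkts += [dict(ftp, ts=float(t), length=1500, flags=0x10) for t in range(0, 2400, 10)]
    pkts.sort(key=lambda p: p["ts"])
    cache = FlowCache()
    for p in pkts:
        cache.expire(p["ts"])          # stands in for the router's periodic scan
        cache.add_packet(p)
    cache.expire(pkts[-1]["ts"] + 600)   # final scan ten minutes after the last packet
    return {"exported": cache.exported, "totals": aggregate(cache.exported)}
```

In the replay the HTTP session is exported the moment its FIN arrives, the single DNS query is exported by the inactive timer 15 seconds after it was seen, and the 40-minute FTP transfer is cut at the 30-minute active timer into two flows of 180 and 60 packets that aggregate() re-joins into one 240-packet total, which is the collector-side combining the page goes on to describe.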
The collector can combine flows and aggregate traffic. For example, an FTP download that lasts longer than the active timer is broken into multiple flows, and the collector can combine these flows to show the total FTP traffic to a server at a specific time of day.
NetFlow is typically used at a central site, because all traffic from the remote sites passes through it and is therefore characterised and available within NetFlow there.
The location where NetFlow is deployed may depend on the location of the reporting solution and the topology of the network.
If the reporting collection server is centrally located, then implementing NetFlow close to the reporting collector server is optimal.
NetFlow can also be enabled at remote branch locations, with the understanding that the export data will consume bandwidth: about 1-5% of the switched traffic volume is used for export to the collection server.
Figure 2. NetFlow export to a collector
