Network Traffic Analysis through a Cisco ASA with NetFlow
Posted in ASA, Network Traffic Analysis, Scrutinizer on February 5th, 2010 by scottr

Yes, you can use NetFlow to monitor traffic and bandwidth usage on an ASA.
One of the primary uses for NetFlow on a Cisco ASA is as a transport protocol for security events. But if you are using the right NetFlow Analysis tool, you can also analyze traffic using NetFlow sent from the Cisco ASA.
This is really important, as I have seen many companies with remote sites connected by a Cisco ASA but no devices behind the ASAs that supported NetFlow. This meant that they couldn't leverage NetFlow to analyze traffic.
There is a caveat to NetFlow support on the ASA. NetFlow from a Cisco ASA is quite different from what other Cisco devices provide: it is called "NetFlow Security Event Logging", or NSEL. In fact, ASA NetFlow was never intended to be used for real-time/live traffic analysis.
That being said, you need to keep the following facts in mind:
- You will not see the data 100% live. Most routers and switches export flow statistics periodically while the flow is in progress, whereas NSEL sends a NetFlow record only after a connection has been torn down. If a connection is active for minutes or hours, the ASA sends a single record carrying the totals for the whole connection. This causes peaks when viewing traffic patterns in Scrutinizer's reports.
- Flows on the ASA are bidirectional (all counters for a flow increase for traffic flowing both in and out).
- You will need a NetFlow collector/analysis tool, such as Scrutinizer, that has the ability to analyze ASA NetFlow data. Remember, NSEL utilizes Flexible NetFlow, and the data format is different from “normal” NetFlow v9 data.
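The peaks described above are an artifact of where a collector places the bytes from a teardown-only record. The following is an added example, not code from the original post or from Scrutinizer: it takes a few constructed NSEL-style teardown records (record field names are my own, not the NSEL template field names) and builds a one-minute bandwidth series two ways, once attributing every byte to the teardown time, as a naive collector would, and once spreading the bytes evenly over the connection's lifetime. Bytes in and out are summed on each record, matching the bidirectional counters the post mentions.

```python
"""
Added example (not from the original post): why NSEL-based bandwidth graphs
show peaks, and one way a collector can compensate.

A Cisco ASA exports one NSEL record per connection *after teardown*, carrying
the totals for the whole connection, whereas a router exports periodic updates
while a flow is active. A collector that attributes each record's bytes to the
moment it arrived (the teardown time) turns a long-lived connection into a
single spike. Spreading the bytes over the connection's lifetime gives a
truer bandwidth picture.
"""
from collections import defaultdict

# Constructed sample teardown records (not real export data). Times are seconds
# since the start of the observation window; field names are assumptions.
TEARDOWN_RECORDS = [
    # 10-minute download that the ASA reports only when it closes
    {"src": "10.1.1.5", "dst": "198.51.100.7", "start": 0, "end": 600,
     "bytes_in": 3_000_000, "bytes_out": 600_000},
    {"src": "10.1.1.9", "dst": "198.51.100.8", "start": 30, "end": 45,
     "bytes_in": 20_000, "bytes_out": 5_000},
    {"src": "10.1.1.9", "dst": "198.51.100.8", "start": 300, "end": 310,
     "bytes_in": 40_000, "bytes_out": 8_000},
]

BUCKET = 60  # seconds per graph bucket (a one-minute bandwidth graph)


def total_bytes(rec):
    # ASA flow counters are bidirectional: both directions sit on one record.
    return rec["bytes_in"] + rec["bytes_out"]


def bucket_index(t, bucket=BUCKET):
    return t // bucket


def as_reported(records, bucket=BUCKET):
    """Naive attribution: all bytes land in the bucket of the teardown time."""
    series = defaultdict(int)
    for r in records:
        series[bucket_index(r["end"], bucket)] += total_bytes(r)
    return dict(series)


def spread_over_lifetime(records, bucket=BUCKET):
    """Attribute bytes proportionally to every bucket the connection overlapped."""
    series = defaultdict(float)
    for r in records:
        start, end = r["start"], r["end"]
        duration = end - start
        if duration <= 0:  # zero-length connection: nothing to spread
            series[bucket_index(start, bucket)] += total_bytes(r)
            continue
        b = bucket_index(start, bucket)
        while b * bucket < end:
            lo = max(start, b * bucket)
            hi = min(end, (b + 1) * bucket)
            if hi > lo:
                series[b] += total_bytes(r) * (hi - lo) / duration
            b += 1
    return {k: round(v) for k, v in series.items()}


def to_list(series, n_buckets):
    """Render a sparse bucket->bytes mapping as a dense list for plotting."""
    return [series.get(i, 0) for i in range(n_buckets)]


if __name__ == "__main__":
    n = bucket_index(max(r["end"] for r in TEARDOWN_RECORDS)) + 1
    print("as reported (teardown time):", to_list(as_reported(TEARDOWN_RECORDS), n))
    print("spread over lifetime:       ", to_list(spread_over_lifetime(TEARDOWN_RECORDS), n))
```

Both series carry the same total (3,673,000 bytes), but the naive one puts 3.6 MB into a single minute at teardown while the spread one tops out at about 408 KB per minute, which is the shape you would have seen from a router exporting periodically.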
Here is an example of Scrutinizer's ability to show you the top conversations that took place during a specific period of time. Notice that the traffic pattern does indeed show peaks that you would not have seen had this been traffic from a standard NetFlow exporting device.
We’ve also documented the required configuration parameters for the ASA to enable NetFlow export.
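For readers who do not have that document to hand, the following is an added example of a minimal NSEL export configuration, not the post's own documented parameters. The interface name (`inside`), the collector address (192.0.2.10, a documentation address), the port (2055) and the ACL/class-map names are placeholders to adapt; the commands themselves are standard ASA 8.2-era `flow-export` syntax. The last line disables the syslog messages that duplicate the information already carried in the NSEL records, which is the overlap that causes the performance hit noted in the comments.

```text
! Where to send NSEL records: interface, collector IP, UDP port
flow-export destination inside 192.0.2.10 2055
! Resend the NetFlow templates every N minutes so the collector can decode records
flow-export template timeout-rate 30

! Select which traffic generates NSEL events (here: everything)
access-list flow_export_acl extended permit ip any any
class-map flow_export_class
 match access-list flow_export_acl

! Attach the export action to the global policy
policy-map global_policy
 class flow_export_class
  flow-export event-type all destination 192.0.2.10
service-policy global_policy global

! Suppress the syslogs (e.g. connection built/torn down) that duplicate NSEL data
logging flow-export-syslogs disable
```

Verify the export with `show flow-export counters` on the ASA and confirm that the collector is receiving templates before records are expected to decode.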
For more information on ASA NetFlow, Take a Deeper look at NSEL.
-Scott
Tags: Cisco ASA, NetFlow, Netflow Analysis Tools, NetFlow Collector, Network Traffic Analysis, NSEL
[...] it provides the best in traffic analysis, with its ability to support Flexible NetFlow, NBAR, and Cisco ASA NSEL. But did you know that as a Scrutinizer user, you have different options when it comes to how you [...]
This is so cool. I can't wait to get my ASA analysis!
How does it affect the ASA and LAN performance (or what is NSEL's footprint on the hardware and LAN traffic)?
NetFlow can have some performance impact, but it should not be any worse than normal syslog operations of the same information. There will be an uptick in memory, but it should also be minimal. You should avoid having NetFlow configured with overlapping syslogs, as this can cause a significant performance hit.
We have been getting a few calls with questions on the uniqueness of the NetFlows exported by the Cisco ASA. Check out this PDF:
http://www.plixer.com/files/netflow-on-the-asa-11-18-09.pdf