What is Flexible NetFlow part 3 of 3

Posted in General on January 3rd, 2009 by mike@plixer.com

How can my company benefit from Flexible NetFlow?

Prior Reading
In the first blog I covered the 3 key advantages of Flexible NetFlow. In the second blog I covered the 3 caches of Flexible NetFlow. In this third and final blog I will cover how companies may end up taking advantage of Flexible NetFlow.

Traditional NetFlow will Dominate
Probably the single most popular way companies use NetFlow won’t change. Traditional NetFlow using a Normal Cache persists for the same reason NetFlow v5 is still more popular than NetFlow v9: in most cases it already provides the details necessary to answer the major questions.
• who is causing the problem
• who are the top talkers, applications, etc.
• what the abnormal behaviors are

Permanent Cache
Permanent Cache on the other hand could end up replacing Cisco’s IP Accounting technology, as this type of cache can mimic the running counters of a MIB table. It can also be used to store routing information that is fairly static and doesn’t need to be exported frequently. Note: entries in a Permanent Cache are never aged out, so the cache has a fixed size. Once it is full, any new flow that would need a fresh entry is simply not recorded (the packets themselves are still forwarded, they just go uncounted), and the router keeps a counter of the flows it could not add. Size the cache for the number of distinct flows you expect rather than relying on exports to free space, because exporting does not empty a Permanent Cache.

Immediate Cache
An Immediate Cache could be leveraged to trigger packet captures based on alerts initially raised by a collector. The collector watches for network behavior patterns in traditional NetFlow and, when one fires, enables a monitor that uses an Immediate Cache, which exports every matching packet (with a slice of its payload) as soon as it is seen. Once those packet sections arrive, they can be:
• kept on the collection server until the administrator is ready to dig in for details
• sent off to an IDS for deeper inspection

NetFlow Event Logging
In some cases, NetFlow Event Logging (NEL) could replace traditional syslog, as up to 18 events from the Cisco ASR 1000 can be packed into a single NetFlow datagram.

Information on Flexible NetFlow is slowly making it onto the web. As a Cisco Technology Partner, we work with key individuals at Cisco Systems.

Benoit Claise and Michael Patterson at Cisco Networkers 2008

Above is a picture of me at CiscoLive 2008 with Cisco’s NetFlow Visionary: Benoit Claise. Check out Benoit’s book.

Michael Patterson
Scrutinizer Product Manager

What is Flexible NetFlow part 2 of 3

Posted in General on December 28th, 2008 by mike@plixer.com

Flexible NetFlow Generates Cash?
In the What’s So Flexible About Flexible NetFlow? post I discussed the key advantages of Flexible NetFlow. In this blog I will outline the 3 types of flow cache (i.e., not cash) that Flexible NetFlow can export from, depending on the nature of what you want to export. These caches are as follows:

• Normal Cache: used for traditional NetFlow, with one additional benefit. The active timeout can be set as low as 1 second, whereas in traditional NetFlow the minimum is 60 seconds (the timer is configured in whole minutes). This means long-lived flows can be reported to the collector much closer to real time.

• Permanent Cache: is used for accounting and for security monitoring. This cache is sometimes used to export a byte count on an interface for specific IP addresses for accounting purposes. We have to be careful with a Permanent Cache because entries are never aged out: once it becomes full, all new flows are ignored, and exporting does not free any space, so the cache must be sized (number of entries) for the flows you expect rather than exported more often. It is generally used when the number of flows expected is low or when there is a need to keep long-term statistics on the router. Also, the counters represent totals seen over the lifetime of the entry, not just since the last export, so a collector has to subtract the previous export to get per-interval usage.

• Immediate Cache: is used when each packet matching the filter is to be exported immediately to the collector, one record per packet. It is generally used to export up to the first 1000 bytes of the IP payload. Usually, “something” is monitoring traditional NetFlow and triggers an Immediate Cache when it spots a problem. Loaded with a good portion of the original packet, a closer look into the potential problem can be taken. Because every matching packet becomes an export record, the match criteria should be narrow and the monitor left on only while investigating.
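
As an added example (not configuration from the original post, Plixer, or Cisco), here is what the three caches described above, and the accounting and triggered-capture uses discussed in the part 3 post, look like as Cisco IOS Flexible NetFlow configuration. The monitor and record names, the collector address 192.0.2.50, the Loopback0 source, the GigabitEthernet0/1 interface, the 4096-entry cache size and the 300-second update timer are all assumptions chosen for illustration; the 1000-byte payload size is the figure the post itself mentions.

```text
! Exporter shared by all three monitors (collector address assumed for the example)
flow exporter EXP-COLLECTOR
 destination 192.0.2.50
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
!
! 1. Normal cache: traditional 5-tuple record with a 1-second active timeout,
!    the knob traditional NetFlow cannot turn below 60 seconds
flow record REC-NORMAL
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow monitor MON-NORMAL
 exporter EXP-COLLECTOR
 record REC-NORMAL
 cache type normal
 cache timeout active 1
 cache timeout inactive 15
!
! 2. Permanent cache: per-source-address byte/packet totals that never age out.
!    "cache entries" is the hard limit; once full, new sources are not counted,
!    so size it for the number of hosts you expect, not for export frequency.
flow record REC-ACCT
 match ipv4 source address
 collect counter bytes long
 collect counter packets long
!
flow monitor MON-ACCT
 exporter EXP-COLLECTOR
 record REC-ACCT
 cache type permanent
 cache entries 4096
 cache timeout update 300
!
! 3. Immediate cache: one export record per matching packet, carrying up to the
!    first 1000 bytes of IP payload. Keep the record narrow; every packet that
!    matches is exported, so this is a monitor to apply while investigating.
flow record REC-CAPTURE
 match ipv4 source address
 match ipv4 destination address
 match transport destination-port
 collect ipv4 section payload size 1000
!
flow monitor MON-CAPTURE
 exporter EXP-COLLECTOR
 record REC-CAPTURE
 cache type immediate
!
interface GigabitEthernet0/1
 ip flow monitor MON-NORMAL input
 ip flow monitor MON-ACCT input
```

Apply MON-CAPTURE to the interface (ip flow monitor MON-CAPTURE input) only when the collector raises the alert, and remove it afterwards. Whether a given platform allows several monitors in the same direction on one interface, and the maximum payload section size it accepts, vary by IOS release, so check the platform's Flexible NetFlow guide before copying this verbatim. To verify the permanent cache is not silently saturating, use show flow monitor MON-ACCT cache and show flow monitor MON-ACCT statistics: the output reports the cache size, current entries and the count of flows that could not be added, which is the counter the part 3 post refers to.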

For most of us, NetFlow collection using a Normal Cache won’t change. However, a NetFlow solution which can take advantage of the other caches (i.e., Permanent and Immediate) in a beneficial way may allow your IT team to better serve the business.

In the next blog “How can my company benefit from Flexible NetFlow?” I will discuss how the IT team may take advantage of the different caches.

Michael Patterson
Scrutinizer Product Manager