So, have you asked yourself, should I upgrade to Flexible NetFlow?  And if you have, has the next question been, why?

Here are 10 reasons for using Flexible NetFlow over NetFlow v5. Some time ago we posted a blog, What is Flexible NetFlow (FnF), that might be helpful to those not familiar with FnF.

  1. NBAR – provides deeper packet inspection to identify applications such as Skype, Webex, etc.  Without NBAR, NetFlow will display these apps via the port they use (e.g. port 80 or 443, etc.).
  2. Packet capture – we have played with this a bit, but it isn’t ready for prime time because the prefiltering is almost nonexistent. Basically, the router can be configured to send actual packets inside NetFlow UDP datagrams. It is very cool, but you can’t specify what you want yet. In short, you can ask for all TCP or UDP. You basically can’t turn it on if the router is seeing serious traffic. It will be perfected over time.
  3. Syslogs – We are seeing this from the Cisco ASA already in the form of NetFlow Security Event Logging (aka NSEL).  These messages tell us what access list entry denied a flow.
  4. Accounting – You can set up a permanent cache to export bytes for a particular subnet. This is really useful if the volume of NetFlow is too great for any NetFlow collector. Fewer details mean fewer flows; however, the total byte count is still highly accurate.
  5. Sampling – this is useful for large enterprises and especially service providers.  It allows admins to get a great idea of traffic patterns by looking at samples of the data.  Sampling is necessary when flow exports are excessive.
  6. Layer 2 details – details on layer 2 can be exported (e.g. MAC addresses, VLAN IDs, etc.).
  7. IPv6 support – this will be important some day.
  8. Unlimited Exports – can export to more than 2 collectors. FnF can send details to an unlimited number of collectors.
  9. Option Templates – although you can do this in NetFlow v9, FnF is taking it to another level.  You can export the interface names (e.g. ifName, ifAlias, ifDesc, etc.) using NetFlow and no longer rely on SNMP.
  10. FnF is paving the way for the future of NetFlow and is a big part of IPFIX (the proposed NetFlow standard).
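To make item 9 concrete, here is an added example (not code from the original post or from any vendor) of how a collector can build an ifIndex-to-name table from a NetFlow v9 options template and its data records instead of polling SNMP. The field type numbers come from RFC 3954; the sample datagram, its System scope field and the 4/16/32-byte field lengths are constructed for illustration, since a real exporter declares its own lengths in the template.

```python
import struct

INPUT_SNMP, IF_NAME, IF_DESC = 10, 82, 83   # field types from RFC 3954

def _pairs(buf, off, nbytes):
    """Read the (type, length) pairs that occupy nbytes of a template."""
    return [struct.unpack_from("!HH", buf, off + i) for i in range(0, nbytes, 4)]

def parse_interface_options(packet):
    """Return {ifIndex: (ifName, ifDesc)} from one NetFlow v9 export datagram."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 datagram")
    templates, names, off = {}, {}, 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("FlowSet length runs past the datagram")
        body = packet[off + 4:off + fs_len]
        if fs_id == 1:                              # options template FlowSet
            p = 0
            while len(body) - p >= 6:
                tid, s_len, o_len = struct.unpack_from("!HHH", body, p)
                end = p + 6 + s_len + o_len
                if tid < 256 or s_len % 4 or o_len % 4 or end > len(body):
                    break                           # padding or malformed template
                scope = sum(n for _, n in _pairs(body, p + 6, s_len))
                templates[tid] = (scope, _pairs(body, p + 6 + s_len, o_len))
                p = end
        elif fs_id in templates:                    # data described by that template
            scope, opts = templates[fs_id]
            size = scope + sum(n for _, n in opts)
            for start in range(0, len(body) - size + 1, size) if size else ():
                pos, rec = start + scope, {}        # skip the scope value bytes
                for ftype, flen in opts:
                    rec[ftype] = body[pos:pos + flen]
                    pos += flen
                if INPUT_SNMP in rec:
                    txt = lambda t: rec.get(t, b"").rstrip(b"\0").decode("ascii", "replace")
                    names[int.from_bytes(rec[INPUT_SNMP], "big")] = (txt(IF_NAME), txt(IF_DESC))
        off += fs_len
    return names

def sample_packet():
    """Constructed datagram: one options template (ID 256) and two interface rows."""
    hdr = struct.pack("!HHIIII", 9, 3, 1000, 1700000000, 1, 0)
    tmpl = struct.pack("!HHHHH", 1, 28, 256, 4, 12) + struct.pack(
        "!8H", 1, 4, INPUT_SNMP, 4, IF_NAME, 16, IF_DESC, 32) + b"\0\0"
    rows = b"".join(bytes(4) + struct.pack("!I16s32s", i, n, d) for i, n, d in
                    [(1, b"Gi0/0", b"GigabitEthernet0/0"), (2, b"Gi0/1", b"GigabitEthernet0/1")])
    return hdr + tmpl + struct.pack("!HH", 256, 4 + len(rows)) + rows
```

Data FlowSets that arrive before their template are skipped rather than guessed at, and a production collector would keep the template cache per exporter and source ID across datagrams instead of per packet as done here.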

We also posted this blog on Cisco NetFlow v5 vs. NetFlow v9.  You might find it useful as well. We are seeing companies kick out some amazing details with IPFIX (e.g. latency, URLs, etc.).  FnF is definitely the future of NetFlow.  Our next release of Scrutinizer NetFlow Analyzer allows you to filter and report on all things FnF.

Hope this answers your questions about whether and why to use Flexible NetFlow.

Joanne Ghidoni

Joanne is a Software Quality Assurance Engineer at Plixer. She has also held positions as Technical Support Engineer and Sales Engineer since joining Plixer in 2005. Prior to joining Plixer, Joanne has had numerous positions in the IT field, including data entry, computer operator, PC coordinator and support, mainframe programmer, and also Technical Support and web programmer at Cabletron Systems. In her spare time, Joanne enjoys traveling, always seeking out new and interesting places to visit.
