This is article 2 of a 3 part series on the differences between NetFlow version 5 and v9. Read Cisco NetFlow v5 vs. NetFlow v9: Part 1.

The Big Mac
You expected it but Cisco NetFlow v9 is really more than a Big Mac®. To hold to the analogy, the Big Mac brings cheese, lettuce and a sesame seed bun to the traditional McDonald’s burger. It brings more substance, more meat! It brings the coveted “special sauce”.


If you haven’t already, take a look at the format of Cisco NetFlow v9.  At first you might think “wow, too much information”.  Let’s keep it all in perspective.   You can get tons of information using SNMP and most people only scratch the surface.

Hey, I need a template
With NetFlow v5, the collection software is usually hard coded with the decode information necessary to digest the incoming flows.  It is predetermined and never changes.  It is always the same old fields in the same order. Some call it deterministic, and therefore, collection can be fast.

With NetFlow v9, templates are periodically sent out (e.g. every minute) on how to decode the packets. The collector often must hold off on decoding datagrams until a template is received. This template architecture makes v9 very dynamic with what it can send. Some of the new features in v9 that some customers might be looking for include:
• Source and Destination MAC addresses
• IPv6 support
• Improved details on VLANs and MPLS connections
• Flow sampling, which is kind of like sFlow.  See NetFlow vs. sFlow
• Interface Name and Description (usually requires SNMP)
• Egress Flows which I’ll digress on in another blog (Important)
• Many more capabilities.  I’ll talk about Flexible NetFlow later.

NetFlow v9 downfalls
Version 9 is not without its weaknesses. First of all, most people turning it on are using it to collect the same data you can get with version 5. How come? Most NetFlow collection packages don’t provide a reporting interface to view the additional information provided by v9. What’s more, the advanced exports are more complicated to configure, and without a reporting package, it is more work to figure out if it is exporting correctly.

Like SNMPv2, NetFlow v9 will take time to roll out. Customers need to ask for the additional features. Where’s the ‘demand’?  Too bad I wasn’t drawing comparisons to Wendy’s Hamburgers.  Anyway, we need to hear from you! Vendors need to hear from more than one customer that a feature is needed and why. A business case can then be justified and software development can begin.

What is Cisco up to?
NetFlow v9 is Cisco’s attempt to let the Network Administrator export nearly any information he/she wants from the router. It is my guess that someone at Cisco took a class on Microeconomics and is trying to encourage the IOS software developers to write more features into NetFlow in hopes that the consumer will strive for more ‘utility’  and ultimately ‘Demand’ will follow.   🙂 We’ll discuss flexible NetFlow in my 3rd and final blog in this series.

Update: All the parts to this series have been published. See Part 1 here, Part 2 here, and Part 3 here.

Mike Patterson author pic


Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.


Leave a Reply