I recently learned that Cisco is planning to integrate with DPI (Deep Packet Inspection). What does this mean for your NetFlow collector and NetFlow Analyzer? More good stuff!
Seriously, it means more information on the applications on your network. What good is a NetFlow Reporting tool that only tells you the application is ‘HTTP’ (i.e. port 80)? Many applications today use port 80, and a whole slew of others use random ports. This is a real problem for NetFlow monitoring tools because there often isn’t enough information in the traditional NetFlow v5 tuple to determine the actual application (e.g. Skype, BitTorrent, H.323, GoToMeeting, etc.). The identification has to be done by the hardware or software that exports the IPFIX or NetFlow information.
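To make the limitation concrete, here is an added example (not code from the original post or from any product mentioned in it) that parses a NetFlow v5 export datagram and classifies each flow from the tuple alone. The sample datagram is constructed, and `PORT_NAMES`, `parse_v5`, `classify` and `build_sample` are names assumed for this illustration.

```python
import socket
import struct

# NetFlow v5 wire layout: 24-byte header followed by 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")
PORT_NAMES = {80: "http", 443: "https", 5060: "sip"}  # assumed lookup table

def parse_v5(datagram):
    """Return the flow records of one NetFlow v5 export datagram as dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[12],
        })
    return flows

def classify(flow):
    """Best guess a v5 collector can make: look up the lower port number."""
    return PORT_NAMES.get(min(flow["sport"], flow["dport"]), "unknown")

def build_sample():
    """Constructed export: two different applications on port 80, one on random ports."""
    def rec(src, dst, sport, dport, octets):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                           1, 2, 10, octets, 0, 1000, sport, dport,
                           0x18, 6, 0, 0, 0, 24, 24)
    records = [
        rec("10.0.0.5", "192.0.2.10", 51000, 80, 4200),       # ordinary web browsing
        rec("10.0.0.6", "192.0.2.20", 51001, 80, 910000),     # conferencing app over port 80
        rec("10.0.0.7", "198.51.100.9", 52344, 38211, 77000), # peer-to-peer, random ports
    ]
    return HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + b"".join(records)

if __name__ == "__main__":
    for flow in parse_v5(build_sample()):
        print(flow["src"], "->", flow["dst"], flow["dport"], classify(flow))
```

Both port-80 flows come back as `http` and the third as `unknown`: nothing in the 48-byte record distinguishes them further, which is the gap that exporter-side DPI fills.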
Below is a screen capture of our BETA support for the SonicWALL IPFIX exports. You can click on any of the applications below to find out who is sending this data. When applicable, even the URLs involved with a flow can be accessed.
Some of the information Cisco plans to export in NBAR2 includes:
• HTTP Reports (e.g. Hostnames and URLs)
• SIP Reports (e.g. Calling Id, Caller Id)
The above is expected to be available in 15.0(1)M on the Cisco ISR-G2. This is an exciting advancement in the NetFlow industry. I hope that the folks behind the sFlow technology are thinking about similar exports. Below is a screen capture of the new SonicWALL VoIP report which includes Caller ID:
If you’re a hardware or software company looking to support Deep Packet Inspection, contact us for IPFIX consulting. We want to work with you.
BTW: If you are a company that is going to implement DPI, export the data using IPFIX. Even Cisco will eventually move away from NetFlow as the transport. I can’t reveal my sources…