
NetFlow Collection

High volume NetFlow Collection usually can’t be attained by simply placing the NetFlow collector on beefier hardware. It requires understanding of the protocol, the preprocessing necessary to meet the demands of the front end, tweaking memory, optimizing database settings and of course powerful hardware.

The collection of flows is essentially a wait technology. With NetFlow v5 this isn't a big deal because there are no templates involved: the collector sits listening on UDP ports 2055, 2056, 9996, 6343, etc., waiting for a flow to come in, and it knows exactly how to decode it.  With NetFlow v9 and IPFIX, the collector doesn't know how to decipher what it is about to receive.  For this reason, as NetFlow v9 and IPFIX flows come in, they are either cached or, more likely, dropped until a template is received.  This is why, in a Flexible NetFlow configuration, the person configuring the export should specify "template data timeout 60", which ensures that a template is exported every 60 seconds.  Once a template is received, the collector updates its memory on how to decipher the incoming flows and decoding on the collector commences.  Some collectors perform better when collecting NetFlow v5 than one of the more recent versions that involve flow templates.
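To show what "the collector doesn't know how to decipher what it is about to receive" means in practice, here is an added example (not code from the original post or from any vendor's collector) of a minimal NetFlow v9 decoder that caches templates per exporter and drops data FlowSets whose template has not yet arrived. The datagrams, the exporter source ID, template ID 256 and all addresses are constructed for the demo.

```python
import struct
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 8: "IPV4_SRC_ADDR", 12: "IPV4_DST_ADDR"}  # RFC 3954 field types decoded here
class V9Collector:
    """Caches templates per (source_id, template_id); data FlowSets that arrive before their template are dropped."""
    def __init__(self):
        self.templates, self.flows, self.dropped = {}, [], 0
    def feed(self, datagram):
        version, count, _uptime, _secs, _seq, src_id = struct.unpack("!HHIIII", datagram[:20])
        assert version == 9, "not a NetFlow v9 datagram"
        off = 20
        while off + 4 <= len(datagram):
            fs_id, fs_len = struct.unpack("!HH", datagram[off:off + 4])
            body = datagram[off + 4:off + fs_len]
            if fs_id == 0:                       # template FlowSet
                self._load_templates(src_id, body)
            elif fs_id > 255:                    # data FlowSet; its id names the template
                self._decode_data(src_id, fs_id, body)
            off += fs_len
        return count                             # records the exporter says this datagram holds
    def _load_templates(self, src_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, n = struct.unpack("!HH", body[off:off + 4])
            self.templates[(src_id, tid)] = [struct.unpack("!HH", body[off + 4 + 4 * i:off + 8 + 4 * i]) for i in range(n)]
            off += 4 + 4 * n
    def _decode_data(self, src_id, tid, body):
        fields = self.templates.get((src_id, tid))
        if fields is None:                       # template not seen yet: cannot decode, so drop
            self.dropped += 1
            return
        rec_len, off = sum(flen for _, flen in fields), 0
        while off + rec_len <= len(body):        # anything shorter than a record is padding
            rec, pos = {}, off
            for ftype, flen in fields:
                raw, pos = body[pos:pos + flen], pos + flen
                name = FIELD_NAMES.get(ftype, ftype)
                rec[name] = ".".join(map(str, raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
            self.flows.append(rec)
            off += rec_len
# Constructed exporter output: template 256 = src addr, dst addr, bytes, packets (4 bytes each)
_hdr = lambda count, seq: struct.pack("!HHIIII", 9, count, 1000, 1700000000, seq, 1)
_rec = lambda s, d, b, p: bytes(map(int, s.split("."))) + bytes(map(int, d.split("."))) + struct.pack("!II", b, p)
TEMPLATE_FS = struct.pack("!HHHH", 0, 24, 256, 4) + struct.pack("!8H", 8, 4, 12, 4, 1, 4, 2, 4)
DATA_FS = struct.pack("!HH", 256, 36) + _rec("10.0.0.5", "192.0.2.10", 1500, 10) + _rec("10.0.0.6", "192.0.2.11", 800, 4)
def run_demo():
    """Data arrives before the template (lost), then the template, then data again (decoded)."""
    c = V9Collector()
    for d in (_hdr(2, 1) + DATA_FS, _hdr(1, 2) + TEMPLATE_FS, _hdr(2, 3) + DATA_FS):
        c.feed(d)
    return c
```

The first data datagram is counted in `dropped` even though the exporter's header said it carried two records, which is exactly the gap a short template timeout is meant to close.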

Measuring Flow Collection
Remember that a single flow datagram contains one or more flows.  Typically 24-30 flows are exported per NetFlow or IPFIX datagram; however, more or fewer are possible.  If one of the primary objectives is a faster collector, the number to pay attention to is flows per second.  Still, some vendors like to tout flows per minute.  In either case, make sure you know what was being collected during the test.

Most lower cost software-based NetFlow collection systems are able to collect between 10,000 and 40,000 flows per second. What makes a flow collector fast? Well written code, minimal preprocessing of flows and fast hardware.  Minimal preprocessing of flows is the goal of many flow software programmers.  Unfortunately, when some vendors publish numbers crowing about exceptional collection rates, they were measured with NetFlow v5 and with all preprocessing turned off during the stress test.

Preprocessing is part of the magic that sets competitors apart in the flow business. It sometimes performs routines such as constantly calculating the top interfaces, watching for missed flow sequence numbers, network behavior analysis, determining and saving application classifications, and breaking up the flows into multiple tables.  What preprocessing is being done, and why, is a good question to ask because it could affect your purchasing decision.

Flow Exports are Growing
Today we estimate that over 90% of companies aren't capable of sending greater than 100,000 flows per second even with flow technology enabled on everything on the network. This is a statistic to keep in mind. Our NetFlow collector is capable of well over this number with a very high degree of accuracy (i.e. nothing dropped).

As the newer flow technologies with additional details start being exported from existing routers, flow export rates will increase and collection rates will need to keep pace. Cisco recently announced the ability to export URLs in IPFIX via a technology called Application Visibility and Control.  This element will certainly increase the amount of disk space needed and may have a negative impact on the flow collection rates of some NetFlow collection solutions.

Application Visibility and Control
The Cisco Application Visibility and Control (AVC) solution is a suite of services in Cisco network devices that provides application-level classification, monitoring, and traffic control to improve business-critical application performance.  It is available on Cisco Integrated Services Routers Generation 2 (ISR G2), Cisco ASR 1000 Series Aggregation Service Routers (ASR 1000s), and Cisco Wireless LAN Controllers. The Cisco AVC Solution helps you:

  • Identify and classify over 1,000 applications
  • Monitor basic flow statistics, response time, latency, jitter, and other performance metrics by application
  • Export application performance metrics to your network management software using NetFlow version 9 or IP Flow Information Export (IPFIX)
  • Set different QoS priorities based on application
  • Dynamically choose network paths based on performance

Exporting AVC NetFlow will cause a higher volume of flows back to your NetFlow collector. In our tests when we exported nearly everything possible with Cisco AVC, we saw only 4 flows per IPFIX datagram.

NetFlow Deduplication
A connection between two end systems often traverses one or more switches and routers. When this occurs, a similar flow will be exported one or more times to the collector in the same minute. When calculating the top applications, hosts, protocols, etc. on the network, the data must be deduplicated to ensure that volume reports are accurate, since the same flow could be exported by multiple routers. The original data should also be saved for future analysis such as ToS (DSCP) changes, TTL problems, next-hop issues, MAC address investigations, etc.  Scrutinizer still saves 100% of all data, as threat detection on deduplicated data is not as reliable without the original flows.

Flow Stitching
Communications on networks are recorded in one direction into a flow. The replies are recorded in a second flow. When looking at traffic on a single router or switch and trying to understand the traffic host A sent to host B and vice versa, both flows must be taken into account. The flows must be stitched together in order to display the communication in a bidirectional format. A problem found in one direction may not occur in the reverse. This is especially true with VoIP. Flow stitching ensures that we see both sides of the communication. Our NetFlow collector allows you to follow the flow and the respective changes end to end, allowing you to perform root cause analysis.
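As an added illustration of the deduplication and stitching steps described in the two sections above (example code, not Scrutinizer's or any other vendor's implementation), the following keeps the raw records untouched, deduplicates on the minute plus 5-tuple for volume reports, stitches each reply to its request into one bidirectional record, and shows why the originals are still needed. Exporter addresses, flows and DSCP values are constructed; treating the first direction seen as the initiator is an assumption (real collectors use TCP flags or well-known ports).

```python
from collections import defaultdict, namedtuple
Flow = namedtuple("Flow", "exporter minute src sport dst dport proto nbytes dscp")
# Constructed records: one client->server flow and its reply, each exported by two
# routers on the path (10.1.1.1 and 10.1.1.2), plus a flow for which no reply was seen.
FLOWS = [
    Flow("10.1.1.1", 0, "10.0.0.5", 51000, "192.0.2.10", 443, 6, 1500, 0),
    Flow("10.1.1.2", 0, "10.0.0.5", 51000, "192.0.2.10", 443, 6, 1500, 46),  # DSCP rewritten at hop 2
    Flow("10.1.1.1", 0, "192.0.2.10", 443, "10.0.0.5", 51000, 6, 9000, 0),
    Flow("10.1.1.2", 0, "192.0.2.10", 443, "10.0.0.5", 51000, 6, 9000, 0),
    Flow("10.1.1.1", 0, "10.0.0.6", 51001, "192.0.2.11", 80, 6, 400, 0),
]

def key(f):
    """Minute bucket plus 5-tuple; the same key from different exporters is a duplicate."""
    return (f.minute, f.src, f.sport, f.dst, f.dport, f.proto)

def deduplicate(flows):
    """One record per key for volume reports; the raw list is left untouched."""
    unique = {}
    for f in flows:
        unique.setdefault(key(f), f)
    return list(unique.values())

def top_hosts(flows):
    """Bytes per source host over deduplicated flows, so nothing is counted twice."""
    totals = defaultdict(int)
    for f in deduplicate(flows):
        totals[f.src] += f.nbytes
    return dict(totals)

def stitch(flows):
    """Pair each A->B flow with its B->A reply into one bidirectional record.
    Assumption: the first direction seen is treated as the initiator."""
    conv = {}
    for f in deduplicate(flows):
        reverse = (f.minute, f.dst, f.dport, f.src, f.sport, f.proto)
        if reverse in conv:
            conv[reverse]["bytes_reply"] = f.nbytes
        else:
            conv[key(f)] = {"client": f.src, "server": f.dst, "port": f.dport,
                            "bytes_sent": f.nbytes, "bytes_reply": None}
    return list(conv.values())

def dscp_changes(flows):
    """Why the originals are kept: only the raw records reveal a DSCP rewrite between hops."""
    marks = defaultdict(set)
    for f in flows:
        marks[key(f)].add(f.dscp)
    return [k for k, seen in marks.items() if len(seen) > 1]
```

Running `top_hosts` over the raw list instead of the deduplicated one would report 3000 bytes for 10.0.0.5, double the real volume, while `dscp_changes` only works because the raw list was kept.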

Distributed NetFlow Collection
Getting the data from the NIC to the hard drive can be a significant obstacle for many flow collection vendors.  Fast hardware, namely multiple 15,000 RPM or faster hard drives in a RAID 0 or RAID 10 configuration, generally leads to the best collection rates.

In order to gain a competitive edge, vendors sometimes claim magnificent collection rates into the millions of flows per second.  These rates are accumulated by deploying multiple collectors (i.e. distributed NetFlow collection) and adding up their individual collection capacities. Consumers should make sure they know the limitations of a single collector.

When evaluating NetFlow collection solutions, real world sustained collection rates should be obtained by talking directly with customer references.