As network administrators are looking to use NetFlow for more visibility on their network, they often have to decide what NetFlow version they need enabled on routers/switches. Several times, these past few weeks, I was asked the difference between NetFlow v5 and v9. That is why in this blog, I intend to give you just enough information to make your choice between the two versions quick and easy, especially if you are using our NetFlow and sFlow Analyzer.
WHAT DO V5 AND V9 OFFER?
The information you want visibility into often dictates whether v5 or v9 should be exported. If you are simply interested in knowing things such as who is causing the most traffic, who they are talking with, where they are on the network, as well as how much data they transferred and for how long, v5 might do it for you. V9, on the other hand, not only offers what you already have in v5, but also:
- Source and Destination MAC addresses
- IPv6 support
- Improved details on VLANs and MPLS connections
- Flow sampling
- Interface Name and Description (usually requires SNMP)
- Egress Flow and more
CONFIGURATION
If your version of Cisco IOS supports NetFlow, use the following commands to enable flow exports on each physical interface you are interested in collecting flows from; VLANs and Tunnels are included automatically.
NetFlow v5:
ip route-cache flow
NetFlow v9:
ip flow ingress (can also be used to enable NetFlow version 5)
ip flow egress
BEST PRACTICES
- Use v9 when you want to monitor a specific interface on your router. v5 is ingress only, which means the router only collects traffic that is inbound to an interface. To display outbound traffic with NetFlow v5, the NetFlow analysis tool uses the egress interface information from flows exported on all interfaces. This is sort of weird, but it works great in most cases. However, v9 can be used for both ingress and egress. By configuring NetFlow v9, your NetFlow Analyzer will give you a better report on broadcast and compressed traffic.
- Use v9 when you are interested in looking at changes in DSCP values. For example, a flow that enters interface 1 of the router with a DSCP value of 10 could be modified and then exit on interface 2 with a DSCP value of 14. With NetFlow v5, you would have to look at the downstream router to see the DSCP change. Read up on implementing quality of service policies with DSCP to learn more.
- If you intend to export NetFlow v5 and you are using our NetFlow reporting interface, please make sure NetFlow is enabled on all physical interfaces.
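To make the two v5 limitations above concrete, here is an added example (not code from this post or from the analyzer) that decodes a NetFlow v5 export datagram with the fixed 24-byte header and 48-byte records, reconstructs outbound volume per interface by grouping on each flow's output ifIndex, and pulls DSCP out of the single ToS byte. The sample datagram is constructed inline; the flow values and interface numbers are assumptions chosen to mirror the DSCP 10 / 14 scenario.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire layout (big-endian) as documented by Cisco.
V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
RECORD_FIELDS = ("src", "dst", "nexthop", "input_if", "output_if", "packets",
                 "octets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "proto", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram (version=%d)" % version)
    need = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < need:   # header count and payload disagree: reject, do not guess
        raise ValueError("truncated: %d records announced, %d bytes needed" % (count, need))
    flows = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        f = dict(zip(RECORD_FIELDS, raw))
        f["src"] = str(IPv4Address(f["src"]))
        f["dst"] = str(IPv4Address(f["dst"]))
        f["dscp"] = f["tos"] >> 2   # v5 carries one ToS byte; DSCP is its top 6 bits
        flows.append(f)
    return flows

def egress_bytes_by_interface(flows):
    """v5 is ingress-only, so per-interface outbound volume is rebuilt by
    summing every exported flow on its *output* ifIndex (what the analyzer does)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["output_if"]] += f["octets"]
    return dict(totals)

def build_record(src, dst, in_if, out_if, pkts, octets, tos=0, proto=6, sport=0, dport=0):
    """Pack one constructed v5 record (helper for the sample below)."""
    return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                          in_if, out_if, pkts, octets, 0, 1000, sport, dport,
                          0, 0x18, proto, tos, 0, 0, 24, 24, 0)

# Constructed sample: two flows entering on ifIndex 1 and 3, both leaving via ifIndex 2.
SAMPLE = (V5_HEADER.pack(5, 2, 1000, 1700000000, 0, 1, 0, 0, 0)
          + build_record("10.0.0.5", "192.0.2.10", 1, 2, 10, 1500, tos=0x28, dport=443)
          + build_record("10.0.1.7", "192.0.2.20", 3, 2, 4, 600, tos=0x38, dport=80))
```

Feed real collector captures to parse_v5() to see that every flow carries only the ingress-side ToS, which is why a DSCP rewrite between interface 1 and 2 is invisible in v5 until the next router reports it.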
CONCLUSION
V5 and V9 might become archaic in a few years. Now you hear more about Flexible NetFlow which allows for a more selective export of flow information and is useful for such things as targeted NetFlow billing in large scale service provider networks.
Also, several vendors have already adopted IPFIX (e.g. SonicWALL, nBox, Juniper, etc.) which is the proposed flow export standard. With the recent release of IOS 15.x, you get video performance reporting information, which means NetFlow can be used to export details on such things as jitter, packet loss and latency. Imagine reporting on VoIP and your business applications with this additional new information!
Please let me know if you have any questions.