
NetFlow V9 Overview: Cisco routers that support NetFlow

In Part 6 of our NetFlow V9 overview series, I will be talking about the Cisco routers that support NetFlow and the IOS releases you need to have deployed to get NetFlow configured.

In this blog series we have seen how the NetFlow packets are delivered to the collector and what is contained within each packet. Now let’s take a look at the devices that we can export flows from. While the focus has been on Cisco devices, many new vendors have come on board with new template exports using NetFlow v9 or IPFIX that drastically enhance what was seen with NetFlow v5.

Here is a list of some Cisco devices that support NetFlow and whether they can be configured with traditional, Flexible NetFlow, or both.

[table id=12 /]

As this series has progressed, we have talked about how the NetFlow v9 format is superior to NetFlow v5 because it allows us to define what we want to export. Although most of what is defined is decided by the hardware vendor, some vendors such as Cisco and Dell-SonicWALL provide a front end to specify what we want to export. Cisco provides Flexible NetFlow to allow admins to define what ‘information elements’ they want to export (e.g. MAC address, VLAN, URL) and SonicWALL provides a web GUI.

Cisco uses Flexible NetFlow to export NetFlow v9 or, as we saw in the new AVC NetFlow support, we can also leverage Flexible NetFlow to export IPFIX. Dell-SonicWALL supports both as well. Enterasys Networks is another vendor that allows us to choose between NetFlow v9 and v5. Keep in mind that although these vendors allow us to export almost whatever we want, very few vendors allow us to report on these new elements without waiting for the NetFlow reporting vendor to come out with a new version. Even then, they may decide not to support the new element.

Our IPFIX and Cisco NetFlow analyzer allows vendors to report on new elements immediately.

In the “NetFlow V5 vs V9” blog linked above, Mike Patterson stated, “Because of the additional overhead involved with exporting the new version, the volume of flows exported in a single datagram dropped from 30 in NetFlow v5 to 24 in NetFlow v9.”

Following up on that statement, Andrew Feren, a lead software developer at Plixer International, replied, “This is only about 1/2 true and depends on what you mean when you say ‘overhead’. The number of records drops mainly because the bytes in each flow are longer. If you look at the screenshot from a Wireshark packet capture below you can see that many packets have 30 flows and in one case 31. For short flows I have seen many more than 30 flows in a given packet. The 30 flow limit is driven more by a desire to stay under the 1500 byte typical MTU.”

Wireshark: NetFlow Packet Capture

To spin this as an advantage for NetFlow v9 or IPFIX: if your v5 export is sending zeros for fields that you don’t have information about, and you don’t export those fields in v9, you may actually end up with more flows per packet.
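The arithmetic behind the flows-per-packet discussion above, as an added example (not code from the original post or from Plixer): it reads a v9 template to get the record length, counts the records in an export packet, and computes how many records fit under a 1500-byte MTU. The template ID, the seven-field record, the sample packet and the option-free IPv4/UDP header sizes are assumptions made for illustration.

```python
import struct

V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
FLOWSET_HDR = struct.Struct("!HH")    # flowset_id, length (length includes this header)

def count_records(packet, templates):
    """Count data records in one NetFlow v9 export packet.

    templates maps template_id -> record length in bytes and is updated
    from any template flowsets (flowset_id 0) found in the packet.
    """
    if len(packet) < V9_HEADER.size or V9_HEADER.unpack_from(packet)[0] != 9:
        raise ValueError("not a NetFlow v9 export packet")
    offset, records = V9_HEADER.size, 0
    while offset + FLOWSET_HDR.size <= len(packet):
        fs_id, fs_len = FLOWSET_HDR.unpack_from(packet, offset)
        if fs_len < FLOWSET_HDR.size or offset + fs_len > len(packet):
            raise ValueError("flowset length runs outside the packet")
        body = packet[offset + FLOWSET_HDR.size:offset + fs_len]
        pos = 0
        while fs_id == 0 and pos + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, pos)
            end = pos + 4 + 4 * nfields
            if tid < 256 or end > len(body):
                break  # padding or a truncated template: stop, do not guess
            pairs = struct.unpack_from("!%dH" % (2 * nfields), body, pos + 4)
            templates[tid] = sum(pairs[1::2])  # odd slots are the field lengths
            pos = end
        if fs_id > 255 and templates.get(fs_id):
            # Up to 3 padding bytes may trail the records; floor division
            # drops them as long as a record is longer than 3 bytes.
            records += len(body) // templates[fs_id]
        offset += fs_len
    return records

def max_records(record_len, mtu=1500):
    """Records that fit in one datagram: MTU minus IPv4 (20), UDP (8), v9 and flowset headers."""
    return (mtu - 20 - 8 - V9_HEADER.size - FLOWSET_HDR.size) // record_len

# Constructed sample: template 256 with seven (type, length) fields, 21 bytes per record:
# IPV4_SRC_ADDR, IPV4_DST_ADDR, L4_SRC_PORT, L4_DST_PORT, PROTOCOL, IN_BYTES, IN_PKTS.
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]

def build_packet(n):
    """Build a constructed export packet: one template flowset plus n zeroed data records."""
    tmpl = struct.pack("!HH", 256, len(FIELDS)) + b"".join(struct.pack("!HH", *f) for f in FIELDS)
    data = bytes(21 * n)
    data += bytes(-(len(data) + 4) % 4)  # pad the data flowset to a 32-bit boundary
    return (V9_HEADER.pack(9, n + 1, 0, 0, 1, 0)
            + FLOWSET_HDR.pack(0, 4 + len(tmpl)) + tmpl
            + FLOWSET_HDR.pack(256, 4 + len(data)) + data)
```

With these assumptions a 48-byte record (the size of a NetFlow v5 record) gives 30 records per datagram, while the 21-byte constructed record gives 68, which is the "short flows, more per packet" effect described above.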

Do you need help getting Flexible NetFlow or IPFIX configured so you can optimize your network management efforts and gain valuable insight into network anomalies and router security?