NetFlow v9 Overview: NetFlow basics

Welcome to the first installment of our NetFlow v9 Overview, beginning (of course!) with NetFlow basics.

What is NetFlow?

A network flow is defined as a unidirectional sequence of packets between given source and destination endpoints.  Traditional NetFlow uses a 7-tuple of source and destination IP address, transport layer port numbers, IP Protocol, Type of Service (ToS), and the input interface port to uniquely identify flows. Flexible NetFlow (FNF) is a ground-up rewrite of NetFlow which allows the user to customize the NetFlow tuple to include (or exclude) a nearly infinite amount of different fields.

Take this excerpt from Cisco’s Introduction to Cisco IOS NetFlow – A Technical Overview:

“Successfully delivering mission critical, performance sensitive services and applications with NetFlow
NetFlow is an embedded instrumentation within Cisco IOS Software to characterize network operation. Visibility into the network is an indispensable tool for IT professionals. In response to new requirements and pressures, network operators are finding it critical to understand how the network is behaving including:

• Application and network usage
• Network productivity and utilization of network resources
• The impact of changes to the network
• Network anomaly and security vulnerabilities
• Long term compliance issues”

Focusing on the first line – “Successfully delivering mission critical, performance sensitive services and applications with NetFlow”.  Combine the NetFlow exports with the Best In Class NetFlow Solution collecting those flows, and you have the most successful Advanced NetFlow reporting and NetFlow analytics total solution.

NetFlow Versions and Terminology

Keep in mind that Flexible NetFlow (FNF) and (traditional) NetFlow (tNF) are Cisco features.  Whereas v1, v5, v9, v10 / IPFIX are export versions.  We’ll get into IPFIX later.   For now, understand that tNF exports NFv1, NFv5, NFv8, NFv9, and IPFIX, while FNF exports NFv5 and NFv9.

Even non-cisco features export NFv9 and IPFIX.  What I mean by this is that other companies have written NFv9 and IPFIX exporters, so “NFv9” or “IPFIX” doesn’t necessarily mean Cisco (I.e. if someone says they’re using NFv9, it could be coming from umpteen different vendors. Whereas if they’re using tNF or FNF, it’s from cisco).

Now that the terminology is behind us, lets talk about the different versions.  The first implementation of NetFlow, version 1, was first introduced in the 90’s. Then after several other iterations (v2, v3, v4), v5 was released and remained the most popular NetFlow version until NetFlow v9.  NetFlow v9 was standardized in IPFIX, while (traditional) NetFlow was enhanced in FNF.

Benefits of Network Monitoring with NetFlow

• Analyze new applications and their network impact
• Reduction in peak WAN traffic
• Troubleshooting and understanding network pain points
• Detection of unauthorized WAN traffic
• Security and anomaly detection
• Validation of QoS parameters

NetFlow Record Formats

NetFlow record formats have evolved over the introduction of new versions.  NetFlow v5 was and still is awesome but, the number of unique elements (i.e. things exported) is pretty narrow.  NetFlow v9 introduced support for tens of thousands of possible unique elements.

In this series, we’ll start with the NetFlow v5 record format and build on that through this blog series to show how Flexible NetFlow builds on version 9 with enhanced flow export capabilities.  We’ll top this blog series off with a final post on the proposed standard for NetFlow called IPFIX which is sometimes mistakenly called NetFlow v10 which it is not!  We also have plans to digress a bit on the IPFIXify agent which can turn any log file into flow data!

What do you need to get from NetFlow reporting?  Please let us know so we can help you optimize your network management.