Welcome to the first installment of our NetFlow v9 Overview, beginning (of course!) with NetFlow basics.

What is NetFlow?

A network flow is defined as a unidirectional sequence of packets between given source and destination endpoints. Traditional NetFlow uses a 7-tuple of source and destination IP addresses, source and destination transport layer port numbers, IP protocol, Type of Service (ToS), and the input interface port to uniquely identify flows. Flexible NetFlow (FNF) is a ground-up rewrite of NetFlow that lets the user customize the NetFlow tuple to include (or exclude) a nearly unlimited number of different fields.
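To make the 7-tuple concrete, here is an added example (not from Cisco or the original post) of a minimal flow cache that aggregates packets by the traditional NetFlow key. The packet dictionaries, addresses and the return_flows helper are constructed for illustration. It shows that the two directions of one TCP conversation are separate flows, and that a change in ToS alone starts a new flow.

```python
from collections import namedtuple

# Traditional NetFlow key: all seven fields must match for two packets
# to be counted in the same flow.
FlowKey = namedtuple(
    "FlowKey", "src_ip dst_ip src_port dst_port protocol tos input_if")

def build_flow_cache(packets):
    """Aggregate packets into unidirectional flows keyed by the 7-tuple."""
    cache = {}
    for pkt in packets:
        key = FlowKey(*(pkt[f] for f in FlowKey._fields))
        entry = cache.setdefault(key, {"packets": 0, "bytes": 0})
        entry["packets"] += 1
        entry["bytes"] += pkt["bytes"]
    return cache

def return_flows(cache, key):
    """Find flows going the opposite way (hypothetical helper).

    ToS and input interface are ignored: the reply normally enters the
    router on a different interface and may carry a different marking.
    """
    wanted = (key.dst_ip, key.dst_port, key.src_ip, key.src_port, key.protocol)
    return [k for k in cache
            if (k.src_ip, k.src_port, k.dst_ip, k.dst_port, k.protocol) == wanted]

def make_packet(src_ip, src_port, dst_ip, dst_port, tos, input_if, size):
    return dict(src_ip=src_ip, dst_ip=dst_ip, src_port=src_port,
                dst_port=dst_port, protocol=6, tos=tos,
                input_if=input_if, bytes=size)

# Constructed sample traffic: one HTTPS conversation seen by one router.
SAMPLE_PACKETS = [
    make_packet("10.0.0.5", 51000, "192.0.2.10", 443, 0, 1, 60),
    make_packet("192.0.2.10", 443, "10.0.0.5", 51000, 0, 2, 60),
    make_packet("10.0.0.5", 51000, "192.0.2.10", 443, 0, 1, 517),
    make_packet("192.0.2.10", 443, "10.0.0.5", 51000, 0, 2, 1460),
    make_packet("10.0.0.5", 51000, "192.0.2.10", 443, 0, 1, 52),
    # Same addresses and ports, but ToS 184 (DSCP EF): a different flow.
    make_packet("10.0.0.5", 51000, "192.0.2.10", 443, 184, 1, 52),
]

if __name__ == "__main__":
    for key, counters in build_flow_cache(SAMPLE_PACKETS).items():
        print(key, counters)
```

Six packets of one conversation produce three flow entries, which is why a collector has to pair the forward and return flows itself to get a bidirectional view.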

Take this excerpt from Cisco’s Introduction to Cisco IOS NetFlow – A Technical Overview:

“Successfully delivering mission critical, performance sensitive services and applications with NetFlow
NetFlow is an embedded instrumentation within Cisco IOS Software to characterize network operation. Visibility into the network is an indispensable tool for IT professionals. In response to new requirements and pressures, network operators are finding it critical to understand how the network is behaving including:

  • Application and network usage
  • Network productivity and utilization of network resources
  • The impact of changes to the network
  • Network anomaly and security vulnerabilities
  • Long term compliance issues”

Focus on the first line: “Successfully delivering mission critical, performance sensitive services and applications with NetFlow”. Combine the NetFlow exports with the Best In Class NetFlow Solution collecting those flows, and you have the most successful Advanced NetFlow reporting and NetFlow analytics total solution.

NetFlow Versions and Terminology

Keep in mind that Flexible NetFlow (FNF) and (traditional) NetFlow (tNF) are Cisco features, whereas v1, v5, v9 and v10 / IPFIX are export versions. We’ll get into IPFIX later. For now, understand that tNF exports NFv1, NFv5, NFv8, NFv9, and IPFIX, while FNF exports NFv5 and NFv9.

Even non-Cisco features export NFv9 and IPFIX. What I mean by this is that other companies have written NFv9 and IPFIX exporters, so “NFv9” or “IPFIX” doesn’t necessarily mean Cisco (i.e. if someone says they’re using NFv9, it could be coming from umpteen different vendors, whereas if they’re using tNF or FNF, it’s from Cisco).

Now that the terminology is behind us, let’s talk about the different versions. The first implementation of NetFlow, version 1, was introduced in the 1990s. Then, after several other iterations (v2, v3, v4), v5 was released and remained the most popular NetFlow version until NetFlow v9. NetFlow v9 was standardized in IPFIX, while (traditional) NetFlow was enhanced in FNF.

 

Version  Comment
v1       First implementation, now obsolete, and restricted to IPv4 (without IP mask and AS numbers).
v2       Cisco internal version, never released.
v3       Cisco internal version, never released.
v4       Cisco internal version, never released.
v5       Most common version, available (as of 2009) on many routers from different brands, but restricted to IPv4 flows.
v6       No longer supported by Cisco. Encapsulation information (?).
v7       Like version 5 with a source router field. Used (only?) on Cisco Catalyst switches.
v8       Several aggregation forms, but only for information that is already present in version 5 records.
v9       Template based, available (as of 2009) on some recent routers. Mostly used to report flows like IPv6, MPLS, or even plain IPv4 with BGP nexthop.
v10      aka IPFIX, IETF-standardized NetFlow 9 with several extensions like enterprise-defined field types and variable-length fields.

Benefits of Network Monitoring with NetFlow

  • Analyze new applications and their network impact
  • Reduction in peak WAN traffic
  • Troubleshooting and understanding network pain points
  • Detection of unauthorized WAN traffic
  • Security and anomaly detection
  • Validation of QoS parameters

NetFlow Record Formats

NetFlow record formats have evolved with the introduction of new versions. NetFlow v5 was and still is awesome, but the number of unique elements (i.e. things exported) is pretty narrow. NetFlow v9 introduced support for tens of thousands of possible unique elements.

In this series, we’ll start with the NetFlow v5 record format and build on that to show how Flexible NetFlow builds on version 9 with enhanced flow export capabilities. We’ll top the series off with a final post on the proposed standard for NetFlow called IPFIX, which is sometimes mistakenly called NetFlow v10, which it is not! We also have plans to digress a bit on the IPFIXify agent, which can turn any log file into flow data!

What do you need to get from NetFlow reporting?  Please let us know so we can help you optimize your network management.

Joanne Ghidoni

Joanne is a Software Quality Assurance Engineer at Plixer. She has also held positions as Technical Support Engineer and Sales Engineer since joining Plixer in 2005. Prior to joining Plixer, Joanne has had numerous positions in the IT field, including data entry, computer operator, PC coordinator and support, mainframe programmer, and also Technical Support and web programmer at Cabletron Systems. In her spare time, Joanne enjoys traveling, always seeking out new and interesting places to visit.
