Flexible NetFlow – What It Does and Why You Need It

Posted on December 2, 2011 by Petri IT Knowledgebase Team in Cisco with 0 Comments

So, what is Flexible Netflow and why would anyone care? Flexible Netflow is Cisco’s next generation technology that provides richer and more detailed information than the original NetFlow (V5 or V9) did. Let’s take a closer look at why you’d want to deploy Flexible NetFlow.

Why Deploy Flexible NetFlow

Flexible Netflow allows you to gain visibility into Layer 2 (MAC addresses, VLAN ID’s), Layer 3 and Layer 4 and all layers through Layer 7 with deep packet inspection. Combined with Cisco NBAR (Network Based Application Recognition), it also provides deep packet inspection for application identification (like Skype or YouTube)-details not available with traditional NetFlow.

Sponsored

Flexible NetFlow also handles the problems that traditional Netflow has with large flow volumes. You can setup a permanent cache to export all bytes seen and so Flexible Netflow will give you accurate volume numbers without overwhelming your Netflow collector. This eliminates the need for Netflow sampling to reduce router load.

Benefits of Flexible NetFlow

Flexible NetFlow also tracks different applications in different buckets. For instance, security information, traffic analysis, billing and compliance data can be tracked simultaneously and separately. Traditional NetFlow tracked all information in one single cache. Flexible NetFlow provides a new functionality where it can collect security information in one cache, traffic analysis and billing in separate caches. Flexible NetFlow also has the ability to export flow information to multiple collectors. Depending on your network performance vendors, this may or may not be relevant. More importantly, Flexible NetFlow can export interface data (name, alias, descriptions, etc.) natively thus eliminating the need for SNMP (Simple Network Management Protocol).

Flexible Netflow also allows tracking additional IP information like all the fields in the IPv4 and IPv6 header as well as individual TCP flags. This greatly helps in security monitoring and the end-user can export certain (security) sections of a packet for a deep dive. Last, but not least, Flexible Netflow offers three types of flows compared to the one type in traditional NetFlow:

  • normal cache
  • permanent cache
  • immediate cache
The normal cache (which is also what traditional NetFlow offers) uses flow timers to expire/age flows and export to a netflow collector. The permanent cache is configurable and aids in accounting as well as security monitoring. The immediate cache, like the name suggests, lets the end-user export a flow a packet at a time if needed, on demand.
Sponsored

There are several other benefits which are beyond the scope of this article and are still being implemented in production. They include intrusion detection, data warehousing and data mining and forensic packet analysis. It can also help with business specific needs like long term compliance and providing an audit trail.

Sponsored