Let's say you want to begin collecting historical data about the network traffic flowing across your network. Perhaps you want to create charts and graphs of network utilization over time, maybe you want to charge back departments that are using the most network traffic, or maybe you just want to monitor link utilization over time.
If any of these network accounting scenarios sound appealing, you should familiarize yourself with Cisco's NetFlow technology. Let's take a closer look.
What is NetFlow?
NetFlow is a proprietary Cisco protocol, and all current Cisco routers and switches support this protocol. These devices record all traffic that traverses the network links and send detailed information concerning that traffic to a NetFlow collector using UDP packets.
NetFlow is the new standard for network traffic analysis; SNMP management just isn't sufficient anymore. Using NetFlow, you can see the utilization on a router—as well as the traffic that's causing the utilization.
What exactly defines a "flow"? According to Cisco, a flow is a unidirectional sequence of packets that share the following pieces of information:
- Source IP address
- Destination IP address
- Source port number
- Destination port number
Because there are five components required to define a flow, Cisco calls this the 5-tuple (quintuple) traffic definition. Specific uses for NetFlow include network monitoring, application monitoring, user monitoring, network planning, security analysis, accounting and billing, and network traffic data warehousing and mining.
What's a NetFlow collector?
While it's great to be able to collect all of this data, you really want to be able to do more than that. To fully take advantage of the information, you need to actually analyze the statistics.
The first step is retrieval. How can you retrieve all of this important gathered data? Enter the NetFlow collector. This is a PC/server system that sits on the network and collects all of the data sent by the routers and switches.
To collect and analyze this data, you also need software. There are plenty of NetFlow applications available at a range of prices. It all depends on what you want to do and how many devices you have.
One example of an application that uses NetFlow is the Cisco Security Monitoring, Analysis and Response System (MARS). Using the NetFlow data obtained from network devices, MARS watches the network and responds to security events.
Cisco offers a list of third-party NetFlow applications on its Web site. In addition, it also lists freeware NetFlow software. One of the lesser expensive NetFlow application is PRTG. You can use NetFlow with PRTG for about $400—$250 for the enterprise license and $150 per NetFlow device.
Does my router have NetFlow capabilities?
If you're wondering whether you can use NetFlow on your existing router or switch, you can use the Cisco Feature Navigator to determine which IOS is required. However, in general, to determine whether a device already has NetFlow, you can use the ip flow? command while in Global Configuration Mode. Here's an example:
Router# conf t Enter configuration commands, one per line. End with CNTL/Z. Router(config)# ip flow? flow-aggregation flow-cache flow-export Router(config)# ip flow
If you see options like those listed above, your device should have the ability to send NetFlow data to a NetFlow collector. For more information, check out Cisco's Configuring NetFlow documentation.
For more information, check out Cisco's NetFlow Web page, which features an animated overview of how NetFlow works. For more in-depth technical information on NetFlow, check out Cisco's NetFlow Services Solutions Guide.
Are you using NetFlow? If so, which collector do you use? Share your NetFlow experiences in this article's discussion.
Miss a column?
Check out the Cisco Routers and Switches Archive, and catch up on David Davis' most recent columns.
Want to learn more about router and switch management? Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!
David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.