Netflow is a popular network protocol developed by Cisco for the purpose of monitoring and recording traffic as it flows into and out of an interface. The Netflow datagram holds information such as source IP addresses, destination IP addresses, IP service type, and IP Protocol.
By using Netflow as a network traffic analyzer, IT professionals can determine the origin, destination, volume, and network paths of traffic. Netflow is the predecessor of the Simple Network Management Protocol (SNMP), which lacked the power to provide insight into bandwidth use.
How Netflow Works
Netflow works by using three main components: a flow exporter, a flow collector, and a flow analyzer.
The flow exporter is a networking device that collects flow information and exports it to a flow collector.
The flow collector is a device or appliance that receives exported flow information from the flow exporter.
A flow analyzer is an application that analyzes the resulting flow information in the context of use cases such as network intrusion detection or traffic profiling.
The process of generating Netflow data starts as soon as a packet is received. The device scans for the packet's 5-tuple (source IP, destination IP, protocol, source port, and destination port) in a table of recently seen flows known as the flow cache.
If the 5-tuple is already present, the matching cache entry is updated by incrementing its packet count by one. If the flow is missing from the cache, the packet belongs to a previously unseen flow, so a new entry is added to the table. The process by which a cache entry is exported to the flow collector is referred to as flow expiration.
Flow expiration happens in two scenarios, namely the inactive timeout and the active timeout. With the active timeout, a flow that remains active for a set period expires and is exported even though packets are still arriving. With the inactive timeout, if no packets are seen for a set period, the flow is assumed to be complete and therefore expires.
After the flow collector receives the exported flow entry, it forwards the entry to the flow analyzer, which analyzes it and generates the relevant insight.
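The flow-cache process described above (5-tuple lookup, counter update, and expiration by active or inactive timeout) as a small simulation; this is an added example, not code from any Cisco device or NetFlow tool, and the timeout values, addresses and the `FlowCache` class are constructed for illustration:

```python
from dataclasses import dataclass

# Constructed timeouts for the simulation (not Cisco defaults).
ACTIVE_TIMEOUT = 60.0    # seconds a long-lived flow may sit in the cache before export
INACTIVE_TIMEOUT = 15.0  # seconds without packets before the flow is assumed complete

@dataclass
class FlowEntry:
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0

class FlowCache:
    """Hypothetical flow cache keyed by the 5-tuple (src_ip, dst_ip, proto, sport, dport)."""

    def __init__(self):
        self.cache = {}      # 5-tuple -> FlowEntry
        self.exported = []   # records handed to the collector, in export order

    def observe(self, five_tuple, size, now):
        """Account one received packet, then run flow expiration."""
        entry = self.cache.get(five_tuple)
        if entry is None:
            # 5-tuple not in the cache: a previously unseen flow gets a new entry
            self.cache[five_tuple] = FlowEntry(first_seen=now, last_seen=now,
                                               packets=1, bytes=size)
        else:
            # known flow: bump the packet counter (and byte counter) on the entry
            entry.packets += 1
            entry.bytes += size
            entry.last_seen = now
        return self.expire(now)

    def expire(self, now):
        """Flow expiration: export entries whose active or inactive timer has fired."""
        exported_now = []
        for key, entry in list(self.cache.items()):
            active_deadline = entry.first_seen + ACTIVE_TIMEOUT
            inactive_deadline = entry.last_seen + INACTIVE_TIMEOUT
            if now < min(active_deadline, inactive_deadline):
                continue  # neither timer has fired yet
            reason = "inactive" if inactive_deadline <= active_deadline else "active"
            record = (key, entry.packets, entry.bytes, reason)
            exported_now.append(record)
            self.exported.append(record)  # handed to the flow collector
            del self.cache[key]
        return exported_now
```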
Why Use Netflow?
Netflow has many beneficial applications, but the main ones include:
- Improved Network Visibility
- Bandwidth Utilization and Capacity planning optimization
- QoS Parameter Validation
- Increased Security awareness
- Enabling of Root Cause Diagnosis
- Identifying bottlenecks that need fixing
- Unauthorized WAN traffic detection
- Maximum utilization of network resources
Despite being superior in functionality to the Simple Network Management Protocol (SNMP) and other technologies, NetFlow has two major drawbacks that IT professionals should be aware of. Not only do Netflow-enabled Cisco devices export two flows, but they also have limited visibility when it comes to routed traffic. This leaves your network administrators blind to the VLAN and LAN communications that exist within the organization. The risk of overtaxing the infrastructure is also not something you can eliminate.