Caligare home | What's Netflow | Formats | RFC | Configuration | Applications | Links | Netflow Forum

What is Netflow?

NetFlow evolved as a caching technique. To speed up network flows (source IP, source port, destination IP, destination port) and Layer 3 switching in the presence of access lists, the Cisco router and switch caches were re-organized based on the flow information. As this code became more efficient, a side benefit was the collection of useful flow statistics, without too severe a performance penalty. Even with CEF (Cisco Express Forwarding) for rapid Layer 3 switching, NetFlow caching can apparently still enhance performance of longer access lists (more than 10 to 25 entries or so), Policy Routing, and perhaps other features "NetFlow feature acceleration". But there is also real benefit to the reporting data it provides.

So there are two reasons you might be using NetFlow: to speed certain access list uses up, or to collect data.

Typical uses for this data: tracking what kind of traffic is entering or exiting an ISP or corporate network, tracking traffic flows between BGP Autonomous Systems (AS's), or enterprise network regions, etc. Lately several third parties are providing billing software, so that IP Service Providers can bill customers for the data sent or bandwidth used.

The way that NetFlow reports statistics is by flow export. As cache entries expire (or are actively expired by an algorithm), the packet/byte count data for the unidirectional flow is exported to a collector station(s).

NetFlow operates by creating a NetFlow cache entry that contains the information for all active flows. The NetFlow cache is built by processing the first packet of a flow through the standard switching path. A flow record is maintained within the NetFlow cache for each active flow. Each flow record in the NetFlow cache contains key fields that can be later used for exporting data to a collection device. Each flow record is created by identifying packets with similar flow characteristics and counting or tracking the packets and bytes per flow. The flow details or cache information is exported to a flow collector server(s) periodically based upon flow timers. The collector contains a history of flow information that was switched within Cisco device. NetFlow is very efficient, the amount of export data being about 1.5 percent of the switched traffic in the router. NetFlow accounts for every packet (non-sampled mode) and provides a highly condensed and detailed view of all network traffic that entered the router or switch.

The key to NetFlow-enabled switching scalability and performance is highly intelligent flow cache management, especially for densely populated and busy edge routers handling large numbers of concurrent, short duration flows. The NetFlow cache management software contains a highly sophisticated set of algorithms for efficiently determining if a packet is part of an existing flow or should generate a new flow cache entry. The algorithms are also capable of dynamically updating per-flow accounting measurements residing in the NetFlow cache, and cache aging/flow expiration determination.

Rules for expiring NetFlow cache entries include:

  • Flows which have been idle for a specified time are expired and removed from the cache.
  • Long lived flows are expired and removed from the cache. (Flows are not allowed to live more than 30 minutes by default; the underlying packet conversation remains undisturbed.)
  • As the cache becomes full a number of heuristics are applied to aggressively age groups of flows simultaneously.
  • TCP connections which have reached the end of byte stream (FIN) or which have been reset (RST) are expired with small delay.

Expired flows are grouped together into "NetFlow export" datagrams for export from the NetFlow enabled device. NetFlow export datagrams can consist of up to 30 flow records for version 5 or version 9 flow export. NetFlow functionality is configured on a per-interface basis. To configure NetFlow export capabilities, you need to specify the IP address and application port number of the Cisco NetFlow or third-party flow collector. The flow collector is a device that provides NetFlow export data filtering and aggregation capabilities.

NetFlow Export Version Formats

For all export versions, the NetFlow export datagram consists of a header and a sequence of flow records. The header contains information such as sequence number, record count, and system uptime. The flow record contains flow information, for example IP addresses, ports, and routing information. NetFlow version 9 export format is the newest NetFlow export format. The distinguishing feature of the NetFlow version 9 export format is that it is template based. Templates make the record format extensible. This feature allows future enhancements to NetFlow without requiring concurrent changes to the basic flow-record format.

The use of templates with the NetFlow version 9 export format provides several other key benefits:

  • You can export almost any information from a router or switch including Layer 2 through 7 information, routing information, IP version 6 (IPv6), IP version 4 (IPv4), multicast, and Multiprotocol Label Switching (MPLS) information. This new information allows new applications for export data and new views of network behavior.
  • Third-party business partners who produce applications that provide collector or display services for NetFlow are not required to recompile their applications each time a new NetFlow export field is added. Instead, they might be able to use an external data file that documents the known template formats.
  • New features can be added to NetFlow more quickly, without breaking current implementations.
  • NetFlow is "future-proofed" against new or developing protocols, because the version 9 export format can be adapted to provide support for them and for other non-NetFlow-based approaches to data collection.

The work of the Internet Engineering Task Force (IETF) IP Information Export (IPFIX) Working Group (WG) and the IETF Pack Sampling (PSAMP) WG are based on the NetFlow version 9 export format.

The version 1 export format was the original format supported in the initial Cisco IOS software releases containing NetFlow functionality and is rarely used today. The version 5 export format is a later enhancement that adds Border Gateway Protocol (BGP) autonomous system information and flow sequence numbers. The version 7 export format is an enhancement that adds NetFlow support for Cisco Catalyst series switches that use hybrid or native mode. Versions 2 through 4 and version 6 export formats were either not released or are not supported. Version 8 export format is the NetFlow export format to use when you enable router-based NetFlow aggregation on Cisco IOS router platforms.



(c) 2003-2006 Caligare s.r.o.
http://www.caligare.com
Last-modified: May 10 2006