Cisco Systems introduced Netflow v9 several years ago, but most enterprises are sticking with the less-effective NetFlow v5 for network traffic monitoring and analysis. That’s because NetFlow v9, which offers deeper visibility and the ability to consolidate network management technologies, is more complex to learn than the good old reliable v5. Still, enterprises will eventually be forced to make the transition.
NetFlow is a Cisco protocol that produces network activity data. Routers and switches generate NetFlow records that are then compiled and analyzed by a NetFlow collector. A variety of Cisco and Enterasys Networks switches and routers support the protocol and many other network vendors support alternative versions of it, such as JFlow and sFlow.
While NetFlow v5 is a fixed protocol that only provides very basic, static information on network traffic, such as source and destination IP addresses, NetFlow v9 is an extensible protocol that allows vendors and users to create new templates for exporting a variety of information about the network.
"You can create templates and create your own custom groupings of metrics that you want to transfer using NetFlow," said Jim Frey, research director for network management technologies at Enterprise Management Associates.
"Say you want to add a metric that checks [router] CPU usage or some deeper details on application type, NetFlow v9 lets you do that. You could even put things in like round-trip times or flags that would tell you if a synflood was happening. Anything that you could get from a router through SNMP (Simple Network Management Protocol) interfaces you can now put into NetFlow records using v9."
NetFlow v9 adoption is inevitable
In a few years enterprises will have no choice but to adopt NetFlow v9 because NetFlow v5 does not support IPv6, the next generation Internet Protocol. Once IPv4 address exhaustion occurs, enterprises will start doing IPv6 transport, at which time they will have to upgrade to the new version of the protocol.
"Service provider and enterprise customers who have deployed MPLS and/or IPv6 technologies need NetFlow v9 statistics from their network to enable traffic analysis, capacity planning or DDoS [distributed denial of service] detection solutions," said Joel Conover, senior manager of Borderless Networks at Cisco.
Network manager Ryan Laus, who uses Lancope's Stealthwatch for NetFlow collection and analysis at Central Michigan University, is still using NetFlow v5 on his university's network, but he anticipates an upgrade to NetFlow v9 once the school starts running IPv6.
"We are looking at starting to leverage [NetFlow v9], and we're going to be forced into it if we want to continue monitoring flows when we cut over to IPv6," he said.
The extensible nature of NetFlow v9 templates will eventually help Laus get better visibility into peer-to-peer (P2P) traffic among students on his network at the university.
"The biggest thing that interests us is the ability for NetFlow v9 to start looking at the data portion for those flows," Laus said. "It could give us insight into whether someone is actually doing legitimate HTTP traffic or BitTorrent over Port 80 to hide their traffic. It could also give us enhanced abilities to look at the applications being used on the network. It could fingerprint traffic so that we could determine what application is generating that traffic payload."
This visibility will help Laus with capacity management at the university. If NetFlow v9 monitoring shows him that 6,000 students in residence halls are streaming Netflix in a given day, he knows he'll have to increase his bandwidth capacity to support that.
Learning NetFlow v9’s flexibility is a challenge
If the power of NetFlow v9 is so great, why are only about 20% of Cisco’s customers using NetFlow v9 today?
Adoption has been slow in part because network monitoring and management vendors have not yet mastered the art of handling the open templates of NetFlow v9, said Frey. NetFlow v5 is easy to work with because the records the protocol produces are static and NetFlow collectors know what to expect. However, NetFlow v9 is dynamic. Cisco often publishes new templates for the protocol and end users have the power to create their own templates within the protocol as well. NetFlow collectors often don't know what they're looking at when they receive a NetFlow record with a new template and simply drop the information.
Many NetFlow collector vendors address this by supporting a fixed number of template configurations in NetFlow v9, but they haven't designed their products to be able to identify templates that network managers might configure in the NetFlow records, Frey said. Some NetFlow specialists, such as Lancope and Plixer, have done a good job of tackling the extensible nature of NetFlow v9, but other vendors are still catching up, he said.
Lancope, for instance, stays on top of changes to NetFlow v9 by collaborating closely with Cisco.
"There are 100-plus NetFlow collectors on the market today and a lot of those guys don’t keep up with the latest capabilities of NetFlow v9," said Adam Powers, CTO of Lancope. "They add basic support for NetFlow, like source and destination IP addresses, port numbers, and byte counts. But over time, as Cisco adds more stuff, they have to make sure NetFlow v9 won't break their existing implementation."
Even if a network manager has a NetFlow collector that works well with the new version of the protocol, he may still be reluctant to make the transition. The flexibility that makes NetFlow v9 so powerful also adds a little complexity.
"It takes people forever to feel comfortable that they're going to have the expertise to set it up properly and have tools on the backend that can handle a flexible format that might change at any time."
Consolidating and improving network management tools with NetFlow v9
NetFlow v9 may add an initial level of complexity to network management, but its capabilities also offer network managers a chance to consolidate their network management tools and get a more granular view of what's happening on the network.
Network engineers can configure NetFlow v9 to deliver information that they have traditionally gathered through SNMP polling tools, Frey said. This capability will allow enterprises to rely on a NetFlow collector for more of their network management and monitoring needs.
"When we can start getting round trip information or start pulling call quality metrics … (and)put that in the NetFlow stream there are a lot of side benefits, like fewer management systems, less administrative overhead, less licensing and support required, less correlating of data between multiple tools."
NetFlow is also more granular and reliable than SNMP polling, so network managers will find that NetFlow v9 will improve their overall management capabilities.
"SNMP is polling-based," Frey said. "You have to reach out and ask for it. SNMP is a low-priority function within network devices. If it's busy, [a router] might stop answering your request for information and you can get gaps in your SNMP data at the times you need it most -- during periods of heavy congestion. NetFlow does a publish model. It just sends the records out, and it doesn't stop doing that."
Tools that rely on SNMP polling tend to request data from network devices every 15 minutes by default. Some will make requests as often as every five minutes, Frey said. Collecting SNMP data at a rate higher than that for a sustained amount of time will strain the network. In contrast, NetFlow is always on and records are constantly being published without any threat of network congestion.
Let us know what you think about the story; email Shamus McGillicuddy, News Editor