Q&A: What You Can Learn by Monitoring Network Flows

We explain how to leverage data from switches and routers using flow monitoring.

Simple Network Management Protocol (SNMP) gives a high-level view of aggregate traffic on the network. Packet sniffers provide an in-depth view of packet content. What most enterprises are missing is the middle view: network flows. Most switches and routers are designed to generate information on exactly what traffic is passing through each port, but accessing this data requires additional software. Enterprise Strategies interviewed Michael Patterson, product manager for the Scrutinizer NetFlow and sFlow Analyzer at Plixer International to find out how to leverage the data available through flow monitoring.

Enterprise Strategies: What is NetFlow? Is it a technology, a software agent, a hardware add-on?

Michael Patterson: NetFlow is a technology developed by Cisco Systems and embedded as part of Cisco IOS, the operating system used by Cisco's routers and switches. The network device analyzes the traffic going through it by seven values:

  • IP source address: Who is sending the traffic
  • Destination IP address: Who is receiving the traffic
  • Source and destination ports: Shows what application is using the network
  • Layer 3 protocol
  • Class of service: For services (such as VoIP) that need priority access
  • Router or switch interface

When packets match on all seven of those criteria, they are considered part of the same flow. The device counts the number of packets in a given flow, bundles it with the data on up to 30 other flows (NetFlow v5), and sends it to a server containing a Cisco NetFlow analysis tool to collect and analyze the flow information. A single collector will gather data from multiple network devices.
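The flow-cache logic described above, as an added example that is not part of the original interview: constructed packets are keyed on the seven NetFlow v5 fields, packets that match on all seven land in the same flow with a running packet and byte count, and the finished records are bundled into export datagrams of up to 30 flows. The packet tuple layout and the record dictionaries are assumptions made for the example.

```python
from collections import OrderedDict
from typing import NamedTuple

class FlowKey(NamedTuple):
    """The seven NetFlow v5 key fields named in the interview."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int   # layer-3 protocol number (6 = TCP, 17 = UDP)
    tos: int        # class of service (IP ToS/DSCP byte)
    input_if: int   # router or switch input interface index

# Constructed sample packets: (src_ip, dst_ip, src_port, dst_port, proto, tos, ifindex, bytes)
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.0.2.10", 51000, 80, 6, 0, 1, 60),
    ("10.0.0.5", "192.0.2.10", 51000, 80, 6, 0, 1, 1500),
    ("192.0.2.10", "10.0.0.5", 80, 51000, 6, 0, 2, 1500),
    ("10.0.0.7", "10.0.0.20", 16384, 16384, 17, 46, 1, 214),   # VoIP, DSCP EF
    ("10.0.0.7", "10.0.0.20", 16384, 16384, 17, 46, 1, 214),
    ("10.0.0.5", "192.0.2.10", 51000, 80, 6, 0, 1, 60),
]

def build_flow_cache(packets):
    """Aggregate packets into flows: packets matching on all seven key fields
    belong to one flow; the cache keeps a (packets, bytes) count per flow."""
    cache = OrderedDict()
    for *key_fields, size in packets:
        key = FlowKey(*key_fields)
        pkts, octets = cache.get(key, (0, 0))
        cache[key] = (pkts + 1, octets + size)
    return cache

def export_datagrams(cache, max_records=30):
    """Bundle flow records into export datagrams holding at most max_records
    flows each (NetFlow v5 carries up to 30 records per datagram)."""
    records = [dict(key._asdict(), packets=p, octets=o) for key, (p, o) in cache.items()]
    return [records[i:i + max_records] for i in range(0, len(records), max_records)]

if __name__ == "__main__":
    cache = build_flow_cache(SAMPLE_PACKETS)
    for key, (pkts, octets) in cache.items():
        print(f"{key.src_ip}:{key.src_port} -> {key.dst_ip}:{key.dst_port} "
              f"proto={key.protocol} tos={key.tos} if={key.input_if} "
              f"packets={pkts} bytes={octets}")
    print(len(export_datagrams(cache, max_records=2)), "datagrams")
```

Note that the reply packet from 192.0.2.10 forms its own flow: the source/destination fields are swapped and it arrived on a different interface, so it does not match on all seven keys.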

The current version of NetFlow (v.9) forms the basis of the Internet Engineering Task Force's IP Flow Information Export (IPFIX) protocol. NetFlow v.9 also introduced Flexible NetFlow, which allows a user to select which of the seven key fields to track, and also to track additional fields such as time stamps, next-hop IP addresses, and subnet masks. Since the user can define what type of data and which parameters of that flow to track, it reduces the amount of data reported.

How is NetFlow used and who in IT uses it (network admins, security administrators, etc.)?

NetFlow is used by network administrators, security staff, accounting server admins, and others to view network traffic as it passes through a switch or router. Separate caches can be designated for different types of information. For example, network security can have its own data cache designed for network anomaly detection, while the network administrators could use a different cache optimized for detecting and troubleshooting VoIP quality of service issues.

Is NetFlow sufficient these days to monitor network use, troubleshoot networks, and control network security? If not, what else is needed?

NetFlow, although a powerful and useful tool, is only one part of an administrator's complete tool kit, including SNMP, sFlow, and packet analyzers. SNMP, for example, provides a high-level view of the amount of traffic traveling through a port, but not what makes up that traffic or which user or device is generating it. NetFlow will tell you which users and applications are generating the network load. Packet analyzers provide a much more detailed look at the packets. Due to their cost, however, they cannot monitor all network links and are usually only deployed when there is a known problem.

Is IT using NetFlow information in ways that it wasn't originally designed for?

Over the years, users have found a wide array of uses for NetFlow including:

  • VoIP QoS: With NetFlow, administrators can see what DSCP value packets are using and spot any bottlenecks that are affecting VoIP and reroute traffic as needed.
  • Capacity Planning and Management: SNMP gives overall bandwidth statistics, but not what traffic is using that bandwidth. With NetFlow, administrators can ensure that the traffic is valid, kill any unnecessary applications or services (such as watching YouTube during business hours), and move valid but low-priority services such as Patch Tuesday updates to off hours. By viewing the amount of traffic per user generated by a particular application, you can also see the impact of adding additional users and increase capacity as needed.
  • Billing: Because NetFlow tracks the number of packets and bytes by user and protocol, that data can be used for chargeback.
  • Security: Network security can have its own data cache designed for network anomaly detection. In addition, there are ways to turn NetFlow triggers into actionable security countermeasures. If you know what traffic is supposed to be traveling across a port, anything not expected is a potential security risk. If the NetFlow monitoring software detects unusual activity, it can send messages to the firewall or NAC to shut down that port or block that traffic.
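
The expected-traffic check from the security item above, as an added example that is not part of the original interview: constructed flow records are compared against a per-interface allow-list of expected protocol/port pairs, anything not on the list is reported, and each finding is turned into a block request that an integration could hand to a firewall or NAC. The policy, the flow records and the request dictionary shape are assumptions; real integrations use the vendor's own API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One exported flow record as a collector receives it (constructed shape)."""
    input_if: int
    src_ip: str
    dst_ip: str
    protocol: int
    dst_port: int
    packets: int

# Constructed policy: (protocol, destination port) pairs expected on each interface.
# Interface 1 is a user VLAN (web + DNS); interface 3 is a VoIP segment.
EXPECTED = {
    1: {(6, 80), (6, 443), (17, 53)},
    3: {(17, 5060), (17, 16384)},
}

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow(1, "10.0.0.5", "192.0.2.10", 6, 443, 12),
    Flow(1, "10.0.0.5", "198.51.100.4", 17, 53, 2),
    Flow(1, "10.0.0.9", "203.0.113.7", 6, 6667, 40),   # IRC from a user VLAN: not expected
    Flow(3, "10.0.1.2", "10.0.1.3", 17, 16384, 500),
    Flow(3, "10.0.1.2", "192.0.2.10", 6, 22, 3),        # SSH out of the VoIP segment: not expected
    Flow(5, "10.0.2.1", "10.0.2.2", 6, 80, 1),         # interface without a policy
]

def find_unexpected(flows, expected=EXPECTED):
    """Return (flow, reason) for every flow not on its interface's allow-list.
    Interfaces with no policy are reported rather than silently passed."""
    findings = []
    for f in flows:
        if f.input_if not in expected:
            findings.append((f, "no policy for interface"))
        elif (f.protocol, f.dst_port) not in expected[f.input_if]:
            findings.append((f, "unexpected protocol/port"))
    return findings

def to_block_request(flow):
    """Describe the countermeasure to hand to a firewall/NAC (assumed dict shape)."""
    return {"action": "block", "interface": flow.input_if, "src": flow.src_ip,
            "dst": flow.dst_ip, "protocol": flow.protocol, "dst_port": flow.dst_port}

if __name__ == "__main__":
    for flow, reason in find_unexpected(SAMPLE_FLOWS):
        print(reason, to_block_request(flow) if reason.startswith("unexpected") else flow)
```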

What are the biggest misunderstandings about what NetFlow is or how it should be used?

The biggest misunderstanding is that NetFlow is only used for locating bandwidth hogs. Although it does do this, the functions are much broader. A second is that it is limited to Cisco equipment. That was true initially, but NetFlow or other flow technologies (IPFIX, sFlow, Netstream) are now in use on switches and routers by Adtran, Enterasys, Extreme Networks, Juniper, Riverbed, Alcatel, Foundry, HP, 3Com, and others. Some NetFlow collectors will collect data using all of these protocols.

In what situations would you recommend that NetFlow not be used?

NetFlow's dependence on the switch/router's processor and memory can limit its deployment because too much NetFlow processing can slow the primary forwarding function. In such a case, you would only use it on key interfaces to avoid having a noticeable impact on the performance of the switch/router and the network. When more detailed information is needed, a packet analyzer should be deployed. Some vendors like Enterasys have implemented NetFlow in hardware, but it is not mainstream like sFlow implementations.

What might be considered the main pitfalls of NetFlow?

NetFlow does not provide visibility into switched or broadcast layer-2 traffic. In addition, because of its overhead, it cannot be used on all network links. FnF (Flexible NetFlow), which is an extension of NetFlow v9, does allow for a packet export as does sFlow. However, few vendors have taken advantage of it.

What tools does Plixer provide and how do they facilitate the use of NetFlow?

Cisco routers, and other equipment, will generate the NetFlow data, but you still need a way to collect and analyze that data. Plixer International, Inc. provides two tools for configuring NetFlow commands on the hardware and then monitoring and reporting on the flow data. Flowalyzer is a free toolkit for testing and configuring hardware and software for sending and receiving NetFlow and sFlow data. It can help IT professionals troubleshoot hardware from Cisco, Enterasys, and other vendors, as well as NetFlow collector software, ensuring that whichever flow technology they use is configured properly on both ends.

Plixer's Scrutinizer analyzes and reports on NetFlow data (and other flow protocols such as sFlow, Netstream, jFlow and IPFIX) to provide information on what applications, conversations, flows, and protocols are generating network traffic and to analyze network behavior for troubleshooting purposes. A free version of Scrutinizer is also available from the Plixer Web site (http://www.plixer.com/support/download_request.php).