What is NetFlow Data?

Quick Definition: NetFlow is a network protocol developed by Cisco for collecting and monitoring network traffic flow information, and NetFlow data is the flow information it exports. It provides detailed insight into network usage, helping to analyze traffic patterns, identify network issues, and enhance security.
One of my favorite things about Cisco is the wide array of tools it provides network engineers. One of the most widely used tools Cisco offers is NetFlow, an open-source tool for monitoring and analyzing network flow.
Not only is NetFlow useful in the wild, but it is also a core component of the CCNA. While there are proprietary versions based on Cisco's original, such as jFlow and IPFIX, this post will focus on the original NetFlow.
NetFlow has many potential uses, so it gives us a lot to discuss. Let's first focus on a broad definition and how the thing actually works.
What is NetFlow Data?
Cisco developed NetFlow in the mid-1990s. Its primary purpose was (and still is) to collect IP traffic information and monitor network flows. NetFlow's audience consists of network engineers who use it to grasp network patterns, manage bandwidth, and enhance security. It proved to be so popular that industries everywhere adopted it in some form or fashion.
Basic Components of Network Flow
While there are several versions of NetFlow, they all rely on the same concept of network flow. A network flow describes a set of related packets passing through the network, together with statistics about those packets, such as their rate and volume.
NetFlow captures this flow and provides statistics such as byte rate, number of packets, and duration of flow. Let's break that process down bit by bit (no pun intended), starting with defining the flow itself.
A flow is a unidirectional sequence of packets that share common attributes. Generally, these attributes are the source and destination IP addresses, the source and destination ports, and the protocol used. A flow represents one direction of the communication between two devices; for example, the packets a computer sends to a router form one flow, and the router's replies form another.
Flow records are the data NetFlow creates and stores. They contain information about the flow's start and end time, the packets and bytes transferred, and more.
Flow exporters are devices configured to observe traffic and build flow records from it using NetFlow. After collecting this data, they send it to a flow collector for analysis. Routers, switches, and firewalls generally act as flow exporters.
Flow collectors receive flow records from one or more flow exporters. Their main job is to store, process, and analyze flow data, which provides insight into network traffic patterns, usage statistics, and security issues.
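To make the flow key, the flow record, and the exporter's per-flow bookkeeping concrete, here is an added Python example (not code from the original post or from Cisco). It aggregates a constructed packet stream into unidirectional flows keyed by the 5-tuple, tracks first/last timestamps and packet and byte counts the way an exporter does, and derives the duration and byte rate mentioned above. The packet list, the `active_timeout` default and the `FlowRecord` layout are assumptions made for the example.

```python
from collections import namedtuple
from dataclasses import dataclass

# Constructed packet stream for the example (not captured traffic):
# (timestamp_seconds, src_ip, dst_ip, ip_protocol, src_port, dst_port, length_bytes)
PACKETS = [
    (1000.0, "10.0.0.5", "93.184.216.34", 6, 51512, 443, 60),     # client -> web server
    (1000.1, "93.184.216.34", "10.0.0.5", 6, 443, 51512, 60),     # web server -> client
    (1000.2, "10.0.0.5", "93.184.216.34", 6, 51512, 443, 1400),
    (1000.3, "10.0.0.5", "93.184.216.34", 6, 51512, 443, 1400),
    (1000.4, "93.184.216.34", "10.0.0.5", 6, 443, 51512, 120),
    (1001.0, "10.0.0.5", "10.0.0.1", 17, 40000, 53, 70),          # DNS query
    (1001.0, "10.0.0.1", "10.0.0.5", 17, 53, 40000, 130),         # DNS reply
]

# The flow key: a flow is unidirectional, so A->B and B->A are two different keys.
FlowKey = namedtuple("FlowKey", "src dst proto sport dport")


@dataclass
class FlowRecord:
    """What an exporter keeps per flow and eventually exports (layout assumed for the example)."""
    key: FlowKey
    first: float      # time of the first packet seen
    last: float       # time of the most recent packet
    packets: int = 0
    bytes: int = 0


def build_flows(packets, active_timeout=1800.0):
    """Aggregate a packet stream into flow records.

    Packets with the same 5-tuple accumulate into one record. When a flow has
    been open longer than active_timeout (hypothetical default) the record is
    exported and a fresh one is started, as exporters do for long-lived flows.
    """
    cache = {}
    exported = []
    for ts, src, dst, proto, sport, dport, length in packets:
        key = FlowKey(src, dst, proto, sport, dport)
        rec = cache.get(key)
        if rec is not None and ts - rec.first > active_timeout:
            exported.append(cache.pop(key))   # active timeout: export the old record
            rec = None
        if rec is None:
            rec = cache[key] = FlowRecord(key, first=ts, last=ts)
        rec.last = ts
        rec.packets += 1
        rec.bytes += length
    # At the end of the stream, flush whatever is still in the cache.
    exported.extend(cache.values())
    return exported


def flow_stats(rec):
    """Derive the statistics the text mentions: duration and byte rate."""
    duration = round(rec.last - rec.first, 3)
    return {
        "src": rec.key.src, "dst": rec.key.dst, "proto": rec.key.proto,
        "sport": rec.key.sport, "dport": rec.key.dport,
        "packets": rec.packets, "bytes": rec.bytes, "duration": duration,
        "byte_rate": rec.bytes / duration if duration > 0 else None,  # None for single-packet flows
    }


if __name__ == "__main__":
    for rec in build_flows(PACKETS):
        print(flow_stats(rec))
```

Running it yields four records for the seven packets: two for the HTTPS session (one per direction) and two for the DNS exchange. Lowering `active_timeout` to a fraction of a second splits the two longer-lived HTTPS flows into six records, which is why a collector normally has to re-stitch records from the same key when it computes totals.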
Different NetFlow Versions
NetFlow is an open-source model, and many organizations have taken advantage of its design. Here are a couple of the most common NetFlow variants you'll come across in the wild.
NetFlow v9 is the latest and greatest version of NetFlow. It introduced several enhancements to its predecessor. For example, NetFlow v9 provides dynamic templates to create flow records. Remember, a flow record represents the data we want to export and analyze. Dynamic templates allow engineers to describe the required data with more flexibility. V9 also provides IPv6 compatibility, increased scalability, and more security.
J-Flow is a proprietary version of NetFlow used by Juniper networks. It is similar to NetFlow v9 and provides all the same features.
IPFIX (IP Flow Information Export) is an enhanced version of v9 that maintains backward compatibility. It is a vendor-neutral platform and is used by organizations such as HP, Dell, and others.
Now that we understand what NetFlow is, let's talk about why we should use it.
Why Use NetFlow Data in Network Operations?
NetFlow provides invaluable insight into the inner workings of any IT organization. Gaining visibility into network flows is useful in a wide range of disciplines. Let's review several areas that benefit from NetFlow.
Troubleshooting: NetFlow data provides valuable historical records when things go awry. This information is used to diagnose and troubleshoot network problems. Reviewing NetFlow data reduces resolution times and minimizes downtime. For example, let's say a router stopped working for no apparent reason. NetFlow data could help determine precisely when the flow of data halted.
Compliance and Auditing: There is nothing quite as painful as an audit. Luckily, NetFlow is a great tool for cataloging and monitoring all network transactions. It has become invaluable for reviewing data transmissions for audit purposes.
Security Monitoring: NetFlow data is instrumental in detecting and mitigating security threats. NetFlow provides a way to identify suspicious traffic patterns like DDoS attacks. It also can bring unauthorized access attempts, malware infections, and data exfiltration to light.
Traffic Visibility: The most obvious use of NetFlow is traffic visibility. NetFlow is crucial for understanding how the networks act in a production environment. It is generally used to identify bottlenecks, performance issues, packet drops, and much more.
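As an added example of the security-monitoring use described above (not code from the original post or from any vendor tool), the Python below runs two simple detections over constructed flow records of the kind a collector holds: a source that touches many distinct destination ports on one host, and an internal host sending an unusually large volume to an external address. The internal address ranges, the thresholds and the record shape are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Address space treated as "inside" the organization (an assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow records, in the shape a collector would hold after ingesting exports.
FLOWS = (
    # ordinary HTTPS session from a workstation
    [{"src": "10.0.0.5", "dst": "93.184.216.34", "proto": 6, "dport": 443, "packets": 40, "bytes": 18000}]
    # one host touching many different ports on one internal server, one packet each
    + [{"src": "10.0.0.9", "dst": "10.0.0.20", "proto": 6, "dport": p, "packets": 1, "bytes": 60}
       for p in range(20, 60)]
    # a very large transfer from a workstation to an external host
    + [{"src": "10.0.0.7", "dst": "203.0.113.10", "proto": 6, "dport": 22,
        "packets": 900_000, "bytes": 1_200_000_000}]
)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_port_scans(flows, min_ports=25):
    """Sources that contacted at least min_ports distinct destination ports on a single host."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= min_ports)


def detect_large_egress(flows, threshold_bytes=500_000_000, sampling_rate=1):
    """Internal->external pairs whose total bytes reach threshold_bytes.

    If the exporter samples 1-in-N packets, pass sampling_rate=N so the sampled
    byte counts are scaled up to an estimate of the real volume first.
    """
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes"] * sampling_rate
    return sorted((src, dst, b) for (src, dst), b in totals.items() if b >= threshold_bytes)


if __name__ == "__main__":
    print("scan-like:", detect_port_scans(FLOWS))
    print("large egress:", detect_large_egress(FLOWS))
```

Both detections work purely on flow metadata, which is the point of using NetFlow for this: no payload is needed, so the checks stay cheap even at high traffic rates. The `sampling_rate` parameter matters in practice, since a 1:100 sampled exporter reports roughly one hundredth of the real byte count.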
How Does NetFlow Data Work?
NetFlow data is collected through a four-step process. The process is the same whether you're using IPFIX, jFlow, or NetFlow v9. Let's go over each step in more detail.
1. Flow Monitoring Process
Each packet is inspected and categorized by its metadata, such as source and destination IP, and placed into the flow whose attributes it matches (or a new flow is started). Flow exporters track each flow in real time, measuring its duration, packet count, byte count, and several other values.
2. Flow Exportation
This is when flow records are created and exported. Each flow record summarizes one flow and the events that took place within it. The records are then exported to the collectors via UDP.
3. Flow Collection
The flow collector receives and stores all available flow records in a database optimized for fast data ingestion.
4. Flow Analysis
Flow data stored in the collectors is analyzed using specialized tools and software. The analysis covers traffic patterns, trend identification, and bandwidth monitoring. From a security standpoint, analysis detects anomalies; from an operations standpoint, it assesses network performance.
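The export and collection steps, and the v9 templates mentioned earlier, can be seen end to end in the following added Python example (not code from the original post or from Cisco). It encodes a NetFlow v9 export datagram containing a template FlowSet and a data FlowSet, then decodes it the way a collector must: templates are cached per (source ID, template ID), and a data FlowSet whose template has not been seen yet is counted as undecodable rather than guessed at. The field type numbers are those defined in RFC 3954; the template layout, the sample records, and the header timestamps are constructed for the example.

```python
import socket
import struct

# NetFlow v9 field type numbers from RFC 3954 and the names used for them in this example.
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port", 8: "ipv4_src_addr",
    11: "l4_dst_port", 12: "ipv4_dst_addr", 21: "last_switched", 22: "first_switched",
}
IPV4_FIELDS = {8, 12}

# A template: ordered (field_type, field_length) pairs. The exporter sends this first,
# and the collector must cache it before it can decode any data record.
TEMPLATE_ID = 256          # FlowSet ids 0-255 are reserved, so template ids start at 256
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4), (22, 4), (21, 4)]

# Constructed flow records to export (not real traffic).
SAMPLE_RECORDS = [
    {"ipv4_src_addr": "10.0.0.5", "ipv4_dst_addr": "93.184.216.34", "l4_src_port": 51512,
     "l4_dst_port": 443, "protocol": 6, "in_bytes": 2860, "in_pkts": 3,
     "first_switched": 12000, "last_switched": 12300},
    {"ipv4_src_addr": "10.0.0.5", "ipv4_dst_addr": "10.0.0.1", "l4_src_port": 40000,
     "l4_dst_port": 53, "protocol": 17, "in_bytes": 70, "in_pkts": 1,
     "first_switched": 13000, "last_switched": 13000},
]


def build_v9_packet(source_id, seq, records, include_template=True):
    """Encode a v9 export datagram: 20-byte header, optional template FlowSet, one data FlowSet."""
    flowsets = b""
    if include_template:
        body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
        body += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
        flowsets += struct.pack("!HH", 0, 4 + len(body)) + body       # FlowSet id 0 = template
    body = b""
    for rec in records:
        for ftype, flen in TEMPLATE_FIELDS:
            val = rec[FIELD_NAMES[ftype]]
            body += socket.inet_aton(val) if ftype in IPV4_FIELDS else val.to_bytes(flen, "big")
    pad = (-len(body)) % 4                                          # FlowSets are 4-byte aligned
    flowsets += struct.pack("!HH", TEMPLATE_ID, 4 + len(body) + pad) + body + b"\x00" * pad
    count = len(records) + (1 if include_template else 0)           # records of all kinds in the packet
    header = struct.pack("!HHIIII", 9, count, 123456, 1700000000, seq, source_id)  # constructed times
    return header + flowsets


def parse_v9(datagram, templates):
    """Decode one datagram. `templates` is the collector's cache, keyed by (source_id, template_id),
    and must persist across datagrams. Returns (decoded_records, undecodable_flowsets)."""
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", datagram[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 datagram")
    records, undecodable = [], 0
    offset = 20
    while offset + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack("!HH", datagram[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(datagram):
            raise ValueError("malformed FlowSet length")               # never trust lengths from the wire
        body = datagram[offset + 4:offset + fs_len]
        if fs_id == 0:                                                 # template FlowSet: learn templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if nfields == 0 or pos + 4 * nfields > len(body):
                    raise ValueError("empty or truncated template")
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                                             # data FlowSet: needs its template
            fields = templates.get((source_id, fs_id))
            if fields is None:
                undecodable += 1                                       # template not seen yet: cannot decode
            else:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while pos + rec_len <= len(body):                      # trailing padding is shorter than a record
                    rec = {}
                    for ftype, flen in fields:
                        raw = body[pos:pos + flen]
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = (
                            socket.inet_ntoa(raw) if ftype in IPV4_FIELDS else int.from_bytes(raw, "big"))
                        pos += flen
                    records.append(rec)
        offset += fs_len
    return records, undecodable


if __name__ == "__main__":
    cache = {}
    print(parse_v9(build_v9_packet(1, 1, SAMPLE_RECORDS), cache))
    print(parse_v9(build_v9_packet(1, 2, SAMPLE_RECORDS, include_template=False), {}))
```

Two behaviours are worth noticing. First, a data-only datagram decoded with an empty cache yields no records, which is exactly what happens on a real collector restarted mid-stream until the exporter resends its templates. Second, templates are scoped to the source ID, so a datagram from a different source cannot be decoded with another exporter's template even if the template ID matches. Because export runs over UDP, the lengths in each FlowSet are validated against the datagram before any slicing.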
How to Implement NetFlow Data in IT Environments
Several considerations must be taken into account before implementing NetFlow Data. Since there are several variants, it is important to know which one best fits your system. Let's go over some of the basics required to implement NetFlow effectively.
Supported Network Devices and Platforms
Verify that your devices are compatible with the NetFlow you want. For example, if you're on a Juniper network, make sure jFlow is used. On Cisco, NetFlow v9 or IPFIX will be just fine.
Configuration and Setup Process
First, enable NetFlow on all devices you would like to act as NetFlow exporters. Refer to the documentation for your router for instructions on how to configure the device properly. Cisco publishes configuration instructions for its routers, and Juniper has its own documentation as well.
Ensure that a template is defined when configuring NetFlow v9 or IPFIX on any device. The template will determine what data is packaged for later analysis.
Best Practices for NetFlow Implementation
Sometimes, despite our best efforts, things go wrong when implementing NetFlow Data. These steps will help you avoid key errors.
Proper Sampling Rates
Verify that the sampling rate is not too aggressive. Sampling too many packets can degrade the exporter without providing much additional value. The sampling rate is configured on the NetFlow exporter's CLI and is expressed as a proportion of traffic: the exporter takes X% of the packets (one in every N) out of the stream for analysis.
As a general guideline, start sampling packets at a 1:100 to 1:1000 ratio.
Data Retention Policies
Data retention generally differs between organizations. Consider that the database will quickly fill up with NetFlow logs and define a plan to delete them after a certain amount of time.
Integration with SIEM and Other Tools
To strengthen your security posture, you'll want to integrate NetFlow with a Security Information and Event Management (SIEM) platform. A SIEM correlates flow data with other security events, providing additional visibility into the security-relevant side of your traffic and guidance on how to mitigate the concerns it surfaces.
What Tools and Technologies are Required for NetFlow Analysis?
NetFlow is a great tool in and of itself, but it does not exist in a vacuum. Plenty of other tools work in tandem with it to produce a fuller picture of your network. Let's discuss three of the most common tools used in conjunction with NetFlow.
SolarWinds
Data is only good if it can be analyzed. Platforms like SolarWinds exist to help visualize flows. The graphs and charts generated will provide a holistic picture of the network. SolarWinds also provides a dashboard for easy access to data, traffic analysis, pain points, and more.
Cisco NetFlow Collector
Once you get all of those flow records, you've got to have a place to put them. Cisco NetFlow Collector gathers, processes, and stores NetFlow records from all your different devices. It acts as a central repository for subsequent flow data analysis.
Splunk
Splunk is a handy log aggregation system. It offers a single command-line interface with a powerful query language and can be connected to whatever data sources you need. Splunk is used to retrieve and analyze data for troubleshooting and auditing. If you are using NetFlow, you'd be remiss to exclude Splunk from your software repertoire.
Final Thoughts
NetFlow is an indispensable tool in network engineers' arsenal. It provides deep insights into network traffic and performance. Since its inception at Cisco, it has been a cornerstone of network analysis. It plays a critical role in understanding network flows and maintaining security compliance.
It is also important to incorporate existing tools with NetFlow, such as Splunk, SolarWinds, and NetFlow Collector. These tools (and others) significantly enhance its utility. By leveraging NetFlow effectively, organizations ensure optimal network performance, robust security, and more. Ultimately, this will lead to more efficient and secure IT environments.
Want to learn more about becoming a Network Engineer? Consider our CCNA Training!