What is Cisco IOS® NetFlow?
Cisco NetFlow technology is software contained within the Cisco IOS that provides important information about traffic on the wide area network (WAN). Using Cisco NetFlow, engineers can determine the applications taking up the bandwidth, who is using them, and when.
With Cisco NetFlow, the approach to data collection is simplified: a NetFlow-enabled router or switch collects the network data itself, a less costly alternative to data collection by probes, which must be deployed by network staff to gain visibility of traffic on the WAN. As its name suggests, Cisco NetFlow technology tracks the flow of IP packets as they enter the router through an interface. Each flow is unique and is identified by seven criteria (Source IP address, Destination IP address, Source Port number (TCP/UDP), Destination Port number (TCP/UDP), Layer 3 Protocol Type (IP/ICMP), Type of Service (ToS), and Input logical interface); any variation in these criteria distinguishes one flow from another.
Cisco NetFlow can collect information on a very granular basis, and this data can be analyzed to report such information as:
- Top Hosts (for each of the top applications)
- Top Conversations (for each of the top applications)
- Top Applications (for every interface or group of interfaces)
- ToS Markings (commonly used for applications such as Voice and Video)
- Data Volumes, Rates, and Utilization (for interface, application, host, conversation, and ToS)
How can network managers benefit from Cisco NetFlow Monitoring?
Cisco NetFlow technology provides the data necessary to effectively analyze, trend, and baseline application data as it passes through the network. That data can then be exported to a reporting package, which provides the information necessary to manage critical business applications. The types of information Cisco NetFlow monitoring can provide include:
Cisco Network Traffic Analysis/Capacity Planning - Cisco NetFlow data helps improve network engineering decisions by revealing when traffic has exceeded a defined threshold (utilization, rate, or volume) on a network link. Using Cisco NetFlow monitoring data, an engineer can determine whether increasing capacity will solve a problem on a link, or whether there are links that can be downgraded to save money.
Network, Server, Application Monitoring/Troubleshooting - Cisco NetFlow monitoring enables extensive, real-time network monitoring to help provide problem detection, efficient troubleshooting, and rapid problem resolution.
Anomaly Detection - Cisco NetFlow measures traffic on routers and switches and includes details about the source, destination, and service ports of packets. This information can be used to identify anomalous network traffic patterns and port-scanning activity - common indications of worms.
Accounting/Billing for IT Resources - Enterprises can use NetFlow monitoring data to understand how business units are using applications, servers, and the network, and to calculate the costs attributable to the use of such resources.
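The seven-field flow key described in the introduction, the Top Hosts and Top Conversations reports, and the anomaly-detection use above, worked through as an added Python example (this is not Cisco's or NetQoS's code). It aggregates constructed packet observations into flows keyed by the seven NetFlow fields, produces top-N reports from the resulting flow table, and flags a source that fans out across many destination ports with one-packet flows, the port-scan pattern the text cites as a worm indicator. The addresses come from the RFC 5737 documentation ranges, and the port-count threshold is an assumed tuning value, not a Cisco default.

```python
"""NetFlow-style flow aggregation and reporting over constructed sample data."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# The seven key fields the page lists; packets that differ in any of them
# belong to different flows.
FLOW_KEY_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port",
                   "protocol", "tos", "in_ifindex")


@dataclass
class Flow:
    key: tuple          # the seven-field key, in FLOW_KEY_FIELDS order
    packets: int = 0
    octets: int = 0


# Constructed packet observations: the seven key fields followed by the
# packet size in octets. RFC 5737 documentation addresses; not real traffic.
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.5", 51000, 443, 6, 0, 1, 1200),
    ("192.0.2.10", "198.51.100.5", 51000, 443, 6, 0, 1, 1500),
    ("192.0.2.10", "198.51.100.5", 51000, 443, 6, 0, 1, 900),
    ("192.0.2.11", "198.51.100.5", 52000, 443, 6, 0, 1, 1400),
    ("192.0.2.12", "198.51.100.7", 40000, 5060, 17, 46, 1, 200),  # ToS 46 (EF)
    ("192.0.2.12", "198.51.100.7", 40000, 5060, 17, 46, 1, 200),
    ("192.0.2.12", "198.51.100.7", 40000, 5060, 17, 0, 1, 200),   # ToS differs: new flow
    # One source touching 30 destination ports on one host, one packet each.
    *[("203.0.113.9", "198.51.100.5", 60000 + p, p, 6, 0, 2, 60)
      for p in range(1, 31)],
]


def aggregate_flows(packets):
    """Group packets into flows by the seven-field key, summing packets/octets."""
    flows = {}
    for *key, octets in packets:
        key = tuple(key)
        flow = flows.setdefault(key, Flow(key))
        flow.packets += 1
        flow.octets += octets
    return flows


def top_hosts(flows, n=3):
    """Octets sent per source host (the page's 'Top Hosts' report)."""
    totals = Counter()
    for flow in flows.values():
        totals[flow.key[0]] += flow.octets
    return totals.most_common(n)


def top_conversations(flows, n=3):
    """Octets per (source, destination) pair ('Top Conversations')."""
    totals = Counter()
    for flow in flows.values():
        totals[(flow.key[0], flow.key[1])] += flow.octets
    return totals.most_common(n)


def top_applications(flows, n=3):
    """Octets per (protocol, destination port), the usual application proxy."""
    totals = Counter()
    for flow in flows.values():
        totals[(flow.key[4], flow.key[3])] += flow.octets
    return totals.most_common(n)


def scan_suspects(flows, min_ports=20):
    """Sources whose short flows reach many distinct ports on a single host.

    min_ports is an assumed threshold; tune it against a baseline of normal
    fan-out for the network being monitored.
    """
    ports_by_pair = defaultdict(set)
    for flow in flows.values():
        if flow.packets <= 2:       # scans rarely complete a real exchange
            ports_by_pair[(flow.key[0], flow.key[1])].add(flow.key[3])
    return sorted({src for (src, _dst), ports in ports_by_pair.items()
                   if len(ports) >= min_ports})


if __name__ == "__main__":
    table = aggregate_flows(SAMPLE_PACKETS)
    print("flows:", len(table))
    print("top hosts:", top_hosts(table))
    print("top conversations:", top_conversations(table))
    print("top applications:", top_applications(table))
    print("scan suspects:", scan_suspects(table))
```

The ToS split in the sample shows why the key has seven fields: the two SIP packets marked EF and the one left unmarked land in separate flows, which is what lets a ToS report catch voice traffic that was not classified correctly. The scan check deliberately looks at the flow table rather than raw packets, because that is all a collector receives from the router.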
Cisco NetFlow Technology vs. RMON2 Data
Prior to the widespread use of NetFlow monitoring data, information about network performance was primarily gathered with the assistance of RMON2 probes. These dedicated instruments monitor data packets crossing the network at certain critical points, such as near WAN or LAN interfaces on a router. While there are benefits to RMON2 network monitoring, the expense associated with establishing and maintaining such probes over a large-scale enterprise network is formidable - both in terms of capital expense and in terms of the personnel required to manage them. Cisco NetFlow technology is available on nearly all Cisco routers and switches. The financial and personnel investments necessary to benefit from Cisco NetFlow monitoring are substantially lower than an RMON2 solution. The chart below outlines the benefits and considerations of each monitoring technology.
Benefits of Cisco NetFlow
- Low Capital Investment – The majority of networks are already instrumented with Cisco routers.
- Simple Configuration – Configuring NetFlow involves a few global commands and an interface command for each interface running NetFlow.
- Dynamic Application Detection – NetFlow measures and reports automatically on all IP application traffic (most probe solutions require that each probe be configured to look for each traffic type).
- Real-time Traffic Analysis
Benefits of RMON2 Probes
- Information on non-IP protocols such as IPX, AppleTalk, and DECnet
- Packet Capture Capability
- No Additional Router Load
- Real-time Traffic Analysis
Considerations for Cisco NetFlow
- Support for IP Traffic Only
- Increase in CPU Utilization on Configured Routers (The amount of increase in router CPU utilization varies by router platform and the number of flows traversing the router. Typically the increase is less than 5%.)
- Increase in Network Traffic Along the Path between Configured Routers and NetFlow Collectors (Typically the increase is less than 1% of the capacity of the circuit.)
Considerations for RMON2 Probes
- High Capital Investment (e.g., how many probes will be needed to cover all or part of the network, and how much will that level of coverage cost?)
- Resource Intensive (to perform configuration, planning, and deployment of probes)
- Medium to High Lifecycle Maintenance (licensing, software upgrades, probe interface upgrades, and network bandwidth increases)
- Applications Must Be Defined (Unlike NetFlow, RMON2 offers no dynamic detection of applications.)