Netflow!!

Service providers these days continuously face the challenge of someone intruding into their network. Suspicious access from unknown IPs, hacking and the like put pressure on the service provider’s environment and their customers’ networks, and put a dent in their resources and revenues.

On the other hand, companies also spend quite a lot of money on understanding users’ traffic patterns, monitoring network bandwidth utilization and WAN traffic, and performance monitoring. Whatever their motive, some sort of protocol is needed to do all this, as the traditional method of monitoring via SNMP is just not enough, and this gave rise to the network protocol by Cisco called “NetFlow”.

“NetFlow” is a network protocol developed by Cisco for collecting IP traffic information and monitoring network traffic. By analyzing flow data, a picture of network traffic flow and volume can be built. Using a NetFlow collector and analyzer, you can see where network traffic is coming from and going to and how much traffic is being generated.

While the term NetFlow was mostly used by Cisco, many other network hardware manufacturers support alternative flow technologies:

  • Juniper (Jflow)
  • 3Com/HP, Dell (sFlow)
  • Huawei (NetStream)
  • Alcatel-Lucent (Cflow)

Routers and switches that support NetFlow collect IP traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records toward at least one NetFlow collector. A NetFlow collector is typically a server that does the actual traffic analysis: it processes the exported data and presents the results in a user-friendly format. NetFlow collectors can be hardware-based or software-based.

NetFlow v1 was originally introduced in 1990 and has since evolved to NetFlow version 9. Today, the most common versions are v5 and v9. The major difference between them is that v5 is restricted to IPv4 flows, whereas v9 can also report flows such as IPv6, MPLS, or even plain IPv4 with BGP next hop.

Monitoring IP traffic flows ensures that resources are used appropriately in support of organizational goals. It helps IT determine where to apply Quality of Service (QoS) and plays a vital role in network security by helping detect Denial-of-Service (DoS) attacks and other undesirable network events.

One last thing: NetFlow is not a standardized protocol. It was developed by Cisco, although other vendors use the same concept for their routers/switches. The IETF took NetFlow v9 and standardized it as “IPFIX” (IP Flow Information Export) with some additional changes, which vendors are implementing these days to have a consistent view and avoid interoperability issues.

We can go through IPFIX in other blog posts, but for now I hope you have understood the usage of NetFlow :).

Thanks

Mohit Mittal

 
