This article covers the basics of NetFlow, including its use cases, NetFlow-supported devices, history, and variants. We’ll also dive into the technical details of how the NetFlow protocol works, including the NetFlow ports and the various NetFlow versions. From there, we cover the NetFlow components, including the NetFlow Exporter, NetFlow Collector, and NetFlow Analyzer, with brief coverage of its main competition.
Visibility plays a key role in the maintenance and security of any network. With it, admins can identify issues, discover non-compliant users, refine their provisioning, and more. NetFlow is a protocol developed by Cisco that fulfils this purpose, letting interested parties understand network patterns and protocol distribution, while supporting more granular data like IP service type for diagnosis.
Its relatively low overhead and trusted history mean that NetFlow is still around in some forms a decade after its release. As well as user and application monitoring, admins utilize NetFlow for network planning, application reporting and profiling, security analysis, and usage-based reporting and billing.
Broadly, a flow is a group of packets that are part of the same conversation between two endpoints in a network. More technically, a single flow is defined by its 5-tuple, a collection of five data points:
- Source and destination IP addresses
- Source and destination ports
- The protocol
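The 5-tuple definition above, as an added example that is not code from the original article: it groups constructed packet records into flows keyed on the five fields, then pairs the two directions of each exchange into one conversation. The pairing step goes beyond the text and assumes each direction is recorded under its own 5-tuple, since source and destination swap on the return path; all names and sample addresses are hypothetical.

```python
from collections import defaultdict
from typing import NamedTuple

class FlowKey(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # IANA protocol number: 6 = TCP, 17 = UDP

# Constructed sample packets: (src_ip, dst_ip, src_port, dst_port, proto, bytes)
PACKETS = [
    ("10.0.0.5", "192.0.2.10", 51514, 443, 6, 517),
    ("192.0.2.10", "10.0.0.5", 443, 51514, 6, 1460),
    ("10.0.0.5", "192.0.2.10", 51514, 443, 6, 126),
    ("10.0.0.5", "198.51.100.53", 40000, 53, 17, 72),
    ("198.51.100.53", "10.0.0.5", 53, 40000, 17, 136),
    ("10.0.0.5", "192.0.2.10", 51515, 443, 6, 517),  # new source port: new flow
]

def aggregate_flows(packets):
    """Group packets by 5-tuple; return {FlowKey: {"packets": n, "bytes": n}}."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src_ip, dst_ip, sport, dport, proto, size in packets:
        rec = flows[FlowKey(src_ip, dst_ip, sport, dport, proto)]
        rec["packets"] += 1
        rec["bytes"] += size
    return dict(flows)

def conversation_key(key):
    """Direction-independent key: order the two (ip, port) endpoints."""
    a, b = sorted([(key.src_ip, key.src_port), (key.dst_ip, key.dst_port)])
    return (a, b, key.proto)

def pair_conversations(flows):
    """Merge the two directions of each exchange into one conversation."""
    convs = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for key, rec in flows.items():
        conv = convs[conversation_key(key)]
        conv["flows"] += 1
        conv["packets"] += rec["packets"]
        conv["bytes"] += rec["bytes"]
    return dict(convs)

if __name__ == "__main__":
    flows = aggregate_flows(PACKETS)
    for key, rec in flows.items():
        print(key, rec)
    for key, rec in pair_conversations(flows).items():
        print(key, rec)
```

A conversation that shows only one flow, like the last sample packet, is traffic with no observed return path, which is often worth a second look during security analysis.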
As you’d expect, the Cisco-developed protocol is supported by a number of Cisco networking devices. The company’s IOS-XR routers use a software implementation running on the line card CPU, while the IOS line runs software on the route processor. Meanwhile, Catalyst and Nexus switches have a dedicated hardware TCAM implementation, generally supporting more flows.