The NetFlow export or transport mechanism sends the NetFlow data to a collection engine or network management collector. Flow collector engines perform data collection and filtering. They aggregate data from several devices and store the information. Different NetFlow data analyzers can be used, depending on the intended purpose. NetFlow data can be analyzed for the following key applications:
- Accounting and billing: Service providers can use NetFlow data for charging based on bandwidth and application usage and quality of service (QoS).
- Network planning and analysis: NetFlow data can be used to determine link and router capacity.
- Network and security monitoring: NetFlow data can be used to visualize real-time traffic patterns.
- Application monitoring and profiling: NetFlow data can be used to get time-based views of application usage.
- User monitoring and profiling: NetFlow data can be used to identify customer and user network utilization and resource application.
- NetFlow data warehousing and mining: NetFlow data can be warehoused for later retrieval and analysis.
Looking ahead, Cisco has introduced Flexible NetFlow as the next generation in flow technology. Flexible NetFlow has many benefits beyond the Cisco traditional NetFlow functionality available for years in Cisco hardware and software.
The key advantages to using Flexible NetFlow are as follows:
- Flexibility and scalability of flow data beyond traditional NetFlow
- The ability to monitor a wider range of packet information to produce new information about network behavior that was not available previously
- Enhanced network anomaly and security detection
- User-configurable flow information to perform customized traffic identification and the ability to focus and monitor specific network behavior
- Convergence of multiple accounting technologies into one accounting mechanism
Flexible NetFlow is an integral part of Cisco IOS software that collects and measures data, allowing all routers or switches in the network to become sources of telemetry and monitoring devices. Flexible NetFlow allows extremely granular and accurate traffic measurements and high-level aggregated traffic collection. Because it is part of Cisco IOS software, Flexible NetFlow enables Cisco product-based networks to perform traffic flow analysis without external probes being purchased, thus making traffic analysis economical for large IP networks.
Flexible NetFlow can track the following packet information for Layer 2, IPv4, and IPv6 flows:
- Source and destination MAC addresses
- Source and destination IPv4 or IPv6 addresses
- Source and destination TCP/User Datagram Protocol (UDP) ports
- Type of service (ToS)
- DSCP
- Packet and byte counts
- Flow timestamps
- Input and output interface numbers
- TCP flags and encapsulated protocol (TCP/UDP) and individual TCP flags
- Sections of packets for deep packet inspection
- All fields in the IPv4 header, including IP-ID and TTL
- All fields in the IPv6 header, including Flow Label and Option Header
- Routing information such as next-hop address, source autonomous system (AS) number, destination AS number, source prefix mask, destination prefix mask, BGP next hop, and BGP policy accounting traffic index