About NetFlow

Description

NetFlow is a telemetry protocol that allows for the collection of IP statistics on interfaces where it is enabled. A "flow" is a unidirectional data set; that is, it describes one side of a connection, not both. Once selected and collected, this data is exported in binary format to a remote collector. Typically, routing platforms export NetFlow whereas switching platforms export sFlow.

Versions Supported

  • v5
  • v9
  • v10 (IPFIX)

Version Differences of Note

  • v5 does not support IPv6 due to its specification: the IP address fields are not big enough to hold an IPv6 address.

  • v9 and v10 are template based, which gives flexibility; however, these templates are often set by vendors and are not configurable by the end user.

  • v9 and v10 templates are NOT sent with the records themselves but at an independent interval. Templates have to be received before data can be decoded. Also, if scaling horizontally, templates need to be replicated to the other collectors or they will not be able to decode flows.

  • In v9 and v10 the sample rate is no longer reported in every flow packet. It is typically defined in an options template, which is sent at a configurable interval.
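To make the template dependency concrete, here is an added example (not Netography's code) of a minimal NetFlow v9 collector loop in Python: it caches template FlowSets and shows that a data FlowSet arriving before its template cannot be decoded, while the same bytes decode once the template has been seen. The export packet, template ID 256 and the 10.0.0.5 to 192.0.2.10 flow are constructed for the demo.

```python
import struct
from ipaddress import IPv4Address

# Field type numbers from the NetFlow v9 spec (RFC 3954); only those the demo uses.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 6: "tcp_flags", 7: "src_port",
               8: "src_ip", 11: "dst_port", 12: "dst_ip"}

def decode_value(ftype, raw):  # IPv4 address fields as dotted quads, the rest as big-endian ints
    return str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")

def parse_v9(packet, templates):
    """Walk the FlowSets of one v9 export packet. `templates` is the collector's cache
    (template id -> [(field type, length)]) and must persist across packets, since templates
    arrive in their own FlowSet at a separate interval. Returns (records, dropped data sets)."""
    assert struct.unpack("!H", packet[:2])[0] == 9, "not a NetFlow v9 packet"
    records, dropped, pos = [], 0, 20                # skip the 20-byte packet header
    while pos + 4 <= len(packet):
        set_id, set_len = struct.unpack("!HH", packet[pos:pos + 4])
        body = packet[pos + 4:pos + set_len]
        if set_id == 0:                              # template FlowSet: learn templates
            while len(body) >= 4:
                tid, nfields = struct.unpack("!HH", body[:4])
                templates[tid] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i]) for i in range(nfields)]
                body = body[4 + 4 * nfields:]
        elif set_id >= 256:                          # data FlowSet: needs a known template
            if set_id not in templates:
                dropped += 1                         # template not seen yet: cannot decode
            else:
                fields = templates[set_id]
                rec_len = sum(flen for _, flen in fields)
                while len(body) >= rec_len:          # leftover bytes < rec_len are padding
                    rec, off = {}, 0
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, ftype)] = decode_value(ftype, body[off:off + flen])
                        off += flen
                    records.append(rec)
                    body = body[rec_len:]
        pos += set_len
    return records, dropped

# Constructed sample export: 20-byte header, a template FlowSet defining template 256 and one
# data record using it (10.0.0.5:51234 -> 192.0.2.10:22, 120 bytes, 2 packets, SYN only).
HEADER = struct.pack("!HHIIII", 9, 2, 1000, 1700000000, 1, 0)
TEMPLATE = struct.pack("!HH", 256, 7) + b"".join(
    struct.pack("!HH", t, n) for t, n in [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4), (2, 4), (6, 1)])
TEMPLATE_SET = struct.pack("!HH", 0, 4 + len(TEMPLATE)) + TEMPLATE
RECORD = IPv4Address("10.0.0.5").packed + IPv4Address("192.0.2.10").packed + struct.pack("!HHIIB", 51234, 22, 120, 2, 0x02)
DATA_SET = struct.pack("!HH", 256, 4 + len(RECORD)) + RECORD

def demo():
    cache = {}
    early = parse_v9(HEADER + DATA_SET, cache)                 # data before its template: dropped
    later = parse_v9(HEADER + TEMPLATE_SET + DATA_SET, cache)  # template now cached: decodes
    return early, later
```

A real collector keys the cache by exporter source address and Source ID as well, since template IDs are only unique per exporter.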

Flow Sampling (NetFlow) vs. Packet Sampling (sFlow)

Neither approach is superior to the other; each has advantages and disadvantages. With flow sampling, the device picks a 5-tuple depending on the sampling algorithm, tracks the relevant statistics for the duration of that flow, and then exports them at the appropriate time. With packet sampling, the exporter simply picks every Nth packet and reports the details of that packet.

NetFlow Advantages

  • Full byte and packet counts for a chosen flow
  • All seen TCP flags for a chosen flow (critical for security algorithms)
  • Flow start time
  • Flow end time
  • Flow duration

Netography Use Case Recommendation

As you can see from the advantages above, NetFlow has a huge advantage when it comes to understanding the full communication between endpoints on the network. These could be security use cases but also performance ones. For example, watching typical flow durations from clients to servers can tell you quite a bit about performance over time. A security example: a large number of short-duration flows between two IPs might be an indicator that a brute force attack is ongoing. DDoS detection remains another common use case; however, sFlow will provide more real-time (< 1 minute) detection if that is the primary concern.

Netography Configuration Recommendation

  • Only sample input on chosen interfaces
  • Set active-timeout to 60
  • Follow the sample rate table below based on traffic
  • Set run-length to 0 if it exists on your platform

Sample Rate Guide

Bandwidth               Sample Rate
N < 1 Gbps              10
1 Gbps < N < 10 Gbps    100
10 Gbps < N < 25 Gbps   1000
N > 25 Gbps             8000

Juniper SRX Configuration Example

> edit
# set services flow-monitoring version9 template prod-template flow-active-timeout 60
# set services flow-monitoring version9 template prod-template flow-inactive-timeout 60
# set services flow-monitoring version9 template prod-template template-refresh-rate seconds 20
# set services flow-monitoring version9 template prod-template option-refresh-rate seconds 20
# set services flow-monitoring version9 template prod-template ipv4-template
# set services flow-monitoring version9 template prod-template6 flow-active-timeout 60
# set services flow-monitoring version9 template prod-template6 flow-inactive-timeout 60
# set services flow-monitoring version9 template prod-template6 template-refresh-rate seconds 20
# set services flow-monitoring version9 template prod-template6 option-refresh-rate seconds 20
# set services flow-monitoring version9 template prod-template6 ipv6-template
# set forwarding-options sampling input rate 1000
# set forwarding-options sampling input run-length 0
# set forwarding-options sampling family inet output flow-inactive-timeout 15
# set forwarding-options sampling family inet output flow-active-timeout 60
# set forwarding-options sampling family inet output flow-server <flow destination> port 2000
# set forwarding-options sampling family inet output flow-server <flow destination> source-address <my public ip address>
# set forwarding-options sampling family inet output flow-server <flow destination> version9 template prod-template
# set forwarding-options sampling family inet6 output flow-inactive-timeout 15
# set forwarding-options sampling family inet6 output flow-active-timeout 60
# set forwarding-options sampling family inet6 output flow-server <flow destination> port 2000
# set forwarding-options sampling family inet6 output flow-server <flow destination> source-address <my public ip address>
# set forwarding-options sampling family inet6 output flow-server <flow destination> version9 template prod-template6
# commit
# exit
