Earlier this month, the network troubleshooting and analysis vendor Network Instruments announced the GigaStor NetFlow Agent, which, according to Network Instruments:
"Allows engineers to utilize NetFlow data about any device in any environment. GigaStor captures and converts packets into NetFlow data flows, pushing it out to multiple destinations simultaneously. This is especially valuable for Network Behavior Anomaly Detection (NBAD) and compliance monitoring applications."
In the Q & A below, Douglas Smith, cofounder and president of Network Instruments, discusses the key limitations of Cisco NetFlow as well as the benefits of his company's new GigaStor NetFlow Agent:
1. So what are key Cisco NetFlow limitations?
Douglas Smith: There are several limitations that can prevent the use of NetFlow as a performance monitoring technology across an entire network. For companies using NetFlow-dependent reporting applications for NBAD, security, compliance or performance management, these limitations severely limit visibility to portions of the network.
Four examples of limitations that can prevent the use of NetFlow as a performance monitoring technology:
1) Non-NetFlow capable devices are blind to local traffic
Typically, you need higher-end Cisco routers and switches to produce NetFlow data. Other infrastructure vendors provide comparable flow technologies in their higher-end offerings but none are as widely implemented as Cisco NetFlow. In most cases, companies have either legacy or non-NetFlow capable infrastructure. With many reporting applications depending upon NetFlow for monitoring performance, compliance, or security, non-NetFlow capable devices create large blind spots on the network.
2) Devices only export two flows
Cisco NetFlow devices only allow you to export two flows to two NetFlow collectors. If a company has more than two reporting applications, decisions must be made that impact visibility and monitoring.
3) NetFlow overhead can overtax infrastructure
Sending NetFlow can add too much overhead to already over-taxed routers and switches. The risk of overloading infrastructure already spread too thin stops engineers from enabling NetFlow on their network.
4) Visibility limited to routed traffic
NetFlow only shows routed traffic or packets. As a result, network engineers are blind to internal LAN and VLAN communications and activities.
2. What gave you the idea for creating NetFlow Agent?
Douglas Smith: Some of our larger customers discussed NetFlow's limitations with us and were looking for a way to expand the visibility of their NetFlow-dependent reporting applications. There were several spots on their network where they either wouldn't enable NetFlow or had non-NetFlow capable routers and switches. While handling NetFlow isn't a core competency of the company, our developers have a deep understanding of networks developed over the last 15 years. For the last three to four years, we've been expanding the incorporation of NetFlow and other flow technologies into our performance management platform. Most important, this was a customer need that didn't have a real solution, and we could easily develop something to address it.
sFlow and NetFlow provide extended visibility, probe delivers detailed drill-down
3. What are the benefits of GigaStor NetFlow Agent?
Douglas Smith: The GigaStor NetFlow Agent overcomes these issues by producing NetFlow data about any network device, including servers and non-NetFlow capable routers and switches. GigaStor captures and converts packets into NetFlow data flows, pushing them to reporting applications.
GigaStor NetFlow Agent Benefits
Produce NetFlow about any device
Expand visibility of NetFlow-dependent NBAD and compliance applications
Push flow data to multiple reporting applications simultaneously
What do you think are the key limitations of Cisco NetFlow?
BradReese.Com Cisco Refurbished - Services that protect, maintain and optimize Cisco hardware
Contact: Brad Reese | Twitter: http://twitter.com/BradReese
Brad Reese cofounded BradReese.Com Cisco Refurbished, which enables affordable Cisco networks globally by assuring customer satisfaction with guaranteed one year warranties on both Cisco Repair as well as Refurbished Cisco.
NetFlow vs sFlow
Hi Brad,
It's interesting that most of the limitations you've listed about NetFlow are not issues with sFlow. ProCurve has sFlow integrated into most of our managed switches, not just the high-end ones; and these switches can send traffic to up to 3 sFlow collectors. Whilst NetFlow can be set up to not over-tax the devices - sFlow is implemented in the ASIC - so there's no need to be concerned about over-taxing your CPU. sFlow visibility isn't limited to routed traffic - and is able to sample traffic from all ports.
From the white paper you've linked to on the Network Instruments site it looks like they support both - so using the NetFlow Agent will allow you to aggregate data from both ProCurve and Cisco kit.
An alternative solution could be to look at the InMon Traffic Sentinel software - which you can run on a server - or embed within the network on a ProCurve ONE Services zl Module
http://www.procurve.com/one/alliance/inmon/trafficsentinel.htm
Andy.
sFlow vs. NetFlow
Hi Andy,
We've been touching on the sFlow vs. NetFlow debate:
Closer look: sFlow better than NetFlow?
NetFlow or sFlow: which is the open standard?
Cisco’s NetFlow vs. Inmon’s sFlow: Which will prevail?
In-line monitoring vs. NetFlow or sFlow
Sincerely,
Brad Reese on Cisco
Network World Cisco Subnet
BradReese.Com Cisco Refurbished
A Few Corrections and points
I have a few comments:
a) Using Flexible NetFlow v9, routers can export to more than 2 destinations. It can export to unlimited destinations until the hardware runs out of resources.
b) Regarding "NetFlow overhead can overtax infrastructure": this is true in rare cases. Most networks see only a marginal increase in link utilization caused by NetFlow (i.e. maybe as high as a 2%-5% increase). The CPU and memory utilization are seldom impacted. In rare cases (e.g. edge routers) enabling NetFlow could crush the router.
c) Regarding "NetFlow only shows routed traffic or packets": not true either. The Cisco Catalyst and Enterasys switches support NetFlow. Also sFlow can be used from many other vendors. Sometimes the TCP flags are omitted.
d) Regarding "network engineers are blind to internal LAN and VLAN communications and activities": again, it can be done with Flexible NetFlow. See the screen capture: http://www.plixer.com/blog/netflow/getting-mac-addresses-from-netflow-v9/
e) nProbe from ntop.org has a NetFlow agent that you can put on any server to send NetFlow. It's free. VMware also has a NetFlow agent.
Finally a plug for Scrutinizer NetFlow and sFlow Analyzer: http://www.plixer.com/products/netflow-sflow/free-netflow-scrutinizer.php
Jake
www.plixer.com
Plug for product
With respect to Jake's comments, one should take all this with a grain of salt, as it is a blatant plug for his company's product.
Starting at point "a", note that not all Cisco gear supports Flexible NetFlow, so an enterprise organization would potentially have to spend considerable capital to upgrade their infrastructure to utilize this new technology.
With respect to "b", this is a valid and real concern in the enterprise space. I agree that where Jake may sell the Plixer products (i.e. the SMB) utilization of gear may be low, but we listen to our customers, and respond to their concerns.
"c" is true for all but the latest Cisco gear, including the 6500s we see in most enterprise data centers. Also note, this was about NetFlow; sFlow or any other technology was not, and is not, relevant to this discussion.
"d" see point "a".
For point "e" there may be other products that export NetFlow, but again most enterprise customers do not want to tax or burden existing systems (i.e. "any server") with additional software, or freeware for that matter.
We see you are keen to sell your product Jake, but you should find other appropriate avenues to do so.
Plug for product
I agree that Jake's post was definitely an opportunity to plug his product, but I disagree with your point "e". There's no reason why customers couldn't set up a separate server versus burdening an existing server. It's really up to the customer. They'll need to decide if they want to buy an appliance (e.g. GigaStor) or whether they would rather get NetFlow export at the cost of having to maintain the server running the software exporter.
Also, I think this is a little bit of the pot calling the kettle black here since although the premise of the article was "what are the key NetFlow limitations", the article is all about plugging GigaStor. There's an entire bullet on the benefits of GigaStor for crying out loud.
NetFlow server
I see what you are saying regarding the need to manage a server regardless, but I guess we never thought that one would purchase a GigaStor to just do NetFlow reporting. The GigaStor provides detailed packet and application transaction analysis, long term packet storage and a facility to retrospectively analyze problems. All this is why entities would use a GigaStor - the NetFlow export is simply an added feature.
Realities of Flexible NetFlow
It's been interesting reading through the conversation. Just a few points on NetFlow and Flexible NetFlow. While Flexible NetFlow may offer the ability to export to more than two destinations, Flexible NetFlow is limited to Data Center class switches/routers.
http://www.cisco.com/en/US/products/ps6601/prod_white_papers_list.html
Most large companies are not going to spend significant money to upgrade infrastructure solely to take advantage of Flexible NetFlow.
The point was also raised that, "most networks see only a marginal increase in link utilization caused by NetFlow (i.e. maybe as high as a 2%-5% increase)." I have seen several customers for whom this is a real issue and why they haven't enabled NetFlow on their infrastructure.
In routers and switches running near capacity even 2%-5% can be a concern. It is certainly, as was mentioned earlier, less of a risk today than with older routers and switches. The actual CPU/RAM load is highly dependent on the number and duration of flows and the specific NetFlow features enabled on a router/switch. The age and type of infrastructure in place also matters significantly. A good albeit dated Cisco paper that evaluates NetFlow's impact on routers:
http://www.cisco.com/en/US/technologies/tk543/tk812/technologies_white_paper0900aecd802a0eb9.html
Finally, a point was raised regarding VMware also having a NetFlow agent. The VMware NetFlow Agent in ESX 3.5 was 'experimental' and was dropped in vSphere (ESX 4.0).
Inclusion: http://www.vmware.com/pdf/vi3_35_25_netflow.pdf
Removal: http://communities.vmware.com/thread/229105
Cool IOS Feature: Random NetFlow
Hi Steve,
Thank you for your comment.
Networking Geek/Tech God and fellow Cisco Subnet blogger Jimmy Ray Purser also has a good piece on NetFlow this week:
Cool IOS Feature: Random NetFlow
Sincerely,
Brad Reese on Cisco
Network World Cisco Subnet
BradReese.Com Cisco Refurbished
FlowMon probes
Hello,
I tested FlowMon probes (www.invea-tech.com) and it looks like you developed a copy of the FlowMon. The FlowMon probes are hardware-accelerated 10 Gbps probes which do the same job. But I don't like probes. The main disadvantage is that if you want to monitor a router with 8x10Gbps interfaces, you need to order 16 probes! For each line two probes (one for TX, a second one for RX). Another disadvantage of a probe is that it doesn't know BGP, so the flows are missing information about src/dst ASes.
Regarding the article above:
Re: two NetFlow destinations:
Many NetFlow analyzers have a UDP flow duplicator, so you can duplicate received NetFlow packets to many destinations. I tried it in the Caligare Flow Inspector software. I love this software.
Only routed traffic:
It is not true. As somebody wrote, on the Catalyst 6500 series or on the Cisco OSR 7600 you can use mls intervlan traffic dumping, so you are able to see inter-VLAN traffic. By default this feature is switched off, but if you enable it, NetFlow will grow 100x ;-)
Peter
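The "devices only export two flows" limitation in the Q & A above and Peter's remark about NetFlow analyzers that ship a UDP flow duplicator both come down to the same mechanism: a small relay that receives an exporter's UDP datagrams once and re-sends them, unchanged, to as many collectors as the NBAD, compliance or performance tools require. The following is an added example of such a replicator and is not code from Network Instruments, Plixer, Caligare, or anyone in this thread. It assumes NetFlow v5 (the 24-byte header and 48-byte record layout), and the collector addresses and ports in it are made-up documentation values (RFC 5737 ranges). Datagrams that do not parse as v5 are counted and dropped rather than forwarded, so a relay sitting in front of security tooling at least records what it is not passing on.

```python
"""NetFlow v5 UDP replicator (a minimal "flow duplicator").

Added example; not the code of any product or person in the thread.
Receives NetFlow v5 export packets on one UDP port, sanity-checks them and
forwards each packet unchanged to any number of collectors, so a device
limited to two export destinations can still feed several applications.
Addresses and ports are assumptions (RFC 5737 documentation ranges).
"""
import socket
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple

# NetFlow v5 wire layout (all fields big-endian).
V5_HEADER = struct.Struct("!HHIIIIBBH")              # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")   # 48 bytes
V5_MAX_RECORDS = 30                                  # protocol maximum per packet

Dest = Tuple[str, int]
Sender = Callable[[bytes, Dest], None]


@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int
    tcp_flags: int


def parse_v5(packet: bytes) -> Tuple[Dict[str, int], List[FlowRecord]]:
    """Parse a v5 packet into (header fields, records); ValueError if malformed."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("packet shorter than v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, sampling = \
        V5_HEADER.unpack_from(packet)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if not 1 <= count <= V5_MAX_RECORDS:
        raise ValueError(f"bad record count {count}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(packet) != expected:
        raise ValueError(f"length {len(packet)} does not match count ({expected})")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(
            src=socket.inet_ntoa(struct.pack("!I", f[0])),
            dst=socket.inet_ntoa(struct.pack("!I", f[1])),
            proto=f[13], sport=f[9], dport=f[10],
            packets=f[5], octets=f[6], tcp_flags=f[12]))
    header = {"sequence": seq, "count": count,
              "sampling_mode": sampling >> 14,          # top 2 bits
              "sampling_interval": sampling & 0x3FFF}   # low 14 bits
    return header, records


def build_v5_packet(flows: Sequence[Tuple[str, str, int, int, int, int, int, int]],
                    sequence: int = 0) -> bytes:
    """Build a v5 packet from (src, dst, proto, sport, dport, pkts, octets, flags)
    tuples. Only used to construct sample traffic; uptime/time fields stay zero."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(struct.unpack("!I", socket.inet_aton(s))[0],
                       struct.unpack("!I", socket.inet_aton(d))[0],
                       0, 0, 0, pk, oc, 0, 0, sp, dp, 0, fl, pr, 0, 0, 0, 0, 0, 0)
        for s, d, pr, sp, dp, pk, oc, fl in flows)
    return header + body


def fan_out(packet: bytes, destinations: Sequence[Dest], send: Sender,
            stats: Dict[str, int]) -> bool:
    """Forward one packet to every collector if it parses as v5; otherwise drop it."""
    try:
        parse_v5(packet)
    except ValueError:
        stats["dropped"] = stats.get("dropped", 0) + 1
        return False
    for dest in destinations:
        send(packet, dest)
    stats["forwarded"] = stats.get("forwarded", 0) + 1
    return True


def serve(listen: Dest, destinations: Sequence[Dest]) -> None:
    """Blocking UDP loop: receive on `listen`, replicate to `destinations`."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(listen)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    send: Sender = lambda data, dest: tx.sendto(data, dest)
    stats: Dict[str, int] = {}
    while True:
        data, _peer = rx.recvfrom(65535)
        fan_out(data, destinations, send, stats)


if __name__ == "__main__":
    # Offline demonstration with a constructed packet and a recording sender.
    sample = build_v5_packet([("10.0.0.5", "192.0.2.80", 6, 51000, 80, 10, 4200, 0x18)], 1)
    collectors = [("192.0.2.10", 2055), ("192.0.2.11", 2055), ("192.0.2.12", 9996)]
    sent: List[Dest] = []
    st: Dict[str, int] = {}
    fan_out(sample, collectors, lambda d, a: sent.append(a), st)
    fan_out(b"\x00\x09" + sample[2:], collectors, lambda d, a: sent.append(a), st)  # v9 header: dropped
    print(parse_v5(sample))
    print("sent to", sent, "stats", st)
    # Real use: serve(("0.0.0.0", 2055), collectors)
```

The parse step is deliberately strict (version, record count and total length must agree) because everything downstream of the relay is blind to whatever it discards; the `stats` counters are the minimum a defender needs to notice that the feed into an NBAD or compliance tool has gone silent. NetFlow v9 and IPFIX are template-based and would need the relay to pass templates through to every collector; sFlow datagrams can be replicated the same way but are not validated by this parser.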