Industry analysis by Beth Schultz, plus the latest news headlines.
Several years ago, NetFlow was arguably one of the most underutilized management assets relevant to network performance and security. It was generally available as a part of Cisco IOS software, but was rarely activated. At that time, it was cumbersome to access, view and interpret, and it often degraded network performance.
This was a shame, because NetFlow offers significant value for performance management, capacity planning, and security across the networked application infrastructure. Much like RMON-based probes, NetFlow offers granular information on where, how and by whom specific applications are being used and how that usage affects the network. As such it can identify inappropriate behavior - too much Kazaa bringing down response time for an ERP application, for example - catch and diagnose denial-of-service attacks, help to troubleshoot bottlenecks, monitor the efficacy of QoS parameters, and support usage-based accounting and billing. NetFlow reveals information like source IP address, destination IP address, source port, destination port, Layer 3 protocol type and class of service.
NetFlow is now becoming more broadly used. Cisco has made some smart investments in improving NetFlow performance and accessibility. Cisco is even working on a Management Information Base for simple, summary access to NetFlow information, and the company is currently talking with the IETF about standardizing NetFlow. And perhaps most of all, Cisco has recognized the value of industry partnerships in tapping NetFlow for a much broader audience.
One of the most successful of these partnerships is with NetQoS, which offers SuperAgent for troubleshooting and diagnosing application performance, and ReporterAnalyzer for capacity-related troubleshooting and assessing the volume and impact of traffic flows. It’s ReporterAnalyzer that supports NetFlow and brings unique features to the process:
* ReporterAnalyzer can calculate outbound traffic for NetFlow. This is valuable because NetFlow only provides statistics for inbound traffic flows and so typically needs to be turned on at both ends of a link. While this calculation doesn’t include multicast traffic, broadcast traffic, bottleneck traffic, or router overhead measurements, it’s sufficiently detailed for many enterprise IT shops.
* ReporterAnalyzer is designed for scalability. Multiple “Harvesters” listen for NetFlow datagrams and reduce data prior to WAN transport. Harvesters feed NetFlow Managers for data aggregation. This is also where the “Out” calculation is done to estimate outbound traffic flow. Finally, multiple NetFlow Managers feed the ReporterAnalyzer itself, where a healthy set of readable reports is generated.
* ReporterAnalyzer can also monitor and throttle the amount of NetFlow traffic on the network, based on pre-established policies for maximum allowable bandwidth usage. Some estimates put NetFlow CPU utilization with ReporterAnalyzer in only the 3% to 5% range in many instances - a vast improvement over past numbers.
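
As an added illustration (not from the article, and not NetQoS's implementation), the Python below parses a NetFlow export datagram into the fields listed earlier and derives a per-interface outbound byte count from ingress-only flow records by crediting each flow to its output interface. It assumes the NetFlow v5 record layout, which the article does not name. The addresses, ports and ifIndex values are constructed sample data.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 layout (assumed export version; the article does not specify one).
HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

def parse_v5(datagram):
    """Return a list of flow dicts from one NetFlow v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("short header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "in_if": f[3], "out_if": f[4], "bytes": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13], "tos": f[14]})
    return flows

def interface_totals(flows):
    """Bytes per ifIndex: 'in' is measured, 'out' is derived from ingress flows."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for fl in flows:
        totals[fl["in_if"]]["in"] += fl["bytes"]
        if fl["out_if"] != 0:  # assumption: 0 means the packet was not forwarded
            totals[fl["out_if"]]["out"] += fl["bytes"]
    return {k: dict(v) for k, v in totals.items()}

def build_sample():
    """Constructed datagram: LAN is ifIndex 1, WAN is ifIndex 2 (made-up values)."""
    ip = socket.inet_aton
    recs = [  # src, dst, in_if, out_if, packets, bytes, sport, dport, proto
        (ip("10.0.0.5"), ip("192.0.2.10"), 1, 2, 12, 9000, 40000, 1214, 6),
        (ip("10.0.0.7"), ip("192.0.2.20"), 1, 2, 4, 1500, 40001, 443, 6),
        (ip("192.0.2.10"), ip("10.0.0.5"), 2, 1, 30, 42000, 1214, 40000, 6),
    ]
    body = b"".join(
        RECORD.pack(s, d, ip("0.0.0.0"), i, o, p, b, 0, 0, sp, dp, 0, 0, pr, 0, 0, 0, 0, 0, 0)
        for s, d, i, o, p, b, sp, dp, pr in recs)
    return HEADER.pack(5, len(recs), 0, 0, 0, 0, 0, 0, 0) + body

if __name__ == "__main__":
    print(interface_totals(parse_v5(build_sample())))
```

A derived figure of this kind only counts traffic that entered the router on a NetFlow-enabled interface, which is consistent with the article's caveat that router overhead and some other traffic classes are not included.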
Schultz is a longtime IT journalist.