Using Cisco NetFlow to Monitor WAN Traffic
Wide Area Networks (WANs) are commonly used to connect businesses and institutions with remote branches and field sites. One of the chief advantages of WAN connectivity is the ability to locate key services at a central location, and share those resources with many other geographically dispersed sites. Technical staffing requirements can be significantly reduced by allowing remote administration and systems management to take place entirely from the main site.
One of the chief disadvantages of this approach, however, is that it can be very difficult to troubleshoot and diagnose network problems from tens or hundreds of miles away. Your router will probably tell you how much bandwidth you're consuming at a remote site, but who (or what) is responsible for all of that traffic?
Enter NetFlow
NetFlow is a protocol developed by Cisco which allows administrators to view real-time network activity at one or more remote locations, such as field or branch offices, which are connected to a centralized monitoring site via a WAN/Internet link. This is done by configuring NetFlow support on a router or (occasionally) a switch.
In legacy environments, it was necessary to deploy standalone network probes (often referred to as sniffers or packet/protocol analyzers) at each remote site, and it was difficult or impossible to make this data available to engineers from other sites. NetFlow was designed specifically to facilitate centralized monitoring and eliminate the need to deploy probes or agents at each site.
The NetFlow protocol itself is open, which means that other manufacturers can also implement NetFlow support into their own network devices without licensing the technology from Cisco. It is also a very lightweight protocol, and was designed from the outset to be transmitted over WAN links without introducing significant additional overhead.
How does NetFlow work?
NetFlow works by placing the packet inspection burden on the router or switch itself, eliminating the need for a probe or an agent. Since the device is already inspecting network traffic to begin with (in order to determine switching or routing paths), it makes the most sense to implement packet inspection facilities here.
A NetFlow-enabled device collects useful information about the packets going across the wire, including their origin, destination, protocol and more. As it monitors network activity, it emits flow packets at regular intervals to a NetFlow collector device, such as Netmon Professional Edition or Netmon Enterprise Edition.
The NetFlow collector device receives these packets, which contain a summary of the network activity that took place on that particular network segment at that moment in time, and processes them accordingly.
How can I tell if my equipment supports NetFlow?
Most Cisco routers from the year 2000 and forward already have built-in support for NetFlow. Check the Cisco website (www.cisco.com [1]) for information on NetFlow support for your specific device. You'll need to make sure you're running a relatively recent version of Cisco's IOS software (12.0+) to take advantage of this protocol. In the last few years NetFlow support has also appeared in some of Cisco's higher-end switches. A few other manufacturers also support NetFlow. When in doubt, consult your manufacturer's documentation, or ask the support team for more information.
NetFlow Reports
In order to analyze NetFlow data, you will need a NetFlow collector, which is a software or hardware system that processes the incoming flow packets. Good systems, like Netmon Professional Edition or Netmon Enterprise Edition, can present this NetFlow data in a variety of ways, including live visual maps of network activity, as well as provide reporting tools to analyze historical network activity for each site.
Wrapping Up
NetFlow allows network technicians and administrators to have an unprecedented level of visibility into remote network activity. If you use Cisco or other NetFlow-capable gear at your branch sites, you already have most of what you need.
Netmon Software Edition [2], Netmon Professional Edition [3], and Netmon Enterprise Edition [4] feature a fully integrated NetFlow v1, v5 and v7 Collector engine, which allows you to process an unlimited number of incoming NetFlow streams.
Links:
[1] http://www.cisco.com
[2] http://www.netmon.ca/solutions/networkmonitoring/SE
[3] http://www.netmon.ca/solutions/networkmonitoring/PRO
[4] http://www.netmon.ca/solutions/networkmonitoring/ENT