By John Mao, Product Manager at NetQoS
Cisco's NetFlow technology provides flow statistics from IOS-enabled routers capable of characterizing traffic on a network. Information provided by NetFlow includes network protocols, ports, IP addresses, and much more.
Five years ago, NetFlow was a new buzzword floating around various companies' networking groups. Some immediately saw the management benefits it could provide while others continued to use the network probes they knew best. However, fast forward to today, and a large majority of engineers are intimately familiar with the benefits and uses of NetFlow.
Although initially implemented by Cisco, NetFlow is emerging as an IETF standard: Internet Protocol Flow Information eXport (IPFIX). Based on the NetFlow Version 9 implementation, IPFIX is going to be the industry standard in the very near future. Network infrastructure vendors, including Nortel and others, are already adding IPFIX support to their enterprise switches and routers.
Thousands of IT enterprises worldwide have embraced NetFlow technology, which can give them the same flow information that traditional probes provide. Because NetFlow costs less to deploy and maintain, it is easy to see why so many have made the switch.
The router's memory can retain these vast amounts of in-depth statistics only for a short time. NetFlow/IPFIX management products (like NetQoS's own ReporterAnalyzer) export the NetFlow data periodically, then store and parse it.
That said, here are six tips for improving network visibility and performance using the NetFlow data that you're probably already getting from your routers. These tips work best with ReporterAnalyzer (hey, it's our company blog and if we didn't think our products were the best, we wouldn't be making them), but should be helpful even to those using more basic tools.
Tip #1: Identify applications on your network.
To effectively troubleshoot network-related issues, you must have visibility into which applications make up the traffic on a particular network interface. Traditional SNMP-based network management tools provide link utilization statistics but lack the ability to break down the distribution into individual protocols.
With NetFlow, routers export statistics about every single application routed through the device. This provides insight into the applications that are on your network and helps you determine potential root causes of network performance problems.
(NetQoS ReporterAnalyzer collects and reports on NetFlow data to graphically show the distribution of applications across a network interface. When troubleshooting a network performance problem, this level of detail is absolutely critical in pinpointing the application responsible for the reduction.)
Tip #2: Find top talkers on your network.
Sometimes knowing the application responsible for performance problems is not enough. In fact, in many instances, it is more critical to identify which particular clients or servers are participating in the use of the application.
With NetFlow, the routers not only export information regarding the application flows on a network, but the actual hosts (clients, servers, networked devices, and so on) communicating via the application. This information is useful in isolating "top talkers" on your network and aids in identifying illegitimate hosts that can be eliminated or blocked.
Unlike flow sampling technologies, NetFlow reports every single host's IP address that passes through the routing device. Because of this, NetFlow also helps to report security and audit violations on the network. With other sampling technologies, some flows are omitted, making those technologies unsuitable for this purpose.
To understand whether the web traffic is legitimate or not, you need visibility into the actual hosts involved in conversations. While troubleshooting network performance problems, it is critical to have visibility into hosts responsible for impacting business-critical applications. (Again, NetQoS ReporterAnalyzer provides charts and tabular data to give you this level of host-based visibility.)
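The application breakdown from Tip #1 and the top-talker list from Tip #2 can be computed directly from exported flow records. The following is an added example, not code from NetQoS or ReporterAnalyzer; it assumes the fixed-format NetFlow version 5 export datagram (not the template-based Version 9/IPFIX), identifies an application by protocol and the lower of the two port numbers, and uses a constructed datagram with documentation addresses.

```python
import socket
import struct
from collections import Counter

HDR = struct.Struct("!HHIIIIBBH")                 # NetFlow v5 header, 24 bytes
REC = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # NetFlow v5 flow record, 48 bytes

def parse_v5(datagram):
    """Yield (src, dst, proto, sport, dport, octets) per record in one datagram."""
    version, count = HDR.unpack_from(datagram)[:2]
    if version != 5 or len(datagram) < HDR.size + count * REC.size:
        raise ValueError("not a complete NetFlow v5 datagram")
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        # f[12] = IP protocol, f[9]/f[10] = source/destination port, f[6] = octets
        yield (socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]), f[12], f[9], f[10], f[6])

def summarize(flows, top_n=3):
    """Return (bytes per application, top talkers by bytes)."""
    apps, hosts = Counter(), Counter()
    for src, dst, proto, sport, dport, octets in flows:
        # Assumption: the lower port number is the server side and names the application.
        apps[(proto, min(sport, dport))] += octets
        hosts[src] += octets   # a host counts as a talker whether it sends
        hosts[dst] += octets   # or receives the traffic
    return apps.most_common(), hosts.most_common(top_n)

def build_sample():
    """Constructed export datagram carrying three flows."""
    rows = [("192.0.2.10", "198.51.100.5", 51000, 443, 6, 900000),
            ("192.0.2.11", "198.51.100.5", 51001, 443, 6, 100000),
            ("192.0.2.10", "203.0.113.9", 40000, 53, 17, 2000)]
    body = b"".join(
        REC.pack(socket.inet_aton(s), socket.inet_aton(d), bytes(4), 1, 2, 10, octets,
                 0, 0, sp, dp, 0, proto, 0, 0, 0, 24, 24)
        for s, d, sp, dp, proto, octets in rows)
    return HDR.pack(5, len(rows), 0, 0, 0, 0, 0, 0, 0) + body

if __name__ == "__main__":
    apps, talkers = summarize(parse_v5(build_sample()))
    print("bytes per (protocol, port):", apps)
    print("top talkers:", talkers)
```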
Tip #3: Investigate threshold exceptions.
As an option, routers can be configured to export network traffic statistics via NetFlow in near real time. With this level of exporting frequency from the routers, NetFlow collectors should have a mechanism to detect potentially problematic network conditions - so that you can be notified when alarm conditions occur.
(While there are many ways to set these alarms, NetQoS ReporterAnalyzer can automatically send SNMP traps to log and investigate whenever rates or utilization exceed thresholds - these traps can capture information such as the interface on which the exception occurred, the application causing the exception, and the actual value of rate, utilization, etc., recorded at the time of the alarm.)
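A collector-side threshold check of the kind described in Tip #3 might look like the following added example (not ReporterAnalyzer's logic). It assumes already-decoded flow records, a hypothetical `link_bps` table of interface speeds, and that each flow's bytes are attributed to the interval in which the flow ended; the sample flows are constructed.

```python
from collections import Counter, defaultdict

def threshold_exceptions(flows, link_bps, interval=60, threshold=0.8):
    """flows: iterable of (end_time_s, ifindex, proto, server_port, octets).

    Returns a list of (ifindex, interval_start, utilization, top_application)
    for every interface/interval whose utilization exceeds the threshold.
    """
    buckets = defaultdict(Counter)
    for ts, ifindex, proto, port, octets in flows:
        start = ts // interval * interval          # align to the reporting interval
        buckets[(ifindex, start)][(proto, port)] += octets
    alarms = []
    for (ifindex, start), apps in sorted(buckets.items()):
        bits = sum(apps.values()) * 8
        util = bits / (interval * link_bps[ifindex])
        if util > threshold:
            # Same details the alarm should carry: interface, application, value.
            top_app = apps.most_common(1)[0][0]
            alarms.append((ifindex, start, round(util, 3), top_app))
    return alarms

# Constructed sample: interface 1 is a 10 Mbit/s link.
LINK_BPS = {1: 10_000_000}
SAMPLE_FLOWS = [
    (10, 1, 6, 443, 40_000_000),
    (30, 1, 6, 445, 25_000_000),
    (70, 1, 6, 443, 10_000_000),
]

if __name__ == "__main__":
    for alarm in threshold_exceptions(SAMPLE_FLOWS, LINK_BPS):
        print("threshold exceeded:", alarm)
```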
Tip #4: Validate QoS Implementations.
Quality of Service (QoS) is commonly implemented when specific applications require a guaranteed priority on the network. Latency-sensitive applications like Voice-over-IP (VoIP) or streaming video often demand a high level of service to provide a good end-user experience.
The increasing popularity of Multiprotocol Label Switching (MPLS) networks is also driving network teams to become more educated on proper implementation strategies. One of the requirements for a successful MPLS implementation is to categorize specific applications into different classes within a given set of QoS policies.
Regardless of the business case, NetFlow is a great source of data to help validate QoS implementations. (ReporterAnalyzer can extract QoS information from NetFlow to report on different Type of Service (ToS) class usage as well as queue-based protocol distribution, to help you do exactly that.)
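One way to validate a QoS policy from the ToS byte carried in each flow record, as an added example that is not ReporterAnalyzer's code: it reports bytes per DSCP class and lists flows whose marking differs from what the policy expects for that application. The `POLICY` table, the port-to-application mapping, and the sample flows are hypothetical and constructed for illustration.

```python
from collections import Counter

# Hypothetical QoS policy: (protocol, server port) -> expected DSCP value.
POLICY = {
    (17, 5004): 46,  # RTP voice media -> EF
    (6, 5060): 24,   # SIP signalling  -> CS3
    (6, 443): 0,     # web             -> best effort
}

def validate_qos(flows, policy=POLICY):
    """flows: iterable of (src, dst, proto, sport, dport, tos, octets).

    Returns (bytes per DSCP class, list of mismarked flows).
    """
    per_class = Counter()
    violations = []
    for src, dst, proto, sport, dport, tos, octets in flows:
        dscp = tos >> 2                     # DSCP is the upper six bits of the ToS byte
        per_class[dscp] += octets
        app = (proto, min(sport, dport))    # assumption: lower port names the application
        expected = policy.get(app)
        if expected is not None and dscp != expected:
            violations.append((src, dst, app, dscp, expected, octets))
    return per_class, violations

# Constructed sample flows (documentation addresses).
SAMPLE_FLOWS = [
    ("192.0.2.20", "192.0.2.30", 17, 16384, 5004, 0xB8, 50000),   # voice marked EF
    ("192.0.2.21", "192.0.2.30", 17, 16390, 5004, 0x00, 48000),   # voice left unmarked
    ("192.0.2.22", "198.51.100.5", 6, 51000, 443, 0xB8, 700000),  # web marked EF
    ("192.0.2.20", "192.0.2.40", 6, 40000, 5060, 0x60, 1200),     # signalling marked CS3
]

if __name__ == "__main__":
    per_class, violations = validate_qos(SAMPLE_FLOWS)
    print("bytes per DSCP:", dict(per_class))
    for v in violations:
        print("mismarked flow:", v)
```

Both directions of mismarking matter: unmarked voice loses its priority, while bulk traffic marked EF crowds the priority queue that voice depends on.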
Tip #5: Compare application usage patterns.
Because routers are not intended to keep NetFlow indefinitely, collectors and external data stores are required to capture NetFlow for historical analysis and reporting purposes. Without long-term NetFlow data retention, there is no way to compare current traffic behavior with historical patterns for particular applications. Ideally, reporting products should marry up-to-the-minute real-time application performance data with historical data for trending and capacity planning.
Correlating application use patterns to a historical baseline (another thing ReporterAnalyzer can do, by the way) helps to track down the root causes of performance problems.
Tip #6: Understand bandwidth utilization and growth.
Another powerful use of long term, historical NetFlow data is the ability to plan for future capacity requirements. By understanding how bandwidth and application utilization grow over time, organizations are equipped with information to help them make educated resource predictions to accommodate future growth.
Many capacity planning groups are starting to realize the value of long-term, historical NetFlow data when projecting resource needs. By trending application growth on particular interfaces, they can make informed decisions about bandwidth upgrades and when they will be required. For some organizations with global deployments, knowing when an interface requires upgrading allows them to plan for the long lead times that are needed to implement the upgrade and, as a result, avoid performance deterioration.
By analyzing long-term, historical NetFlow data, you can make projections of capacity requirements one week, one month, or one year into the future. (And yes, ReporterAnalyzer can analyze application growth trends as well, and chart them.)
NetFlow and other flow technologies will continue to evolve to provide traffic analysis statistics useful to organizations of all sizes. By leveraging existing infrastructure investments, NetFlow is a very cost-effective technology.