Netflow and Network Top Talkers. How to Find Them and What to Do Next

Using Netflow to understand your network and get the best performance from it.

What is Network Netflow?

Netflow is a network protocol that collects information about the traffic flowing through a network device’s interface. Netflow was originally created by Cisco to collect flow data on Cisco devices. These days other vendors have their own versions of the Netflow protocol on their devices. For example, Juniper has J-Flow and Huawei has NetStream and sFlow, etc.

Netflow collects data, called flows, that is moving through an interface. Flows are a collection of network information exchanged by almost all network devices. Collected flows are sent to a device that can analyze this data. Once collected and analyzed, flows can then be presented in a way that is useful to you, the network engineer. Netflow involves 3 important parts, which are:

  1. A Flow Exporter – The device that collects flow data and sends it to a flow collector
  2. A Flow Collector – The device that receives flow data that has been exported
  3. An Analyzer – The device that analyzes flow data that has been collected.

In some cases, all 3 roles can be done by one device. Think about a Cisco router that has Netflow configured. It can play the role of both the exporter and collector. When you run the “show ip flow top-talkers” command, the router is now acting as an analyzer. It is helping you make sense of the flow data collected on the interface.

Why is Netflow Important?

Let’s now look at what makes NetFlow so popular and so useful to so many network engineers in the industry.

Netflow collects details and statistics about the data flowing through your network devices and exports this to another device. In most cases, a Network Traffic Analyzer or Network Monitoring device will get this exported data and present it to you, the network engineer, in a form that is more useful.

Netflow helps you see information like…

  • Traffic grouped by source, destination, protocol, port number, and domain
  • Amount or volume of traffic
  • Top IP addresses (Top Talkers) and Top conversations
  • Source and destination locations of your traffic.

This kind of information is very useful because it gives you a picture of who is doing what on your network. For example, you will be able to tell which local IP address is using the most bandwidth and which protocol or application they are using the most. You may also be able to tell who on your network is downloading torrents, or which user is streaming the most video content.
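As an added illustration (not code from the original article), the sketch below shows how an analyzer turns collected flow records into the views listed above: top talkers, top conversations, and traffic share per service. The record layout, the `10.0.0.0/24` local network and all sample addresses are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst proto sport dport nbytes")

# Constructed sample records (documentation address ranges), shaped like the
# per-flow rows a collector stores. Port 6881 is commonly used by BitTorrent.
FLOWS = [
    Flow("10.0.0.15", "198.51.100.20", "TCP", 51000, 6881, 120_000_000),
    Flow("198.51.100.20", "10.0.0.15", "TCP", 6881, 51000, 300_000_000),
    Flow("10.0.0.22", "203.0.113.7", "TCP", 52044, 443, 2_000_000),
    Flow("203.0.113.7", "10.0.0.22", "TCP", 443, 52044, 60_000_000),
    Flow("10.0.0.31", "192.0.2.53", "UDP", 40001, 53, 40_000),
    Flow("192.0.2.53", "10.0.0.31", "UDP", 53, 40001, 90_000),
    Flow("10.0.0.15", "203.0.113.7", "TCP", 51022, 443, 1_000_000),
    Flow("203.0.113.7", "10.0.0.15", "TCP", 443, 51022, 17_000_000),
]

def top_talkers(flows, local_net="10.0.0.0/24", n=3):
    """Rank local hosts by bytes sent plus received."""
    net = ipaddress.ip_network(local_net)
    totals = Counter()
    for f in flows:
        for host in (f.src, f.dst):
            if ipaddress.ip_address(host) in net:
                totals[host] += f.nbytes
    return totals.most_common(n)

def top_conversations(flows, n=3):
    """Rank host pairs by bytes; both directions count as one conversation."""
    totals = Counter()
    for f in flows:
        totals[tuple(sorted((f.src, f.dst)))] += f.nbytes
    return totals.most_common(n)

def share_by_service(flows):
    """Percent of bytes per (protocol, port), assuming the lower port is the service."""
    totals = Counter()
    for f in flows:
        totals[(f.proto, min(f.sport, f.dport))] += f.nbytes
    grand = sum(totals.values())
    return {svc: round(100 * b / grand, 1) for svc, b in totals.items()}

if __name__ == "__main__":
    print("Top talkers:", top_talkers(FLOWS))
    print("Top conversations:", top_conversations(FLOWS))
    print("Traffic share (%):", share_by_service(FLOWS))
```

On this sample, host 10.0.0.15 dominates, and most of its bytes belong to a single conversation on port 6881 rather than to web traffic.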

Once you put these pieces of the puzzle together, you will be able to make important decisions about how you can control different types of traffic and network usage to improve performance for all your users, not just the torrent downloaders.

In my experience, finding out who is using certain applications like torrents, or who is hogging all the bandwidth by watching unnecessary Netflix shows during working hours, makes a big difference. Having this information allows you to put in controls such as blocking torrents or restricting Netflix streaming during working hours. You will find that making one or two tweaks here and there will greatly improve network performance and improve your overall users’ experience on the network.

What Ways Can I Use Netflow?

Netflow can be used to do a number of things that can improve how you manage your overall network performance and user experience. These include:

LAN, WAN and Wi-Fi Monitoring

Netflow allows you to keep a close eye on a number of important details on your network. Some important ones include:

  1. Monitor key network links
  2. Monitor traffic patterns to Wireless controller links
  3. Spot WiFi points of failure
  4. Monitor overall bandwidth utilization on your network
  5. Quickly discover traffic spikes which cause network congestion

By having your important links configured to collect and export Netflow data, you can closely monitor them and watch over your network effectively.

Security-Based Alerts and Detections

Monitoring network traffic regularly allows you to build a baseline for what normal traffic patterns and bandwidth usage look like for your network. This is useful because, when there is an unusual traffic pattern, you will easily be able to detect it and investigate further. You will easily detect spikes in traffic, possible denial of service (DoS) attacks, and any other anomalies on your network that may be caused by malware or other forms of attack, internal or external.

This gives you an upper hand and lets you take a proactive approach to solving security-based issues on your network.
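The baseline idea described above can be sketched as follows. This is an added example, not code from the original article; the 5-minute interval, the sample values, the threshold of 4 and the function names are all assumptions made for illustration.

```python
from statistics import median

# Constructed samples: one value per 5-minute interval on a single link.
HISTORY = {
    "mbytes": [100, 110, 95, 105, 102, 98, 107, 101],
    "flows":  [200, 210, 190, 205, 198, 202, 207, 195],
}
# Interval 2 carries a normal byte volume but a burst of very small flows,
# a pattern a bandwidth graph alone would not show.
TODAY = {
    "mbytes": [103, 99, 104, 101],
    "flows":  [204, 199, 5200, 201],
}

def robust_baseline(samples):
    """Return (median, spread). The spread is the median absolute deviation,
    scaled by 1.4826 so it is comparable to a standard deviation; unlike the
    mean and stddev it is not dragged upward by old spikes in the history."""
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    return med, 1.4826 * mad

def find_anomalies(history, current, threshold=4.0, min_spread=1.0):
    """Flag intervals whose value is `threshold` spreads above or below the
    baseline. Drops are flagged too, since a silent link is also abnormal."""
    alerts = []
    for metric, samples in current.items():
        med, spread = robust_baseline(history[metric])
        spread = max(spread, min_spread)  # a perfectly flat baseline has spread 0
        for interval, value in enumerate(samples):
            score = (value - med) / spread
            if abs(score) >= threshold:
                alerts.append((metric, interval, value, round(score, 1)))
    return alerts

if __name__ == "__main__":
    for metric, interval, value, score in find_anomalies(HISTORY, TODAY):
        print(f"ALERT {metric} interval={interval} value={value} score={score}")
```

Tracking flow count alongside byte volume matters here: the constructed burst in interval 2 is flagged only on the `flows` metric.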

Improved Network Troubleshooting

As mentioned before, having a good overall view of your entire network and the traffic flowing through it really improves your ability to find and fix network problems quickly.

For example, you may notice a rise in video streaming traffic in the past week. Before this rise begins to affect other network users, you may want to dig a little deeper and find out what type of video streaming is on the rise. You may find that Netflix usage is up during working hours, and depending on your company policy, you can then take action to restrict Netflix during working hours and only allow it after hours.

The ability to know when something is wrong and quickly troubleshoot and investigate further gives you the upper hand. In some cases it can allow you to discover a problem and solve it even before any of your users realize there is something wrong.

Network Planning Purposes

In my view, this can easily be one of the most important reasons to use Netflow. Having a constant flow of information about your network traffic patterns over a long period of time allows you to know when your network is starting to get stretched. Imagine reviewing reports of your bandwidth usage over the last 6 months. You may observe that every 3 months there is a steady rise in your bandwidth usage. If you follow the patterns over 1 year you may confirm your observation even further.

This can then allow you to plan ahead and make a well-informed forecast about your traffic usage. With this information, you can make future budgets more confidently knowing that your decision is backed by traffic usage numbers collected using Netflow.

Network and Application Awareness 

Another important use of Netflow is to gain knowledge about the types of applications that are used on your network. You may want to know if you have TCP, UDP, Peer-to-Peer, DNS, Microsoft-DS, Sun Proxy, LDAP, etc. traffic flowing on your network. Some traffic types raise a red flag as they indicate usage that is unwanted. 

It is also important to know what percentage of each type of traffic is active on your network. This helps you better understand which services are most used on your network and therefore know which services are most important to your users.

Awareness of the applications running on your network is important. It lets you plan how you can make changes to ensure that the important services are always available on your network.

Finding Top Talkers on Your Network

The first time I came across network Netflow was when I needed to find users on my network who were abusing network resources. They were constantly downloading torrents and congesting the internet links, which made the network unusable for others.

The more I researched Netflow and how to use it the more I loved using it. With a few commands, I was able to find the top 20 users on my network and zero in on the kind of traffic they were using. This allowed me to deal with them and get the network performance back to normal in a few hours.

Check out the article I wrote on how to configure Netflow on a Cisco router. It can help you find the Top Talkers on your network and easily solve common network speed issues.

Conclusion

Now that you have an understanding of Netflow and what you can do with it, it is important to put this into practice. I have personally used it in the past to do a number of things including:

  1. Find Top Talkers (users abusing network resources)
  2. Control usage of high bandwidth users
  3. Plan for future bandwidth and network expansion
  4. Understand the most important application types by becoming aware of what traffic is most important to my users
  5. Improve my troubleshooting process by understanding the traffic patterns on my network.

For more on Finding Top Talkers and using Netflow effectively, look out for my e-book which will be out soon.



About The Author

William is a Network Engineer working in the Financial Sector as an Infrastructure and Network Administrator. Passionate about technology, he also runs a company providing a range of tech services for small, medium, and large organizations. William leverages 9 years of experience in the tech industry and has a passion for entrepreneurship with the goal of providing quality products and services to his customers. He also believes in sharing knowledge to grow the industry and help others. He maintains a blog and publishes ebooks to share what he has learned in his life and career. William holds a Bachelor’s Degree in Computer Science (BSc) and a Huawei HCIA Certification in Routing and Switching.