NetFlow Monitoring

General

Netreo supports NetFlow data export from devices to use for traffic analysis and volume information. Flow export technologies such as NetFlow allow network devices (typically layer 3 devices like routers) to send “accounting level” information to Netreo for reporting purposes. Typical traffic flow data includes information such as source and destination addresses, ports, protocols, and volume data. See Data Retention in Netreo for information on how long flow data is retained.

Netreo also supports traffic flow data from sFlow and Flexible NetFlow (IPFIX) exporters.

Flexible NetFlow

When receiving ordinary NetFlow data, Netreo uses complex logic that does its best to characterize the flows and attempt to identify the applications involved. But, because there’s no connection between the packets and their applications in ordinary NetFlow flows, these characterizations are, necessarily, best estimates. Flow data from Flexible NetFlow, on the other hand, provides not only sources, destinations, times and bytes of packets, but a matrix of applications that directly maps to this data. Flexible NetFlow uses a built-in classification engine, called NBAR (Network Based Application Recognition), to identify exactly which applications are associated with which packets in a flow. This makes network traffic analysis much more accurate and useful, and allows for far better insights into your bandwidth usage.

No additional setup is required in Netreo to receive flows from Flexible NetFlow devices, but you will have to turn on the flow exporters—specifically the Flexible NetFlow exporter—for any devices that you want to send flow data to Netreo. If not all of your devices support Flexible NetFlow, that’s fine. Netreo will still accept other valid flows from those devices, and process them using the original logic. So, there’s no problem sending flows to Netreo from both ordinary NetFlow devices and Flexible NetFlow devices together at the same time.

Configuring NetFlow

The correct techniques to properly configure NetFlow on your particular devices are outside the scope of the Netreo documentation, so it is highly recommended that you consult with your router or other device manufacturer to determine and understand these techniques.

NetFlow is a push technology and, as such, cannot be controlled from within Netreo. Netreo can only listen for this data and receive what your device sends it (which it does automatically). So, in order for it to work correctly, NetFlow must be properly configured by you, on each of the devices on your network from which you want Netreo to receive flow data (per interface and per direction). It's important to recognize that the router (or other device) entirely controls how and when Netreo receives flow data from it. Please also note that, while doing its primary job of routing traffic, a router—if it becomes too busy—may start to "sample" the traffic flow data (or even drop it entirely), resulting in strange-looking readings in Netreo. This is a result of load on the device, not how Netreo processes the data. In fact, it's entirely possible that a given router always samples its flow data by design. So, it's extremely important to be familiar with how your particular device handles the collection and delivery of this data. By default, flow is typically configured on port UDP/2055 originating from the device—but the port number can vary by environment.

Configuration Guidelines

When configuring flow technologies on your devices, the goal is to configure the fewest number of exporters possible while still ensuring that Netreo can collect data on all the required traffic (see NetFlow Export Architecture below for examples). The configuration of flow technologies across a network is a nuanced and fairly sophisticated endeavor that should only be engaged in by an advanced network engineer. Typically, the proper way to configure flow in a simple hub and spoke network—as long as all traffic flows through a primary router—is to export flows on both the inbound and outbound interfaces of the primary router only. If remote nodes can communicate with each other without going through a primary router, or if you have a full- or partial-mesh network, the proper way to configure flow is to configure all devices to export flows only on the inbound or outbound interfaces, not both (inbound is most common). This ensures complete coverage while avoiding duplicate data. Netreo can automatically detect and deduplicate flows to avoid creating incorrect traffic counts, however, it may begin to consume excessive resources if over-configured.

Netreo supports versions 5 and 9 of NetFlow, and will automatically process any valid flow data it receives. No further configuration in Netreo is necessary to receive or display flow data.

General Recommendations

• Use a supported version of NetFlow (version 5 or greater).
• Configure NetFlow to export to the host address of Netreo using port UDP/2055.
• Configure sFlow to export to the host address of Netreo using port UDP/2056.
• Configure NetFlow on all of the outbound interfaces or all of the inbound interfaces only of layer 3 devices whenever possible.
• Avoid creating duplicate flow reporting by configuring flow on the minimum number of interfaces possible to get the information you need.
• Configure NetFlow data to be exported on a 5-minute or less time-out schedule to work best with Netreo's data collection schedule. Time-outs greater than 5 minutes will cause data to look wrong in Netreo.
• Netreo uses subnet information to correlate traffic with source/destination sites, so ensure that you have configured or detected the required subnets in Netreo.

NetFlow Export Architecture

The goal when configuring NetFlow is to configure the fewest number of exporters possible while still ensuring that Netreo can collect flow data on all of the required traffic paths. An example of a simplified network architecture is shown in the diagram below.

Given the above network architecture (which has redundant paths), it is not recommended to configure NetFlow on all of the routers, as this will result in the duplication of NetFlow records if the redundant path is taken. Additionally, NetFlow export works best on outbound interfaces—since inbound export requires more resources (at least with Cisco routers). Therefore, the recommended configuration for this architecture would be as shown in the diagram below.

In the above example, we have enabled NetFlow export outbound on the WAN interfaces of routers B1 and C1 to see the traffic from the client to the servers. Also, enabling NetFlow on the HQ1 router allows us to see the return traffic from the servers back to the clients. This configuration also allows us to see traffic from the clients even if the redundant path is used, as seen in the diagram below.

As you can see, even if router B1 exports traffic from client C, Netreo will identify the correct source and destination of the traffic flow (in this case, from Client C to Server 2)—since NetFlow traffic is identified by source IP.

For help determining exactly where to configure flow export for best visibility in your specific environment, please contact Netreo Support.