BradReese.Com Cisco vs. ZTE Price Quote Comparisons

Home About Repair Power Supplies Refurbished Blog Quick Links Site Map Contact Us

Mike Patterson speaks out
Learn more about Mike Patterson...


Power Supplies

VoIP Gateways

Cisco Repair

Refurbished Cisco

Cisco CPQRGs

New Cisco

New HP ProCurve

Cisco Tools

Competitive Lab Tests

Tech Forums

How-to Tutorials

CCIE Gossip


View the archive of Mike Patterson speaks out

Subscribe to Bloggers speak out on BradReese.Com

You don't know NetFlow

NetFlow v10 and sFlow v6 were never official revisions from Cisco or InMon. Both technologies live on as IPFIX.

Sanford, ME:   Mon, 9/16/13 - 11:59pm    View comments

Cisco DeveloperPlixer InternationalIf you haven't kept up with what's possible with NetFlow technologies over the past 3 years, then it's possible that you don't know NetFlow anymore.

For one thing, NetFlow has become the IETF standard called as IPFIX. This standard is sometimes known as NetFlow v10 or sFlow v6*.

The Problem with NetFlow

Hopefully you are asking yourself "So what's new?" or "What's wrong with NetFlow and IPFIX?" These are great questions which I will try to answer. The problem with NetFlow is that it is proprietary to Cisco which means that although it can be copied by other vendors, exporting unique metrics by carving out element identifiers runs the risk of being trumped by Cisco. In other words, NetFlow is not completely friendly to other vendors. Cisco did however offer ranges of elements to vendors who requested them (Riverbed, Enterasys, etc). How nice of Cisco was that?

The Problem with sFlow

The problem with sFlow is that it is proprietary to InMon. Although some refer to sFlow as a standard, to the best of my knowledge none exist. And by the way: an RFC is not a standard. The other problem is that sFlow is not a flow technology. It's a packet sampling technology that often misses the traffic the network analyst wants to see. Over the past few years, the adoption of sFlow has been petering out with more vendors adopting IPFIX. Despite its short comings, some software and hardware platforms, for various reasons, prefer sampling. For this reason, the team of IETF engineers behind IPFIX enhanced the technology to include both packet and flow sampling.

The Rise of IPFIX

IPFIX is the only true standard which means it isn't proprietary. It is in fact owned by all of us in the Internet community. For this reason, vendors can create nearly unlimited elements for unique metrics when a shared 'common' element for what they want to export doesn't exist. Common elements are IDs that are the same across all vendors (e.g. source and destination IP address). If a vendor feels that a particular metric should be a shared element, they can submit a request to the IETF. The advantage to doing this is that collection vendors can build reports that will work across the various vendor platforms.

IPFIX also supports variable length strings. This means that data such as HTTP Host or URL can be exported in an element that isn't a fixed length. Imagine a short URL such as being stuffed into a fixed length field that is capable of transporting a URL five times as long. Obviously, empty bytes would be sent resulting in wasted bandwidth and wasted storage space on the collector. NetFlow doesn't allow for this and sFlow... well, probably didn't sample it.

IPFIX for Logs and SNMP

IPFIX is also being used to export event logs, syslogs and other types of machine logs. It allows these messages to be exported in a structured format which shares common elements with more traditional flows. Again, this practice helps ensure interoperability between reporting solutions.

I have also seen data commonly exported in SNMP be exported in IPFIX (E.g. CPU and memory utilization). The IETF has efforts underway to broaden support for more traditional SNMP OID structures.

Now You Know More about IPFIX

Now that IPFIX is the official standard for all flow technologies, even Cisco Systems is making the switch. Their new Application Visibility and Control (AVC) export supports both NetFlow and IPFIX. This new export can include details on connection latency, packet loss, jitter, caller ID, retransmits and more. If however, you want to export the HTTP Host details, IPFIX must be used and now you know why: it's a variable length string.

Due to the richer exports possible with IPFIX, enterprise customers can expect flows stuffed with more details and possibly much higher flow volumes. With customers demanding richer contextual information such as those offered by Cisco AVC or SonicWALL, legacy flow collectors may not be able to handle these new details. For this reason, it could be time to start considering a next generation IPFIX collector.

Learn more by signing up for the Network Security Surveillance Webcast titled:

Cisco AVC Flow Exports turn Routers into Security Surveillance Solutions

Cisco AVC Flow Exports turn Routers into Security Surveillance Solutions<
*Note: NetFlow v10 and sFlow v6 were never official revisions from Cisco or InMon. Both technologies live on as IPFIX.

Related story:

Cisco Certifies Plixer's Scrutinizer for Application Visibility & Control Interoperability

Mike Patterson's other blog stories:

Dell solves complex business problems

Enterasys Secure Networks

Mike Patterson speaks out

Systrax High-Impact Network Monitoring

TMCnet Advanced NetFlow Traffic Analysis

Join the NetFlow Developments Group on LinkedIn

What's your take?

Subscribe to Bloggers speak out on BradReese.Com

Favorite Blog Story Picks

  1. Aruba, Cisco and HP top 2013 Gartner Wired and Wireless LAN Magic Quadrant
  2. Extreme Enterasys will become the new E & E of networking
  3. Audio tape of Cisco's lawyer being humiliated in court
  4. For the first time in history the Cisco overseas headcount now outnumbers the U.S. headcount
  5. View Cisco's entire RMA global customer database online
  6. Unconfirmed rumor Cisco gave totally fake TelePresence demo to President George W. Bush
  7. Unconfirmed rumor: Belkin will guillotine Linksys staff in October
  8. National security behind new murder trial of former Cisco employee
  9. Cisco's now actively considering external candidates to replace CEO John Chambers
  10. Is the National Security Agency (NSA) killing innovation at Cisco?
  11. Cisco could own the SDN market
  12. Cisco's abusive income tax evasion achieved 11% effective income tax rate during FY13
  13. The official list of Cisco executive direct reports
  14. Home Depot senior IT security architect, Ricky Joe Mitchell (Cisco CCNA), indicted for computer network sabotage costing $1 million
  15. Cisco appears to be running out of money for stock buybacks
  16. Cisco channel stuffing and days sales outstanding (DSO) appear out of control
  17. Unconfirmed rumor 6,000 Cisco employees will be laid off in a limited restructuring
  18. Is Cisco preparing to kick CCIEs to the curb?
  19. 3rd most controversial memo in tech history, Cisco VP Mike Quinn
  20. View the archive of Bloggers speak out on BradReese.Com
blog comments powered by Disqus

CCIE available Metro DC

Supplement Cisco SMARTnet Contracts


©2013 BradReese.Com - Home - About - Repair - Power Supplies - Refurbished - Blog - Quick Links - Site Map - Contact Us