Implementing NetFlow

Having a profile of captured flows that transit your network over time is a crucial first step in implementing a secure network. This NetFlow profile provides you with a good understanding of the actual group and individual behaviors that make up the roles you set by policy and to which you apply QoS. A profile can also be very helpful during network planning exercises, such as projecting how a network might react to the introduction of a new application prior to actual implementation. The following figure illustrates an example of a NetFlow network profile setup.

Figure: NetFlow Network Profile Example

To complete a NetFlow network profile, enable NetFlow on all ports where packet flows aggregate. At the top of NetFlow Network Profile Example you will find an abbreviated sample of the independent flow records that are captured at each NetFlow-enabled port. These flow records are retained locally in a cache until a flow expiration criterion has been met. As shown, when one of the flow expiration criteria is met, NetFlow export packets are sent to the NetFlow collector server(s), where a collector and management application has been installed. The management application processes the records and generates useful reports. These reports provide you with a clear picture of the flows that traverse your network, based upon such data points as source and destination address, start and end time, application, and packet priority.
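The collector side of the export described above, as an added example that is not part of the original documentation: it validates one export datagram and extracts the data points the reports are built on. It assumes the NetFlow version 5 packet layout, which this page does not specify; the function names and the sample datagram are constructed for illustration.

```python
import ipaddress
import struct

# NetFlow v5 layout (assumed export version; the page does not name one).
HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte packet header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte flow record
MAX_RECORDS = 30                                     # v5 limit per export packet


def parse_v5(datagram: bytes) -> list:
    """Validate one export datagram (untrusted UDP input) and return its flows."""
    if len(datagram) < HEADER.size:
        raise ValueError("short header")
    version, count, uptime_ms, secs, nsecs, _seq, _, _, _ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unsupported version {version}")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"bad record count {count}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match record count")

    boot = secs + nsecs / 1e9 - uptime_ms / 1000  # exporter boot time, epoch seconds
    flows = []
    for i in range(count):
        (src, dst, _nh, _in, _out, pkts, octets, first, last, sport, dport,
         flags, proto, tos, _sas, _das, _sm, _dm) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "start": boot + first / 1000,  # first/last are ms since exporter boot
            "end": boot + last / 1000,
            "proto": proto, "sport": sport, "dport": dport,  # port hints at application
            "tos": tos,                    # packet priority (DSCP is the top 6 bits)
            "packets": pkts, "octets": octets, "tcp_flags": flags,
        })
    return flows


def sample_datagram() -> bytes:
    """Constructed sample: one HTTPS flow, exporter up 100 s at epoch 1700000000."""
    hdr = HEADER.pack(5, 1, 100_000, 1_700_000_000, 0, 42, 0, 0, 0)
    rec = RECORD.pack(bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]), bytes(4),
                      1, 2, 12, 3400, 90_000, 95_000, 51514, 443,
                      0x1B, 6, 0xB8, 0, 0, 24, 24)
    return hdr + rec
```

Rejecting datagrams whose length disagrees with the header's record count keeps truncated or malformed export packets out of the flow profile.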

The following steps provide a high-level overview of a NetFlow implementation:

  1. Determine the business or network purpose of the information NetFlow will provide you.
  2. Choose a collector and management application(s), such as Extreme Networks SIEM, best suited for the purpose for which you are collecting the data. Install the application(s) on the NetFlow collector server(s).
  3. Identify the paths used by the data to be collected by NetFlow.
  4. Identify the “choke point” interfaces where the IP packet flows you want NetFlow to capture aggregate.
  5. Enable NetFlow on the identified interfaces.
  6. Identify up to four NetFlow collector servers by configuring the IP address for each collector.
  7. Use the data reporting generated by the NetFlow management application to address the purpose determined in step 1.