Cisco "NetFlow Switching", which is available for the 75xx and
RSP-7000 platforms in IOS 10.3 and later releases, includes an
accounting mechanism that allows network managers to track network
traffic on an end-to-end or per-application basis. The feature,
which is referred to as "NetFlow Data Export", uses the same flow
table that the switch already maintains for flow switching and exports
it via a proprietary, connectionless protocol to a management PC or
workstation. Flow descriptors are used to integrate route lookup,
access filtering and IP accounting into a single fast lookup
operation. Figure 3.1 shows the architecture of the system. Since 100% of
the traffic that is routed via the Cisco switch is assigned to flows
in the flow table, it suffices for NetFlow Data Export to broadcast the
information about each flow that expires from the table to the
management machine in order to account for 100% of the transferred data.
Figure 3.1: The Cisco FlowSwitching / FlowDataExport Architecture
However, the solution has some problems:
- First of all, the connectionless (UDP) transmission of flow data cannot guarantee that all data being broadcast is received by the management station.
- The flow specification used by Cisco is fixed to the IP addresses of the source and destination machines plus port numbers. This makes sense
for switching; however, it may be a severe limitation when it comes to
traffic monitoring and analysis. Far more data is produced and has to
be transmitted via the connectionless path than is really
needed for accounting.
A solution for the second problem might be to reduce the amount of
data at a later stage by preprocessing it with custom programs, but on
high-speed ATM links the sheer amount itself can become a problem,
especially since the management station is usually connected via a
standard 10 Mbit/s Ethernet or even only over a serial port. Because
of this inability to use user-defined flow specifications,
"NetFlow Data Export" probably won't scale very well for accounting,
measurement and analysis applications.
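The preprocessing step mentioned above, as an added example that is not part of the original text or of any Cisco tool: it re-aggregates exported per-flow records under a user-defined flow specification (here, network prefixes) and reports how many records remain. The record layout, the sample values and all function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of expired-flow records in the fixed key the page
# describes: (src IP, dst IP, src port, dst port) plus packet/byte counters.
SAMPLE_FLOWS = [
    ("10.1.1.5", "192.0.2.10", 40001, 80, 12, 9000),
    ("10.1.1.5", "192.0.2.10", 40002, 80, 8, 4000),
    ("10.1.1.9", "192.0.2.10", 51000, 80, 5, 2500),
    ("10.1.2.7", "192.0.2.25", 33000, 25, 20, 15000),
    ("10.1.2.7", "192.0.2.25", 33001, 25, 4, 1000),
    ("10.1.2.8", "198.51.100.3", 1055, 53, 1, 80),
]

def network_of(addr, prefix_len):
    """Return the enclosing network of addr as a string, e.g. 10.1.1.0/24."""
    return str(ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False))

def make_spec(src_prefix=24, dst_prefix=24, keep_dst_port=False):
    """Build a user-defined flow specification: a function that maps one
    exported record to a coarser aggregation key (hypothetical helper)."""
    def spec(rec):
        src, dst, _sport, dport, _pkts, _bytes = rec
        key = (network_of(src, src_prefix), network_of(dst, dst_prefix))
        return key + (dport,) if keep_dst_port else key
    return spec

def aggregate(records, spec):
    """Sum packets and bytes of all records that share a key under spec."""
    totals = defaultdict(lambda: [0, 0])
    for rec in records:
        counters = totals[spec(rec)]
        counters[0] += rec[4]
        counters[1] += rec[5]
    return {key: tuple(val) for key, val in totals.items()}

def reduction(records, spec):
    """Return (records in, records out) for the given specification."""
    return len(records), len(aggregate(records, spec))

if __name__ == "__main__":
    for key, (pkts, byts) in sorted(aggregate(SAMPLE_FLOWS, make_spec()).items()):
        print(key, pkts, byts)
    print("records in/out:", reduction(SAMPLE_FLOWS, make_spec()))
```

Because this aggregation runs on the management station, every per-flow record still has to cross the export path first, which is the scaling limit described above.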
It also has to be mentioned that Cisco has not deigned to say what
criteria are used for flow identification and/or timeout. This makes
it difficult to use the measurement data for scientific
analysis.
root
8/4/1997