How to Improve Network Visibility with IPFIX
Network managers have always sought a better window into their networks. The new Internet Protocol Flow Information eXport (IPFIX) protocol offers the best path for gaining clear visibility across multiple brands of hardware, from the core to the branch office.
To get the best results collecting and monitoring IP traffic using IPFIX, follow these pointers.
1. Understand what you’re getting.
A standards-based replacement for Cisco NetFlow, IPFIX and a series of nearly identical protocols such as JFlow, cflowd and sFlow all share a common goal and similar formats: sending flow information to a management station for visibility, traffic management, capacity planning, monitoring and debugging. IPFIX focuses on flows — sets of packets with the same IP addresses and port numbers. That provides enough information to understand the top users, servers and applications on the network, along with where all that bandwidth is going.
Don’t expect IPFIX data to exactly match more precise measures such as Simple Network Management Protocol counters from interfaces or firewall session logs. Flow information isn’t exactly the same as bits on the wire, but it’s close enough for planning and debugging purposes. IPFIX is efficient and typically adds less than one percent overhead to existing WAN links, which is less than many other monitoring tools.
2. Go for the latest and greatest.
One network security innovation is deep packet inspection to understand precisely what application is running. Network managers need more than Port 80 traffic; they also need to understand whether they’re looking at BitTorrent or WebEx, Facebook or LinkedIn, Dropbox or Windows updates. Not every device can perform deep packet inspection and export it via IPFIX, but look for this feature in security and network equipment as well as IPFIX flow analysis consoles.
3. Choose interchangeable parts.
By selecting a standard, organizations can mix and match pieces from various manufacturers. Although there are minor variations in the different flow reporting protocols, most flow analyzers will readily accept any version: IPFIX, NetFlow, sFlow and so on.
A protocol-agnostic flow analyzer enables network managers to use whatever device is best able to export flows. Sometimes that’s a Juniper or SonicWALL firewall, sometimes a Cisco or HP switch, sometimes a Riverbed optimization device, sometimes a Blue Coat proxy or a VMware ESXi server. Picking a flow analyzer that isn’t tied to a particular vendor simplifies the process of getting flow data in a complex WAN by providing maximum flexibility.
4. Be careful of interface directions.
Because NetFlow was developed for ISP accounting, it has a strong concept of interfaces: traffic going in and traffic going out. Capturing full flow information requires looking at both the input and output side of things. This two-way thinking can be counter-intuitive for network managers who are used to looking at input octets and output octets on a single Ethernet port. Flow information usually requires monitoring at least two interfaces on a switch, firewall, router or other device to see both sides of the conversation.
5. Add probes only where installed equipment can’t do the job.
Because most modern network and security equipment includes flow export capability, there’s no need to purchase additional network probes just to see what is happening on the network. Make IPFIX or NetFlow export a requirement for any routing, switching or security device added to existing networks.
Organizations will need an add-on physical network probe in only a few situations, such as when they use older gear or special topologies. Rather than buy probes, put that money toward a better, faster or smarter flow analysis console.