Geek Speak Blog
There's no place like 127.0.0.1
17 Jun 2009

Understanding NetFlow and its role in traffic analysis and as a transport protocol

by: Josh Stephens

Over the last few days I've been writing and talking a lot about NetFlow. This is a smokin' hot topic for network engineers nowadays and so we've created some new videos and webcasts to help explain the technology and how you can leverage it. One of the subjects that kept coming up is how to get NetFlow data from your Cisco ASAs. I had to do some research to verify my understanding of how this worked but now that I'm done I thought I should share it here.

When most of us think about NetFlow, we think about traffic analysis. When you enable NetFlow on a router or switch and send it to a NetFlow collector like the Orion NetFlow Traffic Analyzer (NTA) you're going to be able to analyze your network traffic in terms of applications, protocols, sources, and destinations. If you've never seen this, it's pretty cool. You can click here to see the traffic on one of our links here in the lab.

While traffic analysis is still the primary use case for NetFlow, in some cases it's starting to be leveraged as a transport protocol as well. On the Cisco ASA for instance, you can leverage NetFlow as a method of transporting security events. Additionally, in some of the new IOS beta code Cisco has started sending NBAR information within the NetFlow PDUs. As the adoption of flexible NetFlow (either NetFlow v9 or IPFIX) increases we'll see an increase in the types of data that are being sent within NetFlow packets that are not traffic analysis related.

This has caused confusion among network managers who are trying to analyze the traffic flowing through their Cisco ASAs, because they're reading that these devices now support NetFlow. It's important to understand that they support NetFlow as a transport mechanism for security events, but they don't support NetFlow for traffic analysis. If you want to use NetFlow to analyze the traffic flowing through your ASAs, you'll need to get that information from an adjacent device.
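The difference described above is visible in the templates an exporter announces. As an added example (not from the original post, and not SolarWinds or Cisco code), this Python code parses the template flowsets of a NetFlow v9 packet and labels each template by whether it carries byte/packet counters or a firewall event field. The sample packets are constructed, and the helper names and the choice of field numbers as markers (1 and 2 from RFC 3954, 233 from the IANA IPFIX registry) are assumptions of the example.

```python
import struct

# Field types 1 (IN_BYTES), 2 (IN_PKTS): RFC 3954. 233: firewallEvent in the
# IANA IPFIX registry. Using them as markers is this example's assumption.
COUNTER_FIELDS = {1, 2}
EVENT_FIELDS = {233}

def build_packet(tid, fields):
    """Constructed sample: 20-byte v9 header plus one template flowset."""
    body = struct.pack("!HH", tid, len(fields))
    body += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in fields)
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    return struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0) + flowset

def parse_templates(packet):
    """Return {template_id: [field_type, ...]} for one NetFlow v9 packet."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 export packet")
    templates, off = {}, 20
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, off)
        if set_len < 4 or off + set_len > len(packet):
            raise ValueError("bad flowset length at offset %d" % off)
        pos, end = off + 4, off + set_len
        while set_id == 0 and pos + 4 <= end:  # flowset ID 0 = templates
            tid, nfields = struct.unpack_from("!HH", packet, pos)
            pos += 4
            if tid < 256 or pos + 4 * nfields > end:
                break  # trailing padding or a truncated record
            pairs = struct.unpack_from("!%dH" % (2 * nfields), packet, pos)
            templates[tid] = list(pairs[0::2])  # keep types, drop lengths
            pos += 4 * nfields
        off += set_len
    return templates

def classify(field_types):
    present = set(field_types)
    if present & COUNTER_FIELDS:
        return "traffic-analysis"
    return "security-events" if present & EVENT_FIELDS else "other"

def report(packet):
    return {tid: classify(f) for tid, f in parse_templates(packet).items()}

# Constructed templates: addresses, protocol, then counters or an event code.
ROUTER = build_packet(256, [(8, 4), (12, 4), (4, 1), (1, 4), (2, 4)])
FIREWALL = build_packet(260, [(8, 4), (12, 4), (4, 1), (233, 1)])
if __name__ == "__main__":
    print("router:", report(ROUTER), "firewall:", report(FIREWALL))
```

A device whose templates are all labelled "security-events" gives a traffic-analysis collector nothing to chart, which is why the traffic data has to come from an adjacent device.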

Hopefully this will help to clear up some of the confusion.


Flame on...
Josh

1 Comments

vinnie.loe
10 Jul 2009 at 11:13AM CST

Excellent information.  I was just reading about how the ASAs support Netflow, and was in the middle of configuration research.  I was wondering about the differences between Netflow and Netflow Security Event Logging.  I think you just saved me hours of frustration.

1 Trackbacks

Geek Speak Blog
15 Sep 2009 at 12:45PM CST

A little while back I wrote a blog post on network traffic analysis using NetFlow and talked specifically
