Thursday, 26 March 2015

NetFlow versions

Version 1 (V1) is the original format supported in the initial NetFlow releases.
Version 5 (V5) is an enhancement that adds Border Gateway Protocol (BGP) autonomous system information and flow sequence numbers.
Version 6 (V6) is similar to version 7. This version is not used in the new IOS releases.
Version 7 (V7) is an enhancement that exclusively supports NetFlow with Cisco Catalyst 5000 series switches equipped with a NetFlow feature card (NFFC). V7 is not compatible with Cisco routers.
Version 8 (V8) is an enhancement that adds router-based aggregation schemes.
Version 9 is an enhancement to support different technologies such as Multicast, Internet Protocol Security (IPsec), and Multiprotocol Label Switching (MPLS).
Versions 2, 3 and 4 were not released.
In Versions 1, 5, 6, and 7, the datagram consists of a header and one or more flow records. The first field of the header contains the version number of the export datagram. Typically, a receiving application that accepts any of the format versions allocates a buffer large enough for the largest possible datagram from any of the format versions and then uses the header to determine how to interpret the datagram. The second field in the header contains the number of records in the datagram and should be used to search through the records.
We recommend that receiving applications perform a sanity check on datagrams to ensure that the datagrams are from a valid NetFlow source. You should first check the size of the datagram to verify that it is at least long enough to contain the version and count fields. You should next verify that the version is valid (1, 5, 6, 7, or 8) and that the number of received bytes is enough for the header plus the number of flow records given by the count field (using the header and record sizes of the appropriate version).
Because NetFlow export uses UDP to send export datagrams, it is possible for datagrams to be lost. To determine whether flow export information has been lost, Version 5, 6, 7, and Version 8 headers contain a flow sequence number. The sequence number is equal to the sequence number of the previous datagram plus the number of flows in the previous datagram. After receiving a new datagram, the receiving application can subtract the expected sequence number from the sequence number in the header to derive the number of missed flows.
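The sanity check and the sequence-number loss calculation described in the two paragraphs above, as an added Python example (not code from the original page or from Cisco). It covers only the Version 1 and Version 5 layouts; the names check_datagram, LossTracker and make_v5 and the sample exporter address are assumptions made for this illustration.

```python
import struct

VALID_VERSIONS = {1, 5, 6, 7, 8}
# (header bytes, record bytes). Only v1 and v5 are covered in this example;
# versions 6, 7 and 8 are valid but need their own sizes added here.
LAYOUT = {1: (16, 48), 5: (24, 48)}
V5_SEQ_OFFSET = 16  # 32-bit flow_sequence field in the v5 header

def check_datagram(data):
    """Return (version, count, flow_sequence or None); ValueError if malformed."""
    if len(data) < 4:
        raise ValueError("too short for the version and count fields")
    version, count = struct.unpack_from("!HH", data, 0)
    if version not in VALID_VERSIONS:
        raise ValueError("invalid version %d" % version)
    if version not in LAYOUT:
        raise ValueError("version %d layout not covered by this example" % version)
    header_len, record_len = LAYOUT[version]
    if count == 0 or len(data) < header_len + count * record_len:
        raise ValueError("datagram too short for header plus count records")
    seq = None
    if version == 5:
        seq = struct.unpack_from("!I", data, V5_SEQ_OFFSET)[0]
    return version, count, seq

class LossTracker:
    """Tracks the expected flow sequence number per exporter."""
    def __init__(self):
        self.expected = {}

    def update(self, exporter, seq, count):
        """Return the number of flows missed before this datagram."""
        expected = self.expected.get(exporter)
        # Next expected value: this sequence number plus this datagram's flows.
        self.expected[exporter] = (seq + count) & 0xFFFFFFFF
        if expected is None:
            return 0  # first datagram seen from this exporter
        # Modulo 2**32 handles counter wrap; a reordered datagram shows up
        # as an implausibly large gap and should be treated as suspect.
        return (seq - expected) & 0xFFFFFFFF

def make_v5(seq, count):
    """Constructed sample: v5 header with zeroed records, for testing only."""
    header = struct.pack("!HHIIIIBBH", 5, count, 0, 0, 0, seq, 0, 0, 0)
    return header + bytes(48 * count)

if __name__ == "__main__":
    tracker = LossTracker()
    for dgram in (make_v5(100, 2), make_v5(105, 1)):  # flows 102-104 never arrive
        _, count, seq = check_datagram(dgram)
        print(seq, count, "missed:", tracker.update("192.0.2.1", seq, count))
```

Keep one expected sequence number per exporter (and per engine, if the collector distinguishes them), since each source counts its flows independently.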
Datagram format Version 8 offers five router-based aggregation schemes allowing you to summarize export data on the router before the data is exported to the collector. The result is lower bandwidth requirements and reduced platform requirements for NetFlow data collection devices. Router-based aggregation enables on-router aggregation by maintaining one or more extra NetFlow caches with different combinations of fields that determine which traditional flows are grouped together. These extra caches are called aggregation caches. As flows expire from the main flow cache, they are added to each enabled aggregation cache. The normal flow ager process runs on each active aggregation cache the same way it runs on the main cache. On-demand aging is also supported.

When to Select a Particular NetFlow Export Format

Export Format: Select When...

Version 9: You need to export data from various technologies, such as Multicast, DoS, IPv6, and BGP next hop. This format accommodates new NetFlow-supported technologies such as Multicast, MPLS, and BGP next hop. The Version 9 export format supports export from the main cache and from aggregation caches.

Version 8: You need to export data from aggregation caches. The Version 8 export format is available only for export from aggregation caches.

Version 5: You need to export data from the NetFlow main cache, and you are not planning to support new features. Version 5 export format does not support export from aggregation caches.

Version 1: You need to export data to a legacy collection system that requires Version 1 export format. Otherwise, do not use Version 1 export format. Use Version 9 or Version 5 export format.