Tactical Advice

How to Improve Network Visibility with IPFIX

Try these tips for implementing the standards-based flow collection protocol.
How to Improve Network Visibility with IPFIX
Credit: Fuse/Thinkstock

Network managers have always sought a better window into their networks. The new Internet Protocol Flow Information eXport (IPFIX) protocol offers the best path for gaining clear visibility across multiple brands of hardware, from the core to the branch office.

To get the best results collecting and monitoring IP traffic using IPFIX, follow these pointers.

1. Understand what you’re getting.

A standards-based replacement for Cisco NetFlow, IPFIX and a series of nearly identical protocols such as JFlow, cflowd and sFlow all share a common goal and similar formats: sending flow information to a management station for visibility, traffic management, capacity planning, monitoring and debugging. IPFIX focuses on flows — sets of packets with the same IP addresses and port numbers. That provides enough information to understand the top users, servers and applications on the network, along with where all that bandwidth is going.

Don’t expect IPFIX data to exactly match more precise measures such as Simple Network Management Protocol counters from interfaces or firewall session logs. Flow information isn’t exactly the same as bits on the wire, but it’s close enough for planning and debugging purposes. IPFIX is efficient and typically adds less than one percent overhead to existing WAN links, which is less than many other monitoring tools.

2. Go for the latest and greatest.

One network security innovation is deep packet inspection to understand precisely what application is running. Network managers need more than Port 80 traffic; they also need to understand whether they’re looking at BitTorrent or WebEx, Facebook or LinkedIn, Dropbox or Windows updates. Not every device can perform deep packet inspection and export it via IPFIX, but look for this feature in security and network equipment as well as IPFIX flow analysis consoles.

3. Choose interchangeable parts.

By selecting a standard, organizations can mix and match pieces from various manufacturers. Although there are minor variations in the different flow reporting protocols, most flow analyzers will readily accept any version: IPFIX, NetFlow, sFlow and so on.

A protocol-agnostic flow analyzer enables network managers to use whatever device is best able to export flows. Sometimes that’s a Juniper or SonicWALL firewall, sometimes a Cisco or HP switch, sometimes a Riverbed optimization device, sometimes a Blue Coat proxy or a VMware ESXi server. Picking a flow analyzer that isn’t tied to a particular vendor simplifies the process of getting flow data in a complex WAN by providing maximum flexibility.

4. Be careful of interface directions.

Because NetFlow was developed for ISP accounting, it has a strong concept of interfaces: traffic going in and traffic going out. Capturing full flow information requires looking at both the input and output side of things. This two-way thinking can be counter-intuitive for network managers who are used to looking at input octets and output octets on a single Ethernet port. Flow information usually requires monitoring at least two interfaces on a switch, firewall, router or other device to see both sides of the conversation.

5. Add probes only where installed equipment can’t do the job.

Because most modern network and security equipment includes flow export capability, there’s no need to purchase additional network probes just to see what is happening on the network. Make IPFIX or NetFlow export a requirement for any routing, switching or security device added to existing networks.

Organizations will need an add-on physical network probe in only a few situations, such as when they use older gear or special topologies. Rather than buy probes, put that money toward a better, faster or smarter flow analysis console.

Sign up for our e-newsletter

About the Author

Joel Snyder

Joel Snyder

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Dr. Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.


Heartbleed: What Should Your... |
One of the biggest security vulnerabilities has almost every user and every industry...
Why Businesses Need a Next-G... |
Devices investigate patterns that could indicate malicious activity.
Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....


The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Businesses Must Step Careful... |
Slow and steady wins the race as businesses migrate IT operations to service providers,...
Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...


Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Mobility: A Foundational Pie... |
Other technologies rely on mobile computing, which has the power to change lives, Lextech...
Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.

Hardware & Software

Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....
New Challenges in Software M... |
IT trends such as cloud, virtualization and BYOD pose serious hurdles for software...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.