Netflow Traffic Analysis Free (Best Pick)


NetFlow v9 and IPFIX are template-based and can include additional fields (TCP flags, AS numbers, MPLS labels, etc.).

3. Deployment Architecture

A standard NetFlow analysis stack consists of three components:

| Panel | Purpose | Alert Threshold |
|-------|---------|-----------------|
| Top Talkers (IPs) | Identify bandwidth hogs | >200 Mbps for >10 min |
| Top Applications (by port & protocol) | Unusual app usage | Non-standard ports >10% of total |
| Conversation Matrix | East-West traffic visibility | Unusual server-to-server chatter |
| Protocol Distribution | TCP/UDP/ICMP ratio | >5% ICMP (possible scanning) |
| Asymmetric Routing Flag | Flows with mismatched interfaces | >1% of total flows |
| DDoS Signature (Flood) | Single IP with >10k flows/min | Threshold per interface |

| Feature | Full NetFlow (All flows) | Sampled NetFlow (1 in N packets) |
|---------|--------------------------|----------------------------------|
| Accuracy | 100% | ~1/N probability of missing flows |
| CPU load on router | High (10-20%) | Low (1-3%) |
| Storage required | Very high | Low |
| Security use (C2 detection) | ✅ Yes | ❌ Risky (can miss beacons) |
| Bandwidth top-N reporting | ✅ Yes | ✅ Acceptable |

Use IPFIX (vendor-agnostic) for new deployments.
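The following is an added example, not code from the original page: it applies four of the dashboard thresholds above (Top Talkers, Protocol Distribution, Top Applications, DDoS Signature) to constructed NetFlow-style records, and adds a small calculation behind the "can miss beacons" caveat in the sampling table. It assumes flows are bucketed into one-minute export windows, that "non-standard port" means a destination port outside a site-specific allow-list (the `STANDARD_PORTS` set here is an assumption), and that a beacon consisting of k packets is missed entirely by 1-in-N packet sampling with probability (1-1/N)^k. The Conversation Matrix and Asymmetric Routing panels are not modelled.

```python
"""Added example: evaluate NetFlow dashboard thresholds on constructed records."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Thresholds taken from the dashboard table above.
MBPS_THRESHOLD = 200.0        # Top Talkers: >200 Mbps ...
SUSTAINED_MINUTES = 10        # ... sustained for more than 10 minutes
ICMP_SHARE_THRESHOLD = 0.05   # Protocol Distribution: >5% ICMP
NONSTD_PORT_SHARE = 0.10      # Top Applications: non-standard ports >10%
FLOOD_FLOWS_PER_MIN = 10_000  # DDoS Signature: single IP with >10k flows/min

# Assumption: a site-specific allow-list of "standard" destination ports.
STANDARD_PORTS = {22, 25, 53, 80, 123, 443, 445, 993, 3389}


@dataclass(frozen=True)
class Flow:
    minute: int    # one-minute export bucket (constructed timestamps)
    src: str
    dst: str
    proto: int     # 1 = ICMP, 6 = TCP, 17 = UDP
    dst_port: int
    bytes: int


def top_talker_alerts(flows):
    """Sources whose per-minute rate exceeds MBPS_THRESHOLD for more than
    SUSTAINED_MINUTES consecutive minutes (bytes in bucket * 8 / 60 s)."""
    per_min = defaultdict(lambda: defaultdict(int))   # src -> minute -> bytes
    for f in flows:
        per_min[f.src][f.minute] += f.bytes
    alerts = []
    for src, mins in per_min.items():
        run = best = 0
        for m in range(min(mins), max(mins) + 1):
            mbps = mins.get(m, 0) * 8 / 60 / 1e6
            run = run + 1 if mbps > MBPS_THRESHOLD else 0
            best = max(best, run)
        if best > SUSTAINED_MINUTES:
            alerts.append(src)
    return sorted(alerts)


def icmp_share(flows):
    """Fraction of all flows that are ICMP."""
    return sum(1 for f in flows if f.proto == 1) / len(flows) if flows else 0.0


def nonstandard_port_share(flows):
    """Fraction of TCP/UDP flows whose destination port is outside STANDARD_PORTS."""
    tcp_udp = [f for f in flows if f.proto in (6, 17)]
    if not tcp_udp:
        return 0.0
    return sum(1 for f in tcp_udp if f.dst_port not in STANDARD_PORTS) / len(tcp_udp)


def flood_sources(flows):
    """Sources that open more than FLOOD_FLOWS_PER_MIN flows in a single minute."""
    counts = Counter((f.src, f.minute) for f in flows)
    return sorted({src for (src, _), c in counts.items() if c > FLOOD_FLOWS_PER_MIN})


def beacon_miss_probability(packets_per_beacon, n):
    """Probability that 1-in-N packet sampling sees none of a beacon's packets."""
    return (1 - 1 / n) ** packets_per_beacon


def run_dashboard(flows):
    """Evaluate all modelled panels and return the alert state of each."""
    return {
        "top_talkers": top_talker_alerts(flows),
        "icmp_share_alert": icmp_share(flows) > ICMP_SHARE_THRESHOLD,
        "nonstandard_port_alert": nonstandard_port_share(flows) > NONSTD_PORT_SHARE,
        "flood_sources": flood_sources(flows),
    }


# Constructed sample data (not captured traffic).
def baseline_flows():
    """One-minute window: 6 ICMP, 4 TCP to a non-standard port, 90 to standard ports."""
    flows = [Flow(0, f"10.0.1.{i}", "10.0.2.1", 1, 0, 64) for i in range(6)]
    flows += [Flow(0, f"10.0.1.{i}", "10.0.2.2", 6, 8888, 1500) for i in range(6, 10)]
    flows += [Flow(0, f"10.0.1.{i}", "10.0.2.3", 6 if i % 2 else 17,
                   443 if i % 2 else 53, 1500) for i in range(10, 100)]
    return flows


def talker_flows():
    """10.0.0.5 pushes 2 GB/min (~267 Mbps) for 13 minutes; 10.0.0.6 for only 6."""
    flows = [Flow(m, "10.0.0.5", "10.0.3.1", 6, 445, 2_000_000_000) for m in range(13)]
    flows += [Flow(m, "10.0.0.6", "10.0.3.1", 6, 445, 2_000_000_000) for m in range(6)]
    return flows


def flood_flows():
    """One source opens 10,001 flows in minute 3, exceeding the 10k/min threshold."""
    return [Flow(3, "203.0.113.9", "10.0.4.1", 17, 1024 + (i % 1000), 60)
            for i in range(10_001)]


if __name__ == "__main__":
    print(run_dashboard(baseline_flows() + talker_flows() + flood_flows()))
    print("beacon of 20 packets missed by 1:1000 sampling with p =",
          round(beacon_miss_probability(20, 1000), 4))
```

The sampling function makes the second table's caveat concrete: a low-volume beacon of a few tens of packets is almost always invisible at 1-in-1000 sampling, which is why sampled export is acceptable for top-N bandwidth reporting but not for C2 detection.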