NetFlow
NetFlow is an open network protocol developed by Cisco Systems to collect IP traffic information. The collected information can be analyzed by a NetFlow collector and used to create a pictorial representation of traffic flow and volume.
NetFlow support is enabled and configured per VPN Gateway device using the device profile stored in the AT&T Administration Server. The NetFlow service can be configured to use a specific VLAN local IP address or loopback address. This ensures that all NetFlow packets use the IP addresses configured for the VLAN or loopback interface, providing an easier configuration for enterprise firewall management.
The VPN Gateway supports NetFlow Versions 5, 7, 9, or 10. The version implemented is configurable in the device profile. For NetFlow version 10, the VPN Gateway supports sending hostnames (if available) instead of the source and destination IP addresses in the NetFlow packets.
The packets-per-second sampling rate implemented by the NetFlow service on the VPN Gateway device is also configurable in the device profile. This allows a balance between logging detail and any potential negative impact on overall performance. If the sample rate is set to a value of zero or one, sampling is turned off. The ‘Active Session’ and ‘Idle Session’ timers can also be configured in the device profile.
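As an added example (not part of the AT&T documentation or the VPN Gateway software), the following Python decoder reads a NetFlow v5 export datagram and applies the sampling rule above: a header interval of 0 or 1 is treated as sampling off, while any larger interval scales the packet and byte counters back up. The field layout is the published v5 format; the datagram is constructed in the code, not captured from a VPN Gateway, and shows how much of an unencrypted export is readable on the wire.

```python
import socket
import struct
from collections import namedtuple

# NetFlow v5 wire layout (network byte order): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
SUPPORTED_VERSIONS = {5, 7, 9, 10}   # versions the gateway can export

Flow = namedtuple("Flow", "src dst proto sport dport packets octets sampled")


def sampling_interval(raw):
    """Low 14 bits of the header field hold the 1-in-N interval; the top 2 bits are the mode."""
    return raw & 0x3FFF


def parse_v5(datagram):
    """Decode one v5 datagram; 0 or 1 in the sampling field means sampling is off."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _up, _secs, _nsecs, _seq, _etype, _eid, samp = V5_HEADER.unpack_from(datagram)
    if version not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported NetFlow version {version}")
    if version != 5:
        raise NotImplementedError("only the v5 record layout is decoded here")
    interval = sampling_interval(samp)
    scale = interval if interval > 1 else 1
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header announces {count} records but the payload is truncated")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        src, dst, _nh, _in, _out, pkts, octets, _first, _last, sport, dport, _pad, _flags, proto = f[:14]
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, sport, dport,
                          pkts * scale, octets * scale, scale > 1))
    return flows


def build_v5(records, interval=0):
    """Build a constructed test datagram (not a capture) from (src, dst, proto, sport, dport, pkts, octets)."""
    hdr = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, interval)
    body = b"".join(V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, 1, 2,
                                   pk, oc, 0, 0, sp, dp, 0, 0, pr, 0, 0, 0, 24, 24, 0)
                    for s, d, pr, sp, dp, pk, oc in records)
    return hdr + body


# Constructed sample flow: one TCP/443 flow of 12 packets and 9000 bytes.
SAMPLE = [("10.1.2.3", "192.0.2.10", 6, 51000, 443, 12, 9000)]
```

Feeding the same record through `build_v5(SAMPLE, interval=100)` shows why collector-side volume figures depend on the configured sample rate.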
NetFlow statistics are not encrypted and can only be sent to collectors via a VPN Gateway IPSec-tunneled interface or via a local LAN connection. The VPN Gateway uses its default VLAN local LAN address to identify itself in NetFlow packets, which prevents NetFlow visibility on VPN Gateways using many-to-one IP NAT connections.
The NetFlow collector being used may require additional configuration of the VPN Gateway to support NetFlow. For example, Fluke Networks collectors require SNMP to also be configured on the VPN Gateway. The VPN Gateway can send records to NetFlow collectors over either IPv4 or IPv6. The records can contain IPv4 or IPv6 flow data and are not dependent on the transport; for example, records that contain IPv6 data can be sent to an IPv4 NetFlow collector.
The VPN Gateway can be configured to add ingress and egress detection of forwarded packets.
NOTE: A single forwarded packet will generate two NetFlow records: one ingress record when the packet enters the VPN Gateway and one egress record when the packet leaves the VPN Gateway.
Several other NetFlow settings are configurable via the device’s profile in the AT&T Administration Server.
