1
00:00:06,700 --> 00:00:09,690
- [Narrator] NetFlow was originally created by Cisco.

2
00:00:09,690 --> 00:00:13,400
It provides comprehensive visibility into network traffic

3
00:00:13,400 --> 00:00:16,230
when it traverses a network supported device.

4
00:00:16,230 --> 00:00:18,140
The original use for NetFlow

5
00:00:18,140 --> 00:00:20,660
was for billing and accounting purposes.

6
00:00:20,660 --> 00:00:22,900
For instance, during the dark ages

7
00:00:22,900 --> 00:00:25,010
of dial-up internet access,

8
00:00:25,010 --> 00:00:27,190
it was used to account for bandwidth

9
00:00:27,190 --> 00:00:29,130
in dial-up utilization.

10
00:00:29,130 --> 00:00:31,630
With the evolution of NetFlow,

11
00:00:31,630 --> 00:00:34,890
it now brings along the capability to be utilized

12
00:00:34,890 --> 00:00:37,810
as a tool for network visibility and security.

13
00:00:37,810 --> 00:00:40,900
Let's take a quick look at how NetFlow works.

14
00:00:40,900 --> 00:00:44,930
Here, you have device A and device B.

15
00:00:44,930 --> 00:00:48,750
In between, you have a switch A and switch B

16
00:00:48,750 --> 00:00:50,470
as well as router A.

17
00:00:50,470 --> 00:00:54,230
When a packet traverses from device A to B,

18
00:00:54,230 --> 00:00:56,610
it touches each of these devices.

19
00:00:56,610 --> 00:00:59,560
If these devices are capable of NetFlow,

20
00:00:59,560 --> 00:01:03,780
they will record a flow record for this transaction.

21
00:01:03,780 --> 00:01:08,170
One for the inbound and one for the return traffic.

22
00:01:08,170 --> 00:01:10,430
It's like a phone call record.

23
00:01:10,430 --> 00:01:13,760
A flow is considered a unidirectional series of packets

24
00:01:13,760 --> 00:01:17,550
between a given source and a destination.

25
00:01:17,550 --> 00:01:20,350
With each flow, the source and destination IP addresses

26
00:01:20,350 --> 00:01:23,980
are recorded as well as the source and destination ports

27
00:01:23,980 --> 00:01:25,380
and protocol.

28
00:01:25,380 --> 00:01:27,603
This is referred to as the five-tuple.

29
00:01:28,830 --> 00:01:33,470
The five-tuple is depicted here in the graphic.

30
00:01:33,470 --> 00:01:35,610
There are many versions of NetFlow used

31
00:01:35,610 --> 00:01:36,630
in the industry today;

32
00:01:36,630 --> 00:01:41,280
however, not all of them are useful for security visibility.

33
00:01:41,280 --> 00:01:45,660
The Internet Flow Information Export, or IPFIX,

34
00:01:45,660 --> 00:01:50,100
is a NetFlow standard led by the IETF.

35
00:01:50,100 --> 00:01:51,770
The purpose of IPFIX

36
00:01:51,770 --> 00:01:56,260
was to create a common universal standard of export

37
00:01:56,260 --> 00:01:59,530
for flow information from routers, switches

38
00:01:59,530 --> 00:02:01,860
and other infrastructure devices.

39
00:02:01,860 --> 00:02:06,767
IPFIX is documented in RFC 7011 through 7015

40
00:02:07,780 --> 00:02:10,690
as well as RFC 5103.

41
00:02:10,690 --> 00:02:15,120
Cisco NetFlow Version 9 is what IPFIX was based on.

42
00:02:15,120 --> 00:02:20,063
Note that IPFIX records are exported via UDP messages.