It is possible to gather flows of network traffic as they traverse through devices.
This can be useful for many reasons, for billing or for checking if traffic is flowing optimally through the network.
This is done with Netflow, and requires two parts to be configured for it work, Netflow Data Capture and Netflow Data Export.
The Netflow Data Capture captures the traffic statistics on the network device.
The Netflow Data Export exports this data to a NetFlow collector, such as DNA Center or Cisco Prime Infrastructure.
Before enabling Network on a network device, it is important to note that it is does consume memory on the platform. Ensure the network device has enough memory to support Netflow and usual network operations.
Netflow can capture traffic on both the egress and ingress of a port.
Traffic that can be collected on egress/ingress on Netflow Version 9
| Ingress Traffic | Egress Traffic |
| IP to IP Packets | Netflow accounting for all IP traffic packets |
| IP to Multiprotocol Label Switching (MPLS) packets | MPLS to IP Packets |
| Frame Relay Terminated Packets | |
| ATM Terminated Packets |
Netflow collects information based on flows.
A flow is a unidirectional traffic stream that can contain a combination of the below data:
- Source IP address
- Destination IP address
- Source port number
- Destination port number
- Layer 3 Protocol Type
- Type of Service (ToS)
- Input Logical Interface
Configuring NetFlow
config terminal ip flow-export version 9 ip flow-export destination 192.168.1.50 9997 interface GigabitEthernet1/1 ip flow ingress ip flow egress
Network can be verified that it is working correctly with the commands show ip flow interface, show ip flow export, show ip cache flow
Top Talkers
Enabling NetFlow brings an advantage to network administrators that they can quickly view the top connections on the network device with a simple command, show ip flow top-talkers
It requires a little bit more configuration to enable it on the router in global configuration mode
ip flow-top-talkers sort-by bytes top 15
Flexible NetFlow
Flexible NetFlow was developed to provide an option for further network traffic analysis than is possible with normal NetFlow.
Flexible Netflow allows for the use and re-use of configuration components.
Flexible NetFlow allows the use of multiple Flow Monitors at the same time, meaning multiple flow policies can be applied to the same traffic as it flows through the device.
If there two different destinations to put NetFlow traffic, the same traffic can be analysed in two different ways then sent onto two different destinations.
Flexible NetFlow is broken down into four separate components
Flow Records
Flow records are a combination of key and non-key fields. Predefined and user records.
Flow Monitors
Flow monitors are applied to the interface to monitor network traffic
Flow Exporters
Flow exporters export NetFlow version 9 data from the Flow Monitor cache to a remote host
Flow Samplers
A flow sampler samples partial relevant NetFlow data rather than analysing all NetFlow data.
With the use of sampled NetFlow data, it reduces the load on memory and CPU on the network devices. There is a trade off that data collected may not give as accurate conclusions in comparison to all NetFlow data being collected.
Security is driver of the adoption of Flexible NetFlow due to the ability to track all parts of the IP header as well as the packet, normalising it into a single flow.
Flexible NetFlow can create a dynamic cache of each type of flow and filter ingress traffic to a specific destination.
Flow Records
Creating a customised Flow Record can be done with collect and match commands to match a flow record.
The match command is used to select a key field, the collect command is used to select a non-key field.
| Field | Key/Non-Key | Definition |
| IP ToS | Key | Value in type of service field |
| IP Protocol | Key | Value in IP Protocol Field |
| IP Source Address | Key | Source IP Address |
| IP Destination Address | Key | Destination IP Address |
| Transport Source Port | Key | Source Port |
| Transport Destination Port | Key | Destination Port |
| Interface Input | Key | Interface Received |
| Flow Sampler ID | Key | ID number of Flow Sampler |
| IP Source AS | Non-Key | Source AS number |
| IP Destination AS | Non-Key | Destination AS number |
| IP Next-Hop Address | Non-Key | Next-hop address |
| IP Source Mask | Non-Key | Subnet source mask |
| IP Destination Mask | Non-Key | Subnet destination mask |
| TCP Flags | Non-Key | Value in TCP flag field |
| Interface Output | Non-Key | Outbound interface |
| Counter Bytes | Non-Key | Number of bytes in flow |
| Counter Packets | Non-Key | Number of packets in flow |
| Time Stamp System Uptime First | Non-Key | System uptime when packet was first switched |
| Time Stamp System Uptime Last | Non-Key | System uptime when packet was last switched |
Configuring a flow record is important with Flexible NetFlow as the flow record defines what type of traffic will be monitored and analysed.
Custom flow records can have many different combinations to meet the needs of the configuration required.
To define a flow record:
- Define the flow record name
- Set a description for the flow record
- Set match criteria for key fields
- Set non-key field data to be collected
flow record MyFlowRecord description Capture Flow Record for IPv4 match ipv4 destination address collect counter bytes collect counter packets
Flow Exporter
With a custom Flow Record, they need to be exported with a Flow Exporter.
To create a Flow Exporter
- Define the flow exporter name
- Set a description for the flow exporter
- Specify a destination for the flow exporter
- Specify the NetFlow version to be used for export
- Specify the UDP port to be used for export
flow exporter MyFlowExport description My flow exporter destination 192.168.1.50 export-protocol netflow-v9 transport UDP 9997
Flow Monitor
With the Flow Record and Flow Exporter programmed, it needs to be tied together with the Flow Monitor.
The Flow monitor has it’s own cache. The Flow Record earlier describes how that cache is to be used for capturing NetFlow data.
The steps on configuring a Flow Monitor:
- Define the flow monitor name
- Set a description for the flow monitor
- Specify the flow record to be used
- Specify a cache timeout
- Assign the exporter to a monitor
flow monitor MyFlowMonitor description Flow Monitor record MyFlowRecord cache timeout active 60 exporter MyFlowExport
Turn on Flexible NetFlow
The flow monitor needs to be applied to the appropriate interface where traffic will be captured
interface GigabitEthernet0/1 ip flow monitor MyFlowMonitor input
Leave a Reply