NetFlow is a Cisco application that collects statistics on packets flowing through
a router. By analyzing the data provided by NetFlow, a network administrator can
determine the characteristics of network traffic, such as source, destination and
class of service, and use them as a starting point for troubleshooting network
problems such as the causes of congestion.
NetFlow provides insights into the state of network traffic and this information
can be utilized in network and security monitoring, network planning, traffic
analysis, application monitoring, capacity planning, and IP accounting.
Most NetFlow devices support export versions 1, 5, and 9.
NetFlow provides the ability to view network traffic grouped by protocol. With
this feature, a baseline of network traffic can be established before the
introduction of a new network service or the implementation of traffic shaping.
For Internet-facing routers that run NAT, it is recommended that NetFlow be
configured on the router interface connecting to the local network, i.e. before
NAT translation. If NetFlow is configured on the Internet-facing interface, NAT
will already have been applied and it becomes difficult to understand the traffic
flow patterns of local devices, because their local/internal IP addresses will
already have been translated.
A typical flow monitoring setup using NetFlow consists of three main components:
- Flow exporter: aggregates packet data into flows and exports flow records
to one or more flow collectors. This is usually a router.
- Flow collector: responsible for reception, storage and processing
of flow data received from a flow exporter.
- NetFlow cache: the record for each active flow is maintained
locally in the cache.
A network flow is a unidirectional stream of packets between a given source and
destination. A flow is uniquely identified by the following characteristics:
- Source IP address
- Source port number
- Destination IP address
- Destination port number
- Layer 3 protocol type
- Type of service (TOS)
- Logical input interface: router or switch interface
The combination of these fields makes a flow uniquely identifiable.
NetFlow is used on top of an existing switching path such as CEF.
Traffic monitored by NetFlow can be classified into the following categories:
- Device: flow count, traffic and volume
- Interface: bandwidth utilization, traffic, packets and volume
- Application: traffic with port and protocol details
- Conversation: source, destination, application and traffic
- Quality of Service (QoS): DSCP and traffic
NetFlow Cache
After you enable NetFlow on an interface, NetFlow reserves memory to accommodate a number of
entries in the NetFlow cache. Normally the default size of the NetFlow cache meets the needs of your NetFlow
traffic rates. The cache default size is 64K flow cache entries. Each cache entry requires 64 bytes of
storage. About 4 MB of DRAM are required for a cache with the default number of entries. You can
increase or decrease the number of entries maintained in the cache, if required.
To obtain information on your flow traffic, use the command show ip cache flow.
A NetFlow cache can be resized, depending on the platform and the amount of DRAM
on a line card, using the command ip flow-cache entries <number>.
Parameters of the NetFlow cache can be modified using the following commands:
- ip flow-cache timeout active <1-60>: the value is in minutes. This specifies the
number of minutes that an active flow remains in the cache before the flow times
out. The default is 30.
- ip flow-cache timeout inactive <10-600>: the value is in seconds. This specifies
the number of seconds that an inactive flow remains in the cache before it times
out. The default is 15.
Note: If any parameters of the NetFlow main cache are modified after NetFlow
is enabled, the changes will not take effect until the router is rebooted. A better
option is to disable NetFlow on the interface first and then re-enable it.
Flow entries are deleted from the cache when they expire.
NetFlow cache entries expire under the following scenarios:
- The flow has been idle for 15 seconds (the default inactive timeout).
- Flows that are continuous, such as routing protocol message exchanges, are
categorized as long-lived flows. Long-lived flows expire, by default, after a
maximum of 30 minutes (the configured active timeout value).
- If the NetFlow cache is full, the oldest flows are deleted.
- TCP connections that are ending with the FIN flag set or have been reset
(with the RST flag) are expired.
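The seven-field flow key and the four expiry rules above, as an added example that is not part of the original page or of Cisco's implementation: a small Python model of the main cache, fed with constructed packets and deliberately short timeouts so that every rule fires.

```python
# Added example (not Cisco code): a minimal model of the NetFlow main cache.
# Flows are keyed on the seven fields listed above and expire for the four
# reasons listed: inactive timeout, active timeout, cache full and TCP FIN/RST.
# Packets and timings are constructed; the defaults mirror IOS (30 min, 15 s, 64K).
from dataclasses import dataclass
from typing import Dict, List, Tuple

FIN, RST = 0x01, 0x04                 # TCP flag bits as shown in the 'Flgs' column
OSPF, TCP, UDP, ICMP = 89, 6, 17, 1   # IP protocol numbers ('Pr' column, in decimal)

# src address, src port, dst address, dst port, protocol, ToS, input interface
FlowKey = Tuple[str, int, str, int, int, int, str]


@dataclass
class Flow:
    key: FlowKey
    first: float            # time the first packet of the flow was seen
    last: float             # time the most recent packet was seen
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0      # OR of every TCP flag seen in the flow


class NetFlowCache:
    def __init__(self, active_timeout=30 * 60, inactive_timeout=15, max_entries=65536):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.max_entries = max_entries
        self.flows: Dict[FlowKey, Flow] = {}
        self.expired: List[Tuple[str, Flow]] = []   # (reason, flow) handed to the exporter

    def _expire(self, key: FlowKey, reason: str) -> None:
        self.expired.append((reason, self.flows.pop(key)))

    def age(self, now: float) -> None:
        """The ager: idle flows go first, then long-lived flows are cut into segments."""
        for key, flow in list(self.flows.items()):
            if now - flow.last >= self.inactive_timeout:
                self._expire(key, "inactive")
            elif now - flow.first >= self.active_timeout:
                self._expire(key, "active")

    def add_packet(self, now, src, sport, dst, dport, proto, tos, in_if, length, tcp_flags=0):
        self.age(now)
        key: FlowKey = (src, sport, dst, dport, proto, tos, in_if)
        flow = self.flows.get(key)
        if flow is None:
            if len(self.flows) >= self.max_entries:
                oldest = min(self.flows.values(), key=lambda f: f.first)
                self._expire(oldest.key, "cache-full")      # cache full: the oldest flow goes
            flow = self.flows[key] = Flow(key, first=now, last=now)
        flow.last = now
        flow.packets += 1
        flow.octets += length
        flow.tcp_flags |= tcp_flags
        if proto == TCP and tcp_flags & (FIN | RST):
            self._expire(key, "tcp-fin-rst")                # teardown ends the flow at once


def expiry_summary(cache: NetFlowCache) -> Dict[str, int]:
    summary: Dict[str, int] = {}
    for reason, _ in cache.expired:
        summary[reason] = summary.get(reason, 0) + 1
    return summary


def run_demo() -> NetFlowCache:
    # Short timeouts and a four-entry cache so that every expiry rule fires within 70 s.
    cache = NetFlowCache(active_timeout=60, inactive_timeout=15, max_entries=4)
    ospf = ("192.168.13.2", 0, "224.0.0.5", 0, OSPF, 0xC0, "Gi3/0")        # hello every 10 s
    tcp = ("10.0.0.5", 51000, "192.168.14.2", 443, TCP, 0, "Gi0/0")         # SYN, data, FIN
    dns = ("10.0.0.7", 53001, "8.8.8.8", 53, UDP, 0, "Gi0/0")
    ntp = ("10.0.0.9", 123, "192.168.14.2", 123, UDP, 0, "Gi0/0")
    icmp = ("192.168.14.2", 0, "1.1.1.1", 0x0303, ICMP, 0xC0, "Gi2/0")     # type 3 code 3 -> DstP 0303
    http = ("10.0.0.11", 40000, "192.168.14.2", 80, TCP, 0, "Gi0/0")
    events = [(t, ospf, 80, 0) for t in range(0, 80, 10)]
    events += [(1, tcp, 60, 0x02), (2, tcp, 1500, 0x10), (3, tcp, 60, 0x11),
               (5, dns, 76, 0), (6, ntp, 90, 0), (7, icmp, 56, 0), (8, http, 60, 0x02)]
    for t, key, length, flags in sorted(events):
        cache.add_packet(t, *key, length, flags)
    return cache
```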
Collection Engine
The collection engine runs on the router or switch whose interface traffic is to be
monitored. The collection engine sends NetFlow data to a management collector
with 1.5% export data overhead. Flows are exported to the NetFlow collector
periodically, or when they expire, in UDP datagrams. The UDP port number is
arbitrary; there is no default UDP port on which the collector listens.
NetFlow Collector
NetFlow export, unlike SNMP polling, pushes information periodically to the
collector. Flows that have terminated or expired (based on the NetFlow cache) are
exported as well. Flows are terminated when the network communication ends. A
maximum of two export destinations is allowed.
NetFlow Version 5
NetFlow version 5 has a fixed packet format that cannot be extended.
It supports IPv4 only. Support for BGP is included.
NetFlow v5 supports the export of data from the main cache only; the aggregation cache
is not supported.
NetFlow v5 does not have the concept of ingress and egress flows. The collector
engine reverses the information behind the scenes without any additional
configuration.
Information captured by NetFlow v5 includes the following:
- Source and destination ports
- Packet counts
- Byte counts
- Flow duration
- I/O interfaces
NetFlow v5 does not support multicast, IPSec and MPLS. Additionally
Configuration
To configure NetFlow version 5, the following configurations are made:
- Enable flows on the interface, in interface configuration mode:
ip flow ingress: enables NetFlow for inbound traffic on an interface.
ip flow egress: enables NetFlow for outbound traffic on an interface.
R1(config-if)#interface g1/0
R1(config-if)#ip flow ingress
R1(config-if)#ip flow egress
The legacy interface command ip route-cache flow can also be used as an
alternative to the above commands on platforms that still support it. It enables
NetFlow on an interface as well as on any configured sub-interfaces.
- Configure location of flow data storage: NetFlow data is stored locally
in the device cache or exported to a NetFlow collector.
- Local retrieval: local retrieval is also known as stand-alone mode, where NetFlow
records are stored in the local router memory and accessed using the CLI.
The following commands enable monitoring of bandwidth based on bytes or packet count:
R1(config)#ip flow-top-talkers
R1(config-flow-top-talkers)#top 10
R1(config-flow-top-talkers)#sort-by bytes
To view the flows, use the command show ip flow top-talkers.
NetFlow is a resource-hungry feature. It is recommended not to enable NetFlow on
a router that is already experiencing heavy resource constraints.
- Export (configuration only):
- Define the export destination using the command
ip flow-export destination <ip-address> <port> [sctp|udp].
R1(config)#no ip flow-export destination 192.168.34.2 ?
<1-65535> UDP/SCTP port number
R1(config)#ip flow-export destination 192.168.14.2 9999
The NetFlow records are exported by the NetFlow exporter to the collector using
UDP. The IP address of a NetFlow collector and a destination UDP port have to be
configured on the flow exporter. A router (NetFlow exporter) keeps a count of the
flow records it has already exported (the sequence number), so a collector can tell
when NetFlow packets have been dropped because of packet corruption or network
congestion.
NetFlow export can also use SCTP (Stream Control Transmission Protocol) to export
the NetFlow records, which offers protection against the loss of packets. In the
case of NetFlow version 9, SCTP ensures that the NetFlow v9 template is received by
the collector before the related records are exported. Where NetFlow export uses
only network backbone links, packet loss is normally negligible.
The NetFlow collector listens for NetFlow records on UDP or SCTP. However,
the port is not explicitly defined. The administrator can configure a UDP port
of choice; the commonly configured port number is 9995, 9996 or 9999. It is
important to note that when configuring a NetFlow collector
to collect NetFlow records from more than one NetFlow exporter, each NetFlow
exporter should be configured to export flow records to a different port number.
Otherwise the NetFlow collector will aggregate the flow records. So it is
recommended to configure one port for one NetFlow exporter.
ip flow-export version [5|9]: specifies the format of exported NetFlow records.
It is possible to configure NetFlow version 5 and export flow records in version 9.
R1(config)#ip flow-export version 5 ?
bgp-nexthop record BGP NextHop
origin-as record origin AS
peer-as record peer AS
<cr>
R1(config)#ip flow-export version 5
- Specify the source IP address: the source IP address can be configured using
the command ip flow-export source <interface>.
R1(config)#ip flow-export source lo0
This is particularly important in scenarios where, with multipathing, NetFlow
records from one device may have different source IP addresses due to the different egress
interfaces that the NetFlow traffic may have used. This command ensures that the
source IP address is consistent for all flow records from a device.
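The fixed v5 export format and its UDP delivery to the collector, as an added example (not Cisco code or any collector's implementation): a Python encoder/decoder for v5 datagrams built from the flows in this page's show output, plus the sequence-number check a collector uses to notice lost datagrams. Interface indices and timestamps are constructed.

```python
# Added example (not Cisco code): encoder and decoder for the fixed NetFlow v5
# export format (a 24-byte header followed by 1..30 records of 48 bytes, one UDP
# datagram per export).  The records are constructed from the flows shown in the
# 'show ip cache flow' output further down; interface indices are made up.
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Optional

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes, network byte order
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes per flow record
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")
MAX_RECORDS = 30                                        # 24 + 30*48 = 1464 bytes < 1500 MTU


def build_v5_datagram(records: List[Dict], sys_uptime: int, unix_secs: int,
                      flow_sequence: int, engine_type=0, engine_id=0, sampling=0) -> bytes:
    """Pack records as an exporter does; flow_sequence counts flows, not datagrams."""
    if not 0 < len(records) <= MAX_RECORDS:
        raise ValueError("a v5 datagram carries 1..30 records")
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0, flow_sequence,
                            engine_type, engine_id, sampling)
    body = b"".join(
        V5_RECORD.pack(IPv4Address(r["srcaddr"]).packed, IPv4Address(r["dstaddr"]).packed,
                       IPv4Address(r.get("nexthop", "0.0.0.0")).packed, r["input"], r["output"],
                       r["dPkts"], r["dOctets"], r["first"], r["last"], r["srcport"], r["dstport"],
                       0, r.get("tcp_flags", 0), r["prot"], r.get("tos", 0), r.get("src_as", 0),
                       r.get("dst_as", 0), r.get("src_mask", 0), r.get("dst_mask", 0), 0)
        for r in records)
    return header + body


def parse_v5_datagram(data: bytes) -> Dict:
    """Decode one datagram, checking the fixed layout before trusting any field."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, sys_uptime, unix_secs, _nsecs, seq, *_ = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > MAX_RECORDS or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for k in ("srcaddr", "dstaddr", "nexthop"):
            rec[k] = str(IPv4Address(rec[k]))
        rec["duration_ms"] = rec["last"] - rec["first"]   # first/last are sys-uptime stamps in ms
        flows.append(rec)
    return {"version": version, "count": count, "flow_sequence": seq,
            "sys_uptime": sys_uptime, "unix_secs": unix_secs, "flows": flows}


class SequenceTracker:
    """UDP export is never retransmitted; the collector can only *detect* loss because
    flow_sequence advances by the number of flows carried in each datagram."""
    def __init__(self) -> None:
        self.expected: Optional[int] = None
        self.lost_flows = 0

    def observe(self, dgram: Dict) -> int:
        if self.expected is not None and dgram["flow_sequence"] > self.expected:
            self.lost_flows += dgram["flow_sequence"] - self.expected
        self.expected = dgram["flow_sequence"] + dgram["count"]
        return self.lost_flows


def demo() -> Dict:
    # Two flows from the 'show ip cache flow' output: the OSPF hello stream on Gi3/0 and the
    # ICMP port-unreachable to 1.1.1.1 (ICMP type 3, code 3 travels in dstport as 0x0303).
    ospf = dict(srcaddr="192.168.13.2", dstaddr="224.0.0.5", input=4, output=0, dPkts=74,
                dOctets=74 * 80, first=10_000, last=740_000, srcport=0, dstport=0, prot=89,
                tos=0xC0, src_mask=30)
    icmp = dict(srcaddr="192.168.14.2", dstaddr="1.1.1.1", input=3, output=0, dPkts=1, dOctets=56,
                first=600_000, last=600_000, srcport=0, dstport=0x0303, prot=1, tos=0xC0,
                src_mask=30, dst_mask=32)
    tracker = SequenceTracker()
    first = parse_v5_datagram(build_v5_datagram([ospf, icmp], 800_000, 1_700_000_000, 0))
    tracker.observe(first)
    # The exporter's next datagram (sequence 2, one flow) is lost in transit; the following one
    # carries sequence 3, so the collector infers that one flow record is missing.
    third = parse_v5_datagram(build_v5_datagram([icmp], 830_000, 1_700_000_030, 3))
    return {"first": first, "lost_after_gap": tracker.observe(third)}
```

The decoded dstport prints as 0x0303 with hex(), matching the hexadecimal port display of show ip cache flow.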
Verification
show ip cache [verbose] flow
Displays basic statistics for NetFlow records that are stored in the router's
local cache.
The section "IP packet size distribution" displays the different packet sizes and
the percentage of network traffic that had the given size. A value of .855 means
that 85.5 percent of the traffic had a packet size of 128 bytes.
R1#show ip cache flow
IP packet size distribution (9364 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .010 .132 .855 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 4456704 bytes
5 active, 65531 inactive, 122 added
12987 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 533256 bytes
5 active, 16379 inactive, 105 added, 105 added to flow
0 alloc failures, 0 force free
1 chunk, 2 chunks added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
ICMP 81 0.0 99 99 1.6 4.1 15.8
IP-other 36 0.0 25 80 0.1 212.2 13.8
Total: 117 0.0 76 97 1.8 68.1 15.2
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi2/0 192.168.14.2 Local 1.1.1.1 01 0000 0303 1
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi3/0 192.168.13.2 Null 224.0.0.5 59 0000 0000 74
Gi0/0 192.168.12.2 Null 224.0.0.5 59 0000 0000 132
Gi1/0 192.168.15.2 Null 224.0.0.5 59 0000 0000 97
Gi2/0 192.168.14.2 Null 224.0.0.5 59 0000 0000 53
R1#
The port numbers are displayed in hexadecimal.
In the output, under the destination interface column (DstIf), ingress interfaces
have a * appended to the interface name.
R1#show ip cache verbose flow
IP packet size distribution (9530 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .011 .146 .841 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 4456704 bytes
5 active, 65531 inactive, 135 added
14644 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 533256 bytes
5 active, 16379 inactive, 118 added, 118 added to flow
0 alloc failures, 0 force free
1 chunk, 2 chunks added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
ICMP 94 0.0 86 99 1.5 3.5 15.9
IP-other 36 0.0 25 80 0.1 212.2 13.8
Total: 130 0.0 69 97 1.7 61.3 15.3
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Gi2/0 192.168.14.2 Local 1.1.1.1 01 C0 10 1
0000 /30 0 0303 /32 0 0.0.0.0 56 0.0
Gi3/0 192.168.13.2 Null 224.0.0.5 59 C0 10 112
0000 /30 0 0000 /0 0 0.0.0.0 80 1023.4
Gi0/0 192.168.12.2 Null 224.0.0.5 59 C0 10 171
0000 /30 0 0000 /0 0 0.0.0.0 80 1557.9
Gi1/0 192.168.15.2 Null 224.0.0.5 59 C0 10 135
0000 /30 0 0000 /0 0 0.0.0.0 80 1221.8
Gi2/0 192.168.14.2 Null 224.0.0.5 59 C0 10 91
0000 /30 0 0000 /0 0 0.0.0.0 80 825.3
show ip flow export
Displays the NetFlow data export configuration and statistics of NetFlow records
that are being exported.
R1#show ip flow export
Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 1.1.1.1 (Loopback0)
Destination(1) 192.168.14.2 (9999)
Version 5 flow records
159 flows exported in 143 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
27 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
R1#
show ip flow interface
Displays the NetFlow configuration for each interface
R1#show ip flow interface
GigabitEthernet0/0
ip route-cache flow
ip flow ingress
ip flow egress
GigabitEthernet1/0
ip flow ingress
ip flow egress
GigabitEthernet2/0
ip flow ingress
ip flow egress
GigabitEthernet3/0
ip flow ingress
ip flow egress
show ip flow top-talkers
This table displays real-time values for the top devices transmitting and receiving
traffic.
R1#show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Gi0/0 192.168.12.2 Null 224.0.0.5 59 0000 0000 8248
Gi1/0 192.168.15.2 Null 224.0.0.5 59 0000 0000 5448
Gi3/0 192.168.13.2 Null 224.0.0.5 59 0000 0000 3608
Gi2/0 192.168.14.2 Null 224.0.0.5 59 0000 0000 1840
4 of 10 top talkers shown. 4 flows processed.
R1#show ip flow top-talkers verbose
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Bytes
Port Msk AS Port Msk AS NextHop B/Pk Active
Gi0/0 192.168.12.2 Null 224.0.0.5 59 C0 10 8248
0000 /30 0 0000 /0 0 0.0.0.0 80 938.2
Gi1/0 192.168.15.2 Null 224.0.0.5 59 C0 10 5448
0000 /30 0 0000 /0 0 0.0.0.0 80 606.4
Gi3/0 192.168.13.2 Null 224.0.0.5 59 C0 10 3608
0000 /30 0 0000 /0 0 0.0.0.0 80 402.1
Gi2/0 192.168.14.2 Null 224.0.0.5 59 C0 10 1840
0000 /30 0 0000 /0 0 0.0.0.0 80 210.5
4 of 10 top talkers shown. 4 flows processed.
clear ip flow stats
Clears the statistics so that NetFlow operations can be observed afresh.
NetFlow Version 9
NetFlow version 9 is a flexible format that provides the versatility needed to
support new fields and record types. It supports the export of packet data for
IPv6, multicast, Multiprotocol Label Switching (MPLS), BGP next hop, etc.
NetFlow version 9 is template-based. Templates provide a means of extending the
record format and ensure that NetFlow can be adapted to support new protocols. A
template describes a NetFlow record format and the attributes of the fields within
the record. The router assigns each template an ID, which is communicated to the
Collection Engine along with the template description. The template ID is used for
all further communication from the router to the Collection Engine.
However, NetFlow records generated with version 9 are not backwards compatible
with previous versions of NetFlow.
With NetFlow v9, the templates used are preconfigured in IOS and cannot be easily
modified. With Flexible NetFlow, however, templates can be configured manually. In
version 9, the command ip flow-capture can be used to add fields of the packet to
the NetFlow records.
Unlike version 5, which exports records only from the main cache, NetFlow v9
supports the export of data from both the main cache and the aggregation cache.
NetFlow v9 introduces the concept of "egress" flows. Traffic statistics on ingress
flows are calculated before compression, which may be a problem if WAN links
compress packets; egress flow statistics are calculated after compression.
In addition to information captured by NetFlow v5, the following information is
captured by NetFlow v9:
- Fragmentation flags
- Other TCP flags/counters
- Flow direction
- DSCP info
- ToS
- ICMP and IGMP
- TTL
Configuration
- Enable flows on the interface, in interface configuration mode: ip flow [ingress|egress]
- Configure the flow export destination using the command
ip flow-export destination <ip-address> <port> [sctp|udp].
- Define the source IP address using the command ip flow-export source <interface>.
- Configure the export version: ip flow-export version 9.
- Define the characteristics of the packets to be included in the NetFlow records
using the template keyword, which specifies that template-specific configuration
follows. Some template-defined parameters include the following:
Command | Description
ip flow-export template timeout-rate <minutes> | Sets the template timeout. Setting it to one minute (ip flow-export template timeout-rate 1) ensures that there are no data gaps if the network service or server restarts. The default setting for long active flows (long-lived flows) is 30 minutes, which can cause high peaks well above circuit speeds; breaking the cached flows into one-minute fragments normalizes the data and avoids the high peaks.
ip flow-export template options export-stats |
ip flow-export template options refresh-rate <1-600> | Specifies the number of packets exported before the templates are resent. The default is 20.
ip flow-export template options timeout-rate <minutes> | Specifies the time elapsed before templates are resent. The default is 30 minutes.
ip flow-capture fragment-offset | Captures the fragment offset information.
ip flow-capture packet-length | Captures the maximum and minimum packet length.
ip flow-capture ttl | Captures the TTL.
ip flow-capture vlan-id | Captures the VLAN ID.
ip flow-capture icmp | Captures the ICMP type and code.
ip flow-capture ip-id | Captures the IP ID.
ip flow-capture mac-addresses | Captures the source and destination MAC addresses.
ip flow-cache timeout inactive <10-600> | Sets the inactive timeout value in seconds.
ip flow-cache timeout active 1 |
R1(config)#ip flow-capture packet-length
R1(config)#ip flow-capture ttl
R1(config)#ip flow-capture fragment-offset
R1(config)#ip flow-capture mac-addresses
R1(config)#ip flow-capture ip-id
- IfIndex persistence: to ensure that the interface indices persist across device
reboots, use the command snmp-server ifindex persist.
Flow Sampler
A flow sampler defines a subset of packets whose statistics are representative of
the traffic transiting an interface, instead of accounting for every packet going
through the interface. Sampling flow data reduces the load on the CPU and memory;
however, some packet information may be missed.
A flow sampler can be configured as follows:
R1(config)#flow-sampler-map ONE_TEN
R1(config-sampler)#mode random one-out-of 10
The flow sampler can then be applied to the interface using the interface command
flow-sampler ONE_TEN.
If ingress flow is configured on an interface and a flow sampler is applied to
the interface, a warning message is generated: "Warning: ingress NetFlow will
override the sampler". The ingress flow command will have to be removed.
R1(config-if)#flow-sampler ONE_TEN ?
R1(config-if)#flow-sampler ONE_TEN
*May 29 22:43:54.035: Warning: ingress NetFlow will override the sampler.
R1(config-if)#no ip flow ingress
*May 29 22:44:06.223: Warning: ingress sampler re-enabled.
Flow sampler with Class Map and Policy Map
A flow sampler can be combined with a class map and a policy map to view network
traffic statistics. This can be accomplished using the following commands:
- Configure the flow sampler:
R1(config)#flow-sampler-map ONE_ONE
R1(config-sampler)#mode random one-out-of 1
- Configure the class-map:
R1(config)#class-map match-all ICMP
R1(config-cmap)#match protocol icmp
- Configure the policy map:
R1(config)#policy-map PM_SAMPLER
R1(config-pmap)#class ICMP
R1(config-pmap-c)#NetFlow-sampler ONE_TEN
R1(config-pmap)#class class-default
R1(config-pmap-c)#NetFlow-sampler ONE_ONE
The class-default class map captures statistics on all other traffic, i.e. traffic
not matched by the class ICMP.
- Apply the service policy to the interface:
R1(config)#interface g0/0
R1(config-if)#service-policy input PM_SAMPLER
To verify the traffic statistics, use the command show policy-map interface.
The other NetFlow verification commands still apply.
On a remote device, simulate ICMP traffic:
R2#ping 192.168.15.2 repeat 1000
R1#show policy-map interface g0/0 input
GigabitEthernet0/0
Service-policy input: PM_SAMPLER
Class-map: ICMP (match-all)
1000 packets, 114000 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: protocol icmp
NetFlow-sampler: ONE_TEN
Class-map: class-default (match-any)
25 packets, 2350 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
NetFlow-sampler: ONE_ONE
R1#
Verification
show ip flow export
Displays the statistics of the NetFlow export for the main cache and other enabled
caches.
R1#show ip flow export
Flow export v9 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 1.1.1.1 (Loopback0)
Destination(1) 192.168.14.2 (9999)
Version 9 flow records
388 flows exported in 311 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
27 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
R1#show ip flow export verbose
Flow export v9 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 1.1.1.1 (Loopback0)
Destination(1) 192.168.14.2 (9999)
Version 9 flow records
388 flows exported in 311 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
27 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
show ip flow export template
Displays statistics for the NetFlow data export for template specific configurations.
R1#show ip flow export template
Template Options Flag = 0
Total number of Templates added = 4
Total active Templates = 4
Flow Templates active = 4
Flow Templates added = 4
Option Templates active = 0
Option Templates added = 0
Template ager polls = 9546
Option Template ager polls = 0
Main cache version 9 export is enabled
Template export information
Template timeout = 30
Template refresh rate = 20
Option export information
Option timeout = 30
Option refresh rate = 20
R1#
Clearing NetFlow Stats on a Router
clear ip flow stats
Flexible NetFlow
Flexible NetFlow improves on original NetFlow by adding the capability to customize
the traffic analysis parameters for your specific requirements.
Flexible NetFlow is an extension of NetFlow v9. It provides additional functionality
that allows you to export more information using the same NetFlow v9 datagram.
Flexible NetFlow facilitates the creation of more complex configurations for traffic
analysis and data export through the use of templates, which are reusable
configuration components.
When configuring flexible NetFlow, consider the following:
- Ensure that the source interface is a loopback interface. Because this interface
does not go down, the source IP addresses in the NetFlow records are predictable.
- Set the active timeout to 1 minute using the command ip flow-cache timeout active 1.
Flexible NetFlow also supports configuring different destinations (collectors) for
different categories of traffic.
IPFIX
IPFIX (IP Flow Information eXport) is the standards-based method for exporting
flow information to a collector, published by the IETF. It is intended to serve as
a universal protocol for exporting flow information and allows extensive
flexibility in its configuration.
Cisco configuration commands treat the IPFIX export format as NetFlow version 10.
Configuration of Flexible NetFlow
To configure flexible NetFlow:
- Create a flow record: a flow record explicitly specifies what exactly we are
sampling. This creates the template to match on, which is built using the match
and collect commands.
- Define the flow record using the command flow record <flow-name>.
- Match the traffic category: the key fields are matched using the command
match [ipv4|ipv6|interface|flow|datalink|application|routing|transport]
Where:
Parameter | Description
transport [destination-port | igmp | icmp | source-port] | Specifies a match on transport layer fields.
ipv4 [destination | protocol | source | tos | ttl | version] | Specifies a match on IPv4 fields.
ipv6 [destination | hop-limit | protocol | source | traffic-class | version] | Specifies a match on IPv6 fields.
interface [input | output] | Specifies a match on interface fields.
datalink [dot1q | mac | vlan | ethertype] | Specifies a match on data link (Layer 2) fields.
At least one of these parameters must be configured for a flow record.
R3(config)#flow record FLOW-RECORD-G00
R3(config-flow-record)#description NetFlow Record for TTL, TOS, PACKET_LENGTH
R3(config-flow-record)#match interface input
R3(config-flow-record)#match interface output
R3(config-flow-record)#match ipv4 destination address
R3(config-flow-record)#match ipv4 destination mask
R3(config-flow-record)#match ipv4 source address
R3(config-flow-record)#match ipv4 source mask
R3(config-flow-record)#match ipv4 precedence
R3(config-flow-record)#match ipv4 protocol
R3(config-flow-record)#match ipv4 total-length
R3(config-flow-record)#match ipv4 ttl
R3(config-flow-record)#match ipv4 tos
- Specify the collection fields using the command
collect [counter | interface | timestamp absolute | transport tcp flags].
The following example collects the count of traffic in bytes: collect counter bytes.
Where:
Parameter | Description
transport tcp flags [ack | cwr | ece | fin | psh | rst | syn | urg] | Collects TCP flags. On switches, all TCP flags are collected; only on routers can the TCP flag type be specified.
timestamp absolute [first | last] | Collects the absolute time (in milliseconds) at which the first or the most recent packet of the flow was seen.
interface [input | output] | Collects fields from the input or output interface.
counter [bytes [layer2 [long] | long] | packets [long]] | Collects the counter fields: total bytes and total packets.
R3(config-flow-record)#collect datalink mac source address output
R3(config-flow-record)#collect counter packets long
R3(config-flow-record)#collect counter bytes long
R3(config-flow-record)#collect flow direction
R3(config-flow-record)#collect application name
R3(config-flow-record)#collect transport tcp flags
R3(config-flow-record)#collect transport tcp destination-port
R3(config-flow-record)#collect timestamp absolute first
R3(config-flow-record)#collect timestamp absolute last
- Create the flow exporter: define the export parameters for a flow.
- Define the flow exporter name using the command flow exporter <name>.
R3(config)#flow export FLOW-EXPORT-G00
- Specify the destination IPv4 address or hostname:
destination <ip-address> vrf <vrf-name>
R3(config-flow-exporter)#destination 192.168.15.2
- Specify the UDP port:
transport udp <1-65535>
R3(config-flow-exporter)#transport udp 9999
- Specify the NetFlow export version using the command
export [ipfix | netflow-v5 | netflow-v9].
R3(config-flow-exporter)#export ipfix
- Define the source interface:
R3(config-flow-exporter)#source g0/0
- Configure a flow monitor: the flow monitor ties the flow record to the flow
exporter. The flow monitor calls the flow record.
- Define the flow monitor name using the command flow monitor <name>.
R3(config)#flow monitor FLOW-MONITOR-G00
- Configure a description using the command description <text>.
R3(config-flow-monitor)#description NetFlow monitor for traffic transiting G0/0
- Specify the configured flow record using the command record <name>.
R3(config-flow-monitor)#record FLOW-RECORD-G00
- Specify the configured flow exporter using the command exporter <name>.
R3(config-flow-monitor)#exporter FLOW-EXPORT-G00
- Specify the active timeout in seconds using the command cache timeout active <1-604800>.
R3(config-flow-monitor)#cache timeout active 1
- Apply the flow monitor: associate a flow monitor and an optional flow sampler
with a Layer 2, Layer 3 or VLAN interface using the command
ip flow monitor <monitor-name> [sampler <sampler-name>] [input | output].
The direction can be input or output.
R1(config)#interface g2/0
R1(config-if)#ip flow monitor FLOW-MONITOR_G00 sampler ONETEN input
R1(config-if)#ip flow monitor FLOW-MONITOR_G00 sampler ONETEN output
Flow Sampler
A flow sampler can be added to the configuration as follows:
- Define the flow sampler using the command sampler <sampler-name>.
- Define the mode using the command mode [random | deterministic] 1 out-of <window-size>,
e.g. mode random 1 out-of 10.
- Link the sampler to the flow monitor using the interface command
ip flow monitor FNF sampler ONE_TEN input.
Verification
show flow record
Displays the configured flow records.
R3#show flow record
flow record FLOW-RECORD-G00:
Description: NetFlow Record for TTL, TOS, PACKET_LENGTH
No. of users: 1
Total field space: 70 bytes
Fields:
match ipv4 tos
match ipv4 precedence
match ipv4 total-length
match ipv4 ttl
match ipv4 protocol
match ipv4 source address
match ipv4 source mask
match ipv4 destination address
match ipv4 destination mask
match interface input
match interface output
collect datalink mac source address output
collect transport tcp destination-port
collect transport tcp flags
collect flow direction
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last
collect application name
show flow record netflow ipv4 original-input
Lists the built-in flow record templates in IOS; the example below shows the
original-output template.
R3#show flow record netflow ipv4 original-output
flow record netflow ipv4 original-output:
Description: Traditional IPv4 output NetFlow with ASs
No. of users: 0
Total field space: 53 bytes
Fields:
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface output
match flow sampler
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect ipv4 source mask
collect ipv4 destination mask
collect transport tcp flags
collect interface input
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
show flow record netflow ipv4 prefix
Displays the NetFlow record template for collecting IPv4 prefix information from
packets.
R3#show flow record netflow ipv4 prefix
flow record netflow ipv4 prefix:
Description: Source and Destination Prefixes aggregation schemes
No. of users: 0
Total field space: 38 bytes
Fields:
match routing source as
match routing destination as
match ipv4 source prefix
match ipv4 source mask
match ipv4 destination prefix
match ipv4 destination mask
match interface input
match interface output
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
show flow exporter
Displays NetFlow exporter configurations.
R3#show flow exporter
Flow Exporter FLOW-EXPORT-G00:
Description: NetFlow export to destination 192.168.15.2
Export protocol: IPFIX (Version 10)
Transport Configuration:
Destination IP address: 192.168.15.2
Source IP address: 192.168.13.2
Source Interface: GigabitEthernet0/0
Transport Protocol: UDP
Destination Port: 9999
Source Port: 59235
DSCP: 0x0
TTL: 255
Output Features: Not Used
show flow exporter templates
R3#show flow exporter templates
Flow Exporter FLOW-EXPORT-G00:
Client: Flow Monitor FLOW-MONITOR-G00
Exporter Format: IPFIX (Version 10)
Template ID : 256
Source ID : 0
Record Size : 70
Template layout
_____________________________________________________________________________
| Field | ID | Ent.ID | Offset | Size |
-----------------------------------------------------------------------------
| ipv4 source address | 8 | | 0 | 4 |
| ipv4 destination address | 12 | | 4 | 4 |
| interface input snmp | 10 | | 8 | 4 |
| interface output snmp | 14 | | 12 | 4 |
| ipv4 total-length | 190 | | 16 | 2 |
| ipv4 source mask | 9 | | 18 | 1 |
| ipv4 destination mask | 13 | | 19 | 1 |
| ip tos | 5 | | 20 | 1 |
| ip precedence | 196 | | 21 | 1 |
| ip protocol | 4 | | 22 | 1 |
| ip ttl | 192 | | 23 | 1 |
| transport tcp flags | 6 | | 24 | 1 |
| flow direction | 61 | | 25 | 1 |
| datalink mac source address output | 81 | | 26 | 6 |
| transport tcp destination-port | 183 | | 32 | 2 |
| application id | 95 | | 34 | 4 |
| counter bytes long | 1 | | 38 | 8 |
| counter packets long | 2 | | 46 | 8 |
| timestamp absolute first | 152 | | 54 | 8 |
| timestamp absolute last | 153 | | 62 | 8 |
-----------------------------------------------------------------------------
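The template layout above is what a collector needs to turn the 70-byte data records sent by FLOW-EXPORT-G00 into fields: each information element ID sits at a fixed offset and size. As an added example that is not part of this page or of Cisco's software, the following Python script encodes that exact layout, validates that the offsets are contiguous, builds a constructed record matching the ICMP flow from the cache dump later on this page (ifIndex values, application id and millisecond timestamps are made-up), wraps it in an IPFIX message per RFC 7011 and decodes it again while refusing set lengths that run past the message. Function names and the sample values are assumptions of this example.

```python
import struct
from ipaddress import IPv4Address

# Template 256 as reported by "show flow exporter templates":
# (field name, IPFIX information element ID, byte offset, size in bytes).
TEMPLATE_256 = [
    ("ipv4 source address", 8, 0, 4),
    ("ipv4 destination address", 12, 4, 4),
    ("interface input snmp", 10, 8, 4),
    ("interface output snmp", 14, 12, 4),
    ("ipv4 total-length", 190, 16, 2),
    ("ipv4 source mask", 9, 18, 1),
    ("ipv4 destination mask", 13, 19, 1),
    ("ip tos", 5, 20, 1),
    ("ip precedence", 196, 21, 1),
    ("ip protocol", 4, 22, 1),
    ("ip ttl", 192, 23, 1),
    ("transport tcp flags", 6, 24, 1),
    ("flow direction", 61, 25, 1),
    ("datalink mac source address output", 81, 26, 6),
    ("transport tcp destination-port", 183, 32, 2),
    ("application id", 95, 34, 4),
    ("counter bytes long", 1, 38, 8),
    ("counter packets long", 2, 46, 8),
    ("timestamp absolute first", 152, 54, 8),
    ("timestamp absolute last", 153, 62, 8),
]
TEMPLATE_ID, RECORD_SIZE, IPFIX_VERSION = 256, 70, 10

def validate_template(template=TEMPLATE_256, record_size=RECORD_SIZE):
    """Offsets must be contiguous and the fields must fill the record exactly."""
    expected = 0
    for name, _ie, offset, size in template:
        if offset != expected:
            raise ValueError(f"{name}: offset {offset}, expected {expected}")
        expected += size
    return expected == record_size

def _encode(value, size):
    if isinstance(value, str) and size == 4:      # dotted-quad IPv4 address
        return IPv4Address(value).packed
    if isinstance(value, str) and size == 6:      # MAC written as xxxx.xxxx.xxxx
        return bytes.fromhex(value.replace(".", ""))
    return int(value).to_bytes(size, "big")       # everything else: big-endian unsigned

def _decode(name, raw):
    if len(raw) == 4 and "address" in name:
        return str(IPv4Address(raw))
    if len(raw) == 6:
        return ":".join(f"{b:02x}" for b in raw)
    return int.from_bytes(raw, "big")

def build_record(fields):
    """Serialize one flow as the 70-byte data record the exporter would emit."""
    return b"".join(_encode(fields[n], s) for n, _ie, _off, s in TEMPLATE_256)

def parse_record(data):
    if len(data) != RECORD_SIZE:
        raise ValueError(f"expected {RECORD_SIZE} bytes, got {len(data)}")
    return {n: _decode(n, data[o:o + s]) for n, _ie, o, s in TEMPLATE_256}

def build_message(records, export_time=0, seq=0, domain=0):
    """IPFIX message: 16-byte header followed by one data set for template 256."""
    body = b"".join(records)
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(data_set), export_time, seq, domain)
    return header + data_set

def parse_message(msg):
    """Collector side: walk the sets, decode those carrying template 256, skip the rest."""
    version, length, _export_time, seq, domain = struct.unpack("!HHIII", msg[:16])
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    flows, pos = [], 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[pos:pos + 4])
        if set_len < 4 or pos + set_len > length:
            raise ValueError("set length runs past the message")   # never trust the wire
        if set_id == TEMPLATE_ID:
            payload = msg[pos + 4:pos + set_len]
            usable = len(payload) - len(payload) % RECORD_SIZE       # drop trailing padding
            flows += [parse_record(payload[i:i + RECORD_SIZE]) for i in range(0, usable, RECORD_SIZE)]
        pos += set_len
    return seq, domain, flows

# Constructed sample: the ICMP flow from the cache dump on this page. ifIndex values,
# application id and the millisecond timestamps are made-up for the example.
ICMP_FLOW = {
    "ipv4 source address": "192.168.15.2", "ipv4 destination address": "192.168.13.2",
    "interface input snmp": 1, "interface output snmp": 0,
    "ipv4 total-length": 56, "ipv4 source mask": 30, "ipv4 destination mask": 0,
    "ip tos": 0xC0, "ip precedence": 6, "ip protocol": 1, "ip ttl": 253,
    "transport tcp flags": 0, "flow direction": 0,   # 0 = ingress
    "datalink mac source address output": "0000.0000.0000",
    "transport tcp destination-port": 0, "application id": 0,
    "counter bytes long": 56, "counter packets long": 1,
    "timestamp absolute first": 824970, "timestamp absolute last": 824970,
}
```

A quick run is `parse_message(build_message([build_record(ICMP_FLOW)], seq=175))`, which returns the sequence number, observation domain and a list with the decoded flow. The length checks matter in practice: a collector listening on UDP 9999 receives whatever arrives, and a set length larger than the datagram must be rejected rather than read past the buffer.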
show flow exporter statistics
Displays details of NetFlow exporter statistics such as bytes sent, number of records
added and sent.
R3#show flow exporter statistics
Flow Exporter FLOW-EXPORT-G00:
Packet send statistics (last cleared 02:08:51 ago):
Successfully sent: 155 (20566 bytes)
Client send statistics:
Client: Flow Monitor FLOW-MONITOR-G00
Records added: 175
- sent: 175
Bytes added: 12250
- sent: 12250
show flow monitor <flow-monitor-name>
Displays Flow monitor information.
R3#show flow monitor
Flow Monitor FLOW-MONITOR-G00:
Description: NetFlow monitor for traffic transiting G0/0
Flow Record: FLOW-RECORD-G00
Flow Exporter: FLOW-EXPORT-G00
Cache:
Type: normal
Status: allocated
Size: 4096 entries / 442396 bytes
Inactive Timeout: 15 secs
Active Timeout: 60 secs
Update Timeout: 1800 secs
show flow monitor <flow-monitor-name> cache
Displays Flow monitor cache contents.
R3#show flow monitor FLOW-MONITOR-G00 cache
Cache type: Normal
Cache size: 4096
Current entries: 2
High Watermark: 5
Flows added: 319
Flows aged: 317
- Active timeout ( 60 secs) 68
- Inactive timeout ( 15 secs) 249
- Event aged 0
- Watermark aged 0
- Emergency aged 0
IPV4 TOTAL LENGTH: 56
IPV4 SOURCE ADDRESS: 192.168.15.2
IPV4 SOURCE MASK: /30
IPV4 DESTINATION ADDRESS: 192.168.13.2
IPV4 DESTINATION MASK: /0
INTERFACE INPUT: Gi0/0
INTERFACE OUTPUT: Null
IP TOS: 0xC0
IP PRECEDENCE: 6
IP PROTOCOL: 1
IP TTL: 253
datalink mac source address output: 0000.0000.0000
tcp destination port: 0
tcp flags: 0x00
flow direction: Input
counter bytes long: 56
counter packets long: 1
timestamp abs first: 00:13:44.970
timestamp abs last: 00:13:44.970
application name: prot icmp
IPV4 TOTAL LENGTH: 80
IPV4 SOURCE ADDRESS: 192.168.13.1
IPV4 SOURCE MASK: /30
IPV4 DESTINATION ADDRESS: 224.0.0.5
IPV4 DESTINATION MASK: /0
INTERFACE INPUT: Gi0/0
INTERFACE OUTPUT: Null
IP TOS: 0xC0
IP PRECEDENCE: 6
IP PROTOCOL: 89
IP TTL: 1
datalink mac source address output: 0000.0000.0000
tcp destination port: 0
tcp flags: 0x00
flow direction: Input
counter bytes long: 80
counter packets long: 1
timestamp abs first: 00:13:49.766
timestamp abs last: 00:13:49.766
application name: cisco unclassified
show flow monitor <flow-monitor-name> statistics
Displays Flow monitor statistics.
R3#show flow monitor FLOW-MONITOR-G00 statistics
Cache type: Normal
Cache size: 4096
Current entries: 2
High Watermark: 5
Flows added: 320
Flows aged: 318
- Active timeout ( 60 secs) 68
- Inactive timeout ( 15 secs) 250
- Event aged 0
- Watermark aged 0
- Emergency aged 0
R3#
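The monitor above ages flows out of the cache on a 15-second inactive timeout and a 60-second active timeout, and the statistics count how many flows left for each reason. The consequence for anyone analyzing the exported records is that one long connection is exported as several records and must be stitched back together before its duration or volume can be judged. The following Python script is an added example, not code from this page or from Cisco: a toy "normal" cache with those two timeouts, fed constructed traffic (a 300-second session with one packet every 5 seconds, and a short ICMP burst), plus a collector-side stitch step that merges records of the same key whose gap is within the inactive timeout. The flow key is a simplified 4-tuple; the class and function names are assumptions of this example.

```python
from dataclasses import dataclass

INACTIVE_TIMEOUT = 15   # secs, "Inactive Timeout" in show flow monitor above
ACTIVE_TIMEOUT = 60     # secs, "Active Timeout"

@dataclass
class Record:
    key: tuple        # constructed 4-tuple (src, dst, proto, dst_port); the real key has more fields
    first: int        # seconds
    last: int
    packets: int
    octets: int
    reason: str = ""  # why it left the cache: active, inactive, emergency, or stitched

class FlowCache:
    def __init__(self, size=4096, active=ACTIVE_TIMEOUT, inactive=INACTIVE_TIMEOUT):
        self.size, self.active, self.inactive = size, active, inactive
        self.entries = {}     # key -> live Record, the "Current entries" of the cache
        self.exported = []    # records handed to the exporter
        self.stats = {"added": 0, "active": 0, "inactive": 0, "emergency": 0}

    def _age(self, key, reason):
        rec = self.entries.pop(key)
        rec.reason = reason
        self.exported.append(rec)
        self.stats[reason] += 1

    def expire(self, now):
        """Age entries the way the 'Flows aged' counters above classify them."""
        for key, rec in list(self.entries.items()):
            if now - rec.last >= self.inactive:     # no packet for 15 s: the flow is over
                self._age(key, "inactive")
            elif now - rec.first >= self.active:    # still busy after 60 s: export a slice
                self._age(key, "active")

    def packet(self, now, key, length):
        self.expire(now)
        rec = self.entries.get(key)
        if rec is None:
            if len(self.entries) >= self.size:      # cache full: emergency-age the stalest entry
                self._age(min(self.entries, key=lambda k: self.entries[k].last), "emergency")
            rec = self.entries[key] = Record(key, now, now, 0, 0)
            self.stats["added"] += 1
        rec.last, rec.packets, rec.octets = now, rec.packets + 1, rec.octets + length

def stitch(records, gap=INACTIVE_TIMEOUT):
    """Collector side: merge consecutive records of one key whose gap is within the
    inactive timeout, recovering the whole session from its timeout-split pieces."""
    sessions = {}
    for rec in sorted(records, key=lambda r: (r.key, r.first)):
        runs = sessions.setdefault(rec.key, [])
        if runs and rec.first - runs[-1].last <= gap:
            cur = runs[-1]
            cur.last, cur.packets, cur.octets = rec.last, cur.packets + rec.packets, cur.octets + rec.octets
        else:
            runs.append(Record(rec.key, rec.first, rec.last, rec.packets, rec.octets, "stitched"))
    return sessions

# Constructed traffic: a 300 s TLS session sending one 1000-byte packet every 5 s,
# and four ICMP packets followed by silence.
LONG = ("10.0.0.5", "198.51.100.7", 6, 443)
PING = ("192.168.15.2", "192.168.13.2", 1, 0)

def run_scenario():
    cache = FlowCache()
    events = [(t, LONG, 1000) for t in range(0, 301, 5)] + [(t, PING, 56) for t in (1, 2, 3, 4)]
    for now, key, length in sorted(events):
        cache.packet(now, key, length)
    cache.expire(400)   # nothing else arrives; what is left ages out on the inactive timeout
    return cache

if __name__ == "__main__":
    cache = run_scenario()
    print(cache.stats)
    for rec in cache.exported:
        print(rec)
    for key, runs in stitch(cache.exported).items():
        print("stitched", key, runs)
```

With these timeouts the 300-second session leaves the cache as five active-timeout slices of 12 packets each plus a final one-packet record, while the ping burst becomes a single inactive-timeout record; stitching recovers one 61-packet session for the long key. The same logic explains why a detection rule written against raw records (for example "sessions longer than 5 minutes") will never fire unless the collector stitches first.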
Troubleshooting
Common NetFlow configuration problems on the VSM can occur if you attempt to do
the following:
- Use undefined records, exporters, samplers, or monitors
- Use invalid records, exporters, samplers, or monitors
- Modify records, exporters, samplers, or monitors after they are applied to an interface
- Configure a monitor on an interface which causes the VEM to run out of
memory and results in a verification error.
- Consider the unidirectional nature of NetFlow traffic. Verify using the following
commands: ip flow ingress, ip flow egress and show ip flow interface.
- Consider the appropriate interface. Verify configured interfaces using
show ip flow interface.
- Consider exporting to a collector: verify configured settings using
show ip flow export.
- Consider the source of NetFlow export packets; verify with the commands
ip flow-export source <interface> and show ip flow export.
- Consider versions 5 and 9, with version 9 being the more popular choice. Verify
using the commands ip flow-export version [5|9] and show ip flow export.
- Avoid duplication: when monitoring only one interface, configure both
ip flow ingress and ip flow egress. When monitoring more than one interface,
configure ip flow ingress only.