Chapter 5: IP Services – Implementing NetFlow

NetFlow is a software feature set in Cisco IOS designed to give network administrators information about what is happening in the network, so that those responsible for it can make appropriate design and configuration changes and monitor for network attacks. NetFlow has been included in Cisco IOS for a long time and has evolved through several versions (currently version 9). Cisco has renamed the feature Cisco Flexible NetFlow, but the change is more than a renaming. The original NetFlow implementation used a fixed set of seven key fields (a 7-tuple) to identify a flow. Flexible NetFlow lets a user configure the key fields that identify a flow, so that monitoring can target a particular flow more specifically.
The components of NetFlow are:
Records: A set of predefined and user-defined key fields (such as source IP address, destination IP address, source port, and so on) for network monitoring.
Flow monitors: Applied to an interface, flow monitors include records, a cache, and optionally a flow exporter. The flow monitor cache collects information about flows.
Flow exporters: These export the cached flow information to outside systems (typically a server running a NetFlow collector).
Flow samplers: Designed to reduce the load on NetFlow-enabled devices, flow samplers let you specify the proportion of traffic that NetFlow analyzes, as a ratio of 1:2 through 1:32768 packets. That is, the number of packets analyzed is configurable from 1/2 to 1/32768 of the packets flowing across the interface.

Configuring NetFlow in its most basic form uses predefined flow records, configured for collection by a flow monitor, and at least one flow exporter. Example 5-7 shows a basic NetFlow configuration for collecting information and statistics on IPv4 traffic using the predefined IPv4 record, and for configuring some timer settings to show their structure. An exporter is configured to send the collected information to a server at 192.168.1.110 on UDP port 1333, and with a Differentiated Services Code Point (DSCP) of 8 on the exported packets. The process consists of three steps: configuring the NetFlow monitor, applying it to an interface, and configuring an exporter.

Example 5-7: Basic NetFlow Monitor and Exporter Configuration
EastEdge#show run | begin flow
flow exporter ipv4flowexport
 destination 192.168.1.110
 dscp 8
 transport udp 1333
!
flow monitor ipv4flow
 description Monitors all IPv4 traffic
 record netflow ipv4 original-input
 cache timeout inactive 600
 cache timeout active 180
 cache entries 5000
 statistics packet protocol
!
interface FastEthernet0/0
 ip address 192.168.39.9 255.255.255.0
 ip flow monitor ipv4flow input
! output omitted
You can verify NetFlow configuration using these commands:
show flow record
show flow monitor
show flow exporter
show flow interface
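
As an added example (not part of the original page or of Cisco's tooling), the Python sketch below audits a saved running-config excerpt for the wiring described above: every exporter has a destination, every monitor has a record and references an exporter, and every interface points at a monitor that exists. The function names and the abridged sample text are assumptions made for illustration.

```python
# Excerpt abridged from the example above; sub-commands are indented one space (assumption).
SAMPLE = """\
flow exporter ipv4flowexport
 destination 192.168.1.110
 transport udp 1333
!
flow monitor ipv4flow
 record netflow ipv4 original-input
!
interface FastEthernet0/0
 ip flow monitor ipv4flow input
"""

def parse_sections(config):
    """Group indented sub-commands under their top-level command line."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip().startswith("!"):
            continue
        if line[0] != " ":
            current = sections.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return sections

def audit_netflow(config):
    """Report gaps in how exporters, monitors and interfaces are wired."""
    sec = parse_sections(config)
    exporters = {k.split()[2]: v for k, v in sec.items() if k.startswith("flow exporter ")}
    monitors = {k.split()[2]: v for k, v in sec.items() if k.startswith("flow monitor ")}
    findings = []
    for name, cmds in exporters.items():
        if not any(c.startswith("destination ") for c in cmds):
            findings.append(f"exporter {name}: no destination")
    for name, cmds in monitors.items():
        if not any(c.startswith("record ") for c in cmds):
            findings.append(f"monitor {name}: no record")
        attached = [c.split()[1] for c in cmds if c.startswith("exporter ")]
        if not attached:
            findings.append(f"monitor {name}: no exporter attached, cache only")
        findings += [f"monitor {name}: exporter {e} undefined" for e in attached if e not in exporters]
    for key, cmds in sec.items():
        for w in (c.split() for c in cmds):
            if key.startswith("interface ") and w[:3] == ["ip", "flow", "monitor"] and len(w) > 3 and w[3] not in monitors:
                findings.append(f"{key}: monitor {w[3]} undefined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_netflow(SAMPLE)) or "no findings")
```

The `exporter <name>` sub-command under `flow monitor` is what attaches an exporter to a monitor. The excerpt as printed shows none, so the check reports the monitor as cache only.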
