NetFlow is a software feature set in Cisco IOS that is designed to give network administrators information about what is happening in the network, so that those responsible for the network can make appropriate design and configuration changes and monitor for network attacks. NetFlow has been included in Cisco IOS for a long time and has evolved through several versions (currently version 9). Cisco has renamed the feature Cisco Flexible NetFlow. It is more than just a renaming, however. The original NetFlow implementation included a fixed set of seven tuples that identified a flow. Flexible NetFlow allows a user to configure the number of tuples to more specifically target a particular flow to monitor.
The components of NetFlow are:
■ Records: A set of predefined and user-defined key fields (such as source IP address, destination IP address, source port, and so on) for network monitoring.
■ Flow monitors: Applied to an interface, flow monitors include records, a cache, and optionally a flow exporter. The flow monitor cache collects information about flows.
■ Flow exporters: These export the cached flow information to outside systems (typically a server running a NetFlow collector).
■ Flow samplers: Designed to reduce the load on NetFlow-enabled devices, flow samplers allow specifying the sample size of traffic that NetFlow analyzes, at a ratio of 1:2 through 1:32768 packets. That is, the number of packets analyzed is configurable from 1/2 to 1/32768 of the packets flowing across the interface.
Configuring NetFlow in its most basic form uses predefined flow records, configured for
collection by a flow monitor, and at least one flow exporter. Example 5-7 shows a basic
NetFlow configuration for collecting information and statistics on IPv4 traffic using the
predefined IPv4 record, and for configuring some timer settings to show their structure.
An exporter is configured to send the collected information to a server at 192.168.1.110
on UDP port 1333, and with a Differentiated Services Code Point (DSCP) of 8 on the
exported packets. The process consists of three steps: configuring the NetFlow monitor,
applying it to an interface, and configuring an exporter.
Example: Basic NetFlow Monitor and Exporter Configuration
EastEdge#show run | begin flow
flow exporter ipv4flowexport
 destination 192.168.1.110
 dscp 8
 transport udp 1333
!
flow monitor ipv4flow
 description Monitors all IPv4 traffic
 record netflow ipv4 original-input
 cache timeout inactive 600
 cache timeout active 180
 cache entries 5000
 statistics packet protocol
!
interface FastEthernet0/0
 ip address 192.168.39.9 255.255.255.0
 ip flow monitor ipv4flow input
! output omitted
You can verify NetFlow configuration using these commands:
■ show flow record
■ show flow monitor
■ show flow exporter
■ show flow interface
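The record, monitor, exporter, and interface chain that these show commands verify on the device can also be checked offline against a saved running configuration; the Python below is an added example, not from the original text or from Cisco. The function names and SAMPLE_CONFIG (a constructed, trimmed copy of the configuration above) are assumptions; on that configuration the check reports that the flow monitor block contains no exporter line, so the exporter to 192.168.1.110 is defined but not attached to the monitor.

```python
# Constructed sample: the running-config above, trimmed to the lines the audit reads.
SAMPLE_CONFIG = """\
flow exporter ipv4flowexport
 destination 192.168.1.110
 transport udp 1333
!
flow monitor ipv4flow
 record netflow ipv4 original-input
!
interface FastEthernet0/0
 ip address 192.168.39.9 255.255.255.0
 ip flow monitor ipv4flow input
"""

def parse_blocks(config):
    """Map each top-level command to the list of sub-commands indented under it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None                      # a separator ends the block
        elif line[0].isspace() and current is not None:
            blocks[current].append(line.strip())
        elif not line[0].isspace():
            current = line.strip()
            blocks[current] = []
    return blocks

def audit_netflow(config):
    """Return findings on the record -> monitor -> exporter -> interface chain."""
    blocks = parse_blocks(config)
    named = lambda kind: {h.split()[2]: b for h, b in blocks.items()
                          if h.startswith(f"flow {kind} ")}
    exporters, monitors, findings = named("exporter"), named("monitor"), []
    for name, body in monitors.items():
        if not any(c.startswith("record ") for c in body):
            findings.append(f"monitor {name}: no record configured")
        attached = [c.split()[1] for c in body if c.startswith("exporter ")]
        if not attached:                        # flows are cached but never exported
            findings.append(f"monitor {name}: no exporter attached")
        findings += [f"monitor {name}: exporter {e} not defined"
                     for e in attached if e not in exporters]
    for name, body in exporters.items():
        if not any(c.startswith("destination ") for c in body):
            findings.append(f"exporter {name}: no destination configured")
    for header, body in blocks.items():
        for words in (c.split() for c in body if header.startswith("interface ")):
            if words[:3] == ["ip", "flow", "monitor"] and len(words) > 3 and words[3] not in monitors:
                findings.append(f"{header}: monitor {words[3]} not defined")
    return findings
```

Adding the line exporter ipv4flowexport under flow monitor ipv4flow clears the finding.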