Flow key-fields

  • Source IP
  • Destination IP
  • Source port
  • Destination port
  • Layer 3 protocol type
  • ToS
  • Logical interface (ifIndex)

The flows are stored in the NetFlow cache.

NetFlow operations

  • Create and update flows in the NetFlow cache
  • Flows expire locally on the router
    NetFlow exports its data only when a flow expires in the NetFlow cache!

    • Inactivity timer (15 seconds by default)
      e.g. a ping has finished and NetFlow sees no further traffic for that flow for 15 seconds; it then sends the collected information to the collector
    • Active timer expired (30 minutes by default)
      e.g. a long FTP session stays up for more than 30 minutes; NetFlow sends the information to the collector every 30 minutes and again when the session finishes
    • NetFlow cache is full (FIFO)
    • TCP RST or FIN flag seen
  • Aggregate
    For example it can aggregate flows for the same IP or port etc.
    When an aggregation scheme is configured and a flow expires, the aggregation data is exported as well.
  • Export the flow information
    • Non-aggregated flows: version 5 or 9
    • Aggregated flows: version 8 or 9
    • Transport protocol: UDP or SCTP
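The key fields and the four expiry conditions above are easiest to see in a small model of the cache. The following is an added example written for this page, not Cisco code: a toy NetFlow cache keyed on the seven fields, with the inactive timer, active timer, TCP FIN/RST and FIFO eviction implemented as described, fed with constructed traffic (a short ping, a long FTP control session, a burst of DNS). The defender's point it makes is that the collector learns nothing about a flow until it expires, so a session that stays active is first reported only when the active timer fires (30 minutes later by default). The cache size, addresses and timings are constructed for the demo; the ICMP "destination port" holding type*256+code follows IOS practice.

```python
# Added illustration of the NetFlow cache described above; a toy model, not Cisco code.
from dataclasses import dataclass
from typing import NamedTuple

INACTIVE_TIMEOUT = 15        # seconds, IOS default inactive timer
ACTIVE_TIMEOUT = 30 * 60     # seconds, IOS default active timer
CACHE_SIZE = 4               # constructed, tiny, so the "cache full" case is reachable
ICMP, TCP, UDP = 1, 6, 17
FIN, RST = 0x01, 0x04        # TCP flag bits as NetFlow records them


class FlowKey(NamedTuple):
    """The seven key fields: packets sharing all seven belong to one flow."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int      # for ICMP, IOS stores type*256+code here
    proto: int
    tos: int
    if_index: int


@dataclass
class FlowEntry:
    first: float       # time of first packet (drives the active timer)
    last: float        # time of most recent packet (drives the inactive timer)
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0


class NetFlowCache:
    def __init__(self):
        self.cache: dict[FlowKey, FlowEntry] = {}   # dict order == insertion order == FIFO
        self.exported: list[tuple[str, FlowKey, FlowEntry]] = []

    def _export(self, key: FlowKey, reason: str) -> None:
        # Expiry is the only moment the collector ever hears about this flow
        self.exported.append((reason, key, self.cache.pop(key)))

    def age(self, now: float) -> None:
        """Expire flows the way the router's cache ager does."""
        for key, entry in list(self.cache.items()):
            if now - entry.last >= INACTIVE_TIMEOUT:
                self._export(key, "inactive timer")
            elif now - entry.first >= ACTIVE_TIMEOUT:
                self._export(key, "active timer")

    def packet(self, now: float, key: FlowKey, size: int, tcp_flags: int = 0) -> None:
        self.age(now)
        entry = self.cache.get(key)
        if entry is None:
            if len(self.cache) >= CACHE_SIZE:
                self._export(next(iter(self.cache)), "cache full")   # FIFO victim
            entry = self.cache[key] = FlowEntry(first=now, last=now)
        entry.last = now
        entry.packets += 1
        entry.octets += size
        entry.tcp_flags |= tcp_flags
        if key.proto == TCP and tcp_flags & (FIN | RST):
            self._export(key, "tcp fin/rst")


def demo() -> list[tuple[str, FlowKey, FlowEntry]]:
    """Constructed traffic: a short ping, a long FTP control session, a burst of DNS."""
    c = NetFlowCache()
    ping = FlowKey("10.0.0.5", "10.0.0.1", 0, 0x0800, ICMP, 0, 1)   # echo request
    ftp = FlowKey("10.0.0.5", "10.0.0.9", 40000, 21, TCP, 0, 1)
    events = [(t, ping, 84, 0) for t in range(4)]                    # 4 echoes, 1 s apart
    events += [(t, ftp, 60, 0) for t in range(0, 31 * 60 + 1, 10)]   # FTP talks for 31 min
    events.append((1865, ftp, 60, FIN))                              # client closes session
    events += [(1870, FlowKey("10.0.0.5", f"10.0.1.{i}", 50000 + i, 53, UDP, 0, 1), 70, 0)
               for i in range(CACHE_SIZE + 1)]                       # one flow too many
    for t, key, size, flags in sorted(events, key=lambda e: e[0]):   # stable sort by time
        c.packet(t, key, size, flags)
    return c.exported


def export_reasons(exported) -> list[str]:
    return [reason for reason, _, _ in exported]


if __name__ == "__main__":
    for reason, key, entry in demo():
        print(f"{reason:15} {key.src_ip}->{key.dst_ip}:{key.dst_port} proto={key.proto} "
              f"pkts={entry.packets} octets={entry.octets} seen {entry.first}-{entry.last}")
```

Running it shows the ping exported by the inactive timer once no echo has been seen for 15 s, the FTP session exported first at t=1800 s by the active timer (with its counters restarted) and again on the FIN, and the fifth DNS flow evicting the oldest entry because the cache is full.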

NetFlow export versions

  • Version 5 includes BGP AS information
  • Version 7 is only supported on the Catalyst
  • Version 8 added aggregation support
  • Version 9 is flexible and extensible using templates. Includes
    – BGP next hop, Multicast, MPLS, L2, etc.
  • Version 10, IETF IP Flow Information eXport (IPFIX), is underway, using the best features of version 9.

NetFlow pre-processing

  • Packet Sampling
    Sets up statistical sampling of network traffic for traffic engineering or capacity planning
  • Filtering
    Sets up a specific subset of network traffic for class-based traffic analysis

NetFlow templates

NetFlow sends templates to the collector, so the collector knows what type of flow data will be sent.

  • Options template
  • Flow record template

Basic configuration

ip flow-export source Loopback1
ip flow-export destination 10.0.0.1 9995 vrf BLUE     // UDP
ip flow-export version 9
!
interface Fa0/0
  ip flow ingress
  ip flow egress

Verification

Router1#show ip flow export 
Flow export v9 is enabled for main cache
 Export source and destination details : 
 VRF ID : 1
 Source(1) 10.1.1.1 (Loopback1)
 Destination(1) 10.0.0.1 (9995)
 Version 9 flow records
 2013643724 flows exported in 69676340 udp datagrams
 5982622 flows failed due to lack of export packet
 67660275 export packets were sent up to process level
 0 export packets were dropped due to no fib
 0 export packets were dropped due to adjacency issues
 0 export packets were dropped due to fragmentation failures
 0 export packets were dropped due to encapsulation fixup failures

Router1#sho ip flow interface 
FastEthernet0/0
 ip flow ingress
 ip flow egress

Router1#sho ip flow export template 
 Template Options Flag = 0
 Total number of Templates added = 2
 Total active Templates = 2
 Flow Templates active = 2
 Flow Templates added = 2
 Option Templates active = 0
 Option Templates added = 0
 Template ager polls = 96492101
 Option Template ager polls = 0
Main cache version 9 export is enabled
 Template export information
 Template timeout = 30
 Template refresh rate = 20
 Option export information
 Option timeout = 30
 Option refresh rate = 20

show ip cache flow

This gives statistics, historic information and the currently active flows. You can get more information with the “verbose” keyword.

[Screenshot: show ip cache flow output (sho-ip-cache-flow.PNG)]

An asterisk (*) at the end of the interface name means it is an egress flow.

[Screenshot: cache flow output (cache-flow.PNG)]


Top talkers

You can check the top talkers but first you need to enable this feature:

R1(config)#ip flow-top-talkers
R1(config-flow-top-talkers)#top 10
R1(config-flow-top-talkers)#sort-by packets
R1(config-flow-top-talkers)#match protocol 1

[Screenshot: top talkers output (top-talkers.PNG)]

Flow sampler

R1(config)#flow-sampler-map Med-SAMPLER
R1(config-sampler)#mode random one-out-of 10
R1(config)#interface Fa0/0
R1(config-subif)#no ip flow egress
R1(config-subif)#flow-sampler Med-SAMPLER egress

You can set how the sampling happens.

If you leave the “ip flow egress” command in the interface config, then ip flow wins and collects all packets (not just one out of X).


Modifying templates

ip flow-export template refresh-rate 1
ip flow-export template timeout-rate 1

ip flow-export template options refresh-rate 10
ip flow-export template options timeout-rate 20
show ip flow export template
<...>
Main cache version 9 export is enabled
 Template export information
 Template timeout = 1
 Template refresh rate = 1
 Option export information
 Option timeout = 20
 Option refresh rate = 10

Important

NetFlow only works on physical interfaces and their subinterfaces, not on loopback, tunnel, VLAN, etc. interfaces.
If a subinterface is monitored, NetFlow stops collecting information from the main interface (even if it is configured there).

Some supervisor engines, such as Supervisor Engine 720 and earlier hardware, do not support egress NetFlow accounting for unicast traffic; it is supported only for multicast traffic. Supervisor Engine 2T, however, supports ingress and egress NetFlow accounting for unicast traffic.