- Source IP
- Destination IP
- Source port
- Destination port
- Layer 3 protocol type
- Logical interface (ifIndex)
The flows are stored in the NetFlow cache.
- Create and update flow in NetFlow cache
- Flows expire locally on router
NetFlow exports its data only when a flow expires in the NetFlow cache!
- Inactivity Timer (15 seconds by default)
i.e. a ping finishes and NetFlow sees no more traffic for that flow for 15 seconds; it then sends the collected information to the collector.
- Active Timer expired (30 minutes default)
i.e. a long FTP session stays up for more than 30 minutes; NetFlow sends the information to the collector every 30 minutes, or when the session finishes.
- Netflow cache is full (FIFO)
- TCP RST or FIN Flag seen
NetFlow can also aggregate flows, for example flows for the same IP or port, etc.
When an aggregation scheme is configured and a flow expires, the aggregation data will also be exported.
- Export the flow information
- Non-aggregated flows: version 5 or 9
- Aggregated flows: version 8 or 9
- Transport protocol: UDP or SCTP
Netflow exporting versions
- Version 5 includes BGP AS information
- Version 7 only supported on the Catalyst
- Version 8 added aggregation support
- Version 9 is flexible and extensible using templates. Includes BGP next hop, multicast, MPLS, L2, etc.
- Version 10, IETF IP Flow Information eXport (IPFIX), is underway, using the best features of version 9.
Netflow Pre Processing
- Packet Sampling
Sets up statistical sampling of network traffic for traffic engineering or capacity planning
Sets up a specific subset of network traffic for class-based traffic analysis
NetFlow sends a template to the collector, so the collector knows what type of flow data will be sent.
- Options template
- Flow record template
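As an added example (not from the original notes), the Python script below builds a constructed NetFlow v9 export containing one flow record template followed by one data FlowSet, then parses it the way a collector does: templates are learned from FlowSet ID 0, and a data FlowSet can only be decoded once its template has been seen. The field type IDs are those of RFC 3954; the addresses, ports and counters are made up.

```python
import struct
from ipaddress import IPv4Address

# Subset of NetFlow v9 field types (RFC 3954, section 8); IDs are the real ones
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 6: "tcp_flags",
               7: "src_port", 8: "src_addr", 11: "dst_port", 12: "dst_addr"}

def build_packet():
    """Constructed export: header + template FlowSet (ID 0) + data FlowSet (ID 256)."""
    template_id, fields = 256, [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (2, 4), (1, 4)]
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_set = struct.pack("!HH", 0, 4 + len(body)) + body
    # One record, laid out in template field order (SYN+ACK on an SSH flow, made up)
    rec = (IPv4Address("192.0.2.10").packed + IPv4Address("198.51.100.7").packed
           + struct.pack("!HHBBII", 51234, 22, 6, 0x12, 4, 256))
    pad = b"\x00" * ((4 - (4 + len(rec)) % 4) % 4)  # FlowSets are padded to 32 bits
    data_set = struct.pack("!HH", template_id, 4 + len(rec) + len(pad)) + rec + pad
    header = struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 1, 0)  # version, count, uptime, secs, seq, source id
    return header + tmpl_set + data_set

def parse_v9(packet, templates=None):
    """Walk the FlowSets; learn templates, decode data records with a known template."""
    templates = {} if templates is None else templates  # persists across packets in a real collector
    version = struct.unpack_from("!H", packet)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    flows, off = [], 20
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, off)
        if set_len < 4:
            raise ValueError("bad FlowSet length")  # refuse to loop forever on a malformed set
        end, pos = off + set_len, off + 4
        if set_id == 0:  # template FlowSet, may carry several templates
            while pos + 4 <= end:
                tid, nfields = struct.unpack_from("!HH", packet, pos)
                templates[tid] = [struct.unpack_from("!HH", packet, pos + 4 + 4 * i) for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif set_id >= 256 and set_id in templates:  # data FlowSet with a template we know
            fields = templates[set_id]
            rec_len = sum(l for _, l in fields)
            while pos + rec_len <= end:  # trailing padding is shorter than one record
                rec = {}
                for ftype, flen in fields:
                    raw, pos = packet[pos:pos + flen], pos + flen
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    rec[name] = str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                flows.append(rec)
        # Options templates (ID 1) and data whose template has not arrived yet are skipped
        off = end
    return flows
```

Data that arrives before its template is silently dropped, which is why the template refresh and timeout rates matter when a collector restarts.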
ip flow-export source Loopback1
ip flow-export destination 10.0.0.1 9995 vrf BLUE   // UDP
ip flow-export version 9
!
interface Fa0/0
 ip flow ingress
 ip flow egress
Router1#show ip flow export
Flow export v9 is enabled for main cache
  Export source and destination details :
  VRF ID : 1
    Source(1)       10.1.1.1 (Loopback1)
    Destination(1)  10.0.0.1 (9995)
  Version 9 flow records
  2013643724 flows exported in 69676340 udp datagrams
  5982622 flows failed due to lack of export packet
  67660275 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures

Router1#sho ip flow interface
FastEthernet0/0
  ip flow ingress
  ip flow egress

Router1#sho ip flow export template
  Template Options Flag = 0
  Total number of Templates added = 2
  Total active Templates = 2
  Flow Templates active = 2
  Flow Templates added = 2
  Option Templates active = 0
  Option Templates added = 0
  Template ager polls = 96492101
  Option Template ager polls = 0
  Main cache version 9 export is enabled
  Template export information
    Template timeout = 30
    Template refresh rate = 20
  Option export information
    Option timeout = 30
    Option refresh rate = 20
show ip cache flow
This gives statistics, historic information and the currently active flows. You can get more information with the “verbose” keyword.
An * symbol at the end of an interface name means it is an egress flow.
You can check the top talkers but first you need to enable this feature:
R1(config)#ip flow-top-talkers
R1(config-flow-top-talkers)#top 10
R1(config-flow-top-talkers)#sort-by packets
R1(config-flow-top-talkers)#match protocol 1
You can set how the sampling happens:

R1(config)#flow-sampler-map Med-SAMPLER
R1(config-sampler)#mode random one-out-of 10
R1(config)#interface Fa0/0
R1(config-subif)#no ip flow egress
R1(config-subif)#flow-sampler Med-SAMPLER egress

If you leave the “ip flow egress” command in the interface config, then ip flow wins and collects every packet (not just one out of X).
ip flow-export template refresh-rate 1
ip flow-export template timeout-rate 1
ip flow-export template options refresh-rate 10
ip flow-export template options timeout-rate 20

show ip flow export template
<...>
  Main cache version 9 export is enabled
  Template export information
    Template timeout = 1
    Template refresh rate = 1
  Option export information
    Option timeout = 20
    Option refresh rate = 10
NetFlow only works on physical interfaces and their subinterfaces, not on loopback, tunnel, VLAN interfaces etc.
If a subinterface is monitored, NetFlow stops collecting information from the main interface (even if it is configured there).
Some supervisor engines, like Supervisor Engine 720 and earlier hardware, do not support egress NetFlow accounting for unicast traffic; it is supported only for multicast traffic. Supervisor Engine 2T, however, supports ingress and egress NetFlow accounting for unicast traffic.