
How to configure and verify Cisco Netflow

Netflow is a network protocol developed by Cisco for monitoring and collecting traffic flow data. It is used to
analyze network traffic flow and traffic volume in order to learn where the traffic originated, where it was going,
and how much traffic was generated. A Netflow-enabled router exports traffic statistics as Netflow records that are
then gathered by a Netflow collector, which can be either software or a hardware appliance. This section will guide
you through configuring and verifying Cisco Netflow versions 5 and 9 and show you how to retrieve the data locally.

6.11 Configure and verify Cisco Netflow

Network visibility is very important. It is achieved through day-to-day troubleshooting, application monitoring,
QoS traffic views, compliance/security checks, bandwidth capacity planning and an understanding of network
utilization. Netflow offers an administrator the essential data needed to understand traffic movement.
Traditionally, Netflow is mainly used to understand network behavior and to resolve and reduce problems related to
application performance, bandwidth and improper traffic classification. It also enables effective network operation,
which results in lower costs and in turn higher revenues due to better utilization of the network infrastructure.

Netflow offers usage-based network billing, security and network monitoring, denial-of-service monitoring
capabilities, and network traffic accounting. It provides valuable information about applications, network users,
traffic routing and peak usage times. Cisco's Netflow is the leader in IP traffic flow technologies.

Netflow is transparent to the existing network, including application software, end stations and network devices
such as LAN switches, and it runs independently on every internetworking device. Using NDE (Netflow Data Export),
you can export the data to a remote workstation for collection and processing. Network administrators selectively
enable NDE on a per-subinterface or per-router basis for traffic performance, accounting or control purposes.

To ensure proper functionality, remember the following when configuring the device:

1. Netflow configuration varies slightly per hardware model.
2. Netflow should be enabled for ingress traffic only on an interface. Enabling both ingress and egress statistics
can effectively double the reported bandwidth for an existing flow and is not necessary in most cases.
3. The active timeout is set in one-minute intervals. This value sets how long the cache holds information about an
active flow before flushing it, and it also ensures accurate trend and alarm information.
4. Netflow depends on seven key fields: source IP address, destination IP address, ToS byte, Layer 3 protocol type,
source port number, destination port number and input logical interface. If any one of these fields differs, a new
flow record is created in the flow cache table.
5. It is best to source the Netflow export from an interface that will never go down, such as Loopback0.
6. Enable Netflow on each Layer 3 interface for complete visibility.

To configure Netflow, the first step is required; all other steps are optional:

Step 1: Enable Netflow

First, configure the router for IP routing, which Netflow requires. Then use the commands below.

1. Enter interface configuration mode.

Command:

Or

2. Enable Netflow for IP routing:

Command:

Step 2: export the Netflow statistics

In this step the Netflow information is exported to the network management application. To configure a router to
export Netflow statistics in a Netflow cache to the workstation when the flow expires (times out), make use of the
below command:

Command 1:

Command 2:

Step 3: Customize the number of entries in the Netflow cache

Generally, the default Netflow cache will be fine. However, you can also decrease or increase the number of entries
in the cache. By default, the cache entry is 64 flows. Every cache entry needs about 64 bytes of storage. To customize
the number of entries in the Netflow cache, use the following global configuration mode command:

Step 4: Manage Netflow statistics

In this step you can display and clear Netflow statistics. The Netflow statistics comprise the IP packet size
distribution, information about the IP flow cache, and flow information such as total flows, protocols and flows per
second. To manage Netflow statistics, use the privileged EXEC mode commands given below:

The command below displays Netflow statistics:

The command below clears Netflow statistics:

Verification:

To verify information about the aggregation cache, use the following command in EXEC mode:

To confirm the data export, use the following command in EXEC mode:

An example of Netflow configuration:

6.11.a Netflow v5, v9

Network flow can be defined in many ways. Cisco Netflow v5 defines a flow as a unidirectional sequence of packets
that all share one or more of the following seven values:

Internet Protocol type of service (ToS)
IP protocol
Source IP address
TCP destination port
Ingress interface
UDP destination port
Destination IP address

In the diagram below, Netflow data is exported from a network device to a centralized collector/analyzer, which
processes the data and generates reports.

Traditional Netflow (Netflow v5) is widely used. It supports AS (autonomous system) reporting as well as some
additional fields. Flows are counted when they enter an interface; outbound traffic is reported through the inbound
flow of another interface. It is therefore advised that Netflow v5 is enabled on all device interfaces, otherwise the
outbound utilization of some interfaces will not be captured. The packet format is fixed and always the same.

The following commands enable Netflow v5 on Fa0/1 and export it to the machine 10.199.15.103 on port 2055.
Perform the task below to verify the configuration:
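Steps 1 to 4 above and the v5 export to 10.199.15.103 port 2055 just described, as one added IOS example that is not part of the original page; it assumes FastEthernet0/1 is the monitored interface and that Loopback0 exists with an address the collector can reach.

```cisco
! Added example (not from the original page): Netflow v5 on a Cisco IOS router.
! Assumed: FastEthernet0/1 carries the traffic to monitor, and Loopback0 is up with
! an address the collector can reach. Collector 10.199.15.103 / UDP 2055 is from the text.
configure terminal
 ! Tip 5: source the export from an interface that never goes down
 ip flow-export source Loopback0
 ip flow-export version 5
 ip flow-export destination 10.199.15.103 2055
 ! Tip 3 (optional): expire long-lived flows every 1 minute so trend data stays current
 ip flow-cache timeout active 1
 ! Step 3 (optional): size the flow cache, in number of flow entries
 ip flow-cache entries 65536
 ! Tips 2 and 6: ingress accounting only, on every Layer 3 interface you need visibility into
 interface FastEthernet0/1
  ip flow ingress
 exit
end
!
! Verification from privileged EXEC mode
! Flow cache: packet size distribution, protocol totals, flows per second, active flows
show ip cache flow
! Same view, plus ToS, TCP flags and AS numbers per flow
show ip cache verbose flow
! Export status: destination, version, datagrams sent and export failures
show ip flow export
! Confirm that the interface is accounting ingress flows
show ip flow interface
! Step 4: reset the statistics counters
clear ip flow stats
```

If the collector shows no data, check "show ip flow export" for a non-zero failure count before suspecting the collector itself.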

Netflow v9:

The basic output of Netflow is the flow record. There are various formats for flow records, which have evolved as
Netflow has matured. The most recent evolution of the flow record format is the Netflow version 9 format, which is
template based and is the basis for the IETF standard. Templates give the record format an extensible design and
allow future enhancements to the Netflow service without requiring concurrent changes to the basic flow record
format. Templates bring a variety of benefits:

Information is exported through an IETF standard mechanism.
New features can be added to Netflow without breaking current implementations.
The Netflow v9 format adapts readily to new technologies and protocols.
A third-party business that produces a collector application for Netflow does not need to recompile the application
every time a new Netflow feature is added; instead it can use an external data file that documents the known
template format.

Netflow v9 is the most flexible Netflow technology. It accommodates custom fields, including IPv6, NBAR protocols,
VLAN ID, MPLS labels, real-time performance of media flows, multicast IP traffic and much more.

This configuration enables Netflow v9 on Fa0/1 and exports to 10.199.15.103 on port 2055.

Verify the Netflow v9 configuration:

Once Netflow is configured, Netflow packets are sent to the designated collector or server.

6.11.b Local retrieval

The Cisco Netflow MIB offers real-time access to a limited number of fields in the flow cache. Traditionally, SNMP
has been used to gather network information, and it allows retrieval of critical information from network devices.
The Netflow MIB uses SNMP to gather Netflow statistics and to configure Netflow; it allows Netflow statistics and
other Netflow data for a managed device to be retrieved through SNMP. You can retrieve Netflow information from the
managed device either by entering SNMP commands from an NMS workstation or by entering commands on the managed
device itself to configure the router through the MIB. If Netflow is configured from an NMS workstation, no direct
access to the router is needed and all configuration is performed through SNMP. A Netflow MIB request for
information is sent from the NMS workstation through SNMP to the router, and the information is retrieved from the
router. That information can be viewed or stored, allowing Netflow information to be easily transported and accessed
across a multi-vendor environment.

6.11.c Export (configuration only)

Netflow records are traditionally exported over UDP and collected by a Netflow collector. The IP address and UDP
port of the collector have to be configured on the sending router. For performance reasons, a router does not keep
track of a flow record once it has been exported, so when the packet carrying it is dropped (because of configuration
or network issues) the record is lost. Modern Netflow implementations can therefore use SCTP (Stream Control
Transmission Protocol) to export the packets and protect against packet loss. SCTP also ensures that the Netflow v9
templates are received before the related records are exported. When Netflow export only crosses the network
backbone link, packet loss can be negligible.

Use the commands below to enable Netflow export:

Then, enable Netflow on each Layer 3 interface whose traffic you'd like to monitor:

interface <interface>
 ip flow ingress
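The v9 export from 6.11.a together with the SCTP reliable export this section describes, as one added IOS example that is not part of the original page; it assumes FastEthernet0/1 and Loopback0 as before and a collector at 10.199.15.103 port 2055 that accepts SCTP.

```cisco
! Added example (not from the original page): Netflow v9 with template refresh and
! the SCTP reliable export described in 6.11.c. Assumed: FastEthernet0/1 and Loopback0
! as above; collector 10.199.15.103 port 2055 is from the text.
configure terminal
 ip flow-export source Loopback0
 ip flow-export version 9
 ! Re-announce templates every 20 export packets or every 10 minutes, so a collector
 ! that starts late or misses a packet can still decode the data records that follow
 ip flow-export template refresh-rate 20
 ip flow-export template timeout-rate 10
 ! Reliable export: SCTP retransmits lost records and delivers templates before the
 ! records that depend on them. The collector must accept SCTP on this port.
 ip flow-export destination 10.199.15.103 2055 sctp
  reliability full
  exit
 ! Plain UDP export (no retransmission) if the collector only listens on UDP:
 ! ip flow-export destination 10.199.15.103 2055
 interface FastEthernet0/1
  ip flow ingress
 exit
end
!
! Verification from privileged EXEC mode
! Export destination, transport and version
show ip flow export
! Template statistics: templates sent, refresh and timeout settings
show ip flow export template
! SCTP association state and retransmission counters
show ip flow export sctp verbose
```

A collector that receives only data flowsets and no templates cannot decode v9 records, so a sudden drop in decoded flows after a collector restart is usually a template refresh issue rather than a router fault.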

By analyzing the data offered by Netflow, the network administrator can easily find out the source and destination of
traffic, the causes of congestion and the class of service. Netflow is becoming the de facto industry standard and is
supported by vendors beyond Cisco, including 3Com/HP, Netgear, Huawei, Ericsson, Alcatel-Lucent and Juniper. Cisco
developed this flow technology to allow bandwidth monitoring of the network. It allows extremely granular and
accurate bandwidth monitoring by recording network traffic into a cache on the device.
