6.11.a NetFlow v5, v9

Routers and switches that support NetFlow can collect IP traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records toward at least one NetFlow collector - typically a server that does the actual traffic analysis.

NetFlow Version | Comment
v5 | Most common version. Available on many routers from different brands, but restricted to IPv4 flows.
v9 | Template based. Mostly used to report flows like IPv6, MPLS, or even plain IPv4 with BGP nexthop.

NetFlow Version 5

Version 5 is the most widely used version and supports Autonomous System (AS) reporting. All flows are calculated when they are inbound to the interface. It is generally advised that NetFlow be enabled on all interfaces; otherwise you may not get the full picture of the network usage.

A network flow can be defined in many ways. Cisco standard NetFlow version 5 defines a flow as a unidirectional sequence of packets that all share the following 7 values:

  1. Ingress interface (SNMP ifIndex)
  2. Source IP address
  3. Destination IP address
  4. IP protocol
  5. Source port for UDP or TCP, 0 for other protocols
  6. Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols
  7. IP Type of Service
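
An added example, not from the original notes: a Python parser for a v5 export datagram that pulls the 7 key values out of each 48-byte record. The header and record layouts follow Cisco's published v5 export format; make_record and SAMPLE are constructed here, and the sample shows that the two directions of one TCP conversation are separate flows.

```python
import ipaddress
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte v5 flow record

def parse_v5(datagram):
    """Return the flows carried in one NetFlow v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("record count runs past the datagram")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _flags, proto, tos, _sas, _das, _smask, _dmask,
         ) = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # The 7 values that define a v5 flow, in the order listed above.
        key = (in_if, str(ipaddress.IPv4Address(src)),
               str(ipaddress.IPv4Address(dst)), proto, sport, dport, tos)
        flows.append({"key": key, "packets": pkts, "bytes": octets})
    return flows

def make_record(src, dst, in_if, sport, dport, pkts, octets):
    """Build a TCP flow record for the constructed sample below."""
    return RECORD.pack(ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed, bytes(4), in_if, 0,
                       pkts, octets, 0, 0, sport, dport, 0, 6, 0, 0, 0, 0, 0)

# Constructed sample: both directions of one TCP conversation.
SAMPLE = (HEADER.pack(5, 2, 0, 0, 0, 0, 0, 0, 0)
          + make_record("10.1.240.78", "10.125.1.5", 2, 1500, 9945, 10, 1200)
          + make_record("10.125.1.5", "10.1.240.78", 3, 9945, 1500, 8, 900))
```

A collector that wants per-conversation totals has to pair the two keys itself, since the exporter reports each direction on its own.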

NetFlow Version 9

NetFlow Flow-Record, or NetFlow Version 9, is template-based, which allows flexibility in the flow reports. Templates can be provisioned with user-defined key and non-key fields, and can monitor a lot more IP packet information than Traditional NetFlow/NetFlow v5 can. There are more fields than I could reasonably fit on this page, so instead here is a link to the Cisco document on NetFlow Version 9 Flow-Record Format.

6.11.b Local retrieval

The Cisco NetFlow MIB supported on a Cisco router offers real-time access to a limited number of fields in the flow cache. SNMP has been used to gather network information since the early days, and it allows critical information to be retrieved from network elements such as workstations, switches and routers. The NetFlow MIB feature also uses SNMP, both to gather NetFlow statistics and to configure NetFlow. It allows NetFlow statistics and other NetFlow data for a managed device to be retrieved by SNMP.

You can specify retrieval of NetFlow information from a managed device either by entering SNMP commands from an NMS workstation to configure the router through the MIB, or by entering commands on the managed device itself. If NetFlow is configured from an NMS workstation, no access to the router is needed and all the configuration is performed through SNMP. A NetFlow MIB request for information is sent from the NMS workstation to the router through SNMP, and the information is retrieved from the router. That information can then be viewed or stored, which allows NetFlow information to be easily transported and accessed across a multi-vendor programming environment.

Enable NetFlow to a destination

ip flow-export destination 10.10.10.1 9996
ip flow-export source loopback0
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15

9996 is the port that the NetFlow application at 10.10.10.1 is listening on.

Under each interface you must also add:

ip route-cache flow

Enable NetFlow locally

ip flow-top-talkers
top 10
sort-by bytes

You still need to add ip route-cache flow under the interfaces.

Viewing NetFlow Information

show ip flow top-talkers

router#show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Se1/0 169.51.51.6 Local 169.51.51.5 2F 0000 0000 2448M
Gi0/2 10.1.240.78 Tu0 10.125.1.5 06 05DC 26D9 708M
Se1/0 169.51.51.6 Local 169.51.51.5 32 E556 29EA 431M
Tu0 10.125.1.5 Gi0/1 10.1.240.78 06 26FD 05DC 362M
Tu0 10.125.1.5 Gi0/1 10.1.240.78 06 26FC 05DC 343M
Tu0 10.125.1.5 Gi0/1 10.1.240.78 06 26ED 05DC 332M
Tu0 10.125.1.5 Gi0/1 10.1.240.78 06 2701 05DC 329M
Tu0 10.125.1.5 Gi0/1 10.1.240.78 06 26FB 05DC 300M
Tu0 10.125.1.5 Gi0/1 10.1.240.78 06 26F9 05DC 294M
Tu0 10.125.1.5 Gi0/1 10.1.240.78 06 26D9 05DC 163M
10 of 10 top talkers shown. 2598 flows processed.

You can see the source and destination IPs, ports, and the volume. Note that the ports are in hexadecimal. You can find hex to decimal conversion at http://easycalculation.com/hex-converter.php
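
As an added example (not part of the original notes), this Python function parses the show ip flow top-talkers output above and converts the hex protocol and port columns to decimal. The port columns are only reported as ports for TCP and UDP, the protocol name table is a small subset chosen for this output, and flows_to_port is a helper name introduced here.

```python
# Small subset of IANA protocol numbers, enough for the output above.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}

# Lines copied from the router output shown above.
SAMPLE = """\
router#show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Se1/0 169.51.51.6 Local 169.51.51.5 2F 0000 0000 2448M
Gi0/2 10.1.240.78 Tu0 10.125.1.5 06 05DC 26D9 708M
Se1/0 169.51.51.6 Local 169.51.51.5 32 E556 29EA 431M
10 of 10 top talkers shown. 2598 flows processed.
"""

def parse_top_talkers(output):
    """Return one dict per flow row, with hex columns converted to decimal."""
    rows = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) != 8:
            continue                      # prompt, footer or blank line
        src_if, src_ip, dst_if, dst_ip, pr, sport, dport, volume = cols
        try:
            proto, sport, dport = int(pr, 16), int(sport, 16), int(dport, 16)
        except ValueError:
            continue                      # column header row
        has_ports = proto in (6, 17)      # only TCP and UDP carry ports
        rows.append({
            "src_if": src_if, "src_ip": src_ip,
            "dst_if": dst_if, "dst_ip": dst_ip,
            "proto": PROTOCOLS.get(proto, str(proto)),
            "src_port": sport if has_ports else None,
            "dst_port": dport if has_ports else None,
            "volume": volume,             # kept as printed, e.g. "708M"
        })
    return rows

def flows_to_port(rows, port):
    """Rows where either end of the flow uses the given decimal port."""
    return [r for r in rows if port in (r["src_port"], r["dst_port"])]
```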

6.11.c Export (configuration only)

The IP address of a NetFlow collector and a destination UDP port have to be configured on the sending router. Routers maintain track of flow records which have already been exported, if the NetFlow packets are dropped because of packet corruption or network congestion.

Modern NetFlow implementations use SCTP (Stream Control Transmission Protocol) to export the packets, which offers protection against packet loss and also assures that the NetFlow v9 templates are received before the related records are exported. Where the NetFlow export only uses the network backbone link, packet loss can be negligible.

Configuring NetFlow v5:

router(config)#ip flow-export destination <IP Address> <UDP/SCTP port number>
router(config)#ip flow-export source <interface>
router(config)#ip flow-export version <1|5|9>
router(config)#ip flow-cache timeout active 1
router(config)#ip flow-cache timeout inactive 15

The following should be input on each interface that should send statistics:

router(config)#interface <interface>
router(config-if)#ip route-cache flow Δ
router(config-if)#exit

Δ There is another command that can be used in place of this, ip flow ingress. While ip route-cache flow enables flows on the physical interface and all associated sub-interfaces, ip flow ingress enables flows on individual interfaces or sub-interfaces.

Configuring NetFlow v9:

Flexible NetFlow is comprised of 3 components:

1. Flow Record
2. Flow Exporter
3. Flow Monitor

The following is a set of commands that are issued on a Cisco router to enable Flexible NetFlow on the GigabitEthernet0/1 interface and export to the machine 10.10.10.100 (IP Address of NetFlow collector) on port 2055 (UDP port to export NetFlow packets).

Creating Flow Record:
router(config)# flow record NTArecord
router(config-flow-record)# match ipv4 source address
router(config-flow-record)# match ipv4 destination address
router(config-flow-record)# match ipv4 protocol
router(config-flow-record)# match transport source-port
router(config-flow-record)# match transport destination-port
router(config-flow-record)# match ipv4 tos
router(config-flow-record)# match interface input
router(config-flow-record)# collect interface output
router(config-flow-record)# collect counter bytes
router(config-flow-record)# collect counter packets

Creating Flow Exporter:
router(config)# flow exporter NTAexport
router(config-flow-exporter)# destination 10.10.10.100
router(config-flow-exporter)# source GigabitEthernet0/1
router(config-flow-exporter)# transport udp 2055
router(config-flow-exporter)# template data timeout 60

Creating Flow Monitor:
router(config)# flow monitor NTAmonitor
router(config-flow-monitor)# record NTArecord
router(config-flow-monitor)# exporter NTAexport
router(config-flow-monitor)# cache timeout active 60
router(config-flow-monitor)# cache timeout inactive 15

Associating the Monitor to an Interface:
router(config)# interface GigabitEthernet0/1
router(config-if)# ip flow monitor NTAmonitor input
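
An added example, not Cisco's or the original author's code: a minimal Python decoder for v9 export packets, showing that a collector cannot read a data record until it has received the matching template. Field type numbers are from RFC 3954; the template id 256, the field lengths assumed for NTArecord and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

# RFC 3954 field type numbers for the fields NTArecord matches and collects.
FIELDS = {1: "bytes", 2: "packets", 4: "protocol", 5: "tos", 7: "src_port",
          8: "src_addr", 10: "input_if", 11: "dst_port", 12: "dst_addr", 14: "output_if"}

def decode_v9(datagram, templates):
    """Decode one v9 packet; `templates` must persist between packets."""
    if len(datagram) < 20 or struct.unpack_from("!H", datagram)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    flows, skipped, pos = [], 0, 20              # skip the 20-byte header
    while pos + 4 <= len(datagram):
        set_id, length = struct.unpack_from("!HH", datagram, pos)
        if length < 4 or pos + length > len(datagram):
            raise ValueError("FlowSet length runs past the datagram")
        body, pos = datagram[pos + 4:pos + length], pos + length
        if set_id == 0:                          # template FlowSet
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, off)
                if nfields == 0 or off + 4 + 4 * nfields > len(body):
                    break                        # padding or truncated template
                spec = struct.unpack_from(f"!{2 * nfields}H", body, off + 4)
                templates[tid] = list(zip(spec[0::2], spec[1::2]))
                off += 4 + 4 * nfields
        elif set_id >= 256:                      # data FlowSet, id = template id
            tmpl = templates.get(set_id, [])
            size = sum(flen for _, flen in tmpl)
            if size == 0:                        # template not received yet
                skipped += 1
                continue
            for off in range(0, len(body) - size + 1, size):
                rec, p = {}, off
                for ftype, flen in tmpl:
                    raw, p = body[p:p + flen], p + flen
                    rec[FIELDS.get(ftype, f"type_{ftype}")] = (
                        str(ipaddress.IPv4Address(raw)) if ftype in (8, 12)
                        else int.from_bytes(raw, "big"))
                flows.append(rec)
    return flows, skipped

# Constructed sample: template 256 (assumed layout) and one made-up record.
TEMPLATE = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (5, 1), (10, 2),
            (14, 2), (1, 4), (2, 4)]
HEADER = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
TEMPLATE_SET = struct.pack("!24H", 0, 48, 256, 10, *sum(TEMPLATE, ()))
DATA_SET = struct.pack("!HH4s4sBHHBHHIIxx", 256, 32, bytes([10, 1, 240, 78]),
                       bytes([10, 125, 1, 5]), 6, 1500, 9945, 0, 2, 3, 1200, 10)
```

Decoding HEADER + DATA_SET with an empty template cache returns no flows and one skipped FlowSet, which is what a collector sees over UDP if it starts after the last template refresh or a template packet is lost.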
