How To Configure Cisco NetFlow

Rowell Dionicio

NetFlow is used to collect data flows from interfaces. The information can be stored on the switch, but it is more commonly sent to a server which collects the NetFlow data and spits it out into something shiny. Okay, not shiny, but more easily digestible.

Each packet is looked at for a set of IP packet attributes which are called key fields. The key fields help determine if the information within a packet is unique or similar to the other packets. If there are new values in the key fields then a new flow is created.

With that data you can create trend reports or gather protocol and interface statistics. In near real time you can find out who your top talkers are and which protocols are most widely used on your network. It can even act as a security tool for finding network anomalies.

NetFlow has 4 components:

  • Records
  • Exporter
  • Monitor
  • Sampler

The following NetFlow configuration was tested on a Cisco Catalyst 3850 running IOS version 15. On the Catalyst 3850, the exact version used is Flexible NetFlow (FNF). You will need at least IP Base licensing to use NetFlow. In short, Flexible NetFlow is Cisco's migration from the traditional NetFlow. Aw how cute, it's growing up.

Here is the full configuration I ended up with. After the configuration I go into more detail.

flow record AUNTFLOW
 match ipv4 destination address
 match ipv4 source address
 match ipv4 protocol
 match interface input
 match transport destination-port
 match transport source-port
 collect counter bytes long
 collect counter packets long
 collect interface input
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last
!
flow exporter AUNTFLOWEXPORT
 description Export to netflow system
 ! placeholder: the collector address is not given on this page
 destination <collector-ip>
 source vlan 10
 transport udp 4739
 ttl 60
!
flow monitor AUNTFLOWMON
 description Netflow monitor
 exporter AUNTFLOWEXPORT
 record AUNTFLOW
 cache timeout active 30
!
sampler AUNTFLOWSAMPLER
 description AUNTFLOW
 mode random 1 out-of 32
!
interface range g1/0/1 - 48
 ip flow monitor AUNTFLOWMON sampler AUNTFLOWSAMPLER input

Step 1: Configure the Records

NetFlow groups key and nonkey fields into a record. Records are then assigned to a monitor. A key field is used to match on attributes of a flow. A nonkey field identifies what to collect from the matched flow, such as counters.

flow record AUNTFLOW is the command to create the flow record.

match ipv4 destination address configures the IPv4 destination address as a key field. I found that you can have either ipv4 or ipv6 match statements but never both in the same flow. The switch gives you an error when you try to add the ip flow monitor command to an interface.

match ipv4 source address configures the IPv4 source address as a key field.

match ipv4 protocol configures IPv4 protocol as a key field.

match interface input configures the input interface as a key field. You have the ability to use output as another option.

match transport destination-port configures the transport destination port as a key field.

match transport source-port configures the transport source port as a key field.

collect counter bytes long sets the number of bytes in a flow as a nonkey field for a record. The bytes parameter configures the number of bytes seen in a flow as a nonkey field, and with the long parameter the flow uses a 64-bit counter.

collect counter packets long sets the number of packets in a flow as a nonkey field. It also uses a 64-bit counter.

collect interface input configures the input interface as a nonkey field and enables collection of the input interface from the flows.

collect transport tcp flags sets one or more TCP fields as a nonkey field.

collect timestamp absolute first configures the absolute time of the first seen packet in a flow as a nonkey field.

collect timestamp absolute last configures the absolute time of the last seen packet in a flow as a nonkey field.
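How the key and nonkey fields of AUNTFLOW turn packets into flows, as an added Python model that is not part of the original post and is not switch code. The packet dictionaries, addresses and interface names are constructed for illustration.

```python
from dataclasses import dataclass

# Key fields: one entry per "match" statement in flow record AUNTFLOW.
KEY_FIELDS = ("src", "dst", "proto", "in_if", "sport", "dport")
SYN, ACK = 0x02, 0x10  # TCP flag bits


@dataclass
class Flow:
    """Nonkey fields: one attribute per "collect" statement in AUNTFLOW."""
    in_if: str             # collect interface input
    first: float           # collect timestamp absolute first
    last: float = 0.0      # collect timestamp absolute last
    bytes: int = 0         # collect counter bytes long
    packets: int = 0       # collect counter packets long
    tcp_flags: int = 0     # collect transport tcp flags (OR of flags seen)


def build_cache(packets):
    """Group packets into flows; new key-field values create a new flow."""
    cache = {}
    for p in packets:
        key = tuple(p[f] for f in KEY_FIELDS)
        flow = cache.get(key)
        if flow is None:
            flow = cache[key] = Flow(in_if=p["in_if"], first=p["ts"])
        flow.bytes += p["len"]
        flow.packets += 1
        flow.tcp_flags |= p["flags"]
        flow.last = p["ts"]
    return cache


def pkt(ts, sport, length, flags, in_if="Gi1/0/1"):
    """Constructed TCP packet from 10.0.0.5 to 10.0.0.9:443."""
    return {"ts": ts, "src": "10.0.0.5", "dst": "10.0.0.9", "proto": 6,
            "in_if": in_if, "sport": sport, "dport": 443,
            "len": length, "flags": flags}


# Constructed sample packets (not captured traffic).
SAMPLE = [
    pkt(0.0, 50000, 60, SYN),
    pkt(0.1, 50000, 52, ACK),
    pkt(0.2, 50000, 500, ACK),
    pkt(0.3, 50001, 60, SYN),                    # new source port: new flow
    pkt(0.4, 50000, 60, SYN, in_if="Gi1/0/2"),   # new input interface: new flow
]
```

Because match interface input is a key field, the last packet starts its own flow even though its addresses and ports match the first one.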

Step 2: Configure the Flow Exporter

The flow exporter exports the NetFlow data to a NetFlow collector. A NetFlow collector is a server that helps you analyze all the information you're collecting.

flow exporter AUNTFLOWEXPORT creates a flow exporter called AUNTFLOWEXPORT.

description Export to netflow system creates a description for this flow exporter.

destination sets the destination host of the NetFlow collector.

source vlan 10 sets the source interface of the flow exporter.

transport udp 4739 sets the UDP port number to reach the NetFlow collector. Ranges from 0 – 65535.

ttl 60 sets the time-to-live (TTL) for datagrams sent by the exporter. Ranges from 1 – 255 seconds. Defaults to 255.

Step 3: Configure the Flow Monitor

The NetFlow monitor is what associates the exporter and the record. It is then applied to an interface with the ip flow monitor command.

flow monitor AUNTFLOWMON creates a flow monitor called AUNTFLOWMON.

description Netflow monitor sets a description.

exporter AUNTFLOWEXPORT associates the flow exporter we previously defined.

record AUNTFLOW associates the flow record we previously defined.

cache timeout active 30 sets the active flow cache timeout for the flow monitor to 30 seconds.

Step 4: Create a Sampler

I'm not talking about a beer sampler. A sampler is used to select one out of "X" packets. This helps keep performance on the device in check.

sampler AUNTFLOWSAMPLER defines a sampler called AUNTFLOWSAMPLER.

description AUNTFLOW creates a description.

mode random 1 out-of 32 creates a random sampling at a packet interval of one out of thirty-two packets.
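What the collector side can do with these sampled records, as an added Python example that is not part of the original post: it scales byte counters by the 1-in-32 sampling interval for a top-talkers estimate and uses the collected TCP flags to flag sources with SYN-only flows to many targets. It assumes the exported counters cover only the sampled packets; the record layout, addresses and threshold are constructed for illustration.

```python
from collections import defaultdict

SAMPLING_INTERVAL = 32            # mode random 1 out-of 32
SYN, PSH, ACK = 0x02, 0x08, 0x10  # TCP flag bits


def top_talkers(records, n=3):
    """Estimated bytes per source: sampled counters scaled by the interval."""
    est = defaultdict(int)
    for r in records:
        est[r["src"]] += r["bytes"] * SAMPLING_INTERVAL
    return sorted(est.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def syn_only_fanout(records, min_targets=4):
    """Sources whose TCP flows show SYN without ACK towards many distinct
    (destination, port) pairs, a pattern worth a closer look."""
    targets = defaultdict(set)
    for r in records:
        flags = r["tcp_flags"]
        if r["proto"] == 6 and flags & SYN and not flags & ACK:
            targets[r["src"]].add((r["dst"], r["dport"]))
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}


def rec(src, dst, dport, nbytes, flags):
    """Constructed flow record holding the fields this example reads."""
    return {"src": src, "dst": dst, "proto": 6, "dport": dport,
            "bytes": nbytes, "tcp_flags": flags}


# Constructed sample records (not real exports).
RECORDS = [
    rec("10.0.0.5", "10.0.0.9", 443, 9000, SYN | ACK | PSH),
    rec("10.0.0.7", "10.0.0.9", 22, 2000, ACK | PSH),
] + [rec("10.0.0.66", f"10.0.1.{i}", 445, 60, SYN) for i in range(1, 6)]

if __name__ == "__main__":
    print(top_talkers(RECORDS))
    print(syn_only_fanout(RECORDS))
```

With 1-in-32 sampling, short flows are often missed entirely, so a fan-out threshold tuned on unsampled data will under-detect and needs to be set lower.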

Step 5: Apply NetFlow to Interfaces

interface range g1/0/1 - 48 selects a range of ports.

ip flow monitor AUNTFLOWMON sampler AUNTFLOWSAMPLER input applies the NetFlow monitor, AUNTFLOWMON, and NetFlow sampler, AUNTFLOWSAMPLER, to the interface for input packets.

Step 6: Verification

There are a number of show commands to keep handy when needing to troubleshoot or view your NetFlow data (on the router/switch).

show flow exporter
show flow interface
show flow monitor
show flow monitor cache format
show flow record
show sampler

That's my afternoon with NetFlow.
