Flexible Netflow Concepts and Configuration


Date: Jul 22, 2011 By Sean Wilkins. Article is provided courtesy of Cisco Press.
In modern networks, there is a need to compile and maintain a good set of traffic
records for a number of different purposes. These purposes include the ability to
monitor network traffic for network planning, security and analysis as well as track
traffic usage for billing purposes. To provide this ability, Cisco developed the
Netflow feature; the Netflow feature was then extended to provide further
configuration flexibility and the Flexible Netflow feature was created. This article
takes a look at the typical uses for the Flexible Netflow feature, how it works and
how it can be configured into a complete solution.

Flexible Netflow Concepts


There are a number of different uses for a traffic statistics feature when dealing with
modern networks; the Flexible Netflow feature can provide a solution for a number of
different tasks, including those shown in Table 1 below:
Table 1: Typical Netflow Uses

Network Monitoring: Netflow can provide extensive network monitoring capabilities that can be used by network operators to visualize traffic patterns across the network.

Application Monitoring and Profiling: Netflow can be used to view time-based application network usage information that can be used to help understand usage patterns. This analysis can then be used to plan for new application resource deployment and/or to further refine application resources.

User Monitoring and Profiling: Netflow can be used to view user (or customer) network and application resource usage patterns. This analysis can then be used to plan for new network and application resource deployment and/or to further refine network and application resources.

Network Planning: Netflow can be used to track the usage (longer term) of the various links across a network; this information can be used to better allocate future network expansion resources to those parts of the network with the most usage.

Security Analysis: Netflow can be used to identify and classify Denial of Service (DoS), virus and worm attacks in real time.

Billing and Accounting: Netflow can be used to provide a very granular picture of the resources being used on a network. This information can then be used to produce very detailed resource usage accounting across the various network components.

Data Warehousing and Mining: Netflow can be used to warehouse data for later retrieval and analysis; there are a number of different uses for this ability including historical analysis.

Netflow Components
The basic concept with Flexible Netflow (and the Original Netflow) is to categorize
and track different traffic flows.
Records
These flows are defined by a number of different pieces of traffic information; with
Flexible Netflow, this information can be defined in user-defined records or within
standard records. With the original Netflow, a flow was defined by seven different
pieces of information that are used to categorize traffic; this information includes
the following fields:

Source IP address
Destination IP address
Source port number
Destination port number
Layer 3 protocol type
Type of service (ToS)
Input logical interface


Traffic with the same values for these seven fields was defined as a flow and
individually tracked. Flexible Netflow provides the ability to either use this original flow
definition (Record) or to create a new, more specific flow definition. When creating a
user-defined flow definition, the fields that are going to be tracked are selected and
then defined as either a key field or as a nonkey field; these key fields are then used
by Flexible Netflow to define traffic flows; the fields that are defined as nonkey are
captured with the flow but are not used to define specific flows.
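
The effect of the key field choice on what ends up in the cache, as an added example that is not part of the original article: the same packets are grouped once with the seven original key fields and once with a hypothetical user-defined record that keys only on the two addresses. The packet values, `build_cache` and `flows_per_source` are constructed for illustration.

```python
from collections import namedtuple

# Constructed sample packets (not from the article): 10.0.0.5 touches three
# different ports on one server; 10.0.0.7 sends two packets of one session.
Packet = namedtuple("Packet", "src dst sport dport proto tos in_if size")
PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", 40000, 22, 6, 0, "Gi0/0", 60),
    Packet("10.0.0.5", "192.0.2.10", 40001, 23, 6, 0, "Gi0/0", 60),
    Packet("10.0.0.5", "192.0.2.10", 40002, 445, 6, 0, "Gi0/0", 60),
    Packet("10.0.0.7", "192.0.2.10", 51000, 443, 6, 0, "Gi0/0", 1500),
    Packet("10.0.0.7", "192.0.2.10", 51000, 443, 6, 0, "Gi0/0", 900),
]

# Original Netflow flow definition: all seven fields are key fields.
ORIGINAL_KEYS = ("src", "dst", "sport", "dport", "proto", "tos", "in_if")
# Hypothetical user-defined record: only the two addresses are key fields.
ADDRESS_KEYS = ("src", "dst")


def build_cache(packets, key_fields, nonkey_fields=("dport",)):
    """Group packets into flows by key fields; nonkey fields are only stored."""
    cache = {}
    for pkt in packets:
        key = tuple(getattr(pkt, f) for f in key_fields)
        if key not in cache:
            # Assumption of this sketch: nonkey values come from the first
            # packet of the flow; the counters below are accumulated.
            cache[key] = {f: getattr(pkt, f) for f in nonkey_fields}
            cache[key].update(packets=0, bytes=0)
        cache[key]["packets"] += 1
        cache[key]["bytes"] += pkt.size
    return cache


def flows_per_source(cache, key_fields):
    """Number of cache entries per source address (a fan-out indicator)."""
    idx = key_fields.index("src")
    counts = {}
    for key in cache:
        counts[key[idx]] = counts.get(key[idx], 0) + 1
    return counts


if __name__ == "__main__":
    for name, keys in (("seven keys", ORIGINAL_KEYS), ("address keys", ADDRESS_KEYS)):
        cache = build_cache(PACKETS, keys)
        print(name, len(cache), "flows;", flows_per_source(cache, keys))
```

With the address-only record the three ports touched by 10.0.0.5 collapse into a single flow whose nonkey port value is the first one seen, so a record used for security analysis needs the port fields as key fields if per-port activity has to be visible at the collector.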
Flow Monitor
The Netflow flow monitor component is used to provide the actual traffic monitoring
on a configured interface. When a flow monitor is applied to an interface, a flow
monitor cache is created that is used to collect the traffic based on the key and
nonkey fields in the configured record. There are three different modes of flow
monitor cache that can be used with each flow monitor:
Normal: When in the normal mode, cache entries are aged out according to
timeout parameters, based on the activity of a flow. This is the default mode.
Immediate: When in the immediate mode, cache entries are aged out as
soon as created. When in this mode, each flow contains only one packet; this
is used when traffic information is required immediately at the flow export
destination (see next section).
Permanent: When in the permanent mode, cache entries that are newer are
aged out. This is useful when long term statistics on a device are required and
the number of flows is expected to be low.
Flow Exporter
A flow exporter is used to transfer the contents of the Netflow cache from the device
to a remote system. The Netflow Data Export Format Version 9 is used with Flexible
Netflow (as opposed to Version 5) in order to provide additional flexibility. Multiple
flow exporters can be configured and assigned to a variety of different flow monitors if
there is a need to export to multiple locations.
Flow Sampler
A flow sampler is used when there is a high volume of traffic to analyze that could
potentially affect the performance of the monitored device. In this situation, a flow
sampler can be used to limit the number of packets that will be analyzed by the flow
monitor. For example, 1 out of every 2 packets could be captured and analyzed.
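
What 1-out-of-N sampling does to flow visibility, as an added example that is not part of the original article: constructed traffic is sampled with a window of 10 and the per-flow packet counts are scaled back up. The traffic pattern, the function names and the rule that deterministic mode takes the first packet of each window are assumptions of this sketch.

```python
import random
from collections import Counter


def constructed_traffic():
    """Constructed input: one flow id per packet, 1000 packets in total.

    960 packets belong to one bulk transfer; every 25th packet is a
    single-packet flow of its own (40 such flows).
    """
    return [f"single-{i // 25}" if i % 25 == 24 else "bulk" for i in range(1000)]


def sample(packets, window, mode="deterministic", rng=None):
    """Pick 1 packet out of every full window of `window` packets.

    Assumption of this sketch: deterministic takes the first packet of each
    window, random takes one uniformly chosen position per window.
    """
    rng = rng or random.Random(0)  # fixed seed so runs are repeatable
    picked = []
    for start in range(0, len(packets) - window + 1, window):
        offset = 0 if mode == "deterministic" else rng.randrange(window)
        picked.append(packets[start + offset])
    return picked


def estimate(sampled, window):
    """Scale per-flow sampled packet counts back up by the window size."""
    return {flow: n * window for flow, n in Counter(sampled).items()}


def flows_seen(sampled):
    """Distinct flows that would get a cache entry after sampling."""
    return set(sampled)


if __name__ == "__main__":
    traffic = constructed_traffic()
    for mode in ("deterministic", "random"):
        picked = sample(traffic, 10, mode)
        est = estimate(picked, 10)
        print(mode, "bulk estimate:", est.get("bulk"),
              "flows seen:", len(flows_seen(picked)), "of", len(set(traffic)))
```

The bulk transfer is estimated well from the sample, while single-packet flows are mostly or entirely absent from the cache; here the fixed sampling position never coincides with them at all. Sampled data therefore suits volume accounting better than detection of short, low-volume flows.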

Flexible Netflow Configuration


The exact configuration that is required to set up Flexible Netflow depends on whether
a flow exporter is going to be used and whether a flow sampler is required to be
configured. The steps required to set up a basic Flexible Netflow exporter
configuration are shown in Table 2 below:
Table 2: Flow Exporter Configuration

Step 1. Enter global configuration mode.
    router#configure terminal
Step 2. Create and configure a flow exporter.
    router(config)#flow exporter exporter-name
Step 3. Configure the exporter destination.
    router(config-flow-exporter)#destination {hostname | ip-address}
Step 4. Configure the UDP port used by the flow exporter (by default, UDP port 9995 is used).
    router(config-flow-exporter)#transport udp udp-port
Step 5. Enter flow monitor configuration mode.
    router(config-flow-exporter)#flow monitor flow-monitor-name
Step 6. Apply the flow exporter.
    router(config-flow-monitor)#exporter exporter-name
Step 7. Exit configuration mode.
    router(config-flow-monitor)#end

The steps required to set up a basic Flexible Netflow sampler configuration are shown
in Table 3 below (for application, see the flow monitor configuration):
Table 3: Flow Sampler Configuration

Step 1. Enter global configuration mode.
    router#configure terminal
Step 2. Create and configure a flow sampler.
    router(config)#sampler sampler-name
Step 3. Configure the sampler mode.
    router(config-sampler)#mode {deterministic | random} 1 out-of window-size
Step 4. Exit configuration mode.
    router(config-sampler)#end

The steps required to set up a basic Flexible Netflow monitor configuration are shown
in Table 4 below:
Table 4: Flow Monitor Configuration

Step 1. Enter global configuration mode.
    router#configure terminal
Step 2. Create and configure a flow monitor.
    router(config)#flow monitor monitor-name
Step 3. Define the record format that will be used by the flow monitor.
    router(config-flow-monitor)#record {record-name | netflow-original | netflow {ipv4 | ipv6}}
Step 4. Enter interface configuration mode.
    router(config-flow-monitor)#interface interface-type interface-number
Step 5. Apply the flow monitor (during application of a flow monitor, the flow sampler is also applied).
    IPv4 Flow Monitor:
    router(config-if)#ip flow monitor monitor-name [[sampler] sampler-name] input
    or
    IPv6 Flow Monitor:
    router(config-if)#ipv6 flow monitor monitor-name [[sampler] sampler-name] input
Step 6. Exit configuration mode.
    router(config-if)#end

Summary
The Flexible Netflow feature provides a solution for a number of different needs within
an organization. With little investment in time and resources, the Flexible Netflow
feature can save an organization money, provide better accounting of organizational
traffic, and provide a solution that can help solve a number of different problems
within an organizational network. Hopefully, the information in this article can be used
to become familiar with the Flexible Netflow feature as well as help with initial feature
configuration.
2015 Pearson Education, Cisco Press. All rights reserved.
800 East 96th Street, Indianapolis, Indiana 46240

http://www.ciscopress.com/articles/printerfriendly/1730890

12/16/2015
