Introduction to Flexible Netflow

Today I am going to talk about one of the switching platform features, Flexible NetFlow. Before discussing Flexible NetFlow, you should be aware of NetFlow itself. NetFlow provides the capability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion.

Introduction to Flexible Netflow
Flexible NetFlow is the advanced, next-generation NetFlow technology. It optimizes the network infrastructure, reducing operating costs and improving capacity planning and security incident detection with increased flexibility and scalability.

The ability to characterize IP traffic and identify its source, destination, timing, and application data is critical for network availability, performance, and troubleshooting. Monitoring IP traffic flows increases the accuracy of capacity planning and ensures that resource allocation supports organizational goals.

Fig 1.1- Flexible Netflow
Flexible NetFlow helps customers determine how to optimize resource usage, plan network capacity, and identify the optimal application layer for Quality of Service (QoS). Flexible NetFlow (FNF) lets you collect and optionally export a flow record that identifies several flow characteristics. NetFlow collection supports IPv4, IPv6 and Layer 2 traffic.

Flexible Netflow in VSS Environment- Cisco 4500 and Cisco 9400
  • The Catalyst 4500 series switch supports ingress flow statistics collection for switched and routed packets, but it does not support Flexible NetFlow on egress traffic with the IOS-XE 3.10 release, while the Cisco 9400 chassis supports it on both ingress and egress traffic with the IOS-XE 16.6.X release.
  • In the VSS environment, each switch has its own independent NFE (NetFlow Engine). This means that when there is ingress traffic on both the VSS Active and Standby switches, each switch creates flows for its own ingress traffic.
  • NetFlow show commands (including those for highly utilized ports and the aggregate cache) and clear commands must be run independently on the VSS Active and Standby switch. The VSS Standby console is accessible via remote console access from the VSS Active switch.
  • Flexible NetFlow improves on Cisco NetFlow as a security monitoring tool. For example, new flow keys can be defined for packet length or MAC address, allowing users to search for a specific type of attack in the network.
  • Flexible NetFlow lets you quickly identify how much application traffic is being sent between hosts by specifically tracking TCP or UDP applications by the class of service in the packets.
Flexible Netflow Components

  • Flow Records: A flow record defines the key fields that Flexible NetFlow uses to identify the packets belonging to a flow, as well as the other fields of interest (non-key fields) that Flexible NetFlow collects for the flow.
  • Flow Exporters: Flow exporters transfer the data in the flow monitor cache to a remote system, such as a server running a NetFlow collector, for analysis and storage.
  • Flow Monitors: Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic monitoring.
  • Flow Samplers: Flow samplers are created as separate components in a router's configuration. Flow samplers are used to reduce the load on the device that is running Flexible NetFlow by limiting the number of packets that are selected for analysis.
Configuration Example
The example below shows how to configure the flow monitor RouteXP_Monitor with a cache that holds 1000 entries. With this configuration, interface gig 1/1/0 (on the VSS Active) can create a maximum of 1000 flows and interface gig 2/2/0 can create a maximum of 1000 flows:

!
flow exporter RouteXP_Exporter
 ! collector address; export-protocol defaults to netflow-v9 over UDP
 destination 10.10.10.1
!
flow record RouteXP_Record
 ! key fields: packets sharing the same source/destination pair form one flow
 match ipv4 source address
 match ipv4 destination address
 ! non-key fields collected per flow
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow monitor RouteXP_Monitor
 record RouteXP_Record
 exporter RouteXP_Exporter
 cache timeout active 60
 cache timeout inactive 30
 cache entries 1000
!
interface GigabitEthernet 1/1/0
 ! layer2-switched allows collection of flow records even when the packet is
 ! bridged
 ip flow monitor RouteXP_Monitor layer2-switched input
!
interface GigabitEthernet 2/2/0
 ip flow monitor RouteXP_Monitor input
!
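To show what the collector at the other end of RouteXP_Exporter actually receives, here is a small NetFlow v9 decoder written as an added example; it is not code from this post or from Cisco. It assumes the exporter's default export protocol (NetFlow v9), a template id of 256 (the lowest id RFC 3954 permits for data templates), the RFC 3954 field ids for the fields RouteXP_Record matches and collects, and 8-byte counters for the "long" collect statements. The export packet it parses is constructed inline, with addresses from documentation ranges, so the script runs offline; the bulk_flows() function is a minimal detection pass over the decoded flows.

```python
import socket
import struct

# NetFlow v9 information element IDs (RFC 3954) for the fields RouteXP_Record
# matches and collects. The "long" counters are exported as 8-byte values.
IN_BYTES, IN_PKTS = 1, 2
IPV4_SRC_ADDR, IPV4_DST_ADDR = 8, 12
LAST_SWITCHED, FIRST_SWITCHED = 21, 22
FIELD_NAMES = {IN_BYTES: "bytes", IN_PKTS: "packets",
               IPV4_SRC_ADDR: "src", IPV4_DST_ADDR: "dst",
               FIRST_SWITCHED: "first_ms", LAST_SWITCHED: "last_ms"}
TEMPLATE_ID = 256  # assumption: first data template id; RFC 3954 reserves 0-255


def decode_field(ftype, raw):
    """Addresses become dotted quads; every other collected field is a big-endian int."""
    if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR):
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates=None):
    """Parse one NetFlow v9 export packet.

    Returns (flows, templates). Templates are returned so the caller can carry
    them across packets: a data flowset whose template has not arrived yet
    cannot be decoded and is skipped rather than guessed at.
    """
    templates = dict(templates or {})
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"expected NetFlow v9, got version {version}")
    flows, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: one or more (template id, field list) entries
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[tid] = fields
        elif fs_id >= 256 and fs_id in templates:  # data flowset for a known template
            tmpl = templates[fs_id]
            rec_len = sum(flen for _, flen in tmpl)
            p = 0
            while p + rec_len <= len(body):  # trailing bytes shorter than a record are padding
                rec, q = {}, p
                for ftype, flen in tmpl:
                    rec[FIELD_NAMES.get(ftype, ftype)] = decode_field(ftype, body[q:q + flen])
                    q += flen
                flows.append(rec)
                p += rec_len
        off += fs_len  # options flowsets (id 1) and unknown template ids are skipped
    return flows, templates


def bulk_flows(flows, threshold_bytes):
    """Detection example: flows whose byte count exceeds the threshold, largest first."""
    hits = [f for f in flows if f["bytes"] > threshold_bytes]
    return sorted(hits, key=lambda f: f["bytes"], reverse=True)


def build_sample_packet(include_template=True):
    """Constructed packet in the layout RouteXP_Exporter would emit for RouteXP_Record.

    The addresses are RFC 5737 documentation ranges; none of this is captured traffic.
    """
    tmpl_fields = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (IN_BYTES, 8),
                   (IN_PKTS, 8), (FIRST_SWITCHED, 4), (LAST_SWITCHED, 4)]
    tmpl_body = struct.pack("!HH", TEMPLATE_ID, len(tmpl_fields))
    tmpl_body += b"".join(struct.pack("!HH", t, l) for t, l in tmpl_fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    sample = [  # (src, dst, bytes, packets, first_ms, last_ms)
        ("192.0.2.10", "198.51.100.5", 1500, 12, 1000, 4000),
        ("192.0.2.77", "203.0.113.9", 850_000_000, 600_000, 2000, 9000),
    ]
    recs = b"".join(socket.inet_aton(s) + socket.inet_aton(d) + struct.pack("!QQII", b, p, f, l)
                    for s, d, b, p, f, l in sample)
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(recs)) + recs
    count = len(sample) + (1 if include_template else 0)
    header = struct.pack("!HHIIII", 9, count, 12345, 1700000000, 1, 0)
    return header + (tmpl_fs if include_template else b"") + data_fs


if __name__ == "__main__":
    flows, templates = parse_v9(build_sample_packet())
    for f in flows:
        print(f"{f['src']} -> {f['dst']}: {f['bytes']} bytes, {f['packets']} pkts, "
              f"{(f['last_ms'] - f['first_ms']) / 1000:.1f}s active")
    print("bulk:", [(f["src"], f["dst"]) for f in bulk_flows(flows, 100_000_000)])
```

Two points matter operationally. The decoder keeps the template dictionary separate from the flows because v9 data is undecodable until the matching template has been seen; a collector started after the switch has already sent its templates sees nothing until the exporter resends them, which is what the `template data timeout` setting under `flow exporter` controls. Second, because the cache in the configuration above expires active flows every 60 seconds, a single long transfer appears as a series of records with the same source/destination pair, so any byte threshold like the one in bulk_flows() should be applied per export interval or after summing records by key.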