NetFlow is a Cisco IOS application that provides statistics on packets flowing through routers. NetFlow is primarily used for network accounting and identifies flows of packets coming in and going out of an interface. The beauty of NetFlow is that it does not involve any additional protocol setup between network devices or hosts. NetFlow is completely transparent to the existing network devices, hosts, and applications. NetFlow can be enabled individually on some network devices like routers and switches, without having to enable it on all devices in the network.
NetFlow Operation
The components used in a complete NetFlow system include a router enabled with NetFlow and a NetFlow collector. A number of free software packages like Caida (www.caida.org) and NetFlow Monitor (netflow.cesnet.cz) are available to act as NetFlow collector.
The figure below shows basic traffic monitoring with NetFlow.
Figure 14-4 Basic NetFlow
NetFlow provide near real-time stastics that can be used for visualization and analysis by the collector software. The software can present NetFlow statistics in a nice manner with the help of bar charts, pie charts, visualizations, and so on.
The concept of a flow is basic to NetFlow, which is defined as a unidirectional stream of packets from a source to destination. NetFlow considers a number of fields in packets being monitored including source IP address, destination IP address, source port number, destination port number, layer 3 protocol, and ToS (Type of Service). These fields are used by NetFlow to classify packets into separate flows. If a packet has a key field that’s different from another packet, the two packets are considered to belong to two different flows.
NetFlow Configuration
NetFlow is configured in the interface configuration mode on a router. First, you must specify if you want monitoring of ingress traffic, egress traffic, or both. Second, you have to specify the IP address of the NetFlow collector and also the UDP port on which the collector is listening. Cisco has been improving NetFlow continually and the most recent version is 9. You have to configure the NetFlow version as well.
Here is an example of NetFlow configuration on a Cisco router.
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface FastEthernet0/0
R1(config-if)#ip flow ingress
R1(config-if)#ip flow egress
R1(config-if)#exit
R1(config)#ip flow-e
R1(config)#ip flow-export destination 192.168.1.2 9996
R1(config)#ip flow-export version 9
R1(config)#end
R1#
The above configuration assumes that a NetFlow collector is available at IP address 192.168.1.2 and is listening at UDP port number 9996. The Cisco default port number on which NetFlow collectors listen for NetFlow packets is 9996. The verification of NetFlow can come directly from analyzing data collected on the NetFlow collector. However, you may also verify NetFlow operation using relevant show commands on the NetFlow router itself.
The show ip flow interface command tells you the interfaces and directions for which NetFlow has been enabled.
FastEthernet0/0
ip flow ingress
ip flow egress
You may also use other show commands like show ip flow export to view more detailed information on NetFlow operation.