Flexible NetFlow Configuration and Verification

Flexible NetFlow helps in optimizing network infrastructures by providing a detailed characterization of IP traffic, identifying its source, its destination, and the application protocols in use. Because this visibility improves capacity planning and is both flexible and scalable, it also reduces the risk of potential security threats going unnoticed.

Flexible NetFlow Components

Component Name | Description
Flow Records   | Combination of key and non-key fields. There are predefined and user-defined records.
Flow Monitors  | Applied to the interface to monitor network traffic.
Flow Exporters | Export NetFlow Version 9 data from the Flow Monitor cache to a remote host or NetFlow collector.
Flow Samplers  | Sample partial NetFlow data rather than analyzing all NetFlow data.

There are trade-offs in using sampled NetFlow data. The upside is a reduced load on the device in terms of memory and CPU. The downside is accuracy: because only packets at specific intervals are examined, something could be missed, and the resulting counts are estimates compared to when all data is gathered.

Flexible NetFlow can dynamically create individual caches for each type of flow data. In addition, Flexible NetFlow can filter ingress traffic destined for a single destination. These factors make Flexible NetFlow a very powerful security asset.

You can use the collect and match commands to create a customized flow record. For a flow record to be usable, it must define the key fields that identify a flow and the non-key fields whose values are gathered for it. The match command is used to select key fields, and the collect command is used to select non-key fields. The table below lists the key and non-key fields that can be used to mimic the original NetFlow capabilities when building a custom flow record.

Field                           | Key or Non-Key Field | Definition
IP ToS                          | Key     | Value in the type of service (ToS) field
IP protocol                     | Key     | Value in the IP protocol field
IP source address               | Key     | IP source address
IP destination address          | Key     | IP destination address
Transport source port           | Key     | Value of the transport layer source port field
Transport destination port      | Key     | Value of the transport layer destination port field
Interface input                 | Key     | Interface on which the traffic is received
Flow sampler ID                 | Key     | ID number of the flow sampler (if flow sampling is enabled)
IP source AS                    | Non-key | Source autonomous system number
IP destination AS               | Non-key | Destination autonomous system number
IP next-hop address             | Non-key | IP address of the next hop
IP source mask                  | Non-key | Mask for the IP source address
IP destination mask             | Non-key | Mask for the IP destination address
TCP flags                       | Non-key | Value in the TCP flag field
Interface output                | Non-key | Interface on which the traffic is transmitted
Counter bytes                   | Non-key | Number of bytes seen in the flow
Counter packets                 | Non-key | Number of packets seen in the flow
Time stamp system uptime first  | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched
Time stamp system uptime last   | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched

The following are the steps for configuring a custom flow record:

  1. Define the flow record name.
  2. Set a useful description of the flow record.
  3. Set match criteria for key fields.
  4. Define non-key fields to be collected.

Having the ability to build a custom flow record for a specific and unique use case makes Flexible NetFlow extremely powerful.

The example below shows a custom flow record called CUSTOM being defined on the router. It uses the match command to select the IPv4 destination address as the key field and the collect command to gather the byte and packet counts as non-key fields. To verify the flow record configuration, use the command show flow record CUSTOM.

Configuring and Verifying the Custom Flow Record

Router# configure terminal
Router(config)# flow record CUSTOM
Router(config-flow-record)# description Custom Flow Record for IPv4 Traffic
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# collect counter bytes
Router(config-flow-record)# collect counter packets
Router(config-flow-record)# exit
Router(config)# do show flow record CUSTOM

Now that a custom flow record has been configured, the flow exporter can be created.

Important steps to complete when building a flow exporter:

  1. Define the flow exporter’s name.
  2. Set a useful description of the flow exporter.
  3. Specify the destination of the flow exporter to be used.
  4. Specify the NetFlow version to export.
  5. Specify the UDP port.

In this instance, the exporter that will be created will point to the 192.168.1.10 host that has been used in other examples in this chapter.

Configuring and Verifying the Custom Flow Exporter

Router# configure terminal
Router(config)# flow exporter CUSTOM
Router(config-flow-exporter)# description EXPORT-TO-NETFLOW-COLLECTOR
Router(config-flow-exporter)# destination 192.168.10.10
Router(config-flow-exporter)# export-protocol netflow-v9
Router(config-flow-exporter)# transport udp 999
Router(config-flow-exporter)# exit
Router(config)# exit
Router# sh run flow exporter

Now that a custom flow exporter called CUSTOM has been configured, the flow monitor must be created. Each flow monitor requires a flow record to be assigned to it. Each flow monitor has its own cache, and the flow record defines the layout of that cache and which traffic is tracked in it. The flow monitor can use predefined flow records or custom flow records. For the purpose of this section, the CUSTOM flow record is used to illustrate the configuration steps.

High-level steps to configure a flow monitor:

  1. Define the flow monitor name.
  2. Set a useful description of the flow monitor.
  3. Specify the flow record to be used.
  4. Specify a cache timeout of 60 for active connections.
  5. Assign the exporter to the monitor.

Configuring a flow monitor is a pretty straightforward task. The active cache timeout tells the device to export the cache entries for flows that are still active to the collector every 60 seconds. When creating a flow monitor, it is important for its description to be useful and to map back to the flow record. Similarly, when configuring QoS, it is nice to have the descriptions self-document the intent of the policy.

Configuring and Verifying the Custom Flow Monitor

Router(config)# flow monitor CUSTOM
Router(config-flow-monitor)# description Uses Custom Flow Record CUSTOM for IPv4
Router(config-flow-monitor)# record CUSTOM
Router(config-flow-monitor)# cache timeout active 60
Router(config-flow-monitor)# end
Router# show run flow monitor CUSTOM

The next step is to map the flow exporter CUSTOM to the flow monitor CUSTOM.

Configuring and Verifying the Flow Exporter Mapping to the Flow Monitor

Router# configure terminal
Router(config)# flow monitor CUSTOM
Router(config-flow-monitor)# exporter CUSTOM
Router(config-flow-monitor)# end

The final step necessary in enabling Flexible NetFlow is to apply the flow monitor to the interfaces. This step turns on the collection of NetFlow statistics, and it can be enabled for ingress or egress, or both.

Configuring and Verifying the Flow Monitor Interface Commands

Router(config)# interface ethernet1/1
Router(config-if)# ip flow monitor CUSTOM input
Router(config-if)# interface ethernet1/2
Router(config-if)# ip flow monitor CUSTOM input
Router(config-if)# end
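The following decoder is added here as an example; it is not part of the original page and not Cisco's software. It shows what the collector at the exporter's destination receives once the flow monitor is applied to the interfaces: a constructed NetFlow v9 packet carrying a template for the CUSTOM record's three fields (IPv4 destination address, byte count, packet count) followed by the data records, decoded with the Python standard library and summed per destination. The template id 256, the 4-byte counter lengths, and the sample flows are assumptions constructed for the example; the field type numbers are the standard NetFlow v9 values from RFC 3954.

```python
"""Collector-side NetFlow v9 decoder for the CUSTOM flow record (added example, not from the page)."""
import struct
from collections import defaultdict

# NetFlow v9 field type ids (RFC 3954) for the fields the CUSTOM record exports
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 12: "IPV4_DST_ADDR"}

# (field type, length in bytes) in the order the exporter places them in a record (assumed)
CUSTOM_FIELDS = [(12, 4), (1, 4), (2, 4)]
TEMPLATE_ID = 256  # assumed; data flowsets with id >= 256 refer to a template

# constructed sample flows, as the router's cache would hold them for the CUSTOM record
SAMPLE_RECORDS = [
    {"IPV4_DST_ADDR": "192.168.10.10", "IN_BYTES": 1500, "IN_PKTS": 10},
    {"IPV4_DST_ADDR": "10.0.0.5", "IN_BYTES": 64000, "IN_PKTS": 400},
    {"IPV4_DST_ADDR": "192.168.10.10", "IN_BYTES": 300, "IN_PKTS": 2},
]


def encode_field(ftype, flen, value):
    if ftype == 12:  # IPv4 address travels as four raw octets
        return bytes(int(o) for o in value.split("."))
    return int(value).to_bytes(flen, "big")  # unsigned big-endian counter


def decode_field(ftype, raw):
    if ftype == 12:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def build_v9_packet(template_id, fields, records, include_template=True, seq=1):
    """Build a constructed v9 export packet: optional template flowset, then one data flowset."""
    flowsets = b""
    if include_template:
        body = struct.pack("!HH", template_id, len(fields))
        body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
        flowsets += struct.pack("!HH", 0, 4 + len(body)) + body  # flowset id 0 = template
    body = b"".join(encode_field(t, l, r[FIELD_NAMES[t]]) for r in records for t, l in fields)
    pad = (-len(body)) % 4  # flowsets are padded to a 32-bit boundary
    flowsets += struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\x00" * pad
    count = len(records) + (1 if include_template else 0)
    # header: version, record count, sysUptime, unix secs, sequence, source id (constructed values)
    header = struct.pack("!HHIIII", 9, count, 123456, 1700000000, seq, 0)
    return header + flowsets


def parse_template_flowset(body, templates):
    """Read every (template id, field list) in a template flowset into the templates dict."""
    off = 0
    while off + 4 <= len(body):
        tid, nfields = struct.unpack("!HH", body[off:off + 4])
        off += 4
        templates[tid] = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4]) for i in range(nfields)]
        off += 4 * nfields


def parse_data_flowset(body, fields):
    """Slice fixed-length records out of a data flowset using the template's field layout."""
    rec_len = sum(l for _, l in fields)
    if rec_len == 0:
        return []
    flows, off = [], 0
    while off + rec_len <= len(body):  # trailing bytes shorter than a record are padding
        rec = {}
        for t, l in fields:
            rec[FIELD_NAMES.get(t, f"field_{t}")] = decode_field(t, body[off:off + l])
            off += l
        flows.append(rec)
    return flows


def decode_v9(packet, templates=None):
    """Decode one export packet. Returns (flows, templates); pass templates back in for later packets."""
    templates = {} if templates is None else templates
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    flows, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:
            parse_template_flowset(body, templates)
        elif fs_id >= 256 and fs_id in templates:
            flows.extend(parse_data_flowset(body, templates[fs_id]))
        # data for a template not yet seen (or an options template, id 1) is skipped until it arrives
        off += fs_len
    return flows, templates


def bytes_per_destination(flows):
    """Sum IN_BYTES per IPV4_DST_ADDR; one destination dominating the total is a DoS indicator worth a look."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["IPV4_DST_ADDR"]] += f["IN_BYTES"]
    return dict(totals)


SAMPLE_PACKET = build_v9_packet(TEMPLATE_ID, CUSTOM_FIELDS, SAMPLE_RECORDS)

if __name__ == "__main__":
    flows, templates = decode_v9(SAMPLE_PACKET)
    for f in flows:
        print(f)
    print(bytes_per_destination(flows))
```

Keeping the returned templates dictionary across packets matters: a v9 collector cannot interpret a data flowset until it has seen the matching template, which the router resends periodically, so the first moments after the exporter starts, or after a collector restart, yield no decodable flows. A collector listening on the UDP port configured under the exporter should also reject packets from unexpected source addresses, since nothing in the v9 header authenticates the exporter.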

The modularity of Flexible NetFlow makes the tool much more scalable and powerful than traditional NetFlow. Having the ability to export to multiple destinations or collectors as well as having the capability of using the tool for security forensics to identify DoS attacks and worm propagation is tremendous.
