Flexible NetFlow Configuration and Verification

Flexible Netflow helps in optimizing network infrastructures by providing a detailed characterization on IP traffic and identifying its source, traffic destination, as well as application protocols. With this, it reduces the risk of potential security threats due to its improved capacity planning with increased flexibility and scalability.

Flexible NetFlow Components

Component NameDescription
Flow RecordsCombination of key and non-key fields. There are predefined and user-defined records.
Flow MonitorsApplied to the interface to monitor network traffic.
Flow ExportersExports NetFlow Version 9 data from the Flow Monitor cache to a remote host or NetFlow collector.
Flow SamplersSamples partial NetFlow data rather than analyzing all NetFlow data


There are trade-offs in using sampled NetFlow data. The biggest one is that there is a reduced load on the device in terms of memory and CPU. However, by sampling NetFlow data only at specific intervals, something could be missed as the accuracy goes down with sampling compared to when gathering all data. Flexible NetFlow can dynamically create individual caches for each type of flow data. In addition, Flexible NetFlow can filter ingress traffic destined for a single destination. These factors make Flexible NetFlow a very powerful security asset. You can use the collect and match commands to create a customized flow record. To create a custom flow record, certain key and non-key fields must be matched so the flow record is usable. The match command is used to select key fields, and the collect command is used to select non-key fields. The table below shows a list of the key and non-key fields that can be used to mimic the original NetFlow capabilities when building a custom flow record.

FieldKey or Non-Key FieldDefinition
IP ToSKeyValue in the type of service (ToS) field
IP protocolKeyValue in the IP protocol field
IP source addressKeyIP source address
IP destination addressKeyIP destination address
Transport source portKeyValue of the transport layer source port field
Transport destination portKeyValue of the transport layer destination port field
Interface inputKeyInterface on which the traffic is received
Flow sampler IDKeyID number of the flow sampler (if flow sampling is enabled)
IP source ASNon-keySource autonomous system number
IP destination ASNon-keyDestination autonomous system number
IP next-hop addressNon-keyIP address of the next hop
IP source maskNon-keyMask for the IP source address
IP destination maskNon-keyMask for the IP destination address
TCP flagsNon-keyValue in the TCP flag field
Interface outputNon-keyInterface on which the traffic is transmitted
Counter bytesNon-keyNumber of bytes seen in the flow
Counter packetsNon-keyNumber of packets seen in the flow
Time stamp system uptime firstNon-keySystem uptime (time, in milliseconds, since this device was first booted) when the first packet was switched
Time stamp system uptime lastNon-keySystem uptime (time, in milliseconds, since this device was first booted) when the last packet was switched


The following steps in configuring a custom flow record:

  1. Define the flow record name.
  2. Set a useful description of the flow record.
  3. Set match criteria for key fields.
  4. Define non-key fields to be collected.

Having the ability to build a custom flow record for a specific and unique use case makes it extremely powerful.

The example below shows a custom flow record called CUSTOM being defined on the router. This example uses the match command to match the IPv4 destination address and the collect command to gather the byte and packet counts. To verify the flow record configuration, the command show flow record CUSTOM can be used.


Configuring and Verifying the Custom Flow Record

Router# configure terminal

Router(config)# flow record CUSTOM

Router(config-flow-record)# description Custom Flow Record for IPv4 Traffic

Router(config-flow-record)# match ipv4 destination address

Router(config-flow-record)# collect counter bytes

Router(config-flow-record)# collect counter packets

Router(config-flow-record)# exit

Router(config)# do show flow record CUSTOM

Now that a custom flow record has been configured, the flow exporter can be created.


Important steps to complete when building a flow exporter:

  1. Define the flow exporter’s name.
  2. Set a useful description of the flow exporter.
  3. Specify the destination of the flow exporter to be used.
  4. Specify the NetFlow version to export.
  5. Specify the UDP port.

In this instance, the exporter that will be created will point to the host that has been used in other examples in this chapter.


Configuring and Verifying the Custom Flow Exporter

Router# configure terminal

Router(config)# flow exporter CUSTOM1

Router(config-flow-exporter)# description EXPORT-TO-NETFLOW-COLLECTOR

Router(config-flow-exporter)# destination

Router(config-flow-exporter)# export-protocol netflow-v9

Router(config-flow-exporter)# transport UDP 999

Router(config-flow-exporter)# exit

Router(config)# exit

Router# sh run flow exporter

Now that a custom flow exporter called CUSTOM has been configured, the flow monitor must be created. Each flow monitor requires a flow record to be assigned to it. Each flow monitor has its own cache, and the flow record provides the layout and how to carve up the cache for the defined traffic defined in the flow record. The flow monitor can use predefined flow records or custom flow records. For the purpose of this section, the CUSTOM flow record is used to illustrate the configuration steps.


High-level steps to configure flow monitor:

  1. Define the flow monitor name.
  2. Set a useful description of the flow monitor.
  3. Specify the flow record to be used.
  4. Specify a cache timeout of 60 for active connections.
  5. Assign the exporter to the monitor.

Configuring a flow monitor is a pretty straightforward task. The cache timeout tells the device to export the cache to the collector every 60 seconds. It is important when creating a flow monitor for the description of the flow monitor to be useful and to map back to the flow record. Similarly, when configuring QoS, it is nice to have the descriptions self-document the intent of what the policy is doing.


Configuring and Verifying the Custom Flow Monitor

Router(config)# flow monitor CUSTOM

Router(config-flow-monitor)# description Uses Custom Flow Record CUSTOM for IPv4$

Router(config-flow-monitor)# record CUSTOM

Router(config-flow-monitor)# cache timeout active 60

Router(config-flow-monitor)# end

Router# show run flow monitor CUSTOM

The next step is to map the flow exporter CUSTOM to the flow monitor CUSTOM.


Configuring and Verifying the Flow Exporter Mapping to the Flow Monitor

Router# configure terminal

Router(config)# flow monitor CUSTOM

Router(config-flow-monitor)# exporter CUSTOM

Router(config-flow-monitor)# end

The final step necessary in enabling Flexible NetFlow is to apply the flow monitor to the interfaces. This step turns on the collection of NetFlow statistics, and it can be enabled for ingress or egress, or both.


Configuring and Verifying the Flow Monitor Interface Commands

Router(config)# interface ethernet1/1

Router(config-if)# ip flow monitor CUSTOM input

Router(config-if)# interface ethernet1/2

Router(config-if)# ip flow monitor CUSTOM input

Router(config-if)# end

The modularity of Flexible NetFlow makes the tool much more scalable and powerful than traditional NetFlow. Having the ability to export to multiple destinations or collectors as well as having the capability of using the tool for security forensics to identify DoS attacks and worm propagation is tremendous.

Download our Free CCNA Study Guide PDF for complete notes on all the CCNA 200-301 exam topics in one book.

We recommend the Cisco CCNA Gold Bootcamp as your main CCNA training course. It’s the highest rated Cisco course online with an average rating of 4.8 from over 30,000 public reviews and is the gold standard in CCNA training: