Understanding NetFlow: Overview, Configuration, Verification

NetFlow is a network protocol system created by Cisco that collects active IP network traffic as it flows in or out of an interface. The NetFlow data is then analyzed to create a picture of network traffic flow and volume — hence the name: NetFlow.

IT professionals use the NetFlow protocol as a network traffic analyzer to determine the point of origin, destination, volume, and path of traffic through the network. Before NetFlow, network engineers and administrators used Simple Network Management Protocol (SNMP) for network traffic analysis and monitoring.

While SNMP was effective for network monitoring and capacity planning, it did not provide detailed insight into bandwidth usage. NetFlow is now part of an Internet Engineering Task Force (IETF) standard as Internet Protocol Flow Information eXport (IPFIX), which is based on the NetFlow Version 9 implementation, and the protocol is widely implemented by network equipment vendors.

Gathering statistics about a network during its operation is useful and important, and statistical information on traffic flow is needed for a number of reasons. Some businesses, such as service providers, use it for customer billing. Others use it to determine whether traffic is flowing optimally through the network. Some use it for troubleshooting when the network is not performing correctly. NetFlow is very versatile and provides a wealth of information without much configuration burden.

NetFlow has two components that must be configured: Data Capture and Data Export. Data Capture captures the traffic statistics. Data Export exports the statistical data to a NetFlow collector, such as Cisco DNA Center or Cisco Prime Infrastructure. Examples of each are provided in this section.

There are a couple of things to note from a design perspective before enabling NetFlow. First, NetFlow consumes memory resources: the traffic statistics are captured in the memory cache. The default size of this cache is platform specific and should be checked before NetFlow is enabled, especially on older platforms that may have less memory available. Second, NetFlow captures traffic on both ingress and egress, that is, traffic coming into the network device as well as traffic leaving it. Below is a list of the types of ingress and egress traffic collected with NetFlow Version 9 on a Cisco IOS device.


NetFlow Ingress and Egress Collected Traffic Types

Ingress:
    • IP to IP packets
    • IP to Multiprotocol Label Switching (MPLS) packets
    • Frame Relay terminated packets
    • ATM terminated packets

Egress:
    • NetFlow accounting for all IP traffic packets
    • MPLS to IP packets

NetFlow collects traffic based on flows. A Cisco NetFlow flow is a unidirectional traffic stream identified by a combination of the following key fields:

    • Source IP address
    • Destination IP address
    • Source port number
    • Destination port number
    • Layer 3 protocol type
    • Type of service (ToS)
    • Input logical interface
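To make the flow definition concrete, here is an added example (it is not code from the original article or from any Cisco product) that folds packet metadata into unidirectional flow records keyed on exactly the seven fields listed above. The packet records, field names, interface labels and the active-timeout value are constructed for this illustration. Because a flow is unidirectional, a single TCP session shows up as two flows, one per direction, which is what a NetFlow cache on a router would hold as well.

```python
"""Added example (not from the original article): aggregate packets into unidirectional
NetFlow-style flows keyed on the seven key fields. Packet metadata is constructed inline;
the field names, interface labels and active-timeout value are this example's own."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One tuple of the seven key fields identifies a flow; change any field and you get a new flow.
FlowKey = Tuple[str, str, int, int, int, int, str]


@dataclass
class Flow:
    key: FlowKey
    packets: int = 0
    octets: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


def flow_key(pkt: dict) -> FlowKey:
    """Extract the key fields in the order the article lists them."""
    return (pkt["src_ip"], pkt["dst_ip"], pkt["src_port"], pkt["dst_port"],
            pkt["protocol"], pkt["tos"], pkt["in_if"])


def build_flows(packets: List[dict], active_timeout: float = 1800.0) -> List[Flow]:
    """Fold packets into flow records.

    A flow lives in the cache until it is exported. Here a flow is exported early when it
    exceeds the active timeout, so a long-lived session produces several records instead
    of one unbounded cache entry (the memory concern the article raises).
    """
    cache: Dict[FlowKey, Flow] = {}
    exported: List[Flow] = []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        key = flow_key(pkt)
        flow = cache.get(key)
        if flow is not None and pkt["ts"] - flow.first_seen >= active_timeout:
            exported.append(cache.pop(key))  # active timeout: export and start a new record
            flow = None
        if flow is None:
            flow = Flow(key=key, first_seen=pkt["ts"], last_seen=pkt["ts"])
            cache[key] = flow
        flow.packets += 1
        flow.octets += pkt["length"]
        flow.last_seen = pkt["ts"]
    # Flush whatever is still cached (a real device does this on inactive timeout or cache flush)
    return exported + list(cache.values())


def _pkt(ts, src_ip, dst_ip, src_port, dst_port, protocol, length, in_if, tos=0):
    return dict(ts=ts, src_ip=src_ip, dst_ip=dst_ip, src_port=src_port, dst_port=dst_port,
                protocol=protocol, tos=tos, in_if=in_if, length=length)


# Constructed sample: one HTTPS session seen in both directions plus one DNS query.
SAMPLE_PACKETS = [
    _pkt(0.0, "192.168.10.20", "10.0.0.5", 51000, 443, 6, 74, "Gi0/1"),
    _pkt(0.1, "10.0.0.5", "192.168.10.20", 443, 51000, 6, 74, "Gi0/0"),
    _pkt(0.2, "192.168.10.20", "10.0.0.5", 51000, 443, 6, 517, "Gi0/1"),
    _pkt(0.3, "10.0.0.5", "192.168.10.20", 443, 51000, 6, 1514, "Gi0/0"),
    _pkt(0.4, "192.168.10.31", "192.168.10.1", 40000, 53, 17, 82, "Gi0/1"),
]


def flow_summary(packets=SAMPLE_PACKETS, active_timeout=1800.0):
    """Return (src_ip, dst_ip, dst_port, packets, bytes) per flow, largest flow first."""
    flows = build_flows(packets, active_timeout)
    rows = [(f.key[0], f.key[1], f.key[3], f.packets, f.octets) for f in flows]
    return sorted(rows, key=lambda r: r[4], reverse=True)


if __name__ == "__main__":
    for row in flow_summary():
        print("%-15s -> %-15s :%-5d pkts=%d bytes=%d" % row)
```

Running the block prints three flows for five packets: the two directions of the HTTPS session are separate flows because the source and destination fields are swapped, and the DNS query is a third. Passing a smaller active timeout splits a long-running flow into several exported records.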


Configuring NetFlow

The following configuration exports Version 9 flow records to a collector at 192.168.10.1 on UDP port 2055, sources the export packets from GigabitEthernet 0/0, and enables flow collection on GigabitEthernet 0/1:

Router1# configure terminal
Router1(config)#ip flow-export destination 192.168.10.1 2055
Router1(config)#ip flow-export version 9
Router1(config)#ip flow-export source GigabitEthernet 0/0
Router1(config)#interface GigabitEthernet 0/0
Router1(config-if)#ip address 192.168.10.254 255.255.255.0
Router1(config-if)#interface GigabitEthernet 0/1
Router1(config-if)#ip route-cache flow

Verifying NetFlow

Another useful NetFlow option is the ability to display a specified number of the top talkers on the network. A quick configuration provides a snapshot of what is happening on a device from a flow perspective. The show ip flow export command confirms that export is enabled and shows the export source, destination, and counters:

Router1#show ip flow export
Flow export v9 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 192.168.10.254 (FastEthernet0/0)
Destination(1) 192.168.10.1 (2055)
Version 9 flow records
433 flows exported in 28 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
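The configuration above sends Version 9 datagrams to the collector at 192.168.10.1 on UDP port 2055, and the show output counts them. As an added example, not part of the original article or of any Cisco or collector software, the following Python code builds a constructed v9 datagram in that wire format, decodes it the way a collector on the receiving side would, and ranks sources by bytes, which is the same idea as the top-talkers snapshot. The field type numbers and layout follow RFC 3954; the record values, template ID 256, uptime and timestamp values, and function names are this example's own.

```python
"""Added example (not from the original article): encode and decode a NetFlow v9 export
datagram (RFC 3954 layout) and rank sources by bytes. Record values are constructed."""
import socket
import struct
from typing import Dict, List, Optional, Tuple

# v9 field type numbers (RFC 3954) used in the constructed template, with their byte lengths.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 5: "src_tos", 7: "src_port",
               8: "src_addr", 10: "input_snmp", 11: "dst_port", 12: "dst_addr"}
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (5, 1), (10, 2), (1, 4), (2, 4)]
TEMPLATE_ID = 256  # data template IDs start at 256; flowset IDs 0 and 1 carry templates
ADDR_FIELDS = (8, 12)


def build_v9_datagram(records: List[dict], seq: int = 1, source_id: int = 0) -> bytes:
    """Pack one template flowset followed by one data flowset (constructed exporter side)."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    body = b""
    for rec in records:
        for ftype, flen in TEMPLATE_FIELDS:
            value = rec[FIELD_NAMES[ftype]]
            body += socket.inet_aton(value) if ftype in ADDR_FIELDS else int(value).to_bytes(flen, "big")
    body += b"\x00" * ((-len(body)) % 4)  # flowsets are padded to a 4-byte boundary
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body
    # Header: version, record count (template + data records), sysUptime, unix secs, sequence, source ID
    header = struct.pack("!HHIIII", 9, 1 + len(records), 123456, 1700000000, seq, source_id)
    return header + template_fs + data_fs


def parse_v9(data: bytes, templates: Optional[Dict[int, List[Tuple[int, int]]]] = None) -> dict:
    """Decode a v9 datagram. `templates` persists across datagrams, as a collector must keep it."""
    if templates is None:
        templates = {}
    version, count, _uptime, _secs, seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 datagram (version %d)" % version)
    flows: List[dict] = []
    offset = 20
    while offset + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[offset:offset + 4])
        if fs_len < 4:
            raise ValueError("malformed flowset length")  # would otherwise loop forever
        body = data[offset + 4:offset + fs_len]
        if fs_id == 0:  # template flowset, possibly holding several template records
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                  for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256:  # data flowset; flowset ID 1 (options template) is skipped here
            fields = templates.get(fs_id)
            # Without the template the records cannot be decoded: drop them, as a collector
            # does until the exporter resends its templates. Padding (< 4 bytes) never forms
            # a record because every real record is longer than that.
            rec_len = sum(l for _, l in fields) if fields else 0
            pos = 0
            while rec_len and pos + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    raw = body[pos:pos + flen]
                    pos += flen
                    name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                    rec[name] = (socket.inet_ntoa(raw) if ftype in ADDR_FIELDS and flen == 4
                                 else int.from_bytes(raw, "big"))
                flows.append(rec)
        offset += fs_len
    return {"seq": seq, "source_id": source_id, "count": count, "flows": flows}


def top_talkers(flows: List[dict], n: int = 3) -> List[Tuple[str, int]]:
    """Total bytes per source address, highest first (the top-talkers idea, sorted by bytes)."""
    totals: Dict[str, int] = {}
    for f in flows:
        totals[f["src_addr"]] = totals.get(f["src_addr"], 0) + f["in_bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed records: an HTTPS session in both directions plus a DNS query.
SAMPLE_RECORDS = [
    dict(src_addr="192.168.10.20", dst_addr="10.0.0.5", src_port=51000, dst_port=443,
         protocol=6, src_tos=0, input_snmp=1, in_bytes=48000, in_pkts=60),
    dict(src_addr="10.0.0.5", dst_addr="192.168.10.20", src_port=443, dst_port=51000,
         protocol=6, src_tos=0, input_snmp=2, in_bytes=910000, in_pkts=700),
    dict(src_addr="192.168.10.31", dst_addr="192.168.10.1", src_port=40000, dst_port=53,
         protocol=17, src_tos=0, input_snmp=1, in_bytes=120, in_pkts=2),
]

if __name__ == "__main__":
    datagram = build_v9_datagram(SAMPLE_RECORDS)
    decoded = parse_v9(datagram)
    print("seq=%d records=%d flows=%d" % (decoded["seq"], decoded["count"], len(decoded["flows"])))
    for src, nbytes in top_talkers(decoded["flows"]):
        print("%-15s %d bytes" % (src, nbytes))
```

Two collector-side details are worth noticing in the code. Templates are sent separately from data, so a datagram whose template has not been seen yet yields no flows until the exporter resends it; that is why the "flows exported" counter on the router can climb while a freshly started collector shows nothing. And a flowset length below 4 is rejected before it can drive the offset loop into an endless cycle, a check any parser of attacker-reachable UDP input should make.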
