NetFlow Tutorial

July 17th, 2020 in ENCOR Knowledge

Configure NetFlow

NetFlow versions 5 and 9 are the most commonly used today, so this part shows how to configure each of them. We show only the minimum configuration needed to get NetFlow working.

Configure NetFlow version 5

The following configuration enables NetFlow version 5 on the Fa0/1 interface and exports to a NetFlow collector at 10.1.1.1 on UDP port 2055.

Router(config)#interface fa0/1
Router(config-if)#ip route-cache flow
Router(config-if)#exit
Router(config)#ip flow-export destination 10.1.1.1 2055
Router(config)#ip flow-export source fa0/2 //NetFlow will use Fa0/2 as the source IP address for the UDP datagrams sent to the NetFlow Collector
Router(config)#ip flow-export version 5
Router(config)#ip flow-cache timeout active 1 //export flow records every minute.

Note:

+ NetFlow version 5 can inspect inbound traffic only.
+ We can use either the command “ip route-cache flow” or “ip flow ingress” in this case. The former will enable flows on the physical interface and all sub-interfaces associated with it while the latter can be used on sub-interfaces and will enable flows on sub-interfaces only.
+ The last command “ip flow-cache timeout active 1” is necessary for NetFlow to work well. If you leave it at the default of 30 minutes, your traffic reports will have spikes.

Configure NetFlow version 9

To configure NetFlow version 9 (Flexible NetFlow), we need to configure three components:
1. Flow Record
2. Flow Exporter
3. Flow Monitor

The following configuration enables NetFlow version 9 on the Fa0/1 interface and exports to a NetFlow collector at 10.1.1.1 on UDP port 2055.

1. Configure the Flow Record:
Router(config)# flow record TUT_Record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address

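2. Configure the Exporter:
Router(config)# flow exporter TUT_Exporter
Router(config-flow-exporter)# destination 10.1.1.1
Router(config-flow-exporter)# transport udp 2055 //Send to UDP port 2055 (the Flexible NetFlow default is 9995)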

3. Configure the Flow Monitor:
Router(config)# flow monitor TUT_Monitor
Router(config-flow-monitor)# record TUT_Record //Must match the above Flow Record name
Router(config-flow-monitor)# exporter TUT_Exporter //Must match the above Exporter name

4. Apply to an interface:
Router(config)#interface fa0/1
Router(config-if)#ip flow monitor TUT_Monitor input //Monitor the receiving traffic on this interface

Small note: CEF should be enabled on the NetFlow Exporter router when running NetFlow. CEF decides which interface traffic exits the router through. Any NetFlow Collector calculates the OUT traffic for an interface from the Destination Interface value in the NetFlow packets exported by the NetFlow Exporter. If CEF is disabled on this router, the exported NetFlow packets will have “Destination interface” set to “null”, and the NetFlow Collector will show no OUT traffic for the interfaces.

Verification

After finishing configuration, we may need some commands to verify and troubleshoot our NetFlow configuration. Some popular commands used to check the NetFlow operation are listed below:

+ show ip cache flow: display a summary of the NetFlow accounting statistics. The output of this command has been shown above
+ show ip flow export: display the status and the statistics for NetFlow accounting data export, including the main cache and all other enabled caches

Router# show ip flow export
Flow export v5 is enabled for main cache
  Exporting flows to 10.1.1.1 (2055)
  Exporting using source interface FastEthernet0/2
  Version 5 flow records
  39676332 flows exported in 1440719 udp datagrams
  0 flows failed due to lack of export packet
  153 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures

+ show ip flow interface: display the NetFlow accounting configuration on interfaces

R2# show ip flow interface
FastEthernet0/0
  ip route-cache flow

+ show ip flow top-talkers: show which end devices on your network are taking up the most bandwidth

Router# show ip flow top-talkers

SrcIf	SrcIPaddress	DstIf	DstIPaddress	Pr  SrcP  DstP  Bytes
Et0/1	191.168.1.1	Local	192.168.1.254	01  0000  0000  4800
Et0/2	191.168.1.2	Local	192.168.1.254	01  0000  0000  4800
Et0/3	191.168.1.3	Local	192.168.1.254	01  0000  0000  3400
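
As an added example (not part of the original tutorial), the Python check below parses the "show ip flow export" output shown above, confirms that the collector and version match the intended configuration, and reports any non-zero loss counter, since lost export datagrams mean gaps in flow visibility at the collector. The function names parse_flow_export and audit are hypothetical, and the sample text is copied from the output above.

```python
import re

# Output copied from the "show ip flow export" sample above.
SAMPLE = """\
Flow export v5 is enabled for main cache
  Exporting flows to 10.1.1.1 (2055)
  Exporting using source interface FastEthernet0/2
  Version 5 flow records
  39676332 flows exported in 1440719 udp datagrams
  0 flows failed due to lack of export packet
  153 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
"""

V5_MAX_RECORDS = 30  # a NetFlow v5 datagram carries at most 30 flow records

def parse_flow_export(text):
    """Extract collector, version and counters from 'show ip flow export'."""
    info = {"drops": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Exporting flows to (\S+) \((\d+)\)", line):
            info["collector"] = (m.group(1), int(m.group(2)))
        elif m := re.match(r"Version (\d+) flow records", line):
            info["version"] = int(m.group(1))
        elif m := re.match(r"(\d+) flows exported in (\d+) udp datagrams", line):
            info["flows"], info["datagrams"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"(\d+) (?:flows failed|export packets were dropped) due to (.+)", line):
            info["drops"][m.group(2)] = int(m.group(1))
    return info

def audit(info, expected_collector, expected_version=5):
    """Return a list of findings; an empty list means export looks healthy."""
    findings = []
    if info.get("collector") != expected_collector:
        findings.append(f"collector is {info.get('collector')}, expected {expected_collector}")
    if info.get("version") != expected_version:
        findings.append(f"export version is {info.get('version')}")
    findings += [f"{n} lost: {why}" for why, n in info["drops"].items() if n]
    if info.get("datagrams") and info["flows"] / info["datagrams"] > V5_MAX_RECORDS:
        findings.append("more than 30 flows per datagram: counters inconsistent")
    if not info.get("datagrams"):
        findings.append("no datagrams exported")
    return findings

print(audit(parse_flow_export(SAMPLE), ("10.1.1.1", 2055)) or "export healthy")
```

Run it periodically against fresh command output; a finding that appears between two runs points at the interval in which flow records were lost or the export target changed.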

 

Comments
  1. lucky
    December 16th, 2020

    lucky

  2. CCNP Wannabe
    February 18th, 2021

    Again, another fantastic explanation & example. Thank You

  3. Jose
    April 12th, 2021

    Hey, does ENCOR have LABs or only the testlets?
