Monitoring the traffic pattern on a network are essential in today's network.  If network administrators do stay on top of the traffic patterns, they may make crucial mistakes in network provisioning or design.  With the Internet in a constant state of flux as new and hot applications emerge, this task becomes even more important.  Another usage for monitoring the traffic patterns is 'baselining' your network.  This helps in troubleshooting as you can help to understand what is 'normal' and what is 'abnormal'.  Lastly, let's say you are adding a new application in your provider or enterprise network and you want to know what traffic patterns are generated by the application.  These are just some of the use cases for Netflow.

What is Netflow?  

Netflow is a feature that was introduced on Cisco routers that give the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data that is provided by Netflow a network administrator can determine things such as the source and destination of the traffic, class of service, and the cause of congestion. Netflow consists of three components: flow caching, Flow Collector, and Data Analyzer.

Netflow consists of several operations:

  • Monitor - the router is set up to collect the traffic information in or out of an interface.  It is temporariy cached on the router.
  • Exporter - this runs on the router and exports the temporarily cached information to a server or system for analysis.
  • Collector - this is the system, usually a server running software, that collects data from various routers for analysis.

Setting up Netflow

The first thing we need to do is set up an 'exporter' on the router where we want to monitor the traffic.

 

Cell_PE1(config)# flow exporter Flow1

Cell_PE1(config-flow-exporter)# destination 10.0.0.100

Cell_PE1(config-flow-exporter)# transport udp 8088

Cell_PE1(config-flow-exporter)# export-protocol netflow-v9

Cell_PE1(config-flow-exporter)# source gig 2/0

Cell_PE1(config-flow-exporter)# exit

The destination 10.0.0.100 is the IP address of the Collector server.  The transport command specifies the protocol and port number for the Netflow exporter to operate on.  The export-protocol is the version of Netflow you are running.  The source interface is the interface that we are going to be sending this information from - a source IP.

This means that we must have a collector at the IP address 10.0.0.100, listening on port 8088 in this case.  The choice of IP address and port is entirely up to the network administrator.  Click here is a list of some collectors.

 

To verify the exporter, use the following command:

Cell_PE1# show flow exporter Flow1

The next step is to create a monitor that will define exactly what traffic we are going to collect:

Cell_PE1(config)# flow monitor Monitor1

Cell_PE1(config-flow-monitor)# record netwflow ipv4 original-input

Cell_PE1(config-flow-monitor)# exporter Flow1

Cell_PE1(config-flow-monitor)# end

We have created a monitor called Monitor1, and configured it to collect IPv4 traffic.  There are many options in the record netflow command, so have fun creating different monitors.  Then we specify which exporter we are going to use.  In this case we specify the Flow1 expoter configured above.

To verify the configuration of the monitor, use:

Cell_PE1# show flow monitor name Monitor1

The last step is to apply the monitor to an interface on the router, much the same as one would apply an access list, and define the inbound or outbound traffic direction:

Cell_PE1(config)# interface gig 1/0

Cell_PE1(config-if)# ip flow monitor Monitor1 input

Cell_PE1(config-if)# end

We have applied the monitor we created to Gigabit Ethernet Interface 1/0 and we are monitoring the inbound traffic on that interface.

Is it working?  Remember what I said earlier.  The router will cache some of this information before it sends it to the exporter.  The way you can check the local cache is to enter:

Cell_PE1#show flow monitor name Monitor1 cache

This will show you the cache entries.  If you get none, then the monitor has yet to see traffic!  

Certainly, NETFLOW is not your only option to perform this function.  Many administrators use Wireshark for this statistical analysis as well.  That said, Netflow is in Cisco IOS and you can get the collector software for free.

I hope this helps understand the basics of Netflow.

Comments powered by CComment

Did you learn something?
Did I save you time? 

Buy me a coffeeBuy me a coffee!