Internetworks: What is NetFlow and Flexible NetFlow? How to configure NetFlow?

Sunday 21 May 2023

What is NetFlow and Flexible NetFlow? How to configure NetFlow?

NetFlow is a software feature set in Cisco IOS that is designed to provide network administrators information about what is happening in the network. NetFlow is a protocol that monitors and analyzes network traffic flow. NetFlow has been included in Cisco IOS for a long time and has evolved through several versions 1, 5, and 9 current version is 9. It's also called Cisco Flexible NetFlow.

Flexible NetFlow is an extension of Traditional NetFlow. it is advanced and next-generation NetFlow technology. This flexible NetFlow provides deep packet inspection with uses NBAR for 2 to 7 layers of data can be analyzed.

We have three types of flows in flexible NetFlow

Normal cache

Permanent cache

Immediate cache

Flexible NetFlow components are: -

Records: flow are a set of predefined and user-defined key fields such as source IP address, source port destination IP address, and so on).

Flow monitors: this component is used to monitor network traffic. this is applied to an interface, flow monitor includes records, cache, and optionally a flow exporter. this component (flow monitor) collects information about flows.

Flow exporters: flow exporters export the cached flow information to a server running a NetFlow collector.

Flow samplers: this component is used to reduce the load on NetFlow-enabled devices. Sampler allows specifying the sample size of traffic.

Let’s configure NetFlow components one by one

Topology:

Goal:

configure the topology as per the diagram
configure IP addresses as per the topology
configure routing between routers
configure Flow Record
configure Exporter flow
configure Monitor flow
verify with show commands

R1(config)#interface ethernet 3/0

R1(config-if)#ip address 10.1.1.1 255.0.0.0

R1(config-if)#no shutdown

R1(config-if)#exit

R1(config)#interface fastEthernet 1/1

R1(config-if)#ip address 192.168.1.1 255.255.255.0

R1(config-if)#no shutdown

R1(config-if)#exit

R1(config)#do show ip int br

Interface IP-Address OK? Method Status Protocol

FastEthernet1/1 192.168.1.1 YES manual up up

Ethernet3/0 10.1.1.1 YES manual up up

R2(config)#interface fastEthernet 1/1

R2(config-if)#ip address 192.168.1.2 255.255.255.0

R2(config-if)#no shutdown

R2(config-if)#exit

R2(config)#interface fastEthernet 0/0

R2(config-if)#ip address 20.1.1.1 255.0.0.0

R2(config-if)#no shutdown

R2(config-if)#exit

R2(config)#do show ip int br

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 20.1.1.1 YES manual up up

FastEthernet1/1 192.168.1.2 YES manual up up

(Assigning IP addresses on PCs)

PC1> show ip all

NAME IP/MASK GATEWAY MAC DNS

PC1 10.1.1.2/8 10.1.1.1 00:50:79:66:68:01

PC2> show ip all

NAME IP/MASK GATEWAY MAC DNS

PC2 10.1.1.3/8 10.1.1.1 00:50:79:66:68:00

PC3> show ip all

NAME IP/MASK GATEWAY MAC DNS

PC3 10.1.1.4/8 10.1.1.1 00:50:79:66:68:03

PC4> show ip all

NAME IP/MASK GATEWAY MAC DNS

PC4 10.1.1.5/8 10.1.1.1 00:50:79:66:68:02

PC5> show ip all

NAME IP/MASK GATEWAY MAC DNS

PC5 10.1.1.6/8 10.1.1.1 00:50:79:66:68:04

PC6> show ip all

NAME IP/MASK GATEWAY MAC DNS

PC6 10.1.1.7/8 10.1.1.1 00:50:79:66:68:05

PC7> show ip all

NAME IP/MASK GATEWAY MAC DNS

PC7 10.1.1.8/8 10.1.1.1 00:50:79:66:68:06

PC8> show ip all

NAME IP/MASK GATEWAY MAC DNS

PC8 10.1.1.9/8 10.1.1.1 00:50:79:66:68:07

PC9> show ip all

NAME IP/MASK GATEWAY MAC DNS

PC9 20.1.1.2/8 20.1.1.1 00:50:79:66:68:08

R1(config)#router eigrp 100

R1(config-router)#network 192.168.1.0

R1(config-router)#network 10.0.0.0

R1(config-router)#no auto-summary

R1(config-router)#exit

R2(config)#router eigrp 100

R2(config-router)#network 20.0.0.0

R2(config-router)#network 192.168.1.0

R2(config-router)#no auto-summary

R2(config-router)#exit

R1(config)#flow record netflow-record

R1(config-flow-record)#match ipv4 tos

R1(config-flow-record)#match ipv4 protocol

R1(config-flow-record)#match ipv4 source address

R1(config-flow-record)#match ipv4 destination address

R1(config-flow-record)#match transport source-port

R1(config-flow-record)#match transport destination-port

R1(config-flow-record)#match interface input

R1(config-flow-record)#collect interface output

R1(config-flow-record)#collect counter bytes

R1(config-flow-record)#collect counter packet

R1(config-flow-record)#exit

R1#show flow record netflow-record

flow record netflow-record:

Description: User defined

No. of users: 0

Total field space: 30 bytes

Fields:

match ipv4 tos

match ipv4 protocol

match ipv4 source address

match ipv4 destination address

match transport source-port

match transport destination-port

match interface input

collect interface output

collect counter bytes

collect counter packets

R1(config)#flow exporter netflow-exporter

R1(config-flow-exporter)#destination 192.168.1.2

R1(config-flow-exporter)#export-protocol netflow-v9

R1(config-flow-exporter)#transport udp 9999

R1(config-flow-exporter)#exit

R1(config)#end

R1#show flow exporter netflow-exporter

Flow Exporter netflow-exporter:

Description: User defined

Export protocol: NetFlow Version 9

Transport Configuration:

Destination IP address: 192.168.1.2

Source IP address: 192.168.1.1

Transport Protocol: UDP

Destination Port: 9999

Source Port: 62882

DSCP: 0x0

TTL: 255

Output Features: Not Used

(Generate traffic flow using ping from PCs)

R1#show ip cache flow

IP packet size distribution (356 total packets):

1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480

.050 .050 .898 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608

.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes

10 active, 65526 inactive, 85 added

1554 ager polls, 0 flow alloc failures

Active flows timeout in 30 minutes

Inactive flows timeout in 15 seconds

IP Sub Flow Cache, 533256 bytes

0 active, 16384 inactive, 0 added, 0 added to flow

0 alloc failures, 0 force free

1 chunk, 1 chunk added

last clearing of statistics never

Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)

-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow

UDP-other 18 0.0 1 28 0.0 0.0 15.5

ICMP 57 0.0 5 82 0.0 4.2 15.4

Total: 75 0.0 4 79 0.0 3.2 15.4

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

Fa1/1 20.1.1.2 Et3/0* 10.1.1.5 01 0000 0800 5

Et3/0 10.1.1.9 Fa1/1 20.1.1.2 01 0000 0800 5

Et3/0 10.1.1.7 Fa1/1 20.1.1.1 01 0000 0800 5

Et3/0 10.1.1.6 Fa1/1 20.1.1.2 01 0000 0800 5

Et3/0 10.1.1.8 Fa1/1 20.1.1.1 01 0000 0800 5

Et3/0 10.1.1.5 Fa1/1 20.1.1.2 01 0000 0000 5

Fa1/1 20.1.1.2 Et3/0* 10.1.1.9 01 0000 0000 5

Fa1/1 20.1.1.1 Et3/0* 10.1.1.7 01 0000 0000 5

Fa1/1 20.1.1.2 Et3/0* 10.1.1.6 01 0000 0000 5

Fa1/1 20.1.1.1 Et3/0* 10.1.1.8 01 0000 0000 5

R1(config)#flow monitor netflow-monitor

R1(config-flow-monitor)#record netflow ipv4 original-input

R1(config-flow-monitor)#cache timeout active 30

R1(config-flow-monitor)#exporter netflow-exporter

R1(config-flow-monitor)#exit

R1(config)#end

R1#show flow monitor

Flow Monitor netflow-monitor:

Description: User defined

Flow Record: netflow ipv4 original-input

Flow Exporter: netflow-exporter (inactive)

Cache:

Type: normal

Status: not allocated

Size: 4096 entries / 0 bytes

Inactive Timeout: 15 secs

Active Timeout: 30 secs

Update Timeout: 1800 secs

R1(config)#interface ethernet 3/0

R1(config-if)#ip flow monitor netflow-monitor input

R1(config-if)#ip flow monitor netflow-monitor output

R1(config-if)#exit

R1#show flow monitor netflow-monitor statistics

Cache type: Normal

Cache size: 4096

Current entries: 0

High Watermark: 18

Flows added: 22

Flows aged: 22

- Active timeout ( 30 secs) 0

- Inactive timeout ( 15 secs) 22

- Event aged 0

- Watermark aged 0

- Emergency aged 0

(Generate traffic flow using ping from PCs)

R1#show flow monitor netflow-monitor cache

Cache type: Normal

Cache size: 4096

Current entries: 0

High Watermark: 18

Flows added: 22

Flows aged: 22

- Active timeout ( 30 secs) 0

- Inactive timeout ( 15 secs) 22

- Event aged 0

- Watermark aged 0

- Emergency aged 0

There are no cache entries to display.

R1#show flow monitor netflow-monitor cache

Cache type: Normal

Cache size: 4096

Current entries: 4

High Watermark: 18

Flows added: 26

Flows aged: 22

- Active timeout ( 30 secs) 0

- Inactive timeout ( 15 secs) 22

- Event aged 0

- Watermark aged 0

- Emergency aged 0

IPV4 SOURCE ADDRESS: 192.168.1.2

IPV4 DESTINATION ADDRESS: 10.1.1.4

TRNS SOURCE PORT: 49206

TRNS DESTINATION PORT: 33437

INTERFACE INPUT: Fa1/1

FLOW SAMPLER ID: 0

IP TOS: 0x00

IP PROTOCOL: 17

ip source as: 0

ip destination as: 0

ipv4 next hop address: 10.1.1.4

ipv4 source mask: /24

ipv4 destination mask: /8

tcp flags: 0x00

interface output: Et3/0

counter bytes: 28

counter packets: 1

timestamp first: 18:25:30.319

timestamp last: 18:25:30.319

IPV4 SOURCE ADDRESS: 10.1.1.4

IPV4 DESTINATION ADDRESS: 192.168.1.2

TRNS SOURCE PORT: 0

TRNS DESTINATION PORT: 771

INTERFACE INPUT: Et3/0

FLOW SAMPLER ID: 0

IP TOS: 0x00

IP PROTOCOL: 1

ip source as: 0

ip destination as: 0

ipv4 next hop address: 192.168.1.2

ipv4 source mask: /8

ipv4 destination mask: /24

Thank you so much for visiting. please click the YouTube channel link https://youtu.be/D0t29ZdO09I and subscribe.

Internetworks

Pages

Sunday 21 May 2023

What is NetFlow and Flexible NetFlow? How to configure NetFlow?

No comments:

What is Virtual Router Redundancy Protocol (VRRP)? How to configure Virtual Router Redundancy Protocol (VRRP)?