NetFlow

NetFlow is essentially a detailed phone bill for the network: it provides statistics on IP packets flowing through network devices.

Uses for NetFlow:
 * General network traffic accounting for baseline analysis
 * Usage-based network billing for consumers of network services
 * Network design, including redesigns to include new network devices and applications to meet the needs of growing infrastructures
 * General network security design
 * DoS and DDoS detection and prevention data
 * Ongoing network monitoring

NetFlow captures 'flows' based on unidirectional streams of packets between a specific source system and a specific destination system. Traditional NetFlow captures information about the following:
 * Source IP
 * Destination IP
 * Source port
 * Destination port
 * Layer 3 protocol type
 * ToS marking
 * Input logical interface

NetFlow Configuration
Since NetFlow is unidirectional, you have to enable it for both ingress and egress on an interface if you want to capture traffic coming in and going out. These are the only commands at the interface level.

    int fa 0/0
     ip flow ingress
     ip flow egress

The global config is where you define the capture parameters. You'll need the NetFlow collector info, version and source.

    ip flow-export destination 10.1.10.100 99
    ip flow-export version 9
    ip flow-export source loopback 0

The above config names the IP address and UDP port number of the NetFlow collector. The latest version 9 is also called Flexible NetFlow for its feature set.

    show ip cache flow

NetFlow Verification
This shows the output of the flow statistics:

    R1#show ip cache flow
    IP packet size distribution (0 total packets):
       1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
       .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

        512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
       .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    IP Flow Switching Cache, 278544 bytes
      0 active, 4096 inactive, 0 added
      0 ager polls, 0 flow alloc failures
      Active flows timeout in 30 minutes
      Inactive flows timeout in 15 seconds
    IP Sub Flow Cache, 21640 bytes
      0 active, 1024 inactive, 0 added, 0 added to flow
      0 alloc failures, 0 force free
      1 chunk, 1 chunk added
      last clearing of statistics never
    Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
                     Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow

    SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts

    R1#show ip flow interface
    FastEthernet0/0
      ip flow ingress
      ip flow egress

    R1#show ip flow export
    Flow export v9 is enabled for main cache
      Exporting flows to 10.1.10.100 (99)
      Exporting using source interface Loopback0
      Version 9 flow records
      0 flows exported in 0 udp datagrams
      0 flows failed due to lack of export packet
      0 export packets were sent up to process level
      0 export packets were dropped due to no fib
      0 export packets were dropped due to adjacency issues
      0 export packets were dropped due to fragmentation failures
      0 export packets were dropped due to encapsulation fixup failures
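
What the collector at 10.1.10.100 has to do with each version 9 datagram, as an added example that is not part of the original notes: it learns the record layout from a template flowset, then decodes the seven traditional key fields from data flowsets, checking every length because the export is plain UDP. The names parse_v9, sample_packet and FIELDS and the sample addresses are assumptions made here; the field type numbers come from RFC 3954.

```python
import socket
import struct

# RFC 3954 field type numbers for the seven traditional key fields listed earlier.
FIELDS = {8: "src_ip", 12: "dst_ip", 7: "src_port", 11: "dst_port",
          4: "protocol", 5: "tos", 10: "input_if"}

def parse_v9(packet, templates):
    """Decode one export datagram; `templates` is a dict kept between calls."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a version 9 export packet")
    flows, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")  # lengths arrive over unauthenticated UDP
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: template id, field count, then type/length pairs
            pos = 0
            while pos + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[pos:pos + 4])
                if tid < 256 or pos + 4 + 4 * n > len(body):
                    break  # padding or truncated template
                templates[(source_id, tid)] = list(struct.iter_unpack("!HH", body[pos + 4:pos + 4 + 4 * n]))
                pos += 4 + 4 * n
        elif (source_id, fs_id) in templates:  # data flowset whose template is already known
            spec = templates[(source_id, fs_id)]
            rec_len, pos = sum(flen for _, flen in spec), 0
            while rec_len and pos + rec_len <= len(body):
                rec = {}
                for ftype, flen in spec:
                    raw = body[pos:pos + flen]
                    if ftype in FIELDS:
                        is_ip = ftype in (8, 12) and flen == 4
                        rec[FIELDS[ftype]] = socket.inet_ntoa(raw) if is_ip else int.from_bytes(raw, "big")
                    pos += flen
                flows.append(rec)
        off += fs_len
    return flows

def sample_packet():
    """Constructed datagram: one template (id 256) followed by one flow record."""
    spec = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (5, 1), (10, 2)]
    tmpl = struct.pack("!HH", 256, len(spec)) + b"".join(struct.pack("!HH", *f) for f in spec)
    rec = socket.inet_aton("192.0.2.10") + socket.inet_aton("198.51.100.5") + struct.pack("!HHBBH", 51000, 443, 6, 0, 1)
    flowsets = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(rec)) + rec
    return struct.pack("!HHIIII", 9, 2, 1000, 1700000000, 1, 0) + flowsets
```

Data flowsets that arrive before their template are skipped rather than guessed at, which is why the template dict has to persist between datagrams.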