What is NetFlow:
NetFlow is a Cisco feature that collects statistics and information on IP traffic as it enters or exits an interface. NetFlow gives operators network and security monitoring, network planning, traffic analysis, and IP accounting capabilities.
Cisco NX-OS supports both traditional NetFlow (Version 5) and Flexible NetFlow (Version 9) export formats, but Flexible NetFlow is the recommended choice on Nexus platforms. With traditional NetFlow, the exported keys and fields are fixed and only IPv4 flows are supported. By default, a flow is defined by seven unique keys:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol type
- TOS byte (DSCP markings)
- Input logical interface (ifindex)
NetFlow Version 9 (Flexible NetFlow) is template based, so users can specify which data is exported.
NetFlow Configuration Steps:
Step 1. Enable the NetFlow feature:
The first step is to enable the NetFlow feature on the Nexus device.
Step 2. Define a flow record by specifying the key and non-key fields of interest:
Users can select the collect parameters for either Version 5 or Version 9, except for the IPv6 parameters, which are available only with Version 9.
* Flow record for L2 traffic:
! Flow record for Layer 2 Traffic
flow record Bil2
 match datalink mac source-address
 match datalink mac destination-address
 match datalink vlan
 match datalink ethertype
 collect counter packets
 collect flow sampler id
* Flow record for L3 traffic:
! Flow Record for Layer 3 Traffic
flow record Bil3
 match ipv4 source address
 match ipv4 destination address
 match ip protocol
 match ip tos
 collect timestamp sys-uptime last
 collect flow sampler id
 collect ip version
Step 3: Define a flow exporter:
NetFlow data is exported to a remote collector in UDP datagrams. The data is exported periodically when a user-configurable flow timeout expires. The default flow timeout value is 30 minutes.
The NetFlow standard (RFC 3954) does not mandate a specific listening port. The most common UDP port used by NetFlow is 2055, but other ports, such as 9555, 9995, 9025, and 9026, can also be used.
Under the flow exporter, the following fields are defined:
- Collector IPv4/IPv6 address
- Source interface
- Virtual Routing and Forwarding (VRF)
- UDP port number
flow exporter Bil_Flow_Exp
 destination 192.168.4.1 use-vrf management
 transport udp 2055
 source mgmt0
 version 9
Step 4: Define and apply the flow monitor to an interface:
Bind the flow record and the flow exporter to a flow monitor. Once the flow monitor is defined, it can be attached to an interface to collect NetFlow statistics.
flow monitor FL_MON
 record Bil3
 exporter Bil_Flow_Exp
!
interface Eth3/31-32
 ip flow monitor FL_MON input
 ip flow monitor FL_MON output
Verify the configuration and the hardware flow table with:
#show run netflow
#show hardware flow ip
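As an added example (not code from the original post or from Cisco), the following Python decoder shows what the collector on UDP 2055 receives from the Version 9 exporter configured above: a template flowset that describes the record layout, followed by data flowsets that are only decodable once that template is known. The sample packet is constructed here to mirror the fields of the Bil3 record; field type numbers are the RFC 3954 values, and the addresses and counters are made-up sample data.

```python
import struct
from ipaddress import IPv4Address

# RFC 3954 field type ids for the fields the Bil3 record exports (subset)
FIELD_NAMES = {8: "ipv4_src", 12: "ipv4_dst", 4: "protocol", 5: "tos",
               21: "last_switched", 48: "sampler_id", 60: "ip_version"}

def build_sample_packet():
    """Constructed v9 export: a template flowset (id 0) followed by one data flowset."""
    fields = [(8, 4), (12, 4), (4, 1), (5, 1), (21, 4), (48, 1), (60, 1)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, n) for t, n in fields)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec = (IPv4Address("10.1.1.5").packed + IPv4Address("192.168.4.1").packed
           + bytes([6, 0x28]) + struct.pack("!I", 123456) + bytes([1, 4]))
    data_set = struct.pack("!HH", 256, 4 + len(rec)) + rec
    header = struct.pack("!HHIIII", 9, 2, 5000, 1700000000, 1, 0)  # version, count, uptime, secs, seq, source id
    return header + tmpl_set + data_set

def parse_v9(packet, templates=None):
    """Decode one v9 packet. Returns (templates, flows); templates persist across
    calls, so data flowsets that arrive before their template are skipped, not misread."""
    templates = {} if templates is None else templates
    version = struct.unpack("!H", packet[:2])[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    flows, off = [], 20  # 20-byte packet header
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack("!HH", packet[off:off + 4])
        if set_len < 4:
            break  # malformed length: stop rather than spin
        body, off = packet[off + 4:off + set_len], off + set_len
        if set_id == 0:  # template flowset, may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[pos:pos + 4])
                templates[tid] = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i]) for i in range(n)]
                pos += 4 + 4 * n
        elif set_id >= 256 and set_id in templates:  # data flowset with a known template
            spec = templates[set_id]
            rec_len = sum(n for _, n in spec)
            if rec_len == 0:
                continue
            for pos in range(0, len(body) - rec_len + 1, rec_len):
                flow, p = {}, pos
                for ftype, flen in spec:
                    raw, p = body[p:p + flen], p + flen
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    flow[name] = str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                flows.append(flow)
    return templates, flows
```

Because templates are sent only periodically, a collector started mid-stream sees data flowsets it cannot decode until the next template refresh; the parser above drops those rather than guessing a layout.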