Flexible NetFlow

General information on “Flexible NetFlow”:

• Extension of the original Netflow v9 that provides even richer and more detailed information
• Allows to gain visibility into Layer 2 (MAC addresses, VLAN IDs), Layer 3/4 and 5-7 through DPI
• Combined with Cisco NBAR it provides DPI for application identification
• Uses UDP as transport protocol

Components of “Flexible NetFlow”:

• Flow Records:
  • Used to analyze traffic data
  • Based on the principle of key fields (match statement) and non-key fields (collect statement)
  • Key fields:
    • Used to characterize the flow
    • For each key fields combination a single entry is created in the Flow Cache
    • Everything that is matched is also collected
  • Non-key fields:
    • Provides additional information that is added to the flow
    • Not used to characterize the flow but to provide additional information
  • Flow Records are assigned to Flow Monitors
• Flow Monitors:
  • Used to “glue” a Flow Record and a Flow Exporter together
  • Applied to an interface to perform network traffic monitoring
  • Can be applied inbound and/or outbound on an interface
• Flow Exporters:
  • Used to export data to a defined NetFlow collector (= server to analyze traffic)
• Flow Samplers:
  • A Flow Sampler limits the number of packets to be captured/exported
  • Instead of all packets, only 1 out of x packets is captured/exported

“Flexible NetFlow” CLI configuration commands:

## Flow Record configuration
Router(config)# flow record [NAME]
Router(config-flow-record)# description <text>
Router(config-flow-record)# match [argument]
Router(config-flow-record)# collect [argument]

## Flow Exporter configuration
Router(config)# flow exporter [NAME]
Router(config-flow-exporter)# description <text>
Router(config-flow-exporter)# destination <ip>

## Flow Monitor configuration
Router(config)# flow monitor [NAME]
Router(config-flow-monitor)# description <text>
Router(config-flow-monitor)# exporter [EXPORTER NAME]
Router(config-flow-monitor)# record [RECORD NAME]

## Flow Sampler configuration
Router(config)# sampler [NAME]
Router(config-sampler)# description <text>
Router(config-sampler)# mode [random | deterministic] 1 out-of <value>

## Applying Flow Monitor to an interface
Router(config)# interface <if>
Router(config-if)# ip flow monitor [MONITOR NAME] sampler [SAMPLER NAME] [input | output | unicast | multicast]