NetFlow is a network protocol developed by Cisco that is used for network traffic monitoring and analysis. It allows network administrators to collect and view information about the traffic flowing through their network devices, such as routers and switches. A NetFlow server, sometimes referred to as a NetFlow collector or analyzer, is a system or software application that receives and processes NetFlow data from various network devices.
Here’s how NetFlow works:
- Data Export: Network devices like routers and switches generate NetFlow records, which contain information about the traffic passing through them. These records include details like source and destination IP addresses, ports, protocol, and more.
- Data Collection: The NetFlow server is configured to listen for and collect these NetFlow records. This server can be a dedicated hardware appliance or software running on a standard server.
- Data Analysis: Once the NetFlow data is collected, the NetFlow server processes it to create reports and statistics about network traffic. These reports can provide insights into bandwidth utilization, traffic patterns, sources of congestion, and potential security threats.
- Visualization and Reporting: NetFlow servers often have user-friendly interfaces or integrate with network management tools that allow administrators to visualize the data in the form of charts, graphs, and tables. This makes it easier to understand network behavior and make informed decisions.
NetFlow is valuable for various purposes, including network optimization, capacity planning, security monitoring, and troubleshooting. Cisco’s NetFlow protocol has evolved over the years, and there are different versions with varying levels of detail and capabilities, such as NetFlow v5, v9, and IPFIX (which is similar to NetFlow v10).
In this example, we will use one L3 switch, 1 router, 1 server and 3 clients. All three clients will be on different VLANs and we will reach to NetFlow server through a router. Before we proceed to detailed action, you can basically give static IP address as required to all clients and servers. And do not forget to enable NetFlow section on the server. After creating VLANs on the L3 switch, do the necessary routings and then hit some traffic via visiting NetFlow servers HTTP server via IP address etc. Then all the NetFlow data will be collected on the server for visualization.
CONFIGURATION ON L3 CISCO SWITCH
Switch#sh run Building configuration... Current configuration : 1901 bytes ! version 16.3.2 no service timestamps log datetime msec no service timestamps debug datetime msec no service password-encryption ! hostname Switch ! ! ip cef ip routing ! no ipv6 cef ! ! spanning-tree mode pvst ! ! ! interface GigabitEthernet1/0/1 no switchport ip address 192.168.1.1 255.255.255.0 duplex auto speed auto ! interface GigabitEthernet1/0/2 switchport access vlan 10 switchport mode access ! interface GigabitEthernet1/0/3 switchport access vlan 20 switchport mode access ! interface GigabitEthernet1/0/4 switchport access vlan 30 switchport mode access ! interface GigabitEthernet1/0/5 ! interface GigabitEthernet1/0/6 ! interface GigabitEthernet1/0/7 ! interface GigabitEthernet1/0/8 ! interface GigabitEthernet1/0/9 ! interface GigabitEthernet1/0/10 ! interface GigabitEthernet1/0/11 ! interface GigabitEthernet1/0/12 ! interface GigabitEthernet1/0/13 ! interface GigabitEthernet1/0/14 ! interface GigabitEthernet1/0/15 ! interface GigabitEthernet1/0/16 ! interface GigabitEthernet1/0/17 ! interface GigabitEthernet1/0/18 ! interface GigabitEthernet1/0/19 ! interface GigabitEthernet1/0/20 ! interface GigabitEthernet1/0/21 ! interface GigabitEthernet1/0/22 ! interface GigabitEthernet1/0/23 ! interface GigabitEthernet1/0/24 ! interface GigabitEthernet1/1/1 ! interface GigabitEthernet1/1/2 ! interface GigabitEthernet1/1/3 ! interface GigabitEthernet1/1/4 ! interface Vlan1 no ip address ! interface Vlan10 mac-address 0003.e4c5.0b01 ip address 192.168.10.1 255.255.255.0 ! interface Vlan20 mac-address 0003.e4c5.0b02 ip address 192.168.20.1 255.255.255.0 ! interface Vlan30 mac-address 0003.e4c5.0b04 ip address 192.168.30.1 255.255.255.0 ! ip default-gateway 192.168.1.2 ip classless ip route 0.0.0.0 0.0.0.0 192.168.1.2 ! ip flow-export version 9 ! ! ! ! ! ! ! line con 0 ! line aux 0 ! line vty 0 4 login ! ! ! ! end
CONFIGURATION ON CISCO ROUTER
Router(config)#do sh run Building configuration... Current configuration : 688 bytes ! version 15.4 no service timestamps log datetime msec no service timestamps debug datetime msec no service password-encryption ! hostname Router ! ! ! ip cef no ipv6 cef ! ! ! ! spanning-tree mode pvst ! ! ! ! ! ! interface GigabitEthernet0/0/0 ip flow ingress ip address 192.168.1.2 255.255.255.0 duplex auto speed auto ! interface GigabitEthernet0/0/1 ip address 192.168.2.1 255.255.255.0 duplex auto speed auto ! interface Vlan1 no ip address shutdown ! ip classless ip route 0.0.0.0 0.0.0.0 192.168.1.1 ! ip flow-export destination 192.168.2.100 9996 ip flow-export version 9 ! ! ! line con 0 ! line aux 0 ! line vty 0 4 login ! ! ! end Router(config)#
VERIFIYING NETFLOW PROGRESS
Router#show ip cache flow
IP packet size distribution (90 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .978 .000 .022 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
0 active, 4096 inactive, 15 added
2 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
ICMP 1 0.0 2 128 0.0 1.0 7857.0
TCP-HTTP 14 0.0 6 40 0.0 0.0 7857.0
Total: 15 0.0 6 42 0.0 0.1 7857.0
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Router#
NETFLOW MONITOR
Please feel free to contact me if you need any assistance.
Happy networking ๐
