Introduction to Cisco NetFlow

Hi Mr M Y,

The NetFlow cache in a router is limited. By default, active flows are removed from the cache after 30 minutes.

You might like the information from this Cisco article:

After you enable NetFlow on an interface, NetFlow reserves memory to accommodate a number of entries in the NetFlow cache. Normally, the size of the NetFlow cache meets the needs of your NetFlow traffic rates. The cache default size is 64K flow cache entries. Each cache entry requires 64 bytes of storage. About 4 MB of DRAM are required for a cache with the default number of entries. You can increase or decrease the number of entries maintained in the cache, if required. For environments with a large amount of flow traffic (such as an Internet core router), Cisco recommends a larger value such as 131072 (128K). To obtain information on your flow traffic, use the show ip cache flow command.

A NetFlow cache can be resized depending on the platform and the amount of DRAM on a line card. For example, the NetFlow cache size is configurable for software-based platforms such as Cisco 75xx and 72xx series routers. The amount of memory on a Cisco 12000 line card determines how many flows are possible in the cache.

Using the ip flow-cache entries command, configure the size of your NetFlow cache from 1024 entries to 524,288 entries. Use the cache entries command (after you configure NetFlow aggregation) to configure the size of the NetFlow aggregation cache from 1024 entries to 524,288 entries.

About the NTOP tutorial…it’s best to stick to the “official” tutorials for this. I could create one but it’s probably outdated in a few months when they introduce a newer version.

Rene


Thanks for a crisp explanation.
However, I wanted to understand further usage of NetFlow. Can it only be used to monitor traffic patterns, or can it also be used to increase network performance?

Any example that you can share will be great.

Thanks

Hello Rene,

I was reading an article about NetFlow specific to IOS XE. I read a few terms called:

  1. Netflow Monitor
  2. Flow record
  3. netflow exporter

Can you please help in understanding how they are separate from each other?

Thanks
Abhishek

Abhishek,
Netflow is used just for information gathering. It does not take action on its own. To do that, you can use a feature called Performance Routing (PfR). PfR actually does use Netflow in something called PfR passive mode to help it make decisions about how to optimize your environment.

If you are interested in learning more about PfR, here is a good introduction

Many Thanks Andrew. It clears the doubt.

Hi,
Can you post about enabling NetFlow on ASA?

Hi sims,

I will forward your request to Rene.

I would advise that you can put your ideas for the new lessons here: https://networklessons.com/member-ideas/
In this way, there will be votes so Rene can prepare topics that are more requested than others.

Hello Rene!!

Can you show us how to use the NTOP server?

Hi Diana,

It’s best to check the NTOP website for this. I used NTOP since it’s open source and available to everyone.

If I would write about NTOP, the information is probably outdated in a few months.

Rene


Hi Gents,

Can netflow be configured on a dialer interface?

Hello Ian

Yes, it is possible to configure netflow on a dialer interface. Just keep in mind that whenever you do so, you must also configure netflow on the associated virtual interface as well. This is because the dialer interface will send ONLY outbound traffic to the netflow server while the virtual interface will send ONLY inbound traffic. This is because of the nature of the relationship between dialer and virtual interfaces. According to Cisco:

This is the expected behaviour. Traffic leaves the router via the Dialer interface, as dictated by the IP routing table. Traffic enters the router via the Virtual-Access interface.

This is just the way Cisco has implemented routing via dialer interfaces.

I hope this has been helpful!

Laz

I think there is a typo here, see below. You say “can’t”; I think you mean “can”?

One of the things we can’t do with those tools is tracking all flows in our network. A flow is a stream of packets that share the same characteristics like source/destination port, source/destination address, protocol, type, service marking, etc.

NM, you were talking about SNMP and NBAR, not NetFlow. I see now. My bad.


The commands to change this are here if anyone is interested: https://www.cisco.com/c/en/us/td/docs/ios/fnetflow/command/reference/fnf_book/fnf_01.html

Also wondering where flow exporters come into this?

E.g. configuring an exporter, then a monitor, then applying that to an interface.

Can we use a hostname for NetFlow configuration on Cisco instead of an IP address?

Hello Sandeep

Looking at several of the Cisco commands for Netflow, it does look like you can use the hostname instead of the IP address. Take a look at this command reference documentation for Netflow on Cisco which includes either IP address or hostname for most commands.

I hope this has been helpful!

Laz

Hello Chris

Flow exporters are used to export Flexible NetFlow data to remote systems such as a UNIX server running NetFlow collector. You can find out more about them at this Cisco documentation which includes prerequisites, restrictions and additional information.

I hope this has been helpful!

Laz

Hi Laz,

Just wondering in which circumstances you would use an exporter and in which ones you would use this lesson’s methods.

Both appear to do the same thing - export data to an external server.

You can also configure Flow Records, Flow Monitors (link record to the monitor), and then apply the flow monitors to the interface.

Hi Chris,

The commands I used in this lesson are a quick way to get netflow up and running and export everything. The exporter is better to use in production.

You can create a different exporter for different traffic types and use different settings per exporter.

Rene
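The record, exporter and monitor pieces discussed in this thread, put together as an added example (not taken from the lesson or from any poster's router). It uses one exporter per traffic type, here IPv4 and IPv6. All object names, the collector addresses (192.0.2.0/24 documentation range), the second UDP port and the interface are assumptions.

```cisco
! Flow record: defines WHAT a flow is (match = key fields) and what is counted (collect)
flow record REC-V4
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
!
flow record REC-V6
 match ipv6 source address
 match ipv6 destination address
 match ipv6 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
!
! Flow exporter: defines WHERE and HOW the data is sent (one per collector, own settings)
flow exporter EXP-V4
 destination 192.0.2.10          ! constructed collector address
 source FastEthernet0/0          ! fixed source so the collector can filter on it
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
!
flow exporter EXP-V6
 destination 192.0.2.20          ! constructed second collector
 source FastEthernet0/0
 transport udp 9995              ! constructed port, different from the IPv4 exporter
 export-protocol netflow-v9
!
! Flow monitor: the cache itself; ties one record to one or more exporters
flow monitor MON-V4
 record REC-V4
 exporter EXP-V4
 cache timeout active 60
!
flow monitor MON-V6
 record REC-V6
 exporter EXP-V6
!
! The monitors only start collecting once applied to an interface and direction
interface FastEthernet0/1
 ip flow monitor MON-V4 input
 ipv6 flow monitor MON-V6 input
```

`show flow monitor MON-V4 cache` shows the flows currently held in the cache, and `show flow exporter EXP-V4 statistics` shows whether export packets are actually being sent to the collector.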

I see you have a PC. Is it supposed to reach the internet? I set up this lab in GNS3, then added NAT and had to change one interface to ip address dhcp. Then my router could get to the internet but the PC could not. In order for my inside network to reach the internet I would need to set up NAT on my R1 router as well. In order for this lab to work, do we need to have that internet access, or were the other items just kind of for looks and didn’t really need to reach the internet?

This does not seem to be working for me. Hmm, I added an application called ntopng, which I thought was the same app. Here is my topology:

I then ran the commands but didn’t seem to get all the information as you did.

Basically my config is below, though I need to change something as my Firefox browser is not getting to the internet and I cannot ping 8.8.8.8 from the Linux command prompt… I had not really focused on that as I was messing with NetFlow.

hostname R1
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1
 ip address dhcp
 ip flow ingress
 ip nat outside
!
ip flow-export source FastEthernet0/0
ip flow-export version 9
ip flow-export destination 192.18.1.1 2055
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit any
!
end

When I looked at the ntopng website it said no traffic… :*(