Introduction to Cisco NetFlow

(Rene Molenaar) #41

Hi Brian,

I used an Internet connection here just to have some interesting traffic to look at.

In this lesson, I used ntop in the screenshots but nowadays you can try ntopng.

Installing ntopng and making it work with netflow can be a pain. There’s a docker image where someone pre-configured ntopng to accept netflow traffic on UDP 2055. I haven’t tested it (yet) but it’s probably much easier than starting from scratch.



(Samer A) #42


When I’m reading Netflow there is a little bit different steps for configuration in other devices…like

1- Create Flow Record
2- Create Flow Exporter
3- Create Flow Monitoring
4- Lastly apply the flow monitor to the interface

Do you think this is based on which cisco devices? I would like to know which devices using which configuration? can you help me?

Samer Abbas


(Rene Molenaar) #43

Hello Samer,

That order is correct. I also have a picture that has these steps. You can find it in the performance monitor lesson.

They calls this newer “style” of configuration with the flow record, exporter, and monitor “Flexible” netflow so that’s what you should look for.

They call the older CLI commands “traditional netflow”.


1 Like

(Trust_the P) #44

Hello @lagapides,

How would you differentiate Netflow and SPAN aka port mirroring?


(Lazaros Agapides) #45

Hello sales2161

These are two different techniques and technologies that are used for monitoring. They do two different things, but both can be helpful in keeping an eye on the traffic of your network.

SPAN is used to collect copies of packets that are sent and received on particular ports of a network device. You configure SPAN by specifying source ports, that is, the ports that carry the traffic you want to analyze. You also configure a destination port. SPAN essentially reads all packets “seen” on the source ports and dumps them out of the destination port. You must physically connect a PC or other monitoring device on that destination port to receive those packets and store them in an appropriate format. There are various monitoring suites that can be used for this purpose, some providing more general network monitoring such as wireshark, or some others that are more specialized for particular applications such as VoIP. In general, you need a physical connection to one of the switches on your network to do this. SPAN cannot be configured to run remotely over a WAN or over the Internet.

Netflow on the other hand is an application framework that collects what is known as metadata about traffic flows. Unlike SPAN, it doesn’t actually look at the payload of individual packets. Metadata involves information such as top talkers by percentage of traffic, percentage of traffic by protocol, class of service, and the cause of congestion. As its name suggests, it identifies and analyzes flows of traffic rather than collecting individual packets. These flows are analyzed as a whole to come to specific conclusions.

You can find out more about SPAN and its variations at the following lesson:

I hope this has been helpful!



(Lazaros Agapides) split this topic #46

A post was merged into an existing topic: CCNP Route exam