NetFlow

Enabling NetFlow on routers provides network administrators with access to packet flow information from their network. Exported NetFlow data can be used for a variety of purposes, including security monitoring, network management, capacity planning (as in Figure 2-1), customer billing, and Internet traffic flow analysis.

Figure 2-1 NetFlow in Its Capacity-Planning Role

NetFlow is available on all router platforms from the 2600 series upward from the 12.0 software release onward. It was first introduced in 11.1CC on the 7200 and 7500 platforms. It can be enabled on a per-interface basis on the routers, as in the following example:

interface serial 5/0
 ip route-cache flow
!

If CEF is not configured on the router, this turns off the existing switching path on the router and enables NetFlow switching (basically modified optimum switching). If CEF is configured on the router, NetFlow simply becomes a "flow information gatherer" and feature accelerator—CEF remains operational as the underlying switching process.

NetFlow Feature Acceleration

NetFlow feature acceleration (NFFA) works for a limited set of features that can take advantage of flow-process shortcuts. NFFA reserves space in the flow cache for state information belonging to features that have been converted to use flow acceleration. Those features can then attach per-flow state to the cache entry, using NetFlow as a quick way to access flow-based information. For example, NetFlow policy routing (NPR) uses flow acceleration to eliminate route-map checks on a per-packet basis. NetFlow feature acceleration is turned on with the following command:

ip flow-cache feature-accelerate

As of 12.0(11)S, the following features have been converted to work with NetFlow feature acceleration:

  • Numbered access lists
  • Named access lists
  • IP accounting
  • Crypto decrypt
  • Crypto encrypt
  • Policy routing
  • WCCP redirection

NetFlow Statistics—Basics

To view NetFlow information on the router, simply enter the command show ip cache flow. This displays the current flow cache on the terminal screen (see Example 2-1).

Example 2-1 Sample Output from Displaying Flow Information on a NetFlow-Enabled Router

gw>sh ip cache flow
IP packet size distribution (410772243 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .168 .384 .102 .160 .107 .019 .005 .003 .001 .001 .000 .000 .000 .003
 
    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .001 .000 .035 .000 .003 .000 .000 .000 .000 .000 .000
 
IP Flow Switching Cache, 4456704 bytes
 15074 active, 50462 inactive, 125120769 added
 369493980 ager polls, 0 flow alloc failures
 last clearing of statistics 4d05h
Protocol     Total  Flows  Packets Bytes Packets Active(Sec) Idle(Sec)
--------     Flows   /Sec    /Flow  /Pkt    /Sec     /Flow     /Flow
TCP-Telnet     605    0.0       44    52     0.0       8.1       9.1
TCP-FTP       3494    0.0       22    64     0.2       9.4      12.9
TCP-FTPD      4104    0.0      757   376     8.4      34.9       5.7
TCP-WWW     845158    2.3       16   281    39.1       4.5       6.8
TCP-SMTP     87119    0.2       10   201     2.5       4.2      13.1
TCP-X           59    0.0        2    68     0.0       0.4      12.0
TCP-BGP      62074    0.1        5   255     0.9       9.6      18.5
TCP-NNTP         5    0.0        3    48     0.0       8.8      19.6
TCP-Frag         2    0.0        2    40     0.0       0.1      21.2
TCP-other 11879955   32.3        5   141   174.2       2.5       7.5
UDP-DNS   70078211  191.0        3    90   586.3       4.8      19.1
UDP-NTP      31804    0.0        1    72     0.0       0.0      19.0
UDP-TFTP       327    0.0        3   153     0.0       4.8      19.2
UDP-Frag         9    0.0        4   311     0.0      22.5      18.2
UDP-other 41601240  113.4        2   157   301.3       4.1      19.1
ICMP        498404    1.3        4   170     5.7      10.7      19.0
IGMP             2    0.0      113   551     0.0       6.8      19.8
IP-other     20236    0.0        4   299     0.2      12.7      18.7
Total:   125112808  341.1        3   126  1119.2       4.4      17.9
 
SrcIf     SrcIPaddress    DstIf     DstIPaddress    Pr SrcP DstP  Pkts
Se2/0     207.69.200.110  Fa1/0     203.37.255.121  11 2245 0035     1
Fa1/0     203.37.255.121  Se2/0     207.69.200.110  11 0035 2245     1
Fa1/0     203.37.255.97   Se2/0     169.229.128.130 11 0035 0C1C     1
Se2/0     169.229.128.130 Fa1/0     203.37.255.97   11 0C1C 0035     1
Se2/0     195.28.226.121  Fa1/0     203.37.255.97   11 0408 0035     1
Fa1/0     203.37.255.97   Se2/0     195.28.226.121  11 0035 0408     1
Fa1/0     203.37.255.97   Se2/0     163.21.134.2    11 0035 0035     2
Se2/0     202.103.229.40  Fa1/0     203.37.255.97   11 0A6B 0035   248
Se2/0     163.21.134.7    Fa1/0     203.37.255.97   11 0035 0035     4
Fa1/0     203.37.255.97   Se2/0     163.21.134.7    11 0035 0035     4
Fa1/0     203.37.255.97   Se2/0     202.103.229.40  11 0035 0A6B   248
Se2/0     163.21.134.2    Fa1/0     203.37.255.97   11 0035 0035     2
Se2/0     63.87.170.77    Fa1/0     203.37.255.97   11 B034 0035     2
Fa1/0     203.37.255.97   Se2/0     63.87.170.77    11 0035 B034     2

The first part of the output displays the packet size distribution of the traffic flowing into the interfaces that NetFlow is configured on. The next portion of the output displays the flows, packet size, activity, and so on for the flows per well-known protocol. The final section displays the source and destination interfaces/addresses/ports for the currently active traffic flows.

It is also possible to export this collected data to a system that will collect the data, allowing the ISP to carry out further analysis. Public-domain software is available (cflowd from Caida and NetFlowMet from the University of Auckland, for example), as well as fully featured and supported commercial products, such as Cisco's NetFlow Collector and Analyzer packages.

NetFlow Data Export

The greatest benefits of NetFlow are found when its data is exported to collection systems and then analyzed and processed. Cisco has adopted a broad approach to facilitate this activity, including donations of freeware collection/analysis software, Cisco's own commercial software, tools for others to create their own software, and partnerships with companies that make commercial-grade billing systems based on NetFlow export.

To export the data, the following configuration commands are required:

ip flow-export version 5 [origin-as|peer-as]
ip flow-export destination x.x.x.x udp-port
ip flow-export source Loopback0

The first command line sets the export version to 5 (basically this includes BGP information such as AS number) and has options to include origin-as or peer-as in the exported records. Most ISPs use the origin-as option because that will record the origin AS of the prefix originating the flow. This has become a frequently asked question on the CAIDA cflowd list, with ISPs forgetting the origin-as option and then not understanding why so many of their exported records have an origin of AS 0.

The second command line configures the IP address of the destination system, the NetFlow collector system, and the UDP port that the collector is listening on. Most ISPs use high UDP ports, such as 9999 or in the 60,000s. Note that because the flow records use UDP, it is important to design the infrastructure so that the flow collector is not too far away from the originating router. Some ISPs that use NetFlow for billing purposes build a separate management network simply to support this function.

The third command line originates all the flow traffic using the IP address of the loopback interface. This makes the cflowd configuration file easier to construct for several routers because most ISPs number their router loopbacks out of one contiguous block.
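As an added example (not code from the book or from Cisco), the following Python decodes the version 5 export datagrams that the commands above cause the router to send, using the standard v5 24-byte header and 48-byte record layout, and checks two things a collector operator cares about: gaps in the flow sequence counter (the datagrams travel over UDP, so loss is silent) and records whose origin AS is 0, the symptom described above when origin-as is forgotten. The sample datagrams are constructed from flows in Example 2-1; the AS numbers in them are assumptions taken from the documentation range.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout (network byte order): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dpkts",
          "doctets", "first", "last", "srcport", "dstport", "pad1",
          "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
          "dst_mask", "pad2")

def parse_v5(datagram):
    """Decode one export datagram into (header dict, list of record dicts)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _up, _s, _ns, seq, _et, eng_id, sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("expected version 5, got %d" % version)
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"count": count, "flow_sequence": seq, "engine_id": eng_id,
              "sampling_interval": sampling & 0x3FFF}  # low 14 bits
    records = []
    for i in range(count):
        rec = dict(zip(FIELDS, V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = str(IPv4Address(rec[key]))
        records.append(rec)
    return header, records

def audit_export(datagrams):
    """Count lost flows (export is UDP, so gaps are silent) and AS 0 records."""
    expected, lost, as_zero, total = None, 0, 0, 0
    for dg in datagrams:
        hdr, recs = parse_v5(dg)
        if expected is not None and hdr["flow_sequence"] != expected:
            lost += hdr["flow_sequence"] - expected
        # flow_sequence counts flows, so the next datagram starts at seq + count
        expected = hdr["flow_sequence"] + hdr["count"]
        total += len(recs)
        as_zero += sum(1 for r in recs if r["src_as"] == 0)
    return {"flows": total, "lost_flows": lost, "as_zero_records": as_zero}

def build_v5(seq, flows):
    """Constructed test input; a real collector receives these from the router."""
    body = b"".join(V5_RECORD.pack(
        int(IPv4Address(s)), int(IPv4Address(d)), 0, 2, 1, pkts, pkts * 90,
        0, 0, sp, dp, 0, 0, proto, 0, sas, das, 24, 24, 0)
        for s, d, proto, sp, dp, pkts, sas, das in flows)
    return V5_HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, 0) + body

# Constructed sample: DNS flows from Example 2-1, AS numbers from the RFC 5398
# documentation range (assumed). The second sequence jumps as if one was dropped.
SAMPLE = [
    build_v5(100, [("202.103.229.40", "203.37.255.97", 17, 0x0A6B, 53, 248, 64500, 64501),
                   ("203.37.255.97", "202.103.229.40", 17, 53, 0x0A6B, 248, 64501, 64500)]),
    build_v5(105, [("63.87.170.77", "203.37.255.97", 17, 0xB034, 53, 2, 0, 64501)]),
]
```

Run `audit_export(SAMPLE)` against the constructed datagrams to see three flows, three lost to the sequence gap, and one record carrying AS 0.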

To determine the status of the flow export, it is possible to check on the router to see what has been sent. Obviously the collector system should be checked as well—cflowd, for example, has extensive instructions on how to debug any flow export problems. An example of the usage of the IOS Software command follows:

gw>sh ip flow export
Flow export is enabled
Exporting flows to 220.19.51.35 (9998)
Exporting using source interface Loopback0
Version 5 flow records, origin-as
264038749 flows exported in 8801292 udp datagrams
0 flows failed due to lack of export packet
6079835 export packets were sent up to process level
0 export packets were punted to the RP
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures

A new feature as of Cisco IOS Software release 12.0(5)S is NetFlow aggregation, in which summarization/aggregation of the flow records is carried out on the router before the data is exported to the collecting system. The aim is to reduce the amount of data going across the network from router to flow collector, thereby improving the reliability of the collecting system. Flow aggregation is enabled by the following commands:

ip flow-aggregation cache as|destination-prefix|prefix|protocol-port|source-prefix
 enabled
 export destination x.x.x.x UDP-port

Subcommands required include enabled, which switches on the flow aggregation, and export destination, which lists the host that will gather the aggregated records. The collector host needs to support NetFlow Type 8 records to be capable of reading the aggregated information.
