In the previous post, we looked at the NetFlow top-talkers feature, which is probably the quickest way to get traffic-level details about what's happening on a router in real time. There have been a couple of comments from people wanting to know more about NetFlow versions, and other NetFlow commands. I want to stay focused on stuff that the average mid-level engineer can do without purchasing additional tools, so to close out our NetFlow series of posts we'll take a look at some of the CLI features related to NetFlow version 9.
As you'll recall from my introductory NetFlow post, version 9 introduced an extensible, template-based export format, and the IOS feature built on it, Flexible NetFlow, introduced a correspondingly modular configuration framework for flow collection and export (the two names are often used interchangeably). The three major configuration components are flow records, flow exporters, and flow monitors. A flow record defines the attributes of a flow that the router will track. A flow exporter defines attributes related to exporting flow statistics to an external collector, such as the collector's IP address and UDP port, the source interface used for export, and the export version. A flow monitor is the IOS configuration object that gets attached to an interface, and which ties together a flow record and a flow exporter (a monitor can also run without an exporter, keeping its cache on the router, which is what we'll do below). These three independent configuration objects allow you to define different collection and export parameters for various purposes: for example, a security-oriented NetFlow collector might need information about TCP flags, DSCP, and TTL, whereas a billing-oriented NetFlow collector might only need source address, destination address, and byte and packet counts.
Here's an example of how you can configure a top-talkers-like CLI interface to NetFlow v9 that contains more information than the standard version 5 command set. Note that this was taken from a router running 12.4(22)T5; command syntax may differ slightly depending on your IOS version.
First, we define a flow record, telling the router what information to collect and which key fields to match. "Key fields" (the match statements) are the characteristics that the router uses to distinguish unique flows: two packets that differ in any key field belong to different flows. Non-key fields (the collect statements) are recorded for each flow but never create a new one. Different situations (such as flow collection for security versus billing) might require that flows be distinguished differently.
test#sh run | section flow record
flow record NF9_RECORD
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect ipv4 dscp
 collect ipv4 ttl
 collect transport tcp flags
 collect counter bytes
 collect counter packets
Next, we tie the flow record to a flow monitor. Since I'm confining the discussion to CLI tools, we're not going to create a flow exporter.
test#sh run | s flow monitor
flow monitor NF9_MONITOR
 record NF9_RECORD
 statistics packet protocol
 statistics packet size
Finally, we apply the flow monitor to an interface:
test#sh run int f0/1 | i interface|flow
interface FastEthernet0/1
 ip flow monitor NF9_MONITOR input
At this point, the router will begin to collect flows for traffic entering FastEthernet0/1 (the monitor was applied in the input direction only), based on the packet characteristics defined in the flow record. We can use the impressively versatile "show flow monitor" command to interrogate the NetFlow cache from the CLI:
test#sh flow monitor NF9_MONITOR cache sort highest counter bytes top 5 format table
Processed 58 flows
Aggregated to 58 flows
Showing the top 5 flows
IPV4 SRC ADDR    IPV4 DST ADDR    TRNS SRC PORT  TRNS DST PORT  IP PROT  tcp flags  bytes       pkts        ip dscp  ip ttl
===============  ===============  =============  =============  =======  =========  ==========  ==========  =======  ======
10.234.4.9       10.213.10.146    554            4805           6        0x18       3484434     2910        0x00     111
10.23.105.160    10.213.10.146    2189           1121           6        0x18       430880      824         0x00     112
10.93.106.16     10.213.10.146    1007           1188           6        0x18       337005      778         0x00     110
10.15.7.112      10.213.10.146    443            3208           6        0x1B       207337      190         0x00     45
10.2.108.55      10.213.10.146    443            3262           6        0x1A       106330      116         0x00     44
Unfortunately the column width restrictions in the Network World blogging software make this hard to read, but I trust you can figure it out. Basically, we have all the same information we had before with "show ip flow top-talkers", but we now have the DSCP, TTL, and TCP flags as well. Note that the tcp flags field is the cumulative OR of the flags seen on every packet of the flow since its cache entry was created, so 0x18 (PSH+ACK) means the handshake happened before this entry existed (a long-lived session, or one whose earlier entry aged out), while 0x1A (SYN+PSH+ACK) and 0x1B (SYN+PSH+ACK+FIN) mean the setup, and for 0x1B also the teardown, was seen in full. A flow showing only 0x02 (SYN) never got a reply or was a probe, which is what a port scan looks like when both ports are key fields. Also note that the transport layer port numbers are shown in base 10, which is nice. By building your own flow records, you can key or collect on most fields of the layer 3 and layer 4 headers and format or sort the results in a variety of ways. In addition to the table format, there's a CSV format option, which you could use to build your own scripts that fetch customized NetFlow information from a router on demand.
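Here is what such a script could look like. This is an added example, my own code rather than anything from the original post or from Cisco: it parses a constructed cache dump in the CSV layout, modelled on the table above with two made-up single-packet flows appended, and it assumes the CSV header uses the same column names as the table format (check that against your IOS release; the parser looks columns up by name, so a different order is harmless). It decodes the cumulative tcp flags byte, reproduces the router's "sort highest counter bytes" ordering, and pulls out SYN-only flows grouped by source, which is how a port scan shows up in a cache keyed on source and destination port.

```python
"""Parse the CSV form of "show flow monitor <name> cache format csv" and pick
out flows of security interest.

Added example, not code from the original post or from Cisco.  The sample
below is constructed: the first four rows come from the post's table, the
last two are invented single-packet flows.  The CSV header is assumed to
carry the same column names as the table format.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# TCP flag bits (RFC 793).  The "tcp flags" field is the OR of the flags seen
# on every packet of the flow since its cache entry was created.
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

# Constructed sample (assumed header layout; summary lines precede it as in
# the table output).  192.0.2.77 is a made-up host probing two ports.
SAMPLE_CSV = """\
Processed 6 flows
Aggregated to 6 flows
IPV4 SRC ADDR,IPV4 DST ADDR,TRNS SRC PORT,TRNS DST PORT,IP PROT,tcp flags,bytes,pkts,ip dscp,ip ttl
10.234.4.9,10.213.10.146,554,4805,6,0x18,3484434,2910,0x00,111
10.23.105.160,10.213.10.146,2189,1121,6,0x18,430880,824,0x00,112
10.15.7.112,10.213.10.146,443,3208,6,0x1B,207337,190,0x00,45
10.2.108.55,10.213.10.146,443,3262,6,0x1A,106330,116,0x00,44
192.0.2.77,10.213.10.146,40001,22,6,0x02,60,1,0x00,64
192.0.2.77,10.213.10.146,40002,23,6,0x02,60,1,0x00,64
"""


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    flags: int
    nbytes: int
    pkts: int
    dscp: int
    ttl: int

    def flag_names(self) -> List[str]:
        """Decode the cumulative flag byte, e.g. 0x1B -> FIN SYN PSH ACK."""
        return [n for bit, n in sorted(TCP_FLAG_BITS.items()) if self.flags & bit]


def parse_cache_csv(text: str) -> List[Flow]:
    """Return one Flow per data row, skipping any summary lines above the header.

    Columns are looked up by name, so a different column order still parses.
    """
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines)
                 if line.startswith("IPV4 SRC ADDR"))
    reader = csv.DictReader(io.StringIO("\n".join(lines[start:])))
    return [
        Flow(src=row["IPV4 SRC ADDR"], dst=row["IPV4 DST ADDR"],
             sport=int(row["TRNS SRC PORT"]), dport=int(row["TRNS DST PORT"]),
             proto=int(row["IP PROT"]), flags=int(row["tcp flags"], 16),
             nbytes=int(row["bytes"]), pkts=int(row["pkts"]),
             dscp=int(row["ip dscp"], 16), ttl=int(row["ip ttl"]))
        for row in reader
    ]


def top_by_bytes(flows: List[Flow], n: int = 5) -> List[Flow]:
    """Same ordering as 'sort highest counter bytes top <n>' on the router."""
    return sorted(flows, key=lambda f: f.nbytes, reverse=True)[:n]


def syn_only_flows(flows: List[Flow]) -> List[Flow]:
    """TCP flows whose only flag ever seen was SYN: no reply, or a bare probe."""
    return [f for f in flows if f.proto == 6 and f.flags == 0x02]


def scan_suspects(flows: List[Flow], min_ports: int = 2) -> Dict[str, List[int]]:
    """Sources with SYN-only flows to at least min_ports distinct destination ports."""
    ports: Dict[str, set] = {}
    for f in syn_only_flows(flows):
        ports.setdefault(f.src, set()).add(f.dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    flows = parse_cache_csv(SAMPLE_CSV)
    for f in top_by_bytes(flows):
        print(f"{f.src:>15} -> {f.dst:<15} {f.sport:>5}/{f.dport:<5} "
              f"{f.nbytes:>8} B  {' '.join(f.flag_names())}")
    print("scan suspects:", scan_suspects(flows))
```

Fetching the dump is left to whatever you already use to drive the CLI (an expect script or an SSH library); hand the captured text to parse_cache_csv. If you want per-interval rather than cumulative counters, run "clear flow monitor NF9_MONITOR cache" between samples, keeping in mind that the flag byte then only reflects packets seen after the clear.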
I encourage you to explore these features on your own with the help of ? and the IOS Flexible NetFlow configuration guide:
http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/12_4t/f...
Jerold Swan (CCIE #17783, CCSP) is a network engineer with a mid-sized company in Colorado. Previously, he has worked as a Cisco instructor for Global Knowledge, and as a network engineer or systems administrator in the service provider and higher education fields. His main areas of professional interest are routing protocols, security, and network monitoring. He holds bachelor's and master's degrees in English from Stanford University. Outside the IT world, he volunteers for a local search & rescue team and enjoys a wide variety of outdoor sports, especially trail running and mountain biking.