Home > NetFlow Tutorial

NetFlow Tutorial

May 13th, 2016 Go to comments

Note: NetFlow is no longer a topic in CCNAv3 200-125 exam.

One of the most important tasks of a network administrator is to monitor the health of our networks, learn how our bandwidth is being used, what applications are consuming it, when it needs upgrade… Although monitoring protocols like SNMP and SPAN (port mirroring) can help us answer some questions but they are not enough to give us an insightful view of our networks. Luckily we have another amazing tool: NetFlow!

NetFlow is a networking analysis protocol that gives the ability to collect detailed information about network traffic as it flows through a router interface. NetFlow helps network administrators answers the questions of who (users), what (application), when (time of day), where (source and destination IP addresses) and how network traffic is flowing.

Let’s take an example! In the topology below, when traffic from Network 1, 2, 3… passes through the interfaces of a NetFlow enabled device, relevant information is captured and stored in the NetFlow cache. NetFlow collects IP traffic information as records and sends them to a NetFlow collector for traffic flow analysis.

NetFlow_example.jpg

NetFlow components

+ NetFlow Monitor: a component applied to an interface and collects information about flows. Flow monitors consist of a record and a cache. You add the record to the flow monitor after the flow monitor is created. In the topology above, we can apply the NetFlow Monitors to the s0/0, Fa0/0 and Fa0/1 interfaces of the router to collect traffic information of these interfaces
+ NetFlow Exporter: aggregates packets into flows, stores IP flow information in its NetFlow cache and exports them in the form of flow records to the NetFlow collector
+ NetFlow Collector: collects flow records sent from the NetFlow exporters, parsing and storing the flows. Usually a collector is a separate software running on a network server. NetFlow records are exported to a NetFlow collector using User Datagram Protocol (UDP)
+ NetFlow Sampler: used to reduce the number of packets that are selected for analysis. It is applied to a NetFlow Monitor to reduce the overhead load because the number of packets that the flow monitor must analyze is reduced. But notice that the accuracy of the information stored in the flow monitor’s cache is also reduced correspondingly.

Note: The term “flows” here should be understood as “unidirectional streams of related packets”

The most important component of NetFlow is the NetFlow Exporter (and its NetFlow cache) so we will discuss more about it.

How NetFlow Exporter works

When packets arrive at the NetFlow Exporter, each of them is inspected for one or many IP packet attributes. These attributes are used to determine if the packet is unique or similar to other packets. If it is similar then it is classified as in the same flow.

NetFlow_Exporter.jpg

There are seven key IP packet attributes that can be used by NetFlow to classify packets into separate flows:
+ IP source address
+ IP destination address
+ Source port
+ Destination port
+ Layer 3 protocol type
+ Class of Service (or Type of Service – ToS) Byte
+ Input (Router or switch) interface

Other attributes can be also used and they are called non-key attributes such as timestamps, packet and byte counters, TCP flag information…

After inspecting these attributes, the NetFlow Exporter condenses them into flow records and save in a database called the NetFlow cache. These flow records can also be exported to a NetFlow Collector.

How to view NetFlow data

There are two main methods to view NetFlow data:

+ Command Line Interface (CLI): Because the NetFlow cache is a part of the NetFlow Exporter so we can view this cache directly via the Command-Line-Interface (CLI), which is very useful for troubleshooting, with the “show ip cache flow” command. An example output of this command is shown below:

show_ip_cache_flow.jpg

+ A NetFlow reporting tool: there are many tools that can collect NetFlow packets sent to the NetFlow Collector and display a comprehensive view. Below is an example of what SolarWinds NetFlow Traffic Analyzer can analyze:

NetFlow_Reporting_tool.jpg

NetFlow versions

Version 1: the original format supported in the initial NetFlow releases.
Versions 2, 3 and 4 were not released.
Version 5: an enhancement that adds Border Gateway Protocol (BGP) autonomous system information, flow sequence numbers and a few additional fields. This is the standard and most common NetFlow version. Only support IPv4.
Version 6: similar to version 7
Version 7: Cisco-specific version for Catalyst 5000 series switches but not compatible with Cisco routers
Version 8: choice of aggregation schemes in order to reduce resource usage
Version 9: support flow-record format and it is known as Flexible NetFlow technology. NetFlow version 9 includes a template to describe what is being exported. It supports extensible file export format to enable easier support. It also supports additional fields & technologies such as MPLS, IPv6, IPSec, NBAR protocols, Multicast, VLAN ID…

In general, the two most important NetFlow versions are Version 5 and Version 9 which we will learn how to configure them.

Note: NetFlow version 5 only supports monitoring inbound statistics using the “ip flow ingress” command while NetFlow v9 allows to monitor traffic leaving each interface via “ip flow egress” command.

In the next part we will learn how to configure NetFlow version 5 & 9.

Comments (50) Comments
Comment pages
  1. Anonymous
    August 3rd, 2016

    Hi All, I am taking CCNA exams within 2 weeks. If you have a ccna latest dumps please can you forward to my email:{email not allowed}

  2. Anonymous
    August 4th, 2016

    Hey, taking my ccna in a few wks. can anyone pls email me the latest dump, thx?

    briccboi at yahoo dot com

  3. the_dude
    August 4th, 2016

    hello. can someone please send me file for watson 364q. I would greatly appreciate it. Thank you! my email is mikebradley278 @ aol . com

  4. Anonymous
    August 4th, 2016

    Latest dumps to tcarosone at gmail would be appreciated

    Thanks in advance

  5. caesar
    August 6th, 2016

    can smbdy plz send me the dumps lala1444 at live dot com

  6. caesar
    August 6th, 2016

    i have my exam on 11 august

  7. Pemi
    August 7th, 2016

    Hello guys, I have my exams on 15 August please kindly suggest what to revise and i need also dumps for d exam 200-120 …@ this email {email not allowed}

  8. hello
    August 9th, 2016

    i have my exam on 15 august please share the last dump with me i’m {email not allowed}

  9. hello
    August 9th, 2016

    sen me de last dump please i have my exam this week georginarodriguez @ g m a i l . com

  10. hello
    August 9th, 2016

    i have my exam on 15 august please share the last dump with me i’m georginarodriguez1120 @ g m a i l . c o m

  11. Ben
    August 9th, 2016

    Hello guys, please am sitting for ccna on the 11th can i have the recent dumps. much thanks

  12. Ben
    August 9th, 2016

    emm25allatgmail.com

  13. de_groot
    August 10th, 2016

    please share the latest dumps at eliastsegaye20 @ g m a i l . c o m

  14. Padong
    August 10th, 2016

    Yeeeehaaaa!! Just passed the ccna exam today and I got 1000/1000 :)
    Watsons are still valid. 9tut’s sims made me feel comfortable in getting those lab sims.
    Below are some of the questions that I got.
    Eigrp sims – k values.
    Ospf
    Acl
    Lots of Ip v6 questions.
    Switching and troubleshooting questions.
    And of course, you have to know the basics.
    The good old subnettings.

    Hope you make it before aug 20 as that will be the
    end of this current ccna version and will be replaced
    with a tougher ccna exam modules. sdn – software defined networking:)

    Ccnp is my next target. :) good luck to everyone!

  15. Anonymous
    August 10th, 2016

    I cant believe I found this just now for Clash of Clans: http://maxclashgems.com Now you will know why some clans are so strong! (78SMs)

  16. Anonymous
    August 11th, 2016

    Hi Guys,

    I am writing my exams on the 17 August , please send me the latest dumps for 100 – 101. my email kcmndex at hotmail dot com.

    thanks

  17. lonewolf premium member
    August 11th, 2016

    sitting the exams soon ,could you please send me the latest dumps 200-101 thanks

  18. peet
    August 12th, 2016

    please send me the ccna dump manocha.preet@yahoo .com

  19. Kasbi
    August 12th, 2016

    Hi friends,
    Please send me CCNA dumps in kasbi.stha@gmail. … thank you

  20. MrT
    August 13th, 2016

    Hi All , I am also taking the exam on 19th , where to find these Dumps and watson 364q, if anyone can help pls send it to thanuja dot mendis73atgmail.com,

    much appreciated

  21. Chamin
    August 13th, 2016

    pl help me on 5th and last try on CCNA on 2oth August; send some dump to chamin.sam at google mail (gmail) or chamin.sam at gmail.com or {email not allowed}

  22. finesser
    August 13th, 2016

    help me with all dumps my mail is {email not allowed}.

  23. finesser
    August 13th, 2016

    ibett302 @ GMAI.L

  24. Ali tt
    August 14th, 2016

    I have the last dump but i havn’t vce to learn it . I can send it to u , here is my Address: alinotala Yahoo dot fr.

  25. Anonymous
    August 14th, 2016

    Please for Latest dump …Taking test Next Monday ….. mackmdbrown @ a o l . com

  26. MDB
    August 14th, 2016

    If any has latest CCNP routing dump please …mackmdbrown

  27. Padong
    August 14th, 2016

    Someone told me that the ccna version 3 that will be released will add 3-4 new topics on top of
    The current ccna ver3.

    Guys, don’t wait for version 3 because it will be much harder to practice and pass that exam.

    I encourage you guys to take the version 2 exam before it expires.

    Good luck to everyone. ????????

  28. Wilmer
    August 14th, 2016

    Yep I agree. Take the version 2 exam before it expires on August 20.

    :|

  29. Antoine
    August 14th, 2016

    Lot of questions added to ccna exam.

    Latest dumps are not all 100%

    My friend used the latest dumps and still didn’t passed.

    Some of the NEW QUESTIONS ADDED ARE;

    Static routing with extended ACLs
    Dual stack routing on ipv6
    Ssh, access-class on vty
    Netflow and ipflow troubleshooting
    Netflow sims.
    Ospf version 3.

  30. Dn4gg
    August 15th, 2016

    Pls, share latest dumps at {email not allowed}. Thank you very much

  31. Andrea
    August 15th, 2016

    Hi, i just passed my 200-101 exam in just first attempt, i would like to thanks http://pdfdumps.us/exam/200-101.html for best exam material, 90 % questions from these dumps

  32. Anonymous
    August 15th, 2016

    @andrea
    kindly tell me the name of labs?

  33. Dante
    August 17th, 2016

    Who can send me the CCNA 200-125 dump? please have it send to rosete_danalfred_rosete @ yahoo.com

  34. ccna_4Keeps
    August 19th, 2016

    Can someone please send 200-125 dump to jroy @ remotehand dot com TIA

  35. Ray13
    August 19th, 2016

    Can someone send me the latest dump for 200-120 & 200-125 thanks
    I failed by only 12 points due to studying an older dump and didnt realize I was missing some information.
    raymonddouglas88 @ gmail.com

  36. Anonymous
    August 21st, 2016

    I need latest dumps-200-125

  37. LickityBlitz
    August 22nd, 2016

    Can I get the latest dumps for 200-125 lickity blitz @ gmail .com

  38. simz
    August 23rd, 2016

    am also looking for the latest dumps for 200-125 {email not allowed}

  39. simz
    August 23rd, 2016

    raysimz2014@ gmail. com

  40. Anonymous
    August 28th, 2016

    What are some of the new questions you observed as compare to the old dumps.

  41. Anonymous
    September 1st, 2016

    for the configuration of netflows, will this be an important part on the exam? This is really cisco standard, and for sure many companies have their own tool to monitor, using snmp mipb, traps etc, with rrd, netcool etc.
    this will be waste of time to remember how to configure and troubleshoot netflow :-(

  42. jack
    September 12th, 2016

    please can anyone send me as soon as possible how to allocate certain bandwidth to particular IP address on Cisco router IOS from 1 MB Internet link

  43. pomson
    September 16th, 2016

    Can I get the latest dumps for 200-125 {email not allowed} thx

  44. Anonymous
    September 26th, 2016

    CCNA ( Routing & Switching )
    CCNA Routing and Switching provides comprehensive coverage of network topics from fundamental to advanced applications and services, with opportunities for hands on practical experience and career skills development.
    Prerequisite :
    Basic Knowledge of Computer/ Network
    Further details we can discuss on call or whatsapp
    00966592832164

  45. Help-Me
    September 27th, 2016

    Can I get the latest dumps for 200-125 and 200-120 kappadid at gmail com thx

  46. natraj
    September 29th, 2016

    thanks useful this chapter.. hi i take ccna v3.0 200-125 exams sent any latest dumps my email id {email not allowed} thank you…

  47. pomson
    October 11th, 2016

    Can I get the latest dumps for 200-125 pomobs12012 @ yahoo dot fr

  48. Blues
    October 13th, 2016

    i cant see the questions……what may be the problem?

  49. Mia
    November 16th, 2016

    I recommended http://www.testmayor.com/200-125-test.html ! I passed my exam yesterday with the score 98%. You can try the demo before you pay for the order. 100% money back guarantee. You will lose nothing.

  50. halfmoon
    November 26th, 2016

    this still in 200-125

Comment pages