# CCNA 200-301 - Video 48: NetFlow and IPFIX

## Deep Study Notes

---

## Learning Objectives

By the end of this video, you should understand:

- What NetFlow is and why it's used
- NetFlow architecture and components
- NetFlow versions (v5, v9, IPFIX)
- NetFlow configuration on Cisco devices
- Flow record, exporter, and monitor configuration
- NetFlow verification and troubleshooting
- IPFIX (IP Flow Information Export) concepts

---

## Core Concepts

### 1. What is NetFlow?

**Definition:** NetFlow is a Cisco-developed protocol that collects and exports metadata about IP traffic flows, providing visibility into traffic patterns, top talkers, and application usage. It records who talked to whom, when, over which protocol and ports, and how much; it does not capture packet payloads.

**Analogy:** Think of NetFlow like a traffic camera system on a highway. Instead of inspecting every individual car (packet), it records metadata about traffic flows: how many cars passed (packets), how much road they used (bytes), where they came from and where they are going (source/destination), and what type of vehicle they were (protocol/ports).

**Traffic flow definition.** A flow is the set of packets that share the same 7-tuple:

1. Source IP address
2. Destination IP address
3. Source port
4. Destination port
5. Layer 3 protocol (the IP protocol number: TCP, UDP, ICMP, ...)
6. Type of Service (ToS) byte
7. Input interface

**Flow example:** PC 10.1.1.10 opens an HTTP connection to server 8.8.8.8 (source port 54321, destination port 80, protocol TCP). The resulting flow record:

```
Src IP: 10.1.1.10, Dst IP: 8.8.8.8
Src Port: 54321, Dst Port: 80
Protocol: TCP
Packets: 1234, Bytes: 123456
Duration: 45 seconds
```

A flow is unidirectional: the server's replies (8.8.8.8:80 to 10.1.1.10:54321) form a second flow, and the collector pairs the two to reconstruct the conversation.

---

### 2. NetFlow Architecture

```
Network devices (exporters)                          NetFlow collector
                                                     (e.g., SolarWinds, PRTG, nfdump)
Router -- NetFlow cache [Flow 1][Flow 2][Flow 3] --+
                                                   |  NetFlow export (UDP 2055)
Switch -- NetFlow cache [Flow 1][Flow 2][Flow 3] --+--> receives flow records
                                                       stores them in a database
                                                       provides analysis and reporting
                                                       identifies top talkers, applications, etc.
```

Each exporter tracks active flows in its local NetFlow cache and, when a flow expires, sends the record to the collector in a UDP datagram (port 2055 by convention). The export stream is plain UDP with no authentication or encryption, so keep it on a management network and configure the collector to accept records only from known exporter addresses.

---

### 3. NetFlow Components

| Component | Description |
|-----------|-------------|
| **NetFlow Exporter** | Device (router or switch) that generates and exports flow records |
| **NetFlow Cache** | Stores active flow information before export |
| **Flow Record** | Defines which fields to collect |
| **Flow Exporter** | Defines the destination for flow exports |
| **Flow Monitor** | Combines record and exporter; applied to an interface |
| **NetFlow Collector** | Receives, stores, and analyzes flow data |

**NetFlow configuration flow (Flexible NetFlow):**

1. Create a flow record: defines what fields to collect (src IP, dst IP, ports)
2. Create a flow exporter: defines where to send flows (collector IP, port)
3. Create a flow monitor: binds record + exporter
4. Apply the flow monitor to an interface: `ip flow monitor [name] [input|output]`
5. The device exports flows to the collector

---

### 4. NetFlow Versions

| Version | Description | Features |
|---------|-------------|----------|
| **v5** | Most common, fixed format | Fixed 48-byte record (about 20 fields), no custom fields, IPv4 only |
| **v9** | Flexible, template-based | Custom fields, IPv6, MPLS; documented in RFC 3954 |
| **IPFIX** | IETF standard (version 10) | Based on v9, open standard (RFC 7011) |

**NetFlow v5 (fixed format):**

- Fixed record layout: every record carries the same fields in the same order
- Always includes: src IP, dst IP, src port, dst port, protocol
- Always includes: packets, bytes, start time, end time (as router-uptime timestamps)
- Simple, widely supported
- Cannot add custom fields; IPv4 only

**NetFlow v9 (flexible):**

- Template-based format: the exporter first sends a template describing the record layout, then data records laid out according to it
- Can include custom fields (MAC addresses, MPLS labels, etc.)
- Variable field order
- Supports IPv6
- More efficient for variable data

**IPFIX (version 10, IETF standard):**

- Based on NetFlow v9
- Open standard (RFC 7011)
- Vendor-neutral
- Supports enterprise-specific fields (an enterprise bit plus a Private Enterprise Number in the field ID)
- Common in multi-vendor environments

---

### 5. NetFlow Configuration

**Basic NetFlow configuration (v5, traditional NetFlow):**

```cisco
! Enable NetFlow on the interface (traditional method)
interface GigabitEthernet0/0
 ip flow ingress
 ip flow egress
!
! Configure NetFlow export
ip flow-export destination 192.168.1.100 2055
ip flow-export version 5
!
! Verify
show ip flow export
show ip cache flow
```

**Advanced NetFlow configuration (v9, Flexible NetFlow):**

```cisco
! Step 1: Create flow record (match = key fields, collect = non-key fields)
flow record NETFLOW-RECORD
 description "Standard flow record for traffic analysis"
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect transport tcp flags
!
! Step 2: Create flow exporter
flow exporter NETFLOW-EXPORTER
 description "Export to collector"
 destination 192.168.1.100
 transport udp 2055
 source GigabitEthernet0/0
 export-protocol netflow-v9
 option interface-table
 option sampler-table
!
! Step 3: Create flow monitor
flow monitor NETFLOW-MONITOR
 description "Monitor for all traffic"
 record NETFLOW-RECORD
 exporter NETFLOW-EXPORTER
 cache timeout active 60
 cache timeout inactive 15
!
! Step 4: Apply to interface
interface GigabitEthernet0/0
 ip flow monitor NETFLOW-MONITOR input
 ip flow monitor NETFLOW-MONITOR output
!
! Step 5: Verify
show flow monitor NETFLOW-MONITOR cache
show flow exporter NETFLOW-EXPORTER statistics
```

---

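The v5 fixed format described above is easiest to understand by decoding an export datagram. The following Python is an added example written for these notes (it is not Cisco code or output from the lab): it packs one constructed record, the notes' 10.1.1.10 to 8.8.8.8 HTTP flow, into the 24-byte v5 header plus 48-byte record layout, then parses it back. The next hop, interface indexes, uptime and sequence numbers in the sample are made-up values. The parser checks the version and record count before trusting the length, which matters because a collector listens on unauthenticated UDP.

```python
"""Decode NetFlow v5 export datagrams: a 24-byte header followed by
fixed 48-byte flow records (up to 30 records per datagram)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes, network byte order
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes, 20 fields (2 are padding)
MAX_RECORDS = 30


@dataclass
class FlowV5:
    src: str
    dst: str
    next_hop: str
    in_if: int
    out_if: int
    packets: int
    octets: int
    first_ms: int      # router uptime (ms) at the flow's first packet
    last_ms: int       # router uptime (ms) at the flow's last packet
    src_port: int
    dst_port: int
    tcp_flags: int     # cumulative OR of the TCP flags seen in the flow
    proto: int         # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    tos: int
    src_as: int
    dst_as: int
    src_mask: int
    dst_mask: int

    @property
    def duration_ms(self) -> int:
        return self.last_ms - self.first_ms


def parse_v5(datagram: bytes) -> Tuple[Dict[str, int], List[FlowV5]]:
    """Parse one v5 datagram, validating the header before trusting its record count."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds v5 maximum of {MAX_RECORDS}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: fewer bytes than the header's count implies")
    header = {
        "sys_uptime_ms": sys_uptime, "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_seq, "engine_type": engine_type, "engine_id": engine_id,
        # top 2 bits of the last header field are the sampling mode, low 14 bits the interval
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(FlowV5(
            src=str(ipaddress.IPv4Address(f[0])), dst=str(ipaddress.IPv4Address(f[1])),
            next_hop=str(ipaddress.IPv4Address(f[2])), in_if=f[3], out_if=f[4],
            packets=f[5], octets=f[6], first_ms=f[7], last_ms=f[8],
            src_port=f[9], dst_port=f[10],                # f[11] is pad1
            tcp_flags=f[12], proto=f[13], tos=f[14],
            src_as=f[15], dst_as=f[16], src_mask=f[17], dst_mask=f[18],  # f[19] is pad2
        ))
    return header, flows


def build_sample_datagram() -> bytes:
    """Constructed sample (not a real capture): the notes' 10.1.1.10 -> 8.8.8.8 HTTP flow.
    Next hop, interface indexes, uptime and sequence numbers are made-up values."""
    header = V5_HEADER.pack(5, 1, 60_000, 1_700_000_000, 0, 0, 0, 0, 0)
    record = V5_RECORD.pack(
        ipaddress.IPv4Address("10.1.1.10").packed, ipaddress.IPv4Address("8.8.8.8").packed,
        ipaddress.IPv4Address("10.1.1.1").packed, 1, 2, 1234, 123456,
        10_000, 55_000,            # first/last uptime: a 45-second flow
        54321, 80, 0, 0x1B, 6, 0,  # ports, pad1, SYN|ACK|PSH|FIN, TCP, ToS 0
        0, 0, 24, 24, 0)           # src/dst AS, masks, pad2
    return header + record


if __name__ == "__main__":
    hdr, recs = parse_v5(build_sample_datagram())
    for r in recs:
        print(f"{r.src}:{r.src_port} -> {r.dst}:{r.dst_port} proto={r.proto} "
              f"pkts={r.packets} bytes={r.octets} dur={r.duration_ms / 1000:.0f}s")
```

Timestamps in v5 are router uptime in milliseconds, so a collector converts them to wall-clock time using the header's `sys_uptime` and `unix_secs`; the `flow_sequence` counter lets it detect dropped export datagrams.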
### 6. Flexible NetFlow Parameters

`match` fields are key fields: packets that differ in any key field belong to different flows. `collect` fields are non-key fields that are recorded for the flow but do not split it.

**Flow Record Match Fields:**

| Field | Description |
|-------|-------------|
| `match ipv4 source address` | Source IPv4 address |
| `match ipv4 destination address` | Destination IPv4 address |
| `match transport source-port` | TCP/UDP source port |
| `match transport destination-port` | TCP/UDP destination port |
| `match ipv4 protocol` | IP protocol (TCP, UDP, ICMP) |
| `match ipv4 tos` | Type of Service byte (carries the DSCP value) |
| `match ipv6 source address` | Source IPv6 address |
| `match ipv6 destination address` | Destination IPv6 address |
| `match interface input` | Input interface |
| `match interface output` | Output interface |

**Flow Record Collect Fields:**

| Field | Description |
|-------|-------------|
| `collect counter bytes` | Total bytes in flow |
| `collect counter packets` | Total packets in flow |
| `collect timestamp sys-uptime first` | Flow start time |
| `collect timestamp sys-uptime last` | Flow end time |
| `collect transport tcp flags` | TCP flags (SYN, ACK, etc.) |
| `collect ipv4 dscp` | DSCP value |
| `collect application name` | Application name (requires NBAR) |

---

### 7. NetFlow Export Parameters

**Cache Parameters:**

| Parameter | Default | Description |
|-----------|---------|-------------|
| `cache timeout active` | 1800 sec (30 min) | Active flow timeout: a long-lived flow is exported after this time even though it is still sending, and its counters restart |
| `cache timeout inactive` | 15 sec | Inactive flow timeout: the flow is exported when no packet has been seen for this long |
| `cache entries` | 4096 (platform dependent) | Maximum number of flows in the cache |
| `cache timeout rate-limit` | platform dependent | Rate-limits cache timeout processing on platforms that support it |

The labs in these notes lower the active timeout to 60 seconds so that long-lived sessions show up on the collector every minute instead of every 30 minutes.

```cisco
! Configure cache parameters
flow monitor NETFLOW-MONITOR
 cache timeout active 60
 cache timeout inactive 15
 cache entries 10000
```

---

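The two timeouts decide how one conversation ends up as one or several records, which matters when you correlate flows in a SIEM. The following Python is an added example written for these notes, not Cisco code: a toy model of the cache that keys entries by the 7-tuple, ages them by the inactive timeout, the active timeout and TCP FIN/RST (the same aging reasons the `show flow monitor ... cache` output counts), and exports the expired entries. The traffic it processes is constructed: a two-packet DNS exchange and a 201-second TCP session at one packet per second, against the notes' 60 s / 15 s timeouts.

```python
"""Toy model of a NetFlow cache: flows keyed by the 7-tuple, aged out by the
active and inactive timeouts (and by TCP FIN/RST), then handed to the exporter."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (src, dst, src_port, dst_port, proto, tos, input_if): the 7-tuple key
FlowKey = Tuple[str, str, int, int, int, int, str]
TCP_FIN, TCP_RST = 0x01, 0x04


@dataclass
class CacheEntry:
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0


@dataclass
class FlowCache:
    active_timeout: float = 1800.0   # IOS default: 30 minutes
    inactive_timeout: float = 15.0   # IOS default: 15 seconds
    max_entries: int = 4096
    entries: Dict[FlowKey, CacheEntry] = field(default_factory=dict)
    exported: List[dict] = field(default_factory=list)
    aged: Dict[str, int] = field(default_factory=lambda: {
        "active": 0, "inactive": 0, "tcp_fin_rst": 0, "emergency": 0})

    def _export(self, key: FlowKey, entry: CacheEntry, reason: str) -> None:
        self.exported.append({"key": key, "packets": entry.packets, "octets": entry.octets,
                              "first": entry.first, "last": entry.last, "reason": reason})
        self.aged[reason] += 1
        del self.entries[key]

    def age(self, now: float) -> None:
        """Expire entries idle longer than the inactive timeout, or alive longer than
        the active timeout (so a long session is exported as several records)."""
        for key, entry in list(self.entries.items()):
            if now - entry.last > self.inactive_timeout:
                self._export(key, entry, "inactive")
            elif now - entry.first >= self.active_timeout:
                self._export(key, entry, "active")

    def observe(self, now: float, key: FlowKey, size: int, tcp_flags: int = 0) -> None:
        """Account one packet of `size` bytes seen at time `now` (seconds)."""
        self.age(now)
        entry = self.entries.get(key)
        if entry is None:
            if len(self.entries) >= self.max_entries:
                # emergency aging: flush the least recently updated flow to make room
                oldest = min(self.entries, key=lambda k: self.entries[k].last)
                self._export(oldest, self.entries[oldest], "emergency")
            entry = self.entries[key] = CacheEntry(first=now, last=now)
        entry.packets += 1
        entry.octets += size
        entry.last = now
        entry.tcp_flags |= tcp_flags
        if key[4] == 6 and tcp_flags & (TCP_FIN | TCP_RST):
            self._export(key, entry, "tcp_fin_rst")


LONG_KEY: FlowKey = ("10.1.1.10", "8.8.8.8", 54321, 80, 6, 0, "Gi0/0")
SHORT_KEY: FlowKey = ("10.1.1.30", "192.168.2.10", 12345, 53, 17, 0, "Gi0/0")


def run_demo() -> FlowCache:
    """Constructed traffic (not a capture): a 2-packet DNS exchange and a 201-second
    TCP session at one packet per second, with the notes' 60 s / 15 s timeouts."""
    cache = FlowCache(active_timeout=60, inactive_timeout=15)
    cache.observe(0, SHORT_KEY, 80)
    cache.observe(1, SHORT_KEY, 120)
    for t in range(0, 201):
        cache.observe(t, LONG_KEY, 1000)
    cache.observe(201, LONG_KEY, 60, tcp_flags=TCP_FIN)   # client closes the session
    cache.age(400)                                        # nothing left to expire
    return cache


if __name__ == "__main__":
    for rec in run_demo().exported:
        k = rec["key"]
        print(f"{k[0]}:{k[2]} -> {k[1]}:{k[3]} pkts={rec['packets']} bytes={rec['octets']} "
              f"t={rec['first']}-{rec['last']} aged_by={rec['reason']}")
```

Running it shows the DNS exchange exported once (inactive timeout, 16 seconds after its last packet) and the single TCP session exported as four records: three of 60 packets each at the active timeout and a final 22-packet record at the FIN. A collector that counts records instead of re-aggregating them by key will over-count sessions and under-count per-session bytes.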
### 8. NetFlow Verification Commands

| Command | Purpose |
|---------|---------|
| `show flow monitor [name] cache` | Display active flows in cache |
| `show flow monitor [name] cache format csv` | Display flows in CSV format |
| `show flow exporter [name] statistics` | Display exporter statistics |
| `show flow record` | Display configured flow records |
| `show ip flow export` | Display export statistics (traditional NetFlow / v5) |
| `show ip cache flow` | Display flow cache (traditional NetFlow / v5) |

**Example Outputs:**

```cisco
Router# show flow monitor NETFLOW-MONITOR cache
  Cache type:                            Normal
  Cache size:                              4096
  Current entries:                          124
  High Watermark:                           256
  Flows added:                             5678
  Flows aged:                              5554
    - Active timeout    (    60 secs)      1234
    - Inactive timeout  (    15 secs)      4320
    - TCP FIN flag                            0
    - TCP RST flag                            0
    - Emergency aged                          0

IPV4 SOURCE ADDRESS  IPV4 DESTINATION ADDRESS  TRNS SRC PORT  TRNS DST PORT  PROT
===================  ========================  =============  =============  ====
10.1.1.10            8.8.8.8                   54321          80             6
10.1.1.20            8.8.8.8                   54322          443            6
10.1.1.30            192.168.2.10              12345          53             17
```

The PROT column is the IP protocol number (6 = TCP, 17 = UDP). The "Flows aged" breakdown shows why each entry left the cache: timers, TCP FIN/RST, or emergency aging when the cache was full.

```cisco
Router# show flow exporter NETFLOW-EXPORTER statistics
Flow Exporter NETFLOW-EXPORTER:
  Packet send statistics (last cleared 00:01:23 ago):
    Successfully sent:         1234                  (123456 bytes)
    First packet sent:         00:01:23 ago
  Client statistics:
    Client: Flow Monitor NETFLOW-MONITOR
      Records added:           5678
      Bytes added:             567890
      Exported records:        5554
```

---

### 9. IPFIX (IP Flow Information Export)

**Definition:** IPFIX is the IETF standard (RFC 7011) derived from NetFlow v9, providing vendor-neutral flow export.

**IPFIX vs. NetFlow v9:**

| Feature | NetFlow v9 | IPFIX |
|---------|------------|-------|
| **Standard** | Cisco-defined (published as informational RFC 3954) | IETF standard (RFC 7011) |
| **Template Format** | Cisco-specific | Standardized |
| **Enterprise Fields** | Cisco enterprise | Standardized (enterprise bit + Private Enterprise Number) |
| **Transport** | UDP | SCTP (mandatory to implement), UDP, TCP |
| **Well-known port** | None assigned; 2055 by convention | IANA port 4739 (collectors commonly also accept 2055) |
| **Vendor Support** | Cisco and vendors that copied the format | Multi-vendor |

**IPFIX Configuration:**

```cisco
! IPFIX uses the same Flexible NetFlow model; only the export protocol changes
flow exporter IPFIX-EXPORTER
 destination 192.168.1.100
 transport udp 2055
 export-protocol ipfix       ! Use IPFIX instead of netflow-v9
 source Loopback0
!
flow monitor IPFIX-MONITOR
 record NETFLOW-RECORD
 exporter IPFIX-EXPORTER
 cache timeout active 60
```

---

### 10. NetFlow Use Cases

**1. Traffic analysis**

- Identify top talkers (who is using bandwidth)
- Understand application usage
- Detect bandwidth hogs
- Capacity planning

**2. Security**

- Detect DoS/DDoS attacks (many sources to one destination, or abnormal packet rates)
- Identify anomalous traffic patterns (new destinations, unusual ports, scan-like fan-out)
- Detect data exfiltration (unusually large outbound volumes from internal hosts)
- Forensic analysis: flow records are small enough to retain for months, so they answer "which hosts talked to this address, and when" long after packet captures are gone

**3. Troubleshooting**

- Identify why a link is congested
- Find the root cause of a slow application
- Analyze traffic patterns
- Verify QoS effectiveness

**4. Billing / accounting**

- Usage-based billing
- Department chargeback
- Customer usage reporting

---

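The security use cases above are all queries over collected records. The following Python is an added example written for these notes, not code from the page or from any collector product: it runs a top-talkers report, a port-scan heuristic and an exfiltration heuristic over a constructed set of flow records (a few normal web flows, one very large outbound transfer, and 40 one-packet TCP probes against one host). The internal address ranges are an assumption for the example; in production they come from your IPAM.

```python
"""Security analytics over collected flow records: top talkers, port-scan and
data-exfiltration heuristics of the kind a NetFlow collector or SIEM would run."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Assumed enterprise address space; anything else is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flow(src, dst, sport, dport, proto, packets, octets) -> dict:
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "packets": packets, "octets": octets}


# Constructed sample records (not a real capture): a few normal web flows, one
# very large outbound transfer, and 40 one-packet TCP probes against a single host.
FLOWS: List[dict] = [
    flow("10.1.1.10", "203.0.113.50", 54321, 443, 6, 1234, 123_456),
    flow("10.1.1.10", "203.0.113.51", 54322, 443, 6, 800, 90_000),
    flow("10.1.1.30", "192.168.2.10", 12345, 53, 17, 2, 200),
    flow("10.1.1.20", "203.0.113.7", 40001, 443, 6, 700_000, 950_000_000),
] + [flow("10.1.1.50", "192.168.2.10", 40000 + p, p, 6, 1, 60) for p in range(1, 41)]


def top_talkers(flows: List[dict], n: int = 3) -> List[Tuple[str, int]]:
    """Sources ranked by bytes sent: the classic bandwidth-usage report."""
    total: Dict[str, int] = defaultdict(int)
    for f in flows:
        total[f["src"]] += f["octets"]
    return sorted(total.items(), key=lambda kv: kv[1], reverse=True)[:n]


def detect_port_scans(flows: List[dict], min_ports: int = 20,
                      max_packets: int = 3) -> Dict[Tuple[str, str], int]:
    """One source touching many distinct ports on one host, each flow only a
    packet or two: the flow-level signature of a SYN scan."""
    ports: Dict[Tuple[str, str], set] = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["packets"] <= max_packets:
            ports[(f["src"], f["dst"])].add(f["dport"])
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_exfiltration(flows: List[dict], threshold_octets: int = 500_000_000,
                        sampling_interval: int = 1) -> Dict[str, int]:
    """Internal hosts whose outbound volume to external addresses exceeds a threshold.
    With 1-in-N sampled export, counters must be scaled up by N before comparison."""
    outbound: Dict[str, int] = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            outbound[f["src"]] += f["octets"] * sampling_interval
    return {src: b for src, b in outbound.items() if b >= threshold_octets}


if __name__ == "__main__":
    print("top talkers:", top_talkers(FLOWS))
    print("port scans:", detect_port_scans(FLOWS))
    print("exfil candidates:", detect_exfiltration(FLOWS))
```

The scan heuristic only works on unsampled flows: at 1-in-1000 sampling almost none of the one-packet probes would be exported at all, which is the trade-off to weigh before enabling sampling on a link you rely on for detection.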
### 11. NetFlow Troubleshooting

| Problem | Symptom | Solution |
|---------|---------|----------|
| **No flows exported** | Collector receives no data | Verify the flow monitor is applied to the interface and the exporter is bound to the monitor |
| **Flows not matching** | Missing expected flows | Check flow record key fields, ensure traffic actually passes the monitored interface in the monitored direction |
| **Exporter errors** | `show flow exporter` shows errors | Verify collector reachability, UDP port, and that no ACL or firewall blocks the export path |
| **Cache full** | High watermark reached, emergency aging | Increase cache size, shorten timeouts |
| **High CPU** | Router CPU high | Enable sampling on high-speed interfaces, adjust cache parameters |

**Troubleshooting Commands:**

```cisco
! Verify flow monitor application
Router# show flow monitor NETFLOW-MONITOR statistics
!
! Verify exporter reachability
Router# ping 192.168.1.100
!
! Debug NetFlow
Router# debug flow monitor NETFLOW-MONITOR
!
! Clear flow cache
Router# clear flow monitor NETFLOW-MONITOR cache
!
! Check interface counters
Router# show interfaces GigabitEthernet0/0 | include input|output
```

---

### 12. NetFlow Sampling

**Purpose:** Reduce CPU/memory usage by examining only a subset of packets. The sampler is attached on the interface, together with the monitor; it is not a flow monitor sub-command. Export `option sampler-table` so the collector can scale the counters back up.

```cisco
! Create sampler
sampler NETFLOW-SAMPLER
 mode random 1 out-of 100      ! Sample 1 of every 100 packets
!
! Apply sampler together with the monitor on the interface
interface GigabitEthernet0/0
 ip flow monitor NETFLOW-MONITOR sampler NETFLOW-SAMPLER input
!
! Let the collector know the sampling rate
flow exporter NETFLOW-EXPORTER
 option sampler-table
```

**Caveat:** sampled counters are estimates (multiply by the sampling rate), and a flow of only a few packets is usually never sampled at all. Sampling is fine for capacity planning and top talkers; it is a poor basis for detecting scans, beaconing, or other short-lived connections.

---

## Complete Configuration Examples

### Lab 1: Traditional NetFlow v5

```cisco
! Enable NetFlow on interfaces
interface GigabitEthernet0/0
 ip flow ingress
 ip flow egress
interface GigabitEthernet0/1
 ip flow ingress
 ip flow egress
!
! Configure export
ip flow-export destination 192.168.1.100 2055
ip flow-export version 5
ip flow-export source Loopback0
!
! Optional: set the active timeout (traditional NetFlow counts this in minutes,
! range 1-60, default 30)
ip flow-cache timeout active 60
!
! Verify
show ip flow export
show ip cache flow
```

---

### Lab 2: Flexible NetFlow v9

```cisco
! Create flow record
flow record FNF-RECORD
 description "Standard flow record"
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! Create flow exporter
flow exporter FNF-EXPORTER
 description "Export to collector"
 destination 192.168.1.100
 transport udp 2055
 source Loopback0
 export-protocol netflow-v9
 option interface-table
!
! Create flow monitor
flow monitor FNF-MONITOR
 description "Monitor for all traffic"
 record FNF-RECORD
 exporter FNF-EXPORTER
 cache timeout active 60
 cache timeout inactive 15
!
! Apply to interfaces
interface GigabitEthernet0/0
 ip flow monitor FNF-MONITOR input
 ip flow monitor FNF-MONITOR output
!
! Verify
show flow monitor FNF-MONITOR cache
show flow exporter FNF-EXPORTER statistics
```

---

### Lab 3: NetFlow with Sampling

```cisco
! Create sampler (1:1000 sampling)
sampler NETFLOW-SAMPLER
 mode random 1 out-of 1000
!
! Export the sampler table so the collector can scale the sampled counters
flow exporter FNF-EXPORTER
 option sampler-table
!
! Create flow monitor (reuses the Lab 2 record and exporter)
flow monitor FNF-MONITOR-SAMPLE
 record FNF-RECORD
 exporter FNF-EXPORTER
 cache timeout active 60
!
! Apply monitor and sampler together on the high-speed interface
interface GigabitEthernet0/0
 ip flow monitor FNF-MONITOR-SAMPLE sampler NETFLOW-SAMPLER input
 ip flow monitor FNF-MONITOR-SAMPLE sampler NETFLOW-SAMPLER output
!
! Verify
show flow monitor FNF-MONITOR-SAMPLE cache
show sampler NETFLOW-SAMPLER
```

---

### Lab 4: IPFIX Configuration

```cisco
! Create flow record for IPFIX
flow record IPFIX-RECORD
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! Create IPFIX exporter
flow exporter IPFIX-EXPORTER
 destination 192.168.1.100
 transport udp 2055
 source Loopback0
 export-protocol ipfix
 option interface-table
!
! Create IPFIX monitor
flow monitor IPFIX-MONITOR
 record IPFIX-RECORD
 exporter IPFIX-EXPORTER
 cache timeout active 60
!
! Apply to interfaces
interface GigabitEthernet0/0
 ip flow monitor IPFIX-MONITOR input
 ip flow monitor IPFIX-MONITOR output
!
! Verify
show flow monitor IPFIX-MONITOR cache
```

---

### Lab 5: NetFlow with NBAR (Application Recognition)

```cisco
! Create flow record with application name (NBAR classifies the traffic)
flow record APP-RECORD
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match application name        ! NBAR application recognition
 collect counter bytes
 collect counter packets
!
! Create flow monitor (reuses the Lab 2 exporter)
flow monitor APP-MONITOR
 record APP-RECORD
 exporter FNF-EXPORTER
!
! Apply to interface; NBAR protocol discovery is an interface-level command
interface GigabitEthernet0/0
 ip nbar protocol-discovery
 ip flow monitor APP-MONITOR input
!
! Verify applications
show flow monitor APP-MONITOR cache | include facebook|youtube|netflix
show ip nbar protocol-discovery interface GigabitEthernet0/0
```

---

## Exam Tips (For CCNA 200-301)

| Topic | What Cisco Tests |
|-------|------------------|
| **NetFlow Purpose** | Traffic flow monitoring, analysis, security |
| **Flow Definition** | 7-tuple (src/dst IP, src/dst port, protocol, ToS, input interface) |
| **NetFlow Versions** | v5 (fixed), v9 (flexible), IPFIX (IETF standard) |
| **Flexible NetFlow** | Flow record, exporter, monitor, interface application |
| **Export Protocol** | UDP 2055 (typical) |
| **Sampling** | Reduces CPU load on high-speed interfaces |

### Common Exam Scenarios:

**Scenario 1:** "A network administrator needs to identify which applications are consuming bandwidth. Which NetFlow feature should be used?"
- **Answer:** NBAR (Network Based Application Recognition) with NetFlow

**Scenario 2:** "What is the difference between NetFlow v5 and v9?"
- **Answer:** v5 has fixed fields; v9 is flexible/template-based and supports custom fields

**Scenario 3:** "What is the purpose of NetFlow sampling?"
- **Answer:** Reduces CPU/memory usage by examining only a subset of packets

### Mnemonics:

**NetFlow Components:** **"R.E.M." - Record, Exporter, Monitor**

- **R**ecord: Defines what to collect
- **E**xporter: Defines where to send
- **M**onitor: Binds record and exporter

**NetFlow Versions:** **"5 Fixed, 9 Flexible, 10 International"**

- v5: Fixed format
- v9: Flexible format
- IPFIX (v10): International standard

---

## Summary (1-Minute Revision)

**NetFlow definition:**
- Collects IP traffic flow metadata
- Provides visibility into network usage
- Used for analysis, security, troubleshooting

**Flow definition (7-tuple):**
- Source IP
- Destination IP
- Source port
- Destination port
- Layer 3 protocol
- Type of Service (ToS)
- Input interface

**Versions:**
- v5: Fixed format, no custom fields
- v9: Flexible, template-based
- IPFIX (v10): IETF standard, vendor-neutral

**Flexible NetFlow:**
- Flow Record: defines fields to collect
- Flow Exporter: defines destination
- Flow Monitor: binds record + exporter
- Apply to interface: `ip flow monitor [name] [input|output]`

**Configuration:**
- `flow record [name]`
- `flow exporter [name]`
- `flow monitor [name]`
- `ip flow monitor [name] [input|output]`
- `show flow monitor [name] cache`

**Sampling:**
- `sampler [name]` / `mode random 1 out-of [value]`
- Applied on the interface: `ip flow monitor [name] sampler [sampler] input`
- Reduces CPU load; small flows may go unseen

**Verification:**
- `show flow monitor [name] cache`
- `show flow exporter [name] statistics`
- `show flow monitor [name] statistics`

**IPFIX:**
- IETF standard (RFC 7011)
- Based on NetFlow v9
- Multi-vendor support
- `export-protocol ipfix`

---

## Practice Questions

**1. What is the primary purpose of NetFlow?**
- A) Encrypt network traffic
- B) Collect IP traffic flow metadata
- C) Route packets between networks
- D) Provide DHCP services

<details>
<summary>Answer</summary>
<b>B) Collect IP traffic flow metadata</b> - NetFlow provides visibility into traffic patterns and usage.
</details>

**2. Which NetFlow version uses a fixed record format that cannot be customized?**
- A) v5
- B) v9
- C) IPFIX
- D) v8

<details>
<summary>Answer</summary>
<b>A) v5</b> - NetFlow v5 records have a fixed layout; v9 and IPFIX are template-based.
</details>

**3. What is the conventional UDP port for NetFlow export?**
- A) UDP 161
- B) UDP 162
- C) UDP 2055
- D) UDP 514

<details>
<summary>Answer</summary>
<b>C) UDP 2055</b> - NetFlow exports are typically sent to UDP port 2055.
</details>

**4. Which command displays active flows in the NetFlow cache?**
- A) `show ip flow`
- B) `show flow monitor [name] cache`
- C) `show netflow cache`
- D) `show flow export`

<details>
<summary>Answer</summary>
<b>B) `show flow monitor [name] cache`</b> - Displays active flows in the cache.
</details>

**5. What defines the fields collected by Flexible NetFlow?**
- A) Flow Exporter
- B) Flow Monitor
- C) Flow Record
- D) Flow Cache

<details>
<summary>Answer</summary>
<b>C) Flow Record</b> - The flow record defines which fields to collect.
</details>

**6. Which IETF standard is based on NetFlow v9?**
- A) SNMP
- B) IPFIX
- C) NetFlow v5
- D) sFlow

<details>
<summary>Answer</summary>
<b>B) IPFIX</b> - IPFIX (v10) is the IETF standard based on NetFlow v9.
</details>

**7. What is the purpose of NetFlow sampling?**
- A) Increase accuracy
- B) Reduce CPU/memory usage
- C) Add more fields
- D) Encrypt flow data

<details>
<summary>Answer</summary>
<b>B) Reduce CPU/memory usage</b> - Sampling reduces the processing load on high-speed interfaces.
</details>

**8. Which component defines where to send flow records?**
- A) Flow Record
- B) Flow Monitor
- C) Flow Exporter
- D) Flow Cache

<details>
<summary>Answer</summary>
<b>C) Flow Exporter</b> - The flow exporter defines the destination for flow records.
</details>

**9. What is the default timeout for inactive flows?**
- A) 5 seconds
- B) 15 seconds
- C) 60 seconds
- D) 120 seconds

<details>
<summary>Answer</summary>
<b>B) 15 seconds</b> - The default inactive flow timeout is 15 seconds.
</details>

**10. Which command applies a flow monitor to an interface?**
- A) `ip flow monitor [name]`
- B) `ip flow monitor [name] input|output`
- C) `ip netflow monitor [name]`
- D) `ip flow export [name]`

<details>
<summary>Answer</summary>
<b>B) `ip flow monitor [name] input|output`</b> - Applies the flow monitor to the interface in the given direction.
</details>

**11. What does NBAR provide for NetFlow?**
- A) Encryption
- B) Application recognition
- C) Higher sampling rates
- D) IPv6 support

<details>
<summary>Answer</summary>
<b>B) Application recognition</b> - NBAR identifies applications such as YouTube and Facebook.
</details>

**12. Which NetFlow version is vendor-neutral?**
- A) v5
- B) v9
- C) IPFIX
- D) v8

<details>
<summary>Answer</summary>
<b>C) IPFIX</b> - IPFIX is the IETF standard and is vendor-neutral.
</details>

---

## Next Steps

After completing Video 48, you should be ready for:

- **Video 49:** SPAN, RSPAN, and ERSPAN
- **Video 50:** Cisco DNA Center and SD-Access

**Lab Practice:**

1. Configure traditional NetFlow v5
2. Configure Flexible NetFlow v9
3. Verify with `show flow monitor cache`
4. Configure IPFIX export
5. Configure sampling for high-speed interfaces
6. Test with a traffic generator