Netflow is a great tool to use in order to gain a better understanding of what’s going through your network. Netflow captures the flows of traffic going through a device and provides some basic analysis. In addition, the netflow data can be offloaded (exported) to a third party collector for further analysis. Let’s jump right in so you can see what I’m talking about.
The first step in configuring NetFlow is to define which interfaces you want to capture data on. There are two ways to do this: the interface subcommand ‘ip route-cache flow’, or the interface subcommands ‘ip flow ingress’ and ‘ip flow egress’. The commands do sort of the same thing, but have some minor differences. The ‘ip route-cache flow’ command came along first and enables ingress NetFlow on the specific interface. See, in NetFlow version 5, you only looked at ingress traffic. However, you had to make sure that the ‘ip route-cache flow’ command was enabled on every interface that traffic could pass through on the router. In this way, it was acceptable to only look at inbound traffic: if you look at inbound traffic on every interface, you can easily tell what’s going out of every other interface. (See this site for more info).
The ‘ip flow ingress/egress’ commands came along later and allow you to configure NetFlow in either (or both) directions on an interface. Additionally, these two commands can be applied to sub interfaces and only affect the sub interface they are configured on. The ‘ip route-cache flow’ command can only be applied on the physical interface and affects every sub interface attached to the physical interface. Capturing egress traffic is supported in NetFlow version 9.
Now that I’ve explained that, let’s take a look at the configuration on a router. I’ll only be using the ‘ip flow’ version of the interface commands. Recall that ‘ip route-cache flow’ and ‘ip flow ingress’ are practically the same thing. To verify what NetFlow is capturing on the router, we can use the ‘show ip cache flow’ command. Let’s look at a quick example…
We start with no NetFlow commands configured. Then we add the ‘ip flow egress’ command to the outside interface of this router. Taking a look at the output of the ‘show ip cache flow’ command, we see that NetFlow sees the traffic flow sourcing from the inside interface (fa0/1) from IP address 126.96.36.199 going to IP address 188.8.131.52 out the outside interface (fa0/0). Now if we enable ‘ip flow ingress’ on the same interface and check again, we see both directions of the conversation. This could also be accomplished by setting the ‘ip flow ingress’ command on both interfaces fa0/0 and fa0/1…
So as you can see, you have quite a lot of flexibility in regards to how you configure netflow on your interfaces. The key is just making sure you see both sides of the conversation. This is either done by configuring egress and ingress on the same interface, or ingress on all of the interfaces of the router.
Besides actually seeing the flows in this output, we get quite a bit more information about the different protocols being used, as well as the flow cache itself. Another interesting configuration is the top talkers configuration. Say you are troubleshooting an issue where someone on the LAN is taking up a great deal of bandwidth. Easy, configure the NetFlow top talkers feature and figure out who it is…
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 10
Router(config-flow-top-talkers)# sort-by bytes
Now we can take a look at the top talkers with the ‘show ip flow top-talkers’ command…
Not much to see here since I’m just running ICMP tests but you get the point. A flow export destination can be configured with the…
ip flow-export destination <IP address> <port number>
command. You can also set the source interface with the…
ip flow-export source <Interface>
command. That’s it for now, but I’m sure there will be more to come on this topic soon. I’m actually in the middle of doing a netflow deployment at work so I’ll be sure to post back on how that goes.
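To show what arrives at the export destination configured above, here is an added example (not from the original post or from Cisco) that decodes a NetFlow version 5 export datagram, ranks sources by bytes, and lists conversations seen in only one direction. The sample datagram, its addresses and the function names are constructed for illustration, and the per-source ranking is a simplification of the router's per-flow top-talkers list.

```python
import socket
import struct
from collections import defaultdict

HDR = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HDR.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(datagram) != HDR.size + count * REC.size:
        raise ValueError("header count does not match datagram length")
    flows = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "in_if": f[3], "out_if": f[4], "bytes": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[12]})
    return flows

def top_talkers(flows, n=10):
    """Rank source addresses by total bytes (assumption: per source, not per flow)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

def one_sided(flows):
    """Conversations with no reverse flow: a hint that one direction is not captured."""
    seen = {(f["src"], f["sport"], f["dst"], f["dport"], f["proto"]) for f in flows}
    return sorted(k for k in seen if (k[2], k[3], k[0], k[1], k[4]) not in seen)

def sample_datagram():
    """Constructed sample: three flows using documentation addresses."""
    rows = [("192.0.2.10", "198.51.100.5", 2, 1, 1200, 51000, 443, 6),
            ("198.51.100.5", "192.0.2.10", 1, 2, 90000, 443, 51000, 6),
            ("192.0.2.20", "198.51.100.9", 2, 1, 300, 40000, 53, 17)]
    body = b"".join(
        REC.pack(socket.inet_aton(s), socket.inet_aton(d), bytes(4), i, o, 1, octets,
                 0, 0, sp, dp, 0, proto, 0, 0, 0, 0, 0)
        for s, d, i, o, octets, sp, dp, proto in rows)
    return HDR.pack(5, len(rows), 0, 0, 0, 0, 0, 0, 0) + body

if __name__ == "__main__":
    flows = parse_v5(sample_datagram())
    print(top_talkers(flows), one_sided(flows))
```

A one-sided entry can also be genuinely one-way traffic or a flow whose reply has not been exported yet, so treat it as a prompt to check the interface configuration rather than proof of a gap.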