1 Netflow Overview
Developed by Cisco Systems in 1996
The value of information in the cache was a secondary discovery
  Initially designed as a switching path
NetFlow is now the primary network accounting technology in the industry
Answers questions regarding IP traffic: who, what, where, when, and how
NetFlow version 9 is an IETF standard

2 Traffic Analysis
What we need:
  Application performance
  Application-based accounting
  Network security
  Network behavior, application recognition
'debug ip packet' in router?
IP sniffing in shared LAN (or using switch to do so)
Port span in switch (how about port span in router?)
Circuit sniffing
Netflow
What we prefer in backbone:
  Embedded
  Fixed length partial packet export
  Real-time filtered packet export

Network Monitoring
Network planning
Security Analysis
Application Monitoring
User Monitoring
Traffic Engineering
Peering Agreement
Usage-based Billing
Destination sensitive billing

5 What is a flow?
A Flow is Unidirectional!
Defined by seven unique keys:
  Source IP address
  Destination IP address
  Source port
  Destination port
  Layer 3 protocol
  TOS byte (DSCP)
  Input interface (ifIndex)
Exported Data

6 NetFlow Sequence
Step 1: Create and update flows in NetFlow Cache
Step 2: Expiration
  Inactive timer expired (15 sec is default)
  Active timer expired (30 min (1800 sec) is default)
  NetFlow cache is full (oldest flows are expired)
  RST or FIN TCP Flag
Step 3: Aggregation?
  No
  Yes, e.g. Protocol-Port Aggregation Scheme
Step 4: Export Version
  Non-Aggregated Flows - export Version 5 or 9
  Aggregated Flows - export Version 8 or 9
Step 5: Transport Protocol
  Export Packet: Header, Payload (flows)

Enable NetFlow
(Diagram: Traffic, Core Network (IP, MPLS), PE, UDP NetFlow Export Packets, Collector (Solaris, HP-UX, or Linux), Application: Performance, Billing, Security)
Export Packets:
  Approximately 1500 bytes
  Typically contain flow records
  Sent more frequently if traffic increases on NetFlow-enabled interfaces

10 NetFlow Principles
Inbound traffic only (with some exceptions)
Unidirectional flow
Accounts for both transit traffic and traffic destined for the router
Works with Cisco Express Forwarding (CEF) or fast switching
Supported on almost all interfaces and Cisco IOS Software platforms
Provides the sub-interface information in the flow records
6500/7600 enables Netflow on all interfaces by default

Pre-Processing: Packet Sampling, Filtering
Features and Services: IP Multicast, MPLS, IPv6
Post-Processing: Aggregation schemes, Non-key fields lookup, Export

Usage: Packet Count, Byte Count
From/to: Source IP Address, Destination IP Address
Time of Day: Start sysUpTime, End sysUpTime
Application: Source TCP/UDP Port, Destination TCP/UDP Port
Input ifIndex, Output ifIndex
Routing and Peering: Next Hop Address, Source AS Number, Dest. Prefix Mask
QoS: Type of Service, TCP Flags, Protocol
Legend: Blue - Key Field (7), Red - Lookup Field (5), Black - Value Field (6)

ip flow-export version 5
ip flow-export destination
  e.g. ip flow-export destination
ip flow-export source
  Default is interface with best route to collector.
  Recommendation: configure loopback interface.
ip flow-aggregation cache
  Select the aggregation cache.
ip flow-cache timeout inactive
  Sets the seconds an inactive flow will remain in the cache before expiration. 15 seconds is default.
ip flow-cache timeout active
  Sets the minutes an active flow will remain in the cache before expiration. 30 minutes is default.
ip flow-cache entries
  Sets the maximum number of flow entries in the cache. The default varies depending on platform.

15 Netflow Show Commands
show ip cache flow
  Shows Netflow statistics
show ip cache flow aggregation
  Shows Netflow statistics for the configured aggregation scheme
show ip flow export
  Shows export statistics
clear ip cache flow
  Clears Netflow statistics
clear ip flow stats
  Clears export statistics

16 Show ip cache flow
    IP packet size distribution (2175M total packets):
    IP Flow Switching Cache, bytes
      550 active, inactive, added
      ager polls, 0 flow alloc failures
      Active flows timeout in 30 minutes
      Inactive flows timeout in 15 seconds
    Protocol  Total  Flows  Packets  Bytes  Packets  Active(Sec)  Idle(Sec)
              Flows  /Sec   /Flow    /Pkt   /Sec     /Flow        /Flow
    TCP-WWW
    TCP-SMTP
    …….
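
The seven flow keys from the "What is a flow?" slide and the four expiration conditions from the "NetFlow Sequence" slide can be modelled in a few lines. The following is an added example, not code from the slides or from Cisco: `FlowCache`, `FlowKey`, `reverse` and the `max_entries` value are hypothetical names and values, and the ager runs on every packet rather than on a timer.

```python
from collections import OrderedDict, namedtuple

# The seven key fields from the "What is a flow?" slide.
FlowKey = namedtuple("FlowKey", "src_ip dst_ip src_port dst_port proto tos in_if")

INACTIVE_TIMEOUT = 15        # seconds, default per the slides
ACTIVE_TIMEOUT = 30 * 60     # seconds, default per the slides
TCP, FIN, RST = 6, 0x01, 0x04

class FlowCache:
    """Toy model of the NetFlow cache (hypothetical class, not Cisco code)."""

    def __init__(self, max_entries=4):
        self.max_entries = max_entries   # assumed small size for illustration
        self.flows = OrderedDict()       # FlowKey -> record, oldest first
        self.exported = []               # (reason, key, record) tuples

    def _expire(self, key, reason):
        self.exported.append((reason, key, self.flows.pop(key)))

    def age(self, now):
        """Ager pass: apply the inactive and active timers."""
        for key, rec in list(self.flows.items()):
            if now - rec["last"] >= INACTIVE_TIMEOUT:
                self._expire(key, "inactive")
            elif now - rec["first"] >= ACTIVE_TIMEOUT:
                self._expire(key, "active")

    def packet(self, now, key, size, tcp_flags=0):
        """Account one inbound packet against its flow entry."""
        self.age(now)
        if key not in self.flows:
            if len(self.flows) >= self.max_entries:      # cache full
                self._expire(next(iter(self.flows)), "cache-full")
            self.flows[key] = {"first": now, "last": now, "pkts": 0,
                               "bytes": 0, "flags": 0}
        rec = self.flows[key]
        rec["last"] = now
        rec["pkts"] += 1
        rec["bytes"] += size
        rec["flags"] |= tcp_flags        # cumulative OR, as in the TCP Flags field
        if key.proto == TCP and tcp_flags & (FIN | RST):
            self._expire(key, "tcp-fin-rst")

def reverse(key, in_if):
    """Key of the return direction: a separate flow, seen on another interface."""
    return FlowKey(key.dst_ip, key.src_ip, key.dst_port, key.src_port,
                   key.proto, key.tos, in_if)
```

Because flows are unidirectional and the active timer cuts long-lived flows every 30 minutes, one TCP session reaches the collector as several records; analysis that looks for long or large transfers has to stitch records that share a key (and its reverse) before applying thresholds.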