Enabling NetFlow
Typically, enabling NetFlow on software-based platforms consists of one or two steps:
- Enabling NetFlow on the relevant physical and logical interfaces
- (Optional) Enabling NetFlow Data Export (NDE) so that the device exports the flow information to an external monitoring system
When you configure NetFlow, you must decide between ingress or egress NetFlow for each device. This decision depends on the use and the topology. You can also enable NetFlow for both ingress and egress.
Note: Egress NetFlow is dependent on the version of Cisco IOS you are running. For more information, go to http://www.cisco.com/go/fn.
The following example shows how you can enable ingress NetFlow on a particular interface (GigabitEthernet0/0 in this case):
myrouter#configure terminal
myrouter(config)#interface GigabitEthernet0/0
myrouter(config-if)#ip flow ingress
To enable egress NetFlow, use the ip flow egress interface subcommand as follows:
myrouter(config)#interface GigabitEthernet0/0
myrouter(config-if)#ip flow egress
Note: Ingress NetFlow is the most commonly used method. Egress NetFlow is more commonly used with MPLS VPN. The MPLS Egress NetFlow Accounting feature allows you to capture IP flow information for packets undergoing MPLS label disposition. In other words, it captures packets that arrive on a router as MPLS packets and are transmitted as IP packets. Egress NetFlow accounting might adversely affect network performance because of the additional accounting-related computations that occur in the traffic-forwarding path of the router.
The following example shows how to configure the NetFlow-enabled device to export the flow data to a monitoring system:
myrouter(config)#ip flow-export version 5
myrouter(config)#ip flow-export source loopback 0
myrouter(config)#ip flow-export destination 172.18.85.190 2055
In this example, NDE Version 5 is used. All NetFlow export packets are sourced from a loopback interface configured on the router (loopback 0). The destination is a Cisco Security Monitoring, Analysis, and Response System (CS-MARS) appliance with the IP address 172.18.85.190, and the destination UDP port is 2055.
It is recommended that you change the active flow timeout from its default of 30 minutes to the minimum value of one minute. This causes long-lived flows to be exported every minute, which brings the monitoring system closer to real time. You can do this with the ip flow-cache timeout active command, as shown here:
myrouter(config)#ip flow-cache timeout active 1
Note: By default, an active flow remains in the cache for 30 minutes before it times out, and an inactive flow remains in the cache for 15 seconds before it times out.
Collecting NetFlow Statistics from the CLI
To view the basic NetFlow information from the CLI, you can use the show ip cache flow command, as shown in Example 1:
myrouter#show ip cache flow
IP packet size distribution (9257M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .088 .314 .011 .011 .027 .001 .007 .001 .013 .016 .002 .002 .000 .001 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .001 .002 .043 .452 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
  43 active, 65493 inactive, 884110623 added
  3341579080 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet     1072696      0.2        17   578      4.4       9.8      15.3
TCP-FTP          33386      0.0      2392    57     18.6     697.2       7.6
TCP-FTPD          2967      0.0      2869  1049      1.9       4.3      15.2
TCP-WWW        9091735      2.1       222   904    470.3       6.0       5.6
TCP-SMTP        538619      0.1         1    59      0.2       6.9      15.9
TCP-X             3246      0.0        44   909      0.0       0.1      13.4
TCP-BGP         280550      0.0         2    44      0.1       7.2      15.8
TCP-NNTP          2306      0.0         1    46      0.0       0.0      18.1
TCP-Frag             7      0.0        19   152      0.0       8.8      15.4
TCP-other     48037166     11.1       115   887   1289.2       4.5       6.2
UDP-DNS        1043579      0.2         2    74      0.4       3.9      15.9
UDP-NTP         891663      0.2         1    79      0.2       0.0      15.5
UDP-TFTP        138376      0.0         7    55      0.2      21.2      15.5
UDP-Frag          9736      0.0       182  1366      0.4      22.1      15.4
UDP-other    816395802    190.0         1   109    316.9       0.1      18.8
ICMP           6533952      1.5        13    95     20.5       8.3      15.5
GRE                239      0.0        41    97      0.0      66.9      15.2
IP-other         34558      0.0      3907   156     31.4      66.1      15.0
Total:       884110583    205.8        10   750   2155.4       0.5      17.9

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa1/1         14.38.1.9       Null          255.255.255.255 11 0044 0043     1
Fa1/1         0.0.0.0         Null          255.255.255.255 11 0044 0043   209
Fa0/0         172.18.173.68   Fa1/0         14.36.1.208     06 05BC 01BB   452
Fa0/0         172.18.173.68   Fa1/0         14.36.1.186     06 0631 01BB   388
Fa1/0         14.36.1.120     Null          14.36.255.255   11 008A 008A     3
Fa0/0         14.36.1.120     Null          14.36.255.255   11 008A 008A     3
Fa0/0         172.18.124.223  Fa1/0         14.36.197.213   06 8107 2323  1547
Fa0/0         172.18.124.66   Null          14.36.1.184     06 EC83 01BB     1
Fa1/0         14.36.8.48      Fa0/0         172.18.124.154  06 15FE 0FA5     1
Fa1/0         14.36.8.48      Fa0/0         172.18.124.154  06 15FF 0FA5     1
Fa1/0         14.36.8.48      Fa0/0         172.18.124.154  06 15FD 0FA5     1
Fa1/0         14.36.1.3       Fa0/0         172.18.123.69   01 0000 0303     3
Fa1/0         14.36.8.36      Fa0/0         172.18.124.66   11 0202 0202     4
Fa1/0         14.36.99.77     Fa0/0         172.18.124.225  06 01BB 137C    85
Fa1/0         14.36.197.213   Fa0/0         172.18.124.223  06 2323 8107   780
Fa0/0         172.18.124.223  Fa1/0         14.36.1.203     06 8105 2323 19992167
Fa0/0         172.18.85.169   Local         14.36.1.1       06 8E5E 0017    97
Fa0/0         172.18.124.225  Fa1/0         14.36.99.77     06 137C 01BB    85
Fa0/0         172.18.124.128  Fa1/0         14.36.1.128     06 916E 2323   138
Fa0/0         172.18.124.128  Fa1/0         14.36.1.128     06 916D 2323    54
Fa1/0         14.36.1.208     Fa0/0         172.18.173.68   06 01BB 05BC   678
In the highlighted line, you can see that a host (172.18.124.223) is sending 19,992,167 packets to 14.36.1.203. This may be abnormal behavior or an infected machine. The protocol is 06 (TCP), the source port is 33029 (hex 8105), and the destination port is 8995 (hex 2323).
You can also obtain export flow information using the show ip flow export command, as shown in Example 2:
myrouter#show ip flow export
Flow export v5 is enabled for main cache
  Exporting flows to 172.18.85.190 (2055)
  Exporting using source IP address 172.18.124.47
  Version 5 flow records
  884111088 flows exported in 31352026 udp datagrams
  0 flows failed due to lack of export packet
  4 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
In Example 2, you can see that the router is exporting the NetFlow information to the 172.18.85.190 device (a CS-MARS in this case) over UDP port 2055. The source IP address is 172.18.124.47. A total of 884,111,088 flows have been exported in 31,352,026 UDP datagrams. Note that in the show ip cache flow output, all protocol numbers, source ports, and TCP/UDP destination ports are shown in hexadecimal. ICMP packets are represented with the source port field set to 0000, the first byte of the destination port field set to the ICMP type, and the second byte set to the ICMP code (for instance, 0303 in Example 1 is ICMP type 3, code 3). If you are using features such as policy-based routing (PBR), Web Cache Communication Protocol (WCCP), Network Address Translation (NAT), or Unicast Reverse Path Forwarding (uRPF) ACLs, you will see a destination interface (DstIf) value of Null. To see packet drops caused by ACLs, uRPF, PBR, or null routes, use the show ip cache flow | include Null command, as shown in Example 3:
myrouter#show ip cache flow | include Null
Fa1/0         14.36.1.8       Null          255.255.255.255 11 0044 0043     1
Fa1/1         0.0.0.0         Null          255.255.255.255 11 0044 0043   891
Fa0/0         172.18.124.66   Null          14.36.1.184     06 80AC 01BB     3
Fa0/0         14.1.17.111     Null          14.38.201.1     06 51CD 00B3     2
Fa1/0         172.18.124.11   Null          172.18.124.255  11 0089 0089    18
Fa1/0         172.18.124.153  Null          172.18.124.255  11 008A 008A     3
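The following is an added example, not code from this chapter, showing how a collector listening on UDP port 2055 would decode the Version 5 export datagrams configured earlier and apply the same reading as the CLI output above: protocol and ports as numbers rather than hex, the ICMP type and code unpacked from the destination port field, and flows with millions of packets flagged, like the 19,992,167-packet flow in Example 1. The sample datagram is constructed inline; parse_v5, noisy_flows and make_record are hypothetical helper names, and the packet-count threshold is an assumption.

```python
# Added example (not from the chapter): decode NetFlow v5 export datagrams as the
# collector on UDP 2055 would, and flag flows with unusually high packet counts.
import socket
import struct

HDR = struct.Struct("!HHIIIIBBH")                # v5 header: version, count, uptime, secs, nsecs, seq, engine, sampling
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # one 48-byte v5 flow record

def parse_v5(datagram):
    """Return (header dict, list of flow dicts); raise ValueError on a non-v5 or truncated packet."""
    if len(datagram) < HDR.size:
        raise ValueError("truncated header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, sampling = HDR.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if len(datagram) < HDR.size + count * REC.size:
        raise ValueError("header claims %d records but packet is too short" % count)
    flows = []
    for i in range(count):
        rec = REC.unpack_from(datagram, HDR.size + i * REC.size)
        src, dst, _nexthop, _inif, _outif, pkts, octets, _first, _last, sport, dport, _pad, flags, proto, _tos = rec[:15]
        flow = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
                "sport": sport, "dport": dport, "pkts": pkts, "octets": octets, "tcp_flags": flags}
        if proto == 1:  # ICMP: type in the high byte, code in the low byte of the dst port field (e.g. 0303)
            flow["icmp_type"], flow["icmp_code"] = dport >> 8, dport & 0xFF
        flows.append(flow)
    return {"seq": seq, "count": count, "sampling": sampling}, flows

def noisy_flows(flows, pkt_threshold=1_000_000):
    """Flows above the packet threshold (assumed value), the collector-side analogue of '| include M'."""
    return [f for f in flows if f["pkts"] > pkt_threshold]

def make_record(src, dst, proto, sport, dport, pkts):
    """Build one constructed v5 record (64-byte packets) for the sample datagram below."""
    return REC.pack(socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
                    1, 2, pkts, pkts * 64, 1000, 2000, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)

# Constructed export datagram: the TCP flow highlighted in Example 1 plus an ICMP type 3 / code 3 flow.
SAMPLE = (HDR.pack(5, 2, 123456, 1700000000, 0, 884111088, 0, 0, 0)
          + make_record("172.18.124.223", "14.36.1.203", 6, 0x8105, 0x2323, 19992167)
          + make_record("14.36.1.3", "172.18.123.69", 1, 0x0000, 0x0303, 3))

if __name__ == "__main__":
    _header, sample_flows = parse_v5(SAMPLE)
    for f in noisy_flows(sample_flows):
        print("%(src)s:%(sport)d -> %(dst)s:%(dport)d proto %(proto)d pkts %(pkts)d" % f)
```

Feeding a real collector this way means the hex values the router displays (8105, 2323, 0303) arrive as plain integers, so thresholds and ICMP type/code filters can be applied without manual conversion.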
To see flows that contain thousands or millions of packets, you can use the show ip cache flow | include K or show ip cache flow | include M commands, respectively. The Cisco Catalyst 6500 switches and Cisco 7600 routers obtain NetFlow information via the Multilayer Switching (MLS) cache. In addition, the amount and type of data recorded in the table must be selected. The mls flow ip interface-full command provides the most useful information and can be configured as follows:
CAT6k(config)# mls flow ip interface-full
CAT6k(config)# mls nde interface