
Version 4.1 - 6.3 Netflow Part 2

This is another good NetFlow Configuration Guide.

NetFlow identifies packet flows for both ingress and egress IP packets. It does not involve any connection-setup protocol, either between routers or to any other networking device or end station.

NetFlow captures a rich set of traffic statistics. These traffic statistics include user, protocol, port, and type of service (ToS) information that can be used for a wide variety of purposes such as network application and user monitoring, network analysis and planning, security analysis, accounting and billing, traffic engineering, and NetFlow data warehousing and data mining.

This document contains information about and instructions for detecting and analyzing network threats such as denial of service attacks (DoS) through the use of NetFlow features.

Note: Network Engineers should be familiar with this. The same things that you use to identify "Top Talkers" for a DoS attack also apply to finding "Top Talkers" to troubleshoot performance issues.

NetFlow version 9 Flow-Record Format

The distinguishing feature of the NetFlow Version 9 format is that it is template based. Templates provide an extensible design to the record format, a feature that should allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record format.
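The template mechanism is easiest to see in code. The following is an added example, not code from the original page or from Cisco: a minimal collector-side NetFlow v9 parser that learns a template flowset and then decodes a data flowset against it. The field type numbers are the RFC 3954 ones; the packet, addresses and counters in `sample_packet()` are constructed for the example.

```python
import socket
import struct

FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}  # RFC 3954 field types (subset)

def parse_v9(packet, templates=None):
    """Parse one v9 export packet. Template flowsets (id 0) fill `templates`, keyed by (source_id,
    template_id); data flowsets decode against them. Returns (records, templates) so the cache persists."""
    templates = {} if templates is None else templates
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4: break  # malformed length; anything smaller would never advance
        body, off = packet[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:  # template flowset; may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                templates[(source_id, tid)] = list(struct.iter_unpack("!HH", body[pos + 4:pos + 4 + 4 * nfields]))
                pos += 4 + 4 * nfields
        elif fs_id >= 256:  # data flowset; decodable only once its template is known
            tmpl = templates.get((source_id, fs_id))
            if tmpl is None:
                continue  # data may arrive before its template: skip it, do not fail
            rec_len, pos = sum(flen for _, flen in tmpl), 0
            while pos + rec_len <= len(body):  # leftover bytes shorter than a record are padding
                rec, p = {}, pos
                for ftype, flen in tmpl:
                    raw, p = body[p:p + flen], p + flen
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = (
                        socket.inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big"))
                records.append(rec)
                pos += rec_len
    return records, templates

def sample_packet():  # constructed input: header, one template (id 256), one data flowset with two flows
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, n) for t, n in fields)
    flows = [("10.1.1.5", "192.168.9.101", 40512, 53, 17, 120, 1),
             ("10.1.1.7", "192.168.9.101", 51000, 443, 6, 98000, 70)]
    data = b"".join(socket.inet_aton(s) + socket.inet_aton(d) + struct.pack("!HHBII", sp, dp, pr, by, pk)
                    for s, d, sp, dp, pr, by, pk in flows) + b"\x00\x00"  # 2 bytes of 32-bit padding
    header = struct.pack("!HHIIII", 9, 3, 1000, 1700000000, 1, 0)  # version 9, 3 records, source id 0
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(data)) + data)
```

Because the template cache is keyed by source id and returned to the caller, a collector that keeps it between packets will decode data flowsets whose template was only sent in an earlier packet; a fresh cache decodes nothing for them rather than erroring.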

Another good White Paper is Introduction to Cisco IOS NetFlow.

In response to new requirements and pressures, network operators are finding it critical to understand how the network is behaving, including:
• Application and network usage
• Network productivity and utilization of network resources
• The impact of changes to the network
• Network anomaly and security vulnerabilities
• Long term compliance issues

Of special importance on that page are the tables:
Table 2. Commercial NetFlow Reporting Products
Table 3. Freeware NetFlow Reporting Products

And the screenshot in Figure 4, Example of traffic analysis reporting utilizing NetFlow data.

And this Cisco doc Migrating from Traditional to Flexible NetFlow should also be on your reading list.

Traditional NetFlow almost always used a fixed seven-tuple of IP header fields to identify a flow. A big advantage of the new Flexible NetFlow concept is that the flow key can be user defined. The benefits of Flexible NetFlow include:

+ Flexible NetFlow will integrate with NBAR to provide application visibility rather than just flow visibility.
+ Because only interesting flows with selected key-fields will be analyzed, Flexible NetFlow generally offers better performance, scalability, and aggregation of flow information.
+ Enhanced flow infrastructure for security monitoring and distributed DoS detection and identification.
+ New information from packets to adapt flow information to a particular service or operation in the network.
+ Extensive use of Cisco's flexible and extensible NetFlow Version 9 export format.
+ A comprehensive IP accounting feature that can be used to replace many accounting features, such as IP accounting, BGP Policy Accounting, and persistent caches.
+ New high-end platforms such as Cisco Catalyst 6000 with EARL8, Cisco Catalyst 4000 with K10, next generation of Cisco Catalyst 3000, and so on will exclusively support Flexible NetFlow.

Flexible NetFlow configuration:

flow exporter FlowExporter1
 destination 192.168.9.101
 transport udp 9996
 export-protocol netflow-v5
 source FastEthernet 0/1

flow monitor FlowMonitor1
 record netflow ipv4 original-input
 exporter FlowExporter1
 cache timeout active 1
 cache timeout inactive 15

interface FastEthernet 0/1
 ip flow monitor FlowMonitor1 [input|output]

Note that most of the Flexible NetFlow materials are for version 9, which is not compatible with version 5. So here is a document on the Flexible NetFlow NetFlow V5 Export Protocol.

The NetFlow Version 5 export protocol, first shipped in Cisco IOS Release 12.4(22)T, is supported only for flow monitors that use the following Flexible NetFlow predefined records: netflow-original, original input, and original output.
