
What is Netflow and how it works

NetFlow is a Cisco-developed protocol for collecting IP traffic statistics as flows. A flow is the set of packets that share the same key fields (typically source and destination IP address, ports and protocol); the router or switch tracks every active flow in a cache, counting its packets and bytes, and when a flow expires it exports a flow record to a NetFlow collector. The collector is the server running the analysis application, for example SolarWinds or LogicMonitor. Export is one-way: the device pushes records to the collector over UDP when flows time out according to the cache timers configured on the device. Unlike SNMP, where the management server polls the device, the collector never sends anything to the device; the device initiates every message on its own, much as an SNMP trap does. Because the export is plain UDP with no authentication or encryption, the collector should be reachable only from the devices' management addresses and should accept datagrams only from known exporter addresses.


NetFlow configuration on Cisco IOS (Flexible NetFlow) has three parts: the flow record, the flow exporter and the flow monitor. The flow record defines what NetFlow gathers. Its "match" commands name the key fields that identify a flow (packets whose key fields are identical are counted in the same cache entry), and its "collect" commands name the non-key fields, such as byte and packet counters and timestamps, that are reported for each flow; together they determine which fields appear in the exported NetFlow PDU. The flow exporter defines where and how records are sent: the collector address, the source interface and the UDP port (the default export format is NetFlow version 9). The flow monitor ties the record to the exporter and holds the cache timers, and it is then applied to every interface whose traffic you want to monitor. The steps below show the configuration on a Cisco Catalyst 3850 switch.

1. Create a Flow Record (define the key fields to match and the non-key fields to collect)

sw3850(config)# flow record RECORD
sw3850(config-flow-record)# description NetFlow record format to send to StealthWatch
sw3850(config-flow-record)# match ipv4 ttl 
sw3850(config-flow-record)# match ipv4 tos 
sw3850(config-flow-record)# match ipv4 protocol 
sw3850(config-flow-record)# match ipv4 source address
sw3850(config-flow-record)# match ipv4 destination address
sw3850(config-flow-record)# match transport source-port 
sw3850(config-flow-record)# match transport destination-port 
sw3850(config-flow-record)# match interface input
sw3850(config-flow-record)# collect interface output 
sw3850(config-flow-record)# collect counter bytes long
sw3850(config-flow-record)# collect counter packets long 
sw3850(config-flow-record)# collect timestamp absolute first 
sw3850(config-flow-record)# collect timestamp absolute last 


2. Create a Flow Exporter (specify where/how NetFlow is to be sent)

sw3850(config)#flow exporter EXPORTER
sw3850(config-flow-exporter)#description Export NetFlow to StealthWatch
sw3850(config-flow-exporter)#destination <fc_collector_IP_address>
sw3850(config-flow-exporter)#source <interface> → (e.g. use a Loopback)
sw3850(config-flow-exporter)#transport udp 2055

3. Create a Flow Monitor (tie the Flow Record to the Flow Exporter)
sw3850(config)#flow monitor MONITOR
sw3850(config-flow-monitor)#record RECORD
sw3850(config-flow-monitor)#exporter EXPORTER
sw3850(config-flow-monitor)#cache timeout active 60

4. Assign Flow Monitor to selected interfaces
Repeat this step on every interface whose traffic you want to monitor. The input keyword applies the monitor to traffic arriving on that interface.
sw3850(config)#interface <interface> → (e.g. VLAN1 or g2/1)
sw3850(config-if)#ip flow monitor MONITOR input

Validate configuration:
show flow record RECORD
show flow monitor MONITOR statistics
show flow monitor MONITOR cache
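The collector side of the exchange described above, as an added example that is not code from the original post or from any vendor product: a small Python NetFlow v9 decoder that learns the template a device sends (one entry per match/collect field in the flow record) and then decodes the data records that follow it, dropping data whose template has not been seen yet and refusing datagrams from unknown source addresses. The packet is constructed inline, not captured from a switch; the field type IDs are taken from RFC 3954 and the IANA IPFIX registry, and the exporter address 10.0.0.1 and the flow addresses are made up for the example.

```python
"""Minimal NetFlow v9 (RFC 3954) decoder for the collector side.

Added example, not from the original post. The packet built below is
constructed by hand to resemble what the flow record above would export
(a template FlowSet mirroring its match/collect fields, then one data
FlowSet); it was not captured from a switch.
"""
import socket
import struct
from typing import Dict, List, Tuple

TEMPLATE_FLOWSET_ID = 0
# Field type IDs from RFC 3954 section 8 / the IANA IPFIX registry.
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 5: "src_tos",
    7: "l4_src_port", 8: "ipv4_src_addr", 10: "input_snmp",
    11: "l4_dst_port", 12: "ipv4_dst_addr", 14: "output_snmp",
    152: "flow_start_ms", 153: "flow_end_ms", 192: "ip_ttl",
}
Template = List[Tuple[int, int]]                  # [(field_type, field_length), ...]
TemplateCache = Dict[Tuple[int, int], Template]   # keyed by (source_id, template_id)


def _decode(field_type: int, raw: bytes):
    if field_type in (8, 12) and len(raw) == 4:
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet: bytes, templates: TemplateCache) -> List[dict]:
    """Decode one export datagram: learn templates into `templates` and
    return the data records that a known template can decode."""
    if len(packet) < 20:
        raise ValueError("short NetFlow header")
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"unsupported NetFlow version {version}")
    records: List[dict] = []
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("FlowSet length runs past the datagram")
        body = packet[off + 4:off + fs_len]
        if fs_id == TEMPLATE_FLOWSET_ID:
            pos = 0
            while pos + 4 <= len(body):
                template_id, n_fields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if pos + 4 * n_fields > len(body):
                    raise ValueError("template field list truncated")
                fields: Template = []
                for _ in range(n_fields):
                    fields.append(struct.unpack("!HH", body[pos:pos + 4]))
                    pos += 4
                templates[(source_id, template_id)] = fields
        elif fs_id >= 256:                        # data FlowSet: id is the template id
            fields = templates.get((source_id, fs_id))
            if fields is None:                    # template not seen yet: drop the data
                off += fs_len
                continue
            rec_len = sum(length for _, length in fields)
            pos = 0
            while rec_len and pos + rec_len <= len(body):   # trailing bytes are padding
                rec = {}
                for ftype, length in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode(ftype, body[pos:pos + length])
                    pos += length
                records.append(rec)
        off += fs_len
    return records


def handle_datagram(packet: bytes, src_ip: str, allowed_exporters: set, templates: TemplateCache) -> List[dict]:
    """NetFlow v9 over UDP is neither authenticated nor encrypted, so the one
    check a collector can make is the source address: accept only the exporter
    source interfaces you configured (the Loopback used in the exporter above)."""
    if src_ip not in allowed_exporters:
        return []
    return parse_v9(packet, templates)


def build_sample_packet(include_template: bool = True) -> bytes:
    """Constructed sample export (not captured): template 256 mirrors the flow
    record above (ttl, tos, protocol, addresses, ports, interfaces, counters,
    timestamps) and carries one TCP flow 10.1.1.50:51514 -> 203.0.113.7:443."""
    fields = [(192, 1), (5, 1), (4, 1), (8, 4), (12, 4), (7, 2), (11, 2),
              (10, 4), (14, 4), (1, 8), (2, 8), (152, 8), (153, 8)]
    template = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_fs = struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(template)) + template
    data = (bytes([64, 0, 6])                                   # ttl, tos, protocol
            + socket.inet_aton("10.1.1.50") + socket.inet_aton("203.0.113.7")
            + struct.pack("!HH", 51514, 443) + struct.pack("!II", 3, 7)   # ports, in/out ifIndex
            + struct.pack("!QQ", 1234567, 1200)                 # bytes, packets
            + struct.pack("!QQ", 1700000000000, 1700000060000)) # first/last seen, ms
    data += b"\x00" * (-len(data) % 4)                          # FlowSets pad to 32-bit boundary
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 2, 123456, 1700000060, 1, 0)  # version, count, uptime, secs, seq, source id
    return header + (template_fs if include_template else b"") + data_fs


if __name__ == "__main__":
    cache: TemplateCache = {}
    for rec in handle_datagram(build_sample_packet(), "10.0.0.1", {"10.0.0.1"}, cache):
        print(rec)
```

The template cache is keyed by source ID as well as template ID because two exporters, or two line cards of one chassis, may legitimately use the same template number with different field lists; a collector that keys on template ID alone will decode one device's records with the other's layout.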
