Cisco NetFlow Collection Engine

Table Of Contents

NetFlow Services Solutions Guide

Introduction

NetFlow Definitions and Benefits

What Is A Flow?

NetFlow Cache Management and Data Export

Building a NetFlow Cache

NetFlow IOS Packaging Information

NetFlow Export Version Formats

NetFlow Export Packet Header Format

Cisco IOS NetFlow Flow Record and Export Format Content Information

Aging NetFlow Cache Entries on a Routing Device

Cisco IOS Router-Based NetFlow Aggregation

Selecting a NetFlow Aggregation Cache Scheme

Catalyst 65k Flow Mask information

Export Version Information for Cisco Platforms

NetFlow Performance Information

NetFlow Memory Allocation Information:

Sampled NetFlow Details and Platform Support

Supported Interfaces, Encapsulations and Protocols

NetFlow and Quality of Service (QoS)

NetFlow Activation and Deployment Information

NetFlow Management Applications

NetFlow Collectors

NetFlow MIB

NetFlow IOS Configuration

Enabling NetFlow on a Router Interface

Configuring MLS of NetFlow Data Export (NDE) on Catalyst Switches 65k and the 7600

Configuring MLS of NDE Using the Version 8 Format on Catalyst Switches

Related Information

The Catalyst 65k and 7600

NetFlow on the Cisco 12000

NetFlow on the Cisco Catalyst 4500

Summary

Appendix 1: Details Of NetFlow Export Packet Header Format For Each Export Version

Version 9

Version 8

Version 7

Version 1

Appendix 2: Details for NetFlow Export Formats

Catalyst 65k NDE Versions

Populating Additional NDE Fields

Appendix 3: Router Based Aggregation Schemes And Detailed NetFlow Export Formats

Selecting a NetFlow Aggregation Cache Scheme

NetFlow Services Solutions Guide

---

Version History

Version Number	Date	Notes
1	5/9/2001	This document was created.
2	7/16/2001	Incorporated editorial comments.
3	10/23/2004	Updated all sections.
4	01/22/2007	Updated information on types of flow switching engines.

The NetFlow Services Solutions Guide contains the following sections:

•Introduction

•NetFlow Definitions and Benefits

•What Is A Flow?

•NetFlow Cache Management and Data Export

•NetFlow IOS Packaging Information

•NetFlow Export Version Formats

•Cisco IOS Router-Based NetFlow Aggregation

•Export Version Information for Cisco Platforms

•NetFlow Performance Information

•Sampled NetFlow Details and Platform Support

•Supported Interfaces, Encapsulations and Protocols

•NetFlow and Quality of Service (QoS)

•NetFlow Activation and Deployment Information

•NetFlow Management Applications

•NetFlow IOS Configuration

•Related Information

•Summary

•Appendix 1: Details Of NetFlow Export Packet Header Format For Each Export Version

•Appendix 2: Details for NetFlow Export Formats

•Appendix 3: Router Based Aggregation Schemes And Detailed NetFlow Export Formats

Introduction

Rapid growth of IP networks has created interest in new business applications and services. These new services have resulted in increases in demand for network bandwidth, performance, and predictable quality of service as well as VoIP, multimedia and security oriented network services. Simultaneously, the need has emerged for measurement technology to support this growth by efficiently providing the information required to record network and application resource utilization. Cisco's IOS NetFlow provides solutions for each of these challenges.

This white paper is an overview of NetFlow benefits and includes technical overview of features, details about the NetFlow cache, export formats and NetFlow operation.

NetFlow Definitions and Benefits

NetFlow traditionally enables several key customer applications including:

•Network Monitoring—NetFlow data enables extensive near real time network monitoring capabilities. Flow-based analysis techniques may be utilized to visualize traffic patterns associated with individual routers and switches as well as on a network-wide basis (providing aggregate traffic or application based views) to provide proactive problem detection, efficient troubleshooting, and rapid problem resolution.

•Application Monitoring and Profiling—NetFlow data enables network managers to gain a detailed, time-based, view of application usage over the network. This information is used to plan, understand new services, and allocate network and application resources (e.g. Web server sizing and VoIP deployment) to responsively meet customer demands.

•User Monitoring and Profiling—NetFlow data enables network engineers to gain detailed understanding of customer/user utilization of network and application resources. This information may then be utilized to efficiently plan and allocate access, backbone and application resources as well as to detect and resolve potential security and policy violations.

•Network Planning—NetFlow can be used to capture data over a long period of time producing the opportunity to track and anticipate network growth and plan upgrades to increase the number of routing devices, ports, or higher- bandwidth interfaces. NetFlow services data optimizes network planning including peering, backbone upgrade planning, and routing policy planning. NetFlow helps to minimize the total cost of network operations while maximizing network performance, capacity, and reliability. NetFlow detects unwanted WAN traffic, validates bandwidth and Quality of Service (QOS) and allows the analysis of new network applications. NetFlow will give you valuable information to reduce the cost of operating your network.

•Security Analysis—NetFlow identifies and classifies DDOS attacks, viruses and worms in real-time. Changes in network behavior indicate anomalies that are clearly demonstrated in NetFlow data. The data is also a valuable forensic tool to understand and replay the history of security incidents.

•Accounting/Billing—NetFlow data provides fine-grained metering (e.g. flow data includes details such as IP addresses, packet and byte counts, timestamps, type-of-service and application ports, etc.) for highly flexible and detailed resource utilization accounting. Service providers may utilize the information for billing based on time-of-day, bandwidth usage, application usage, quality of service, etc. Enterprise customers may utilize the information for departmental charge-back or cost allocation for resource utilization.

•NetFlow Data Warehousing and Data Mining—NetFlow data (or derived information) can be warehoused for later retrieval and analysis in support of proactive marketing and customer service programs (e.g. figure out which applications and services are being utilized by internal and external users and target them for improved service, advertising, etc.). In addition, NetFlow data gives Market Researchers access to the "who", "what", "where", and "how long" information relevant to enterprises and service providers.

NetFlow has two key components: (1) the NetFlow cache or data source which stores IP Flow information and (2) the NetFlow export or transport mechanism that sends NetFlow data to a network management collector for data reporting. The Cisco IOS Flexible and extensible export format, NetFlow version 9, is now on the IETF standards track in the IP Information export (IPFIX) working group. The new generic data transport capability within Cisco routers, IPFIX export, can be used to transport any performance information from a router or switch. The main NetFlow focus has always been IP Flow information but this is now changing with Cisco implementation of a generic export transport format that is an innovative IETF standard. New information is being exported using the NetFlow version 9 export format including Layer 2 information, new security detection and identification information, IPv6, Multicast, MPLS, BGP information, and more.

What Is A Flow?

A flow is identified as a unidirectional stream of packets between a given source and destination—both defined by a network-layer IP address and transport-layer source and destination port numbers. Specifically, a flow is identified as the combination of the following seven key fields:

•Source IP address

•Destination IP address

•Source port number

•Destination port number

•Layer 3 protocol type

•ToS byte

•Input logical interface (ifIndex)

These seven key fields define a unique flow. If a flow has one different field than another flow, then it is considered a new flow. A flow contains other accounting fields (such as the AS number in the NetFlow export Version 5 flow format) that depend on the version record format that you configure for export. Flows are processed in a NetFlow cache.

NetFlow Cache Management and Data Export

Building a NetFlow Cache

NetFlow operates by creating a NetFlow cache entry that contains the information for all active flows. The NetFlow cache is built by processing the first packet of a flow through the standard switching path. A Flow record is maintained within the NetFlow cache for all active flows. Each flow record in the NetFlow cache contains key fields that can be later used for exporting data to a collection device. Each flow record is created by identifying packets with similar flow characteristics and counting or tracking the packets and bytes per flow. The flow details or cache information is exported to a flow collector server periodically based upon flow timers. The collector contains a history of flow information that was switched within Cisco device. NetFlow is very efficient, the amount of export data being about 1.5% of the switched traffic in the router. NetFlow accounts for every packet (non-sampled mode) and provides a highly condensed and detailed view of all network traffic that entered the router or switch.

The key to NetFlow-enabled switching scalability and performance is highly intelligent flow cache management, especially for densely populated and busy edge routers handling large numbers of concurrent, short duration flows. The NetFlow cache management software contains a highly sophisticated set of algorithms for efficiently determining if a packet is part of an existing flow or should generate a new flow cache entry. The algorithms are also capable of dynamically updating per-flow accounting measurements residing in the NetFlow cache, and cache aging/flow expiration determination.

Rules for expiring NetFlow cache entries include:

•Flows which have been idle for a specified time are expired and removed from the cache

•Long lived flows are expired and removed from the cache (flows are not allowed to live more than 30 minutes by default, the underlying packet conversation remains undisturbed)

•As the cache becomes full a number of heuristics are applied to aggressively age groups of flows simultaneously

•TCP connections which have reached the end of byte stream (FIN) or which have been reset (RST) will be expired.

Expired flows are grouped together into "NetFlow Export" datagrams for export from the NetFlow- enabled device. NetFlow Export datagrams may consist of up to 30 flow records for version 5 or 9 flow export. NetFlow functionality is configured on a per-interface basis. To configure NetFlow Export capabilities, the user simply needs to specify the IP address and application port number of the Cisco NetFlow or third-party FlowCollector. The FlowCollector is a device that provides NetFlow Export data filtering and aggregation capabilities. Figure 1 shows an example of the NetFlow cache, aggregation cache and timers.

Figure 1 Example of a NetFlow Cache

NetFlow IOS Packaging Information

Cisco 7200/7500/7400/MGX/AS5800—Although NetFlow functionality is physically included in all software images for these platforms, customers must purchase a separate NetFlow Feature License in order to be licensed for its use. NetFlow licenses are sold on a per-node basis.

Other routers—NetFlow functionality is supported only in Plus images for these platforms. Customers are required to purchase an appropriate Plus image in order to utilize NetFlow functionality on these platforms. There is no feature license for most Cisco platforms except the following require a software license Cisco 7200/7500/7400/MGX/AS5800.

Reformation IOS Packages—NetFlow is currently available in IP Base package and above.

NetFlow Export Version Formats

The NetFlow Export datagram consists of a header and a sequence of flow records. The header contains information such as sequence number, record count and sysuptime. The flow record contains flow information, for example IP addresses, ports, and routing information. Figure 2 is a typical datagram used for NetFlow fixed format export versions 1, 5, 7 and 8.

Figure 2 Typical NetFlow Export Datagram Format for Versions 1, 5, 7, 8

The Version 1 export format was the original format supported in the initial Cisco IOS software releases containing NetFlow functionality and is rarely used today. The Version 5 format is a later enhancement that adds Border Gateway Protocol (BGP) autonomous system information and flow sequence numbers. The Version 7 format is an enhancement that adds NetFlow support for Cisco Catalyst series switches using hybrid or native mode. If you are wondering what happened to Versions 2 through 4 and Version 6 they were either not released or are not supported. Version 8 is the NetFlow export format used when the Router-Based NetFlow Aggregation feature is enabled on Cisco IOS router platforms and is discussed later. The most recent evolution of the NetFlow flow-record format is known as Version 9. The distinguishing feature of the NetFlow Version 9 format is that it is template based. Templates provide an extensible design to the record format, a feature that should allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record format. NetFlow Version 9 is now the protocol of choice for the IETF IP Information Export (IPFIX) WG and the IETF Pack Sampling WG (PSAMP).

Using templates with NetFlow Version 9 provides several key benefits:

•Almost any information can be exported from a router or switch including layer 2 through 7 information, routing information, IPv6, IPv4, multicast and MPLS information. This new information will allow new applications for flow data and new views of network behavior.

•Third-party business partners who produce applications that provide collector or display services for NetFlow will not be required to recompile their applications each time a new NetFlow export field is added. Instead, they may be able to use an external data file that documents the known template formats.

•New features can be added to NetFlow more quickly, without breaking current implementations.

•NetFlow is "future-proofed" against new or developing protocols, because the Version 9 format can be adapted to provide support for them and other non-Flow based data measurements.

NetFlow Export Packet Header Format

In all five versions, the datagram consists of a header and one or more flow records. The first field of the header contains the version number of the export datagram. Typically, a receiving application that accepts any of the format versions allocates a buffer large enough for the largest possible datagram from any of the format versions and then uses the header to determine how to interpret the datagram. The second field in the header contains the number of records in the datagram (indicating the number of expired flows represented by this datagram) and is used to index through the records. Datagram headers for NetFlow Export versions 5, 7, 8 and 9 also include a "sequence number" field used by NetFlow data consuming applications to check for lost datagrams.

The NetFlow Version 9 export header format is shown below in Figure 3. For additional information see Appendix 1: Details Of NetFlow Export Packet Header Format For Each Export Version.

Figure 3 NetFlow Version 9 Header Format

Table 1 shows the field names and values for the Version 9 header format

Table 1 Version 9 Header Format

Field Name	Value
Version	The version of NetFlow records exported in this packet; for Version 9, this value is 0x0009.
Count	Number of FlowSet records (both template and data) contained within this packet.
System Uptime	Time in milliseconds since this device was first booted.
UNIX Seconds	Seconds since 0000 Coordinated Universal Time (UTC) 1970.
Sequence Number	Incremental sequence counter of all export packets sent by this export device; this value is cumulative, and it can be used to identify whether any export packets have been missed. This is a change from the NetFlow Version 5 and Version 8 headers, where this number represented "total flows."
Source ID	The Source ID field is a 32-bit value that is used to guarantee uniqueness for all flows exported from a particular device. (The Source ID field is the equivalent of the engine type and engine ID fields found in the NetFlow Version 5 and Version 8 headers. The format of this field is vendor specific. In Cisco's implementation, the first two bytes are reserved for future expansion, and will always be zero. Byte 3 provides uniqueness with respect to the routing engine on the exporting device. Byte 4 provides uniqueness with respect to the particular line card or Versatile Interface Processor on the exporting device. Collector devices should use the combination of the source IP address plus the Source ID field to associate an incoming NetFlow export packet with a unique instance of NetFlow on a particular device.

Cisco IOS NetFlow Flow Record and Export Format Content Information

The section outlines details about the Cisco export format flow record. Table 2 is an example of typical export format fields available for version 5, 7, and 9.

Table 2 Shows the NetFlow flow record contents

Field	Version 5	*Version 5 Catalyst 65k	Version 9	*Version 7 Catalyst 65k
source IP address	Y	Y	Y	Y
destination IP address	Y	Y	Y	Y
source TCP/UDP application port	Y	Y	Y	Y
destination TCP/UDP application port	Y	Y	Y	Y
next hop router IP address	Y	Y 12.1(13)E	Y	Y
input physical interface index	Y	Y	Y	Y
output physical interface index	Y	Y 12.1(13)E	Y	Y
packet count for this flow	Y	Y	Y	Y
byte count for this flow	Y	Y	Y	Y
start of flow timestamp	Y	Y	Y	Y
end of flow timestamp	Y	Y	Y	Y
IP Protocol (for example, TCP=6; UDP=17)	Y	Y	Y	Y
Type of Service (ToS) byte	Y	***PFC3b Only	Y	***PFC3b Only
TCP Flags (cumulative OR of TCP flags)	Y	N	Y	N
source AS number	Y	Y 12.1(13)E	Y	Y 12.1(13)E
destination AS number	Y	Y 12.1(13)E	Y	Y 12.1(13)E
source subnet mask	Y	N	Y	N
destination subnet mask	Y	N	Y	N
flags (indicates, among other things, which flows are invalid)	Y	Y	Y	Y
shortcut router IP address3	N	N	N	Y
**Other flow fields	N	N	Y	N

*Assumes use of the full interface flow mask configuration. For more information on fields and flow masks available on the Catalyst 65k see Appendix 2: Details for NetFlow Export Formats.

** For a complete list of other flow fields available in version 9 see NetFlow Version 9 Export Packet Example.

*** TOS is based on first packet in the flow

3 IP address of the router that is shortcutted by the Catalyst series switch.

Figure 4 is an example of the NetFlow version 5 record format including the contents and description of byte locations.

Figure 4 Exporting the Version 5 Record Format

Table 3 Shows the field names and values for the version 5 header format

Table 3 Field Names and Values for the Version 5 Header Format.

Content	Bytes	Description
srcaddr	0-3	Source IP address
dstaddr	4-7	Destination IP address
nexthop	8-11	Next hop router's IP address
input	12-13	Ingress interface SNMP ifIndex
output	14-15	Egress interface SNMP ifIndex
dPkts	16-19	Packets in the flow
dOctets	20-23	Octets (bytes) in the flow
first	24-27	SysUptime at start of the flow
last	28-31	SysUptime at the time the last packet of the flow was received
srcport	32-33	Layer 4 source port number or equivalent
dstport	34-35	Layer 4 destination port number or equivalent
pad1	36	Unused (zero) byte
tcp_flags	37	Cumulative OR of TCP flags
prot	38	Layer 4 protocol (for example, 6=TCP, 17=UDP)
tos	39	IP type-of-service byte
src_as	40-41	Autonomous system number of the source, either origin or peer
dst_as	42-43	Autonomous system number of the destination, either origin or peer
src_mask	44	Source address prefix mask bits
dst_mask	45	Destination address prefix mask bits
pad2	46-47	Pad 2 is unused (zero) bytes

Figure 5 is a typical flow record for the version 9 export format. As you can see NetFlow version 9 is different from the traditional NetFlow fixed format export record. In NetFlow version 9 a template describes the NetFlow data and the flow set contains the actual data. This allows for flexible export. Detailed information about the fields currently available in version 9 and export format architecture are available in the NetFlow Version 9 Flow-Record Format document.

Figure 5 NetFlow Version 9 Export Packet Example

NetFlow data export packets are sent to a user-specified destination, such as the workstation running FlowCollector, either when the number of recently expired flows reaches a predetermined maximum, or every second—whichever occurs first. For a Version 1 datagram, up to 24 flows can be sent in a single UDP datagram of approximately 1200 bytes; for a Version 5 datagram, up to 30 flows can be sent in a single UDP datagram of approximately 1500 bytes; and for a Version 7 datagram, up to 28 flows can be sent in a single UDP datagram of approximately 1500 bytes.

Detailed information on the flow record formats, data types, and export data fields for version 1, 7, and 9 and platform specific information when applicable is shown in Appendix 2: Details for NetFlow Export Formats.

Aging NetFlow Cache Entries on a Routing Device

The routing device checks the NetFlow cache once per second and expires the flow in the following instances:

•Transport is completed (TCP FIN or RST).

•The flow cache has become full.

•The inactive timer has expired after 15 seconds of traffic inactivity.

•The active timer has expired after 30 minutes of traffic activity.

Setting NetFlow Active and Inactive Timers on a Routing Device

On a Cisco routing device, the following are default values of active and inactive timers:

•The inactive timer exports a packet with a default setting of 15 seconds of traffic inactivity. You can configure your own time interval for the inactive timer between 10 and 600 seconds.

•The active timer exports a packet after a default setting of 30 minutes of traffic activity. You can configure your own time interval for the active timer between 1 and 60 minutes.

Figure 6 illustrates how flow AT1 expires because the active timer for the flow exceeds the default value of 30 minutes. AT2 is the second flow which expires because the inactive timer exceeds the default value of 15 seconds.

Figure 6 Active and Inactive timers

Catalyst 65k/7600 Flow Aging Timers

Catalyst switches use flow aging timers configured in a Multi-layer switching (MLS) cache, not the NetFlow cache used on routing devices. On a Catalyst switch, the following are default values of flow aging:

•Aging time: 256 seconds

•Fast aging time: disabled

•Long aging timer: 1,920 seconds

When flows expire from the NetFlow cache on a Catalyst switch, the flows are not exported. Catalyst switches export only when the export packet is full with 27 flows. Its default is 1920 seconds. Normal aging of a flow occurs when no more packets are switched for that flow for a predefined amount of time. The normal aging table entries are purged when flow information has not been active for a user-configurable age time. Some users tune default timers if the cache is becoming full. Fast Aging can be used to reduce the Netflow table for short-duration connections that are already torn down and that therefore represent old information in the cache. For example, as an initial setting, the fast aging time might be configured to 128 seconds. That would ensure that short-lived flows or very slow flows would get aggressively purged. This type of change can help in reducing the growth of the Netflow table utilization when the number of flows is still well below the recommended upper bound and its trend of growth is low. A much more aggressive aging must instead be used when the Netflow table utilization gets closer and closer to its limit. You can use minimum fast aging time as the most aggressive way of purging active entries to make space for new flows. However, this drastic but sometimes necessary approach has the downside of increasing CPU utilization.

Cisco IOS Router-Based NetFlow Aggregation

Customers can expect a large volume of export data from NetFlow when it is enabled on many interfaces on high-end routers that switch many flows per unit time (such as the Cisco 12000 and Cisco 7500 Series). Designed to significantly reduce NetFlow Export data volume and improve NetFlow scalability, router-based NetFlow aggregation is a Cisco IOS software feature enhancement that enables router-based aggregation of NetFlow Export data. The eleven router-based NetFlow aggregation schemes enable the user to summarize NetFlow export data on the router before the data is exported to a NetFlow data collection device. With this feature enabled, aggregated NetFlow Export data is exported to a Collection device, resulting in lower bandwidth requirements for NetFlow Export data and reduced platform requirements for NetFlow data collection devices. Router based aggregation can be used with NetFlow Export Version 8 (v8) and Version 9 (v9).

The Router-based NetFlow Aggregation feature enables on-board aggregation by maintaining one or more extra NetFlow caches with different combinations of fields that determine which traditional flows are grouped together. These extra caches are called aggregation caches. As flows expire from the main flow cache, they are added to each enabled aggregation cache. The normal flow ager process runs on each active aggregation cache the just as it runs on the main cache. On demand aging is also supported. Figure 7 shows and example of how the main NetFlow cache can be aggregated into multiple aggregation caches based upon user configured aggregation schemes.

Figure 7 Building a NetFlow Aggregation Cache

Cisco IOS Router-Based Aggregation with NetFlow v8 is available on all Cisco router platforms that support NetFlow beginning in releases 12.0(3)T and 12.0(3)S. NetFlow version 9 is available in IOS releases 12.3(1), 12.0(24)S, 12.2(18)S.

The default size for each secondary NetFlow aggregation cache (exported with v8 NetFlow Export datagrams) is 4096 entries on all platforms that support Cisco IOS NetFlow.

Use of Router-Based NetFlow Aggregation does not preclude the use of traditional NetFlow Services utilizing NetFlow Export v5 or v9. Router-Based NetFlow Aggregation (utilizing v8/v9 NetFlow Export datagrams) and traditional NetFlow Services (utilizing v9/v5 NetFlow Export datagrams) may be enabled simultaneously.

Selecting a NetFlow Aggregation Cache Scheme

You can configure each aggregation cache scheme with its individual cache size, cache ager timeout parameter, export destination IP address, and export destination UDP port. As data flows expire in the main cache (depending on the aggregation scheme configured), relevant information is extracted from the expired flow and the corresponding flow entry in the aggregation cache is updated. Each aggregation cache contains different field combinations that determine which data flows are grouped. The default aggregation cache size is 4096. The following are the 5 non-TOS based aggregation schemes:

•AS Aggregation Scheme

•Destination-Prefix Aggregation Scheme

•Prefix Aggregation Scheme

•Protocol-Port Aggregation Scheme

•Source Prefix Aggregation Scheme

The NetFlow ToS-Based Router Aggregation feature introduces support for six aggregation cache schemes that include the ToS byte as a field. The NetFlow ToS-Based Router Aggregation feature provides the ability to enable limited router-based ToS aggregation of NetFlow data, which results in summarized NetFlow data to be exported to a collection device. The following are the 6 TOS based aggregation schemes:

•AS-ToS Aggregation Scheme

•Destination-Prefix-ToS Aggregation Scheme

•Prefix-ToS Aggregation Scheme

•Protocol-Port-ToS Aggregation Scheme

•Source Prefix-ToS Aggregation Scheme

•Prefix-Port Aggregation Scheme

Tables 4 and 5 outline the router based aggregation Flow Record contents information.

Table 4 shows the Flow fields used in the non-TOS based aggregation schemes.

Table 4 Fields Used in the Non-TOS Based Aggregation Schemes

Field	AS	Protocol Port	Source Prefix	Destination Prefix	Prefix
Source Prefix			X		X
Source Prefix Mask			X		X
Destination Prefix				X	X
Destination Prefix Mask				X	X
Source App Port		X
Destination App Port		X
Input Interface	X		X		X
Output Interface	X			X	X
IP Protocol		X
Source AS	X		X		X
Destination AS	X			X	X
First Timestamp	X	X	X	X	X
Last Timestamp	X	X	X	X	X
Number of Flows	X	X	X	X	X
Number of Packets	X	X	X	X	X
Number of Bytes	X	X	X	X	X

Table 5 shows the Flow fields used in the TOS based aggregation schemes.

Table 5 Flow fields used in the TOS based aggregation schemes

Field	AS-TOS	Protocol Port-TOS	Source Prefix-TOS	Destination Prefix-TOS	Prefix-TOS	Prefix-Port
Source Prefix			X		X	X
Source Prefix Mask			X		X	X
Destination Prefix				X	X	X
Destination Prefix Mask				X	X	X
Source App Port		X				X
Destination App Port		X				X
Input Interface	X	X	X		X	X
Output Interface	X	X		X	X	X
IP Protocol		X				X
Source AS	X		X		X
Destination AS	X			X	X
TOS	X	X	X	X	X	X
First Timestamp	X	X	X	X		X
Last Timestamp	X	X	X	X		X
Number of Flows	X	X	X	X		X
Number of Packets	X	X	X	X		X
Number of Bytes	X	X	X	X		X

Table 6 lists the number of flows in a UDP datagram packet and the packet length (in bytes) for the various export version formats.

Table 6 Flows and Packet Lengths for all NetFlow Export Versions

NetFlow Export Version Format	Number of Flows in a Packet	Packet Length (bytes)
V1	24	Approx. 1,200
V5	30	Approx. 1,500
V7	27	Approx. 1,500
V8 AsMatrix	51	1456
V8 Protocol-PortMatrix	51	1456
V8 Source-PrefixMatrix	44	1436
V8 Destination-PrefixMatrix	44	1436
V8 PrefixMatrix	35	1428
V8 As-ToSMatrix	44	1436
V8 Protocol-Port-ToSMatrix	44	1436
V8 Source-Prefix-ToSMatrix	44	1436
V8 Destination-PrefixMatrix	44	1436
V8 Prefix-ToSMatrix	35	1428
V8 Prefix-PortMatrix	35	1428

For more information on router based aggregation see Appendix 3: Router Based Aggregation Schemes And Detailed NetFlow Export Formats for detailed export formats details. Also the IOS documentation NetFlow Aggregation and NetFlow ToS-Based Router Aggregation Feature Overview has more information

Catalyst 65k Flow Mask information

Flow keys are a set of values that determine how a flow is identified. Typically on most Cisco devices the flow keys are a fixed 7 tuple of information. The Catalyst 65k has the capability to define a Flow Mask, which is a predefined set of flow key values that is configured by the user. The Flow Masks will perform automatic aggregation of data in the NetFlow cache. So for example, if the user is interested in accounting for packets from the same source IP address going to the same destination IP address and aggregating this traffic into one flow then they can use the destination-source Flow mask (see Figure 8 below). This concept of flow mask is different than an aggregation scheme in which aggregation of the data takes place after the complete set of 7 flow keys is used to create the flow information. With a flow mask the flow information is aggregated directly into the main MLS (NetFlow) cache on the 65k. The main reason to use the Flow Mask feature is to enhance scalability by utilizing the NetFlow cache efficiently, aggregate flows and decrease the amount of flow export. While a flow mask does increase efficient use of the NetFlow cache the amount of detailed information is reduced with the aggregation of the data flows. Figure 8 shows the Catalyst 65k/7600 Flow Masks.

Figure 8

Catalyst 65k/7600 Flow Masks

Export Version Information for Cisco Platforms

Table 7 outlines the first releases for specific NetFlow export versions per platform. For specific feature information and release and platform support use Feature Navigator

Table 7 First Releases for NetFlow Export Versions by Platform

Cisco IOS Software Release Version	NetFlow Export Version(s)	Supported Cisco Hardware Platforms
11.1CA	v1, v5	Cisco 7200, 7500 were the first platforms in 11.1CA. v5 is now available for all IOS platforms.
12.3(1),12.0(24)S,12.2(18)S, 12.3(2)T	v9	Cisco 800, 1700, 2600, 3600,3700,6400,7200,7300,7500,12000
12.0(14)S	v5	Cisco 12000
12.0(6)S	v8	Cisco 12000
See Table 6	v5,v7,v8	Catalyst 65k
12.1(13)EW	v5	Catalyst 4k Supervisor 4
12.1(19)EW	v8	Catalyst 4k Supervisor 4
12.1(18)EW	v5,v8	Catalyst 4k Supervisor 5

Table 8 shows the Catalyst 65k/7600 NetFlow version Support

Table 8 Catalyst 65k/7600 NetFlow version Support

Supervisor	Hybrid	Native 12.1E	Native 12.2SX
MSFCx	v5	v5	v5, v8*
Sup1a	V7, v8	v7	N/A
Sup2	V7, v8	v5, v7	v5, v7, v8
Sup720	v5, v7, v8	v5, v7	v5, v7, v8

NetFlow Performance Information

A specific white paper has been written to give details of how NetFlow implicates performance on software based Cisco platforms. NetFlow performance impact comes mainly from the characterization of the flow information in the NetFlow cache and the formation of the NetFlow export packet and the export process. In general NetFlow is supported in hardware ASIC on many Cisco platforms including the Catalyst 4500, 6500, 7600, 10000 and 12000 routers. When NetFlow is utilized in hardware the main performance impact is due to export of the flow information but the characterization of the flows is done in hardware.

The export version does not affect performance numbers for NetFlow including v5, v8 or v9.

The additional CPU utilization on software platforms due to NetFlow varies based on the number of flows.

Table 9 shows the approximate CPU utilization for a number of active flows.

Table 9 Approximate CPU utilization for a number of active flows

Number of Active Flow in Cache	Additional CPU Utilization
10000	< 4%
45000	<12%
65000	<16%

Sampled Netflow will significantly decrease CPU utilization to the router. On average sampled NetFlow 1:1000 packets will reduce CPU by 82% and 1:100 sampling packets reduce CPU by 75% on software platforms. The conclusion is sampled NetFlow is a significant factor in reducing CPU utilization. See the section below in this document on sampled NetFlow for more information on sampling techniques used by Cisco devices.

In general dual export has no significant CPU impact on the router and this feature available in IOS 12.0(19)S, 12.2(2)T, 12.2(14)S for redundancy of the export.

Some significant factors in reducing CPU utilization from the NetFlow process include:

•Sampled NetFlow

•Optimize the aging timers to proper values for the amount of flows

•Leverage a distributed architecture

•Utilization of flow masks on Catalyst 65k/7600

Please see the NetFlow Performance Analysis white paper for more information.

NetFlow Memory Allocation Information:

The NetFlow cache size can vary from 1k to 512K and is configurable for software based platforms such as 75xx and 72xx. Each Cache entry consumes about 64 bytes of memory. The amount of memory on a Cisco 12K line card denotes how many flows are possible in the cache. For example, if an engine 3 line card has 256M bytes of memory, NetFlow allocates 256M/16/64=256k entries. If NetFlow aggregation (discussed later) is used then depending on user configuration, up to 512K entries are possible. The Cisco Catalyst 65k/7600 will have different effective hardware cache sizes based on the supervisor card and PFC.

Table 10 shows the Catalyst 65k Hardware Cache Effective Sizes.

Table 10 Catalyst 65k Hardware Cache Effective Sizes

Catalyst 65k/7600 PFC	Effective Number of NetFlow Cache Entries Available
PFC2/DFC	32K entries
PFC3A/DFC3A	64K entries
PFC3B/DFC3B	115K entries
PFC3BXL/DFC3BXL	230K entries

The number of cache entry changes per PRE on the Cisco 10000 router is shown in Table 11.

Table 11 Cisco 10000 NetFlow Cache Sizes

Cisco 10000	NetFlow Entries Available
PRE1	512K entries
PRE2	1M entries

Sampled NetFlow Details and Platform Support

Cisco was the first company to implement packet sampling for NetFlow on the Cisco 12000 router. On an interface, Sampled NetFlow allows you to collect NetFlow statistics for a subset of incoming (ingress) traffic. Sampled NetFlow significantly reduces CPU utilization on a router, reduces export volume but still allows a view of most IP flows switching in the device. Sampling is very useful for capacity planning or network planning when every flow may not be needed to understand the network behavior. There are 3 types of sampling used on Cisco platforms: deterministic sampling, time based sampling and random sampling. Deterministic sampling will select every Nth packets, with N specified by the user. Random sampling will randomly select one out of N packets with N specified by the user. Time based sampling will select a sampled packet every N milli-seconds. Random sampling is considered the best technique for packet sampling.

Figure 9 contrasts deterministic and random sampling.

Figure 9 Deterministic and Random Sampling

Table 12 describes when each type of sampling was first introduced per platform and the version of NetFlow export supported.

Table 12 Sampling by Type, Version of NetFlow Export Supported, and IOS Version

Platform Name	Sampling Type	NetFlow Export Version(s)	IOS Release
Software based platforms	Random Sampling	All	12.0(26)S, 12.2(18)S, 12.3(2)T
Cisco 12000	Deterministic Sampling	v5,v8,v9	See Table 13 Below
Catalyst 65k/7600	Random Sampling	v5,v8,v7	12.1(13)E
Catalyst 65k/7600	Time based Sampling	v5,v8,v7	12.1(13)E

On the Cisco 12000 platform the introduction of sampled NetFlow varies per line card.

Table 13 shows line card support for sampled and Full (non-sampled) NetFlow.

Table 13 Line card support for sampled and Full (non-sampled) NetFlow

Engine	"Full" NetFlow	Sampled NetFlow
0	Supported	Supported
1	Supported	Supported
2		Supported
3	Aggregated Only v8	Supported
4
4+		Supported

Table 14 Shows Cisco 12000 sampled NetFlow and Full NetFlow release information per IOS release.

Table 14 Cisco 12000 sampled NetFlow and Full NetFlow release information per IOS Release

Field	Full NetFlow		Sampled NetFlow
	Version 5	Version 8	Version 5	Version 8
Engine 0	12.0(14)S	12.0(6)S	12.0(14)S	12.0(11)S
Engine 2 POS	N/A	N/A	12.0(14)S	12.0(14)S
Engine 2 3xGE	N/A	N/A	12.0(16)S	12.0(16)S
Engine 3	N/A	12.0(21)S	12.0(21)S	12.0(21)S
Engine 4	N/A	N/A	N/A	N/A
Engine 4+ POS	N/A	N/A	12.0(21)S	12.0(21)S
Ashara	N/A	N/A	12.0(21)S	12.0(21)S
Tango	N/A	N/A	12.0(21)S	12.0(21)S

For more information on sample NetFlow see the IOS documentation on Random Sampled NetFlow.

Supported Interfaces, Encapsulations and Protocols

NetFlow supports IPv4 (and IPv4-encapsulated) routed traffic over a wide range of interface types and encapsulations. This includes Frame Relay, Asynchronous Transfer Mode, Inter-Switch Link, 802.1q, Multi-link Point to Point Protocol, General Routing Encapsulation, Layer 2 Tunneling Protocol, Multi-protocol Label Switching VPNs, and IP Sec Tunnels. For detailed information on encapsulation types supported and tested see the NetFlow on Logical Interfaces white paper.

To account for traffic entering a tunnel specify generic ingress NetFlow on the router. To account for tunnel and post tunnel flows NetFlow can be configured on the tunnel interface at the tunnel end point. A white paper has been written about NetFlow for GRE and IPSec tunnels.

NetFlow is supported per sub-interface. If NetFlow is configured on the major interface then all sub-interfaces will be accounted. Also available is NetFlow Subinterface feature to account for packets on specific sub-interfaces.

NetFlow support for multicast does exist on some Cisco platforms. For more information on Multicast NetFlow see the Cisco IOS Multicast NetFlow documentation.

NetFlow supports IPv6 environments in 12.3(7)T and above. For more information on IPv6 and netFlow see the Cisco IOS IPv6 NetFlow documentation.

NetFlow can be used effectively in an MPLS network for VPN accounting or capacity planning. Generic ingress NetFlow can be used to account for traffic from the customer site entering an MPLS network per VPN. The customer name can be correlated to the VRF associated with the particular customer site. Two other features specifically designed for an MPLS network include MPLS egress NetFlow and MPLS Aware NetFlow. These features are available on 3700, 3800, 7200, 7500 and Cisco 12000 series routers. Egress NetFlow Accounting will account for packets leaving an MPLS cloud and egress to a specific customer site. This feature is useful for VPN accounting. MPLS aware NetFlow is used on MPLS core routers to account for traffic and aggregate traffic per MPLS label. This feature effectively tells the user how much traffic is destined for a specific PE router in the network, allowing the user to calculate a traffic matrix between PE routers for the MPLS network.

NetFlow and Quality of Service (QoS)