Table Of Contents
Overview
What Are NetFlow Services?
NetFlow Services Device and IOS Release Support
NetFlow Data Export
How and When Flow Statistics Are Exported
NetFlow Data Export Formats
What Is Cisco NetFlow Collector?
What Is Cisco Multi NetFlow Collector?
Overview
This chapter describes the Cisco NetFlow Collector (NFC) and Multi NetFlow Collector (MNFC) applications, which are used with the NetFlow services data export feature on Cisco routers and Catalyst switches.
This chapter includes the following sections:
• What Are NetFlow Services?
• What Is Cisco NetFlow Collector?
• What Is Cisco Multi NetFlow Collector?
What Are NetFlow Services?
NetFlow services consist of high-performance IP switching features that capture a rich set of traffic statistics exported from routers and switches while they perform their switching functions. The exported NetFlow data consists of traffic flows, which are unidirectional sequences of packets between a particular source device and destination device that share the same protocol and transport-layer information. The captured traffic statistics can be used for a wide variety of purposes, such as network analysis and planning, network management, accounting, billing, and data mining.
Because of their unidirectional nature, flows from a client to a server are differentiated from flows from the server to the client. Flows are also differentiated on the basis of protocol. For example, Hypertext Transfer Protocol (HTTP) Web packets from a particular source host to a particular destination host constitute a separate flow from File Transfer Protocol (FTP) file transfer packets between the same pair of hosts.
Routers and switches identify flows by looking for the following fields within IP packets:
• Source IP address
• Destination IP address
• Source port number
• Destination port number
• Protocol type
• Type of service (ToS)
• Input interface
Catalyst 5000 series switches can identify flows by looking at a subset of these fields. For example, they can identify flows by source and destination address only.
Note
For Catalyst 5000 series switches, the analog to NetFlow services is integrated Multilayer Switching (MLS) management. Included are products, utilities, and partner applications designed to gather flow statistics, export the statistics, and collect and perform data reduction on the exported statistics. MLS management then forwards them to consumer applications for traffic monitoring, planning, and accounting.
NetFlow Services Device and IOS Release Support
You can find the most up-to-date information available to help you determine the compatibility among different Cisco hardware platforms, Cisco IOS software releases, and supported NetFlow data export versions at the following URL:
http://tools.cisco.com/ITDIT/CFN/Dispatch?SearchText=Netflow&act=featSelect&rnFeatId=null&featStartsWith=&task=TextSearch&altrole=
Note
Except for descriptions requiring references to specific router or switch platforms, the remainder of this chapter and the remaining chapters of this guide use the term export device instead of the terms router and switch.
NetFlow Data Export
NetFlow data export makes NetFlow traffic statistics available for purposes of network planning, billing, and so on. An export device configured for NetFlow data export maintains a flow cache used to capture flow-based traffic statistics. Traffic statistics for each active flow are maintained in the cache and are updated when packets within each flow are switched. Periodically, summary traffic statistics for all expired flows are exported from the export device by means of User Datagram Protocol (UDP) datagrams, which NetFlow Collector receives and processes.
How and When Flow Statistics Are Exported
NetFlow data exported from the export device contains NetFlow statistics for the flow cache entries that have expired since the last export. Flow cache entries expire and are flushed from the cache when one of the following conditions occurs:
• The transport protocol indicates that the connection is completed (TCP FIN) plus a small delay to allow for the completion of the FIN acknowledgment handshaking.
• Traffic inactivity exceeds 15 seconds.
For flows that remain continuously active, flow cache entries expire after a specified period of time, for example every 30 minutes, to ensure periodic reporting of active flows.
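As an added illustration (not code from the guide or from NetFlow Collector), the following Python models an export device's flow cache: entries are keyed on the seven packet fields listed above, so flows in opposite directions or with different ports are kept apart, and entries expire on TCP FIN, after 15 seconds of inactivity, or once the 30-minute active timeout used as the example above is reached. The small post-FIN delay is omitted, and all addresses and timings used with it are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

INACTIVE_TIMEOUT = 15.0      # seconds without traffic before a cache entry expires
ACTIVE_TIMEOUT = 30 * 60.0   # long-lived flows are expired periodically; 30 min is the guide's example
TCP = 6
TCP_FIN = 0x01               # FIN bit of the TCP flags byte

# The seven packet fields an export device uses to identify a flow
FlowKey = Tuple[str, str, int, int, int, int, int]   # src, dst, sport, dport, proto, tos, in_if

@dataclass
class FlowEntry:
    first: float             # time stamp of the first packet switched in this flow
    last: float              # time stamp of the most recent packet
    packets: int = 0
    octets: int = 0
    fin_seen: bool = False   # transport layer signalled that the connection is complete

class FlowCache:
    """Toy flow cache: unidirectional flows keyed on the 7-tuple, expired per the guide's rules."""

    def __init__(self) -> None:
        self.active: Dict[FlowKey, FlowEntry] = {}

    def packet(self, src: str, dst: str, sport: int, dport: int, proto: int,
               tos: int, in_if: int, length: int, ts: float, tcp_flags: int = 0) -> None:
        """Account one switched packet to its flow, creating the cache entry on first sight."""
        key: FlowKey = (src, dst, sport, dport, proto, tos, in_if)
        entry = self.active.get(key)
        if entry is None:
            entry = self.active[key] = FlowEntry(first=ts, last=ts)
        entry.packets += 1
        entry.octets += length
        entry.last = ts
        if proto == TCP and tcp_flags & TCP_FIN:
            entry.fin_seen = True      # the small post-FIN delay is omitted in this model

    def expire(self, now: float) -> List[Tuple[FlowKey, FlowEntry]]:
        """Flush and return entries that are complete, idle, or active longer than the timeout.
        The returned list is what the export device would pack into export datagrams."""
        expired = []
        for key, entry in list(self.active.items()):
            if (entry.fin_seen
                    or now - entry.last > INACTIVE_TIMEOUT
                    or now - entry.first >= ACTIVE_TIMEOUT):
                expired.append((key, self.active.pop(key)))
        return expired
```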
NetFlow data export packets are sent to a user-specified destination, such as the workstation running NetFlow Collector, either when the number of recently expired flows reaches a predetermined maximum or every second, whichever occurs first. For:
• Version 1 datagrams, up to 24 flows can be sent in a single UDP datagram of approximately 1200 bytes.
• Version 5 datagrams, up to 30 flows can be sent in a single UDP datagram of approximately 1500 bytes.
• Version 7 datagrams, up to 27 flows can be sent in a single UDP datagram of approximately 1500 bytes.
• Version 8 datagrams, the number of flows sent in a single UDP datagram varies by aggregation scheme.
• Version 9 datagrams, the number of flows is variable, and depends on the number and size of fields defined in one or more templates.
See Appendix B, "NetFlow Export Datagram Formats," in the Cisco NetFlow Collector User Guide for details on all versions of the NetFlow data export format.
NetFlow Data Export Formats
NetFlow exports flow information in UDP datagrams in one of five formats: Version 1 (V1), Version 5 (V5), Version 7 (V7), Version 8 (V8), or Version 9 (V9).
Version 1 is the original format supported in the initial NetFlow releases. Version 5 is an enhancement that adds Border Gateway Protocol (BGP) autonomous system information and flow sequence numbers. Version 7 is an enhancement that exclusively supports Cisco Catalyst 5000 series switches equipped with a NetFlow feature card (NFFC). V7 is not compatible with Cisco routers. Version 8 is an enhancement that adds router-based aggregation schemes. Version 9 is an enhancement to support different technologies such as Multicast, Internet Protocol Security (IPSec), and Multi Protocol Label Switching (MPLS). NetFlow Collector Release 5.0 can collect, filter, and aggregate Version 9 data in the same way it does for NetFlow Data Export Versions 1 through 8.
Versions 2, 3, 4, and 6 are not supported by NetFlow Collector. For more information on the distinctions among the NetFlow data export formats, see Appendix B, "NetFlow Export Datagram Formats," in the Cisco NetFlow Collector User Guide.
The following types of information are part of the detailed traffic statistics:
• Source and destination IP addresses
• Next hop address
• Input and output interface numbers
• Number of packets in the flow
• Total bytes (octets) in the flow
• First and last time stamps of packets that were switched as part of this flow
• Source and destination port numbers
• Protocol
• Type of service (ToS)
• Source and destination autonomous system (AS) numbers, either origin or peer (present in V5 and select V8 datagrams)
• Source and destination prefix mask bits (present in V5, V7, and V8 datagrams)
• Shortcut router IP address (present in V7 on Cisco Catalyst 5000 series switches only).
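The following Python encoder and decoder for a Version 5 export datagram is an added example, not part of this guide or of NetFlow Collector. It assumes the published V5 wire layout (a 24-byte header followed by fixed 48-byte flow records carrying the fields listed above), which this chapter does not spell out; it shows why 30 records fit in about 1500 bytes and which checks a collector should make on a datagram before trusting its contents. All addresses and values used with it are constructed.

```python
import socket
import struct
from typing import Any, Dict, List, Tuple

# NetFlow V5 wire layout, taken from the published V5 export format (an assumption here: this
# chapter only states "up to 30 flows in about 1500 bytes"): 24-byte header + 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_FLOWS = 30
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")
IP_FIELDS = ("srcaddr", "dstaddr", "nexthop")

def build_v5(flows: List[Dict[str, Any]], sys_uptime: int, unix_secs: int,
             flow_sequence: int) -> bytes:
    """Exporter side: pack up to 30 expired flows into one datagram. Unset fields default to 0."""
    if not 0 < len(flows) <= V5_MAX_FLOWS:
        raise ValueError("a V5 datagram carries 1..%d flow records" % V5_MAX_FLOWS)
    out = bytearray(V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, flow_sequence, 0, 0, 0))
    for f in flows:
        vals = [socket.inet_aton(f.get(k, "0.0.0.0")) if k in IP_FIELDS else f.get(k, 0)
                for k in RECORD_FIELDS]
        out += V5_RECORD.pack(*vals)
    return bytes(out)

def parse_v5(datagram: bytes) -> Tuple[Dict[str, int], List[Dict[str, Any]]]:
    """Collector side: decode a datagram, rejecting anything that is not well-formed V5
    (wrong version, count above 30, or a length that does not match the count)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a V5 header")
    header = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if header["version"] != 5:
        raise ValueError("not a V5 datagram: version %d" % header["version"])
    expected = V5_HEADER.size + header["count"] * V5_RECORD.size
    if header["count"] > V5_MAX_FLOWS or len(datagram) != expected:
        raise ValueError("count/length mismatch: count=%d len=%d" % (header["count"], len(datagram)))
    records = []
    for i in range(header["count"]):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for k in IP_FIELDS:
            rec[k] = socket.inet_ntoa(rec[k])   # 4-byte network-order address to dotted quad
        records.append(rec)
    return header, records
```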
Caution
Throughout this publication there are numerous examples of NetFlow Collector input commands and output results. Included are examples of IP addresses. Be aware that IP address examples are not usable IP addresses. The examples do not represent real-life configurations.
What Is Cisco NetFlow Collector?
The Cisco NetFlow Collector application provides fast, scalable, and economical data collection from multiple export devices exporting NetFlow data records. Figure 1-1 shows an example of a typical NetFlow data export scheme. In it, various export devices send export data to user-specified NetFlow Collector UDP and SCTP ports.
Figure 1-1 NetFlow Collector Overview
Each of the export devices in this example is configured for NetFlow data export. Part of the configuration information for each export device includes the IP address and the UDP or SCTP port number (a logical port designator) that identify NetFlow Collector as the receiver of flows from this export device. The port number is a user-configurable designator: you can configure NetFlow Collector to listen for flows on a number of different ports, and then configure your export devices so that each device exports flows to a dedicated port, or have a number of devices export flows to the same, shared port.
After you configure and start Cisco NetFlow Collector, it listens to the user-specified UDP and SCTP ports for exported flows from the export devices you have configured for NetFlow data export.
Cisco NetFlow Collector performs the following functions:
• NetFlow data collection from multiple export devices
• Reduction in data volume through filtering and aggregation
• Hierarchical data storage (helps client applications retrieve data)
• File system space management
Cisco NetFlow Collector collects and summarizes (aggregates) data into data files based on user-defined criteria specified in a NetFlow Collector aggregator. An aggregator is an aggregation task defined by a set of user-configurable attributes that specify how NetFlow Collector summarizes the traffic flows that are received. Two important aggregator attributes are:
• Aggregation scheme - defines the subset of data of interest in a traffic flow, as well as which statistics are kept
• Filter - criteria for accepting or rejecting flows that are aggregated or summarized
Cisco NetFlow Collector provides a set of predefined aggregation schemes to help you collect NetFlow export data and summarize the data (that is, aggregate the flows). You can choose one or more of these aggregation schemes to customize NetFlow Collector for your operating context. Moreover, starting in Release 5.0 you can modify any of the predefined aggregation schemes or define your own aggregation schemes based on them. You can also use filters with aggregation schemes to include or exclude certain types of NetFlow data.
For more information about threads, aggregation schemes, and filters, see Chapter 4, "Customizing the CNS NetFlow Collection Engine," in the Cisco NetFlow Collector User Guide.
What Is Cisco Multi NetFlow Collector?
The Cisco Multi NetFlow Collector is the second-tier application of the NetFlow architecture. MNFC imports the data files resident in multiple NFCs, performs network-level correlation, and provides a central view for all distributed Cisco NFC implementations in the network. Figure 1-2 shows an example of a typical NetFlow data export scheme.
Figure 1-2 Multi NetFlow Collector Overview
Note
Cisco MNFC supports only Cisco NFC Release 6. It does not support previous NFC releases. Cisco MNFC and NFC must run on separate servers.
Table 1-1 describes the MNFC features.
Table 1-1 Cisco Multi NetFlow Collector Features
Feature | Benefit
NF-Egress packets lost and site in-out traffic summary | Monitors packets lost from IP-IP flows. You can use this feature to monitor the point of failure of each link in the network.
PE-PE, PE-CE, CE-PE, and CE-CE data collection | Provides traffic statistics between two IP networks.
Correlation traffic summary for VPN/VRF and VPN/non-VPN | Provides a view of traffic statistics for each VPN based on each VRF. You can classify and report site-to-site and non-VPN/VPN traffic summaries.
Embedded data | Provides centralized storage of all data files from multiple distributed Cisco NFC implementations for the longer period of the trending report.
Report generator | Imports the data files resident in multiple Cisco NFCs to its server to perform network-level correlation, a central view of end-to-end traffic summaries, and classification information.