As networks become more complex and organizations enable more applications, traffic patterns become more diverse and unpredictable. Organizations require better visibility into network traffic in a manageable way. It is crucial for network operators to obtain information about where, why, when, how, and by whom specific applications are used and how the usage might affect the network. This information is vital to enhancing operational efficiency and optimizing operational costs. Cisco® NetFlow technology is one of the most scalable ways to provide this information throughout your network infrastructure. NetFlow-Lite introduces traffic visibility on the Cisco® Catalyst® 2960 Series Switches for the first time.
What Is NetFlow-Lite?
NetFlow-Lite on Cisco Catalyst 2960-X switches collects packets randomly, classifies them into flows, and measures flow statistics as they pass through the switch. It is a true flow-based traffic-monitoring mechanism that conserves valuable forwarding bandwidth when exporting flow-based data for analysis and reporting. This export data provides visibility into traffic that is switched through the Cisco Catalyst 2960-X and Catalyst 2960-XR Switches.
What Is NetFlow-Lite Used for?
NetFlow-Lite offers network administrators and engineers the following capabilities:
• Unprecedented visibility: NetFlow-Lite provides real-time information about traffic flows from endpoints such as PCs, phones, IP cameras, etc. You can use this information for traffic monitoring of Layer 2 and Layer 3 traffic as well as capacity planning.
• Network planning: You can use NetFlow-Lite to capture data over a long period of time so that customers can understand traffic patterns, top talkers, top applications, etc. This feature provides accurate data to track and anticipate network growth and plan upgrades.
• Simplified troubleshooting: You can use NetFlow-Lite flow-based analysis techniques to understand traffic patterns, which can help in proactively detecting problems, troubleshooting efficiently, and resolving problems quickly.
NetFlow-Lite provides a granular packet-sampling mechanism that is adjustable up to 1:32 and available for all interfaces. The implication is that a subset of all packets passing through the Cisco Catalyst 2960-X or Catalyst 2960-XR will be selected for reporting. Figure 2 shows some of the data gathered by Cisco NetFlow-Lite.
Figure 1. Output from Cisco NetFlow-Lite
NetFlow-Lite on the Cisco Catalyst 2960-X has the following capabilities:
• NetFlow-Lite is supported on all downlink and uplink ports.
• NetFlow-Lite is natively available with no additional hardware required.
• The sampling range is from 1:32 to 1:1022.
• The application measures 16,000 flows per switch.
• Physical ports and VLAN Interfaces (switched virtual interfaces [SVI]) are supported.
• NetFlow-Lite on the Cisco Catalyst 2960-X supports ingress flows only.
• Export uses the standards-based IP Flow Information Export (IPFIX) or Version 9 record format.
NetFlow-Lite Sampling Techniques
Traffic sampling can be random or deterministic. Random sampling chooses one packet at random out of each configured sample size, whereas deterministic sampling chooses the first packet out of each configured sample size. For example, with 1:32 sampling, deterministic mode chooses the 1st, 33rd, 65th, 97th packet, and so on, coming into an interface, whereas random mode might choose the 5th, 39th, 72nd, 103rd packet, and so on. Random packet sampling is statistically more accurate than deterministic packet sampling.
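Why random mode is the more accurate of the two shows up as soon as traffic is periodic. The following simulation is an added example, not Cisco code; the traffic stream, the source labels, and all function names are constructed for illustration. One source sends exactly one packet in every window of 32, and each mode estimates that source's share of traffic from its sample.

```python
import random

def deterministic_sample(packets, n):
    """Pick the first packet of every window of n (1st, 33rd, 65th, ... for n=32)."""
    return packets[::n]

def random_sample(packets, n, rng):
    """Pick one packet at a uniformly random position inside every window of n."""
    picked = []
    for start in range(0, len(packets), n):
        window = packets[start:start + n]
        picked.append(window[rng.randrange(len(window))])
    return picked

def estimated_share(sample, source):
    """Fraction of the sampled packets that belong to `source`."""
    return sum(1 for p in sample if p == source) / len(sample)

def periodic_stream(n_windows, n, offset):
    """Constructed traffic: one 'periodic' packet at a fixed offset per window, rest 'bulk'."""
    stream = []
    for _ in range(n_windows):
        window = ["bulk"] * n
        window[offset] = "periodic"
        stream.extend(window)
    return stream

def compare(n=32, n_windows=20000, seed=1):
    """Return the true share (1/n) and each mode's estimate for two phase offsets."""
    rng = random.Random(seed)
    results = {}
    for offset in (0, 5):
        stream = periodic_stream(n_windows, n, offset)
        results[offset] = {
            "deterministic": estimated_share(deterministic_sample(stream, n), "periodic"),
            "random": estimated_share(random_sample(stream, n, rng), "periodic"),
        }
    return 1 / n, results

if __name__ == "__main__":
    true_share, results = compare()
    print("true share: %.4f" % true_share)
    for offset, est in results.items():
        print("offset %d: deterministic=%.4f random=%.4f"
              % (offset, est["deterministic"], est["random"]))
```

Deterministic mode reports the periodic source as either all of the traffic or none of it, depending only on its phase, while random mode stays close to the true 1/32 share in both cases.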
Differences Between Flexible NetFlow-Lite, Flexible NetFlow, and sFlow
Table 1 illustrates the differences between NetFlow-Lite, Flexible NetFlow, and sFlow.
Table 1. Differences Between NetFlow-Lite, Flexible NetFlow, and sFlow
Sampling (1 in 32, configurable)
Every packet accounted for
Sampling (1 in hundreds to thousands*)
V9 and IPFIX
V5, V9 and IPFIX
Cisco Catalyst 2960-X and 4948E
Cisco Catalyst 3K, 4K, 6K
Cisco Routers Nexus 7K, 2K, 1KV
* Product support of sFlow may vary.
The following steps illustrate NetFlow-Lite configuration on the Cisco Catalyst 2960-X Switches:
Step 1. Configure a Flow Record, which defines the data collection. You can customize it for specific requirements. You can use the following example with most NetFlow collectors:
flow record v4
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect transport tcp flags
 collect interface input
 collect flow sampler
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
Step 2. Configure a Flow Exporter, which defines where the collected data needs to be sent. Please refer to the NetFlow collector application user guides and manual for specific details such as port number, differentiated services code point (DSCP), and other options. The configuration follows:
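flow exporter Replicator
 description Exporter to Cisco Prime 2.0
 ! <collector-ip> and <port> are placeholders; use your collector's values
 destination <collector-ip>
 transport udp <port>
 template data timeout 60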
Step 3. Configure a Flow Monitor, which binds the flow record and exporter along with options to configure the flow cache:
flow monitor v4
 record v4
 exporter Replicator
 cache timeout active 30
Step 4. Configure a Flow Sampler. Define the sampling technique and sample size. The configuration follows:
sampler v4
 mode random 1 out-of 32
Step 5. Attach the Flow Monitor and Sampler to the interface:
interface <interface-id>
 ip flow monitor v4 sampler v4 input
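On the receiving side, a collector has to learn the template before it can read the flow records these steps export. The following minimal NetFlow Version 9 decoder is an added example, not Cisco or collector-vendor code. It assumes the field type numbers from RFC 3954 for the fields named in the flow record; the template layout, field lengths, and sample datagram are constructed and were not captured from a switch.

```python
import ipaddress
import struct

# NetFlow v9 field types (RFC 3954) for the fields named in "flow record v4".
NAMES = {1: "bytes", 2: "packets", 4: "protocol", 5: "tos", 6: "tcp_flags",
         7: "src_port", 8: "src_addr", 10: "input_if", 11: "dst_port",
         12: "dst_addr", 21: "last", 22: "first", 48: "sampler_id"}

def decode_record(raw, template):
    rec, off = {}, 0
    for ftype, length in template:
        value, off = raw[off:off + length], off + length
        rec[NAMES.get(ftype, "type_%d" % ftype)] = (
            str(ipaddress.IPv4Address(value)) if ftype in (8, 12) and length == 4
            else int.from_bytes(value, "big"))
    return rec

def decode_v9(datagram, templates):
    """Decode one datagram; `templates` (id -> [(type, length)]) persists across calls."""
    if len(datagram) < 20 or struct.unpack("!H", datagram[:2])[0] != 9:
        raise ValueError("not a NetFlow v9 datagram")
    flows, pos = [], 20                                # fixed 20-byte header
    while pos + 4 <= len(datagram):
        set_id, set_len = struct.unpack("!HH", datagram[pos:pos + 4])
        if set_len < 4 or pos + set_len > len(datagram):
            raise ValueError("flowset length out of bounds")
        body, off = datagram[pos + 4:pos + set_len], 0
        while set_id == 0 and off + 4 <= len(body):    # template flowset
            tid, n = struct.unpack("!HH", body[off:off + 4])
            if tid < 256 or n == 0 or off + 4 + 4 * n > len(body):
                break                                  # padding or truncated template
            spec = struct.unpack("!%dH" % (2 * n), body[off + 4:off + 4 + 4 * n])
            templates[tid] = list(zip(spec[0::2], spec[1::2]))
            off += 4 + 4 * n
        if set_id in templates:                        # data flowset, template known
            size = sum(length for _, length in templates[set_id])
            for off in range(0, len(body) - size + 1, size):
                flows.append(decode_record(body[off:off + size], templates[set_id]))
        pos += set_len                                 # other set ids are skipped
    return flows

def constructed_datagram():
    """Constructed sample: template 256 plus one record (documentation addresses)."""
    tmpl = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (1, 8), (2, 8)]
    tset = struct.pack("!HH", 256, len(tmpl)) + b"".join(struct.pack("!HH", *f) for f in tmpl)
    rec = (ipaddress.IPv4Address("192.0.2.10").packed + ipaddress.IPv4Address("198.51.100.7").packed
           + struct.pack("!HHBBQQ", 51515, 443, 6, 0x12, 4000, 3) + b"\x00\x00")  # 2 pad bytes
    return (struct.pack("!HHIIII", 9, 2, 1000, 0, 1, 0) + struct.pack("!HH", 0, 4 + len(tset))
            + tset + struct.pack("!HH", 256, 4 + len(rec)) + rec)
```

Data records that arrive before their template are skipped rather than guessed at, which is why the exporter resends templates periodically (the `template data timeout 60` line in Step 2).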
Cisco Prime and Partner NetFlow Collector Applications
Cisco Prime™ Infrastructure can collect flow data from all Cisco devices including NetFlow-Lite data from Cisco Catalyst 2960-X. It also uses an application visibility engine to determine well-known applications based on NetFlow collection (Figure 2).
Figure 2. NetFlow Capture on Cisco Prime
Partner collector applications such as ActionPacked LiveAction, Plixer Scrutinizer, and others have been tested with NetFlow-Lite, as illustrated in Figure 3.
Figure 3. NetFlow Capture with Partner Applications
NetFlow-Lite Partner Program
The Cisco Catalyst 2960-X has been tested with the leading NetFlow collector applications such as Cisco Prime, ActionPacked LiveAction, Plixer Scrutinizer, and many more. Customers can now order these applications with the $0 FnF SKUs on the Cisco Catalyst 2960-X price list.