Cisco Configuration Guide, Cisco SD-WAN Controllers Release 20.8.x Release 4.2

How NetFlow Works

Overview

NetFlow is a network monitoring protocol that logs metadata for each flow that traverses the router, whether entering or leaving it. The protocol provides comprehensive insights into network flows, including details such as source and destination IP addresses, ports, and packet counts. It is commonly applied for traffic analysis, capacity planning, and network troubleshooting.

Table 1. Basic Networking Ports for Expressway-E

| Purpose | Src. IP | Src. Ports | Protocol | Dest. IP | Dest. Ports |
|---|---|---|---|---|---|
| Administrator SSH | Admin PCs | 1024-65535 | TCP | Expressway-E private IP | 22 |
| Administrator HTTP | Admin PCs | 1024-65535 | TCP | Expressway-E private IP | 80 |
| Administrator HTTPS | Admin PCs | 1024-65535 | TLS | Expressway-E private IP | 443 |
| Internal name resolution (DNS)* | Expressway-E private IP | 30000-35999 | UDP & TCP | Internal name server | 53 |
| External name resolution (DNS) | Expressway-E public IP | 30000-35999 | UDP & TCP | External name server | 53 |
| Internal time synchronization (NTP)* | Expressway-E private IP | 123 | UDP | Internal time server | 123 |
| External time synchronization (NTP) | Expressway-E public IP | 123 | UDP | External time server | 123 |

| Element ID | Field Name | Value |
|---|---|---|
| 48 | SamplerID | This ID is assigned to the sampler. It is used by the collector to retrieve information about the sampler for a data flow record. |
| 49 | SamplerMode | This field indicates the mode in which the sampling has been performed. |
| 50 | SamplerRandomInterval | This field indicates the rate at which the sampling is performed. |
| 84 | SamplerName | This field indicates the name of the sampler. |


Recording of Packet Flows in NetFlow

Packets are recorded in NetFlow as follows:

In NetFlow, the focus is on recording and collecting full packet flows in the network traffic data. When NetFlow is configured on the router, the router collects flow data by extracting key field attributes from the packet streams and generates a flow record. This record, along with accounting information, is stored in the database or NetFlow cache. The extracted records, once sampled, are exported to one or more NetFlow collectors using the UDP transport layer protocol. The exported data serves several purposes, such as enterprise accounting and ISP billing.

Here's how NetFlow handles the recording of packet flows:

  1. Flow Creation: NetFlow creates flow records by monitoring network traffic passing through the router. As a packet stream traverses a router interface, the packets are collected and an internal header is appended. These packets are dispatched to the line card's CPU, which generates a flow record. The router extracts pertinent header details from the packets and creates cache entries. The packets are subject to a policer, which helps protect the internal control plane. With each subsequent arrival of a packet from the same flow, the cache entry is updated. Flow records persist within the line card's cache until they age out due to timer expiration.

    When the set timer expires, the NetFlow is generated. Two timers run for flow aging:

    • The active timer signifies the maximum allowable duration for a particular cache entry's existence, even if matched by received sampled packets.

    • The inactive timer represents the duration without receipt of a sampled packet corresponding to a specific cache entry.

  2. Datagram Generation: The NetFlow agent generates NetFlow datagrams that contain information about the packets. These datagrams include details such as source and destination IP addresses, port numbers, protocol information, and various flow statistics.

  3. Data Export: The NetFlow datagrams are periodically exported from the NetFlow agent to a designated NetFlow collector or analyzer. The export can be done using protocols like UDP or TCP, and the datagrams are typically sent in a structured format like IPFIX or JSON.

    A flow record is sent to the NetFlow collector in the following scenarios:

    • The flow has been inactive or active for an extended period.

    • The user triggers the export of the flow.

    • The flow concludes, which is particularly relevant when TCP connections are terminated.

  4. Analysis and Reporting: Upon receiving the NetFlow data, the NetFlow collector or analyzer processes and analyzes the information. It aggregates the sampled data to provide statistical insights into network traffic, including top talkers, protocol distribution, traffic patterns, and other metrics.
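
The cache aging in step 1 and the export triggers in step 3 (timer expiry and TCP termination) can be simulated as follows. This is an added example, not Cisco code: the timer values, the `FlowCache` and `replay` names, and the sample packets are assumptions constructed for illustration.

```python
from dataclasses import dataclass

ACTIVE_TIMEOUT, INACTIVE_TIMEOUT = 60, 15  # seconds; assumed values
TCP_FIN, TCP_RST = 0x01, 0x04

@dataclass
class Entry:
    first: float
    last: float
    packets: int = 0
    octets: int = 0

class FlowCache:
    def __init__(self):
        self.entries = {}   # key: (src, dst, sport, dport, proto)
        self.exported = []  # (key, packets, octets, reason)

    def _export(self, key, reason):
        e = self.entries.pop(key)
        self.exported.append((key, e.packets, e.octets, reason))

    def expire(self, now):
        # Age out entries whose inactive or active timer has run out.
        for key, e in list(self.entries.items()):
            if now - e.last >= INACTIVE_TIMEOUT:
                self._export(key, "inactive")
            elif now - e.first >= ACTIVE_TIMEOUT:
                self._export(key, "active")

    def observe(self, ts, key, length, tcp_flags=0):
        # Account one sampled packet against its cache entry.
        self.expire(ts)
        e = self.entries.setdefault(key, Entry(first=ts, last=ts))
        e.last, e.packets, e.octets = ts, e.packets + 1, e.octets + length
        if key[4] == 6 and tcp_flags & (TCP_FIN | TCP_RST):
            self._export(key, "tcp-end")  # flow concluded

def replay(packets, end_time):
    cache = FlowCache()
    for ts, key, length, flags in sorted(packets, key=lambda p: p[0]):
        cache.observe(ts, key, length, flags)
    cache.expire(end_time)
    return cache.exported

# Constructed sample traffic: (timestamp, key, bytes, TCP flags)
WEB = ("192.0.2.10", "198.51.100.5", 40000, 443, 6)
DNS = ("192.0.2.10", "198.51.100.53", 30001, 53, 17)
SSH = ("192.0.2.20", "198.51.100.9", 40001, 22, 6)
SAMPLE = [(0, WEB, 60, 0x02), (1, WEB, 1500, 0x10), (2, WEB, 52, 0x11),
          (3, DNS, 80, 0)] + [(t, SSH, 1000, 0x10) for t in range(0, 130, 10)]
```

Calling `replay(SAMPLE, end_time=200)` exports the long-lived SSH session as three separate records (two active-timer expiries and one inactive expiry), so a collector has to stitch records that share a key to see the session's real duration and volume.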