Information About NetFlow
NetFlow allows you to evaluate IP and Ethernet traffic and understand how and where it flows. NetFlow gives you visibility into traffic that transits the virtual switch by characterizing traffic based on its source, destination, timing, and application information. You can use this information to assess network availability and performance, assist in meeting regulatory requirements (compliance), and help with troubleshooting. NetFlow gathers data that you can use for accounting, network monitoring, and network planning.
What is a Flow
A flow is a one-directional stream of packets that arrives on a source interface (or subinterface) and matches a set of criteria. Typically, packets with the same source and destination IP addresses, source and destination ports, protocol, interface, and class of service are grouped into a flow, and the packets and bytes in that flow are tallied. A newly created flow record, before you add match criteria to it, matches only the input interface, output interface, and flow direction. The large amount of network information is condensed into a database called the NetFlow cache.
You define the criteria for a flow in a flow record. A packet is counted in a given flow only if it matches all of the record's match criteria. Flows are stored in the NetFlow cache. Flow information tells you the following:
- Source address: who is originating the traffic.
- Destination address: who is receiving the traffic.
- Ports: the application that is generating the traffic.
- Class of service: the priority of the traffic.
- Device interface: how the traffic is being carried through the network device.
- Tallied packets and bytes: the amount of traffic.
Flow Record Definition
A flow record defines the information that NetFlow gathers, such as the packets in the flow and the types of counters gathered per flow. You can define new flow records or use the predefined Cisco Nexus 1000V flow record.
Predefined flow records use 32-bit counters and are not recommended for data rates above 1 Gbps. A 32-bit byte counter wraps after 4 GiB, which a single flow can reach in roughly 34 seconds at 1 Gbps, well before the default active timer expires, so the exported byte counts would be silently wrong. For data rates higher than 1 Gbps, Cisco recommends that you manually configure the records to use 64-bit counters.
The following table describes the criteria defined in a flow record.
Flow Record Criteria | Description
---|---
Match | Defines the key fields that a packet must match to be counted in a flow. Packets with identical values in all match fields belong to the same flow.
Collect | Defines the non-key information, such as counters, timestamps, and TCP flags, that NetFlow gathers and stores for each flow.
Predefined Flow Records
Cisco Nexus 1000V Predefined Flow Record: Netflow-Original
switch# show flow record netflow-original
Flow record netflow-original:
Description: Traditional IPv4 input NetFlow with origin ASs
No. of users: 0
Template ID: 0
Fields:
match ipv4 source address
match ipv4 destination address
match ip protocol
match ip tos
match transport source-port
match transport destination-port
match interface input
match interface output
match flow direction
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect transport tcp flags
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
switch#
Note: Although the following lines appear in the output of the show flow record command, the commands they are based on are not currently supported in Cisco Nexus 1000V. Using these commands has no effect on the configuration.
Cisco Nexus 1000V Predefined Flow Record: Netflow IPv4 Original-Input
switch# show flow record netflow ipv4 original-input
Flow record ipv4 original-input:
Description: Traditional IPv4 input NetFlow
No. of users: 0
Template ID: 0
Fields:
match ipv4 source address
match ipv4 destination address
match ip protocol
match ip tos
match transport source-port
match transport destination-port
match interface input
match interface output
match flow direction
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect transport tcp flags
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
switch#
Cisco Nexus 1000V Predefined Flow Record: Netflow IPv4 Original-Output
switch# show flow record netflow ipv4 original-output
Flow record ipv4 original-output:
Description: Traditional IPv4 output NetFlow
No. of users: 0
Template ID: 0
Fields:
match ipv4 source address
match ipv4 destination address
match ip protocol
match ip tos
match transport source-port
match transport destination-port
match interface input
match interface output
match flow direction
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect transport tcp flags
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
switch#
Cisco Nexus 1000V Predefined Flow Record: Netflow Protocol-Port
switch# show flow record netflow protocol-port
Flow record ipv4 protocol-port:
Description: Protocol and Ports aggregation scheme
No. of users: 0
Template ID: 0
Fields:
match ip protocol
match transport source-port
match transport destination-port
match interface input
match interface output
match flow direction
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
switch#
Accessing NetFlow Data
You can use two methods to access NetFlow data:
- Command-line interface (CLI)
- NetFlow collector (a separate product from the Cisco Nexus 1000V for KVM)
Command-line Interface for NetFlow
You can use the CLI to view NetFlow data and see what is happening in your network now.
Through the CLI you configure a flow monitor and a flow exporter, which capture flow records and export them to the NetFlow collector. Cisco Nexus 1000V supports the NetFlow Version 9 export format.
Note: The Cisco Nexus 1000V supports UDP as the transport protocol for exporting data, to up to two exporters per monitor.
Flow Monitor
A flow monitor creates an association between the following NetFlow components:
- Flow record: the matching and collection criteria
- Flow exporter: the export criteria
A flow monitor binds a record and an exporter into a set that you define once and reuse as many times as needed. You can create multiple flow monitors for different needs. A flow monitor is applied to a specific interface or port profile in a specific direction (input or output).
Flow Exporter
Use the flow exporter to define where flow records are sent from the cache: the reporting server, called the NetFlow collector. An exporter definition includes the following:
- Destination IP address
- Source IP address that the export packets carry
- UDP port number (the port on which the collector is listening)
- Export format
Note: NetFlow export packets use the source IP address assigned to the exporter. If the exporter does not have a source IP address assigned to it, the exporter is inactive and exports nothing.
NetFlow Collector
The NetFlow data reporting process is as follows:
- You configure NetFlow records to define the information that NetFlow gathers.
- You configure a NetFlow monitor to capture flow records into the NetFlow cache.
- You configure a NetFlow exporter to send flows to the collector.
- The Cisco Nexus 1000V searches the NetFlow cache for flows that have expired and exports them to the NetFlow collector server.
- Expired flows are bundled together based on the space available in the UDP export packet and on an export timer.
- The NetFlow collector software creates real-time or historical reports from the data.
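The collector side of the process above, as an added example in Python (not code from this page, from Cisco, or from the Nexus 1000V): a minimal parser for the NetFlow Version 9 export format, restricted to the field types that make up the netflow-original record shown earlier. Version 9 is template based, so the collector must remember each (source ID, template ID) pair it has seen and may only decode a data FlowSet once the matching template has arrived; the parser skips data it has no template for rather than guessing. Because export is plain UDP, nothing in the packet authenticates the exporter; the source address and source ID are only as trustworthy as the network between switch and collector. The sample packet, template ID 256, the addresses, AS numbers and interface indices are all constructed for the demonstration, not captured from a switch.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v9 field type numbers (RFC 3954), limited to the fields of the
# Nexus 1000V netflow-original record shown earlier on this page.
FIELD_TYPES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "SRC_TOS", 6: "TCP_FLAGS",
    7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP", 15: "IPV4_NEXT_HOP", 16: "SRC_AS",
    17: "DST_AS", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED", 61: "DIRECTION",
}
IPV4_FIELDS = {"IPV4_SRC_ADDR", "IPV4_DST_ADDR", "IPV4_NEXT_HOP"}
# version, count, sys_uptime, unix_secs, sequence, source_id
HEADER = struct.Struct("!HHIIII")


def decode_field(name, raw):
    """Render IPv4 fields dotted; everything else as a big-endian integer."""
    if name in IPV4_FIELDS:
        return str(IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates):
    """Parse one v9 export packet. `templates` maps (source_id, template_id)
    to a field list and must persist across packets: data FlowSets usually
    arrive without the template that describes them. A data FlowSet with no
    known template is skipped, never guessed at."""
    version, count, uptime, secs, seq, source_id = HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    header = {"count": count, "sys_uptime": uptime, "unix_secs": secs,
              "sequence": seq, "source_id": source_id}
    flows = []
    off = HEADER.size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed FlowSet length")  # never trust the length field
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template FlowSet; may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError("template field list overruns FlowSet")
                fields = []
                for _ in range(nfields):
                    ftype, flen = struct.unpack_from("!HH", body, pos)
                    pos += 4
                    fields.append((FIELD_TYPES.get(ftype, f"type_{ftype}"), flen))
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:  # data FlowSet; its ID is the template ID
            fields = templates.get((source_id, fs_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            pos = 0
            while rec_len and pos + rec_len <= len(body):  # leftover bytes are padding
                rec = {}
                for name, flen in fields:
                    rec[name] = decode_field(name, body[pos:pos + flen])
                    pos += flen
                flows.append(rec)
        # FlowSet ID 1 (options template) and 2..255 (reserved) are skipped
        off += fs_len
    return header, flows


def _v9_record(src, dst, proto, tos, sport, dport, in_if, out_if, direction,
               src_as, dst_as, next_hop, tcp_flags, nbytes, npkts, first, last):
    """Pack one data record in netflow-original field order (44 bytes)."""
    return (IPv4Address(src).packed + IPv4Address(dst).packed
            + struct.pack("!BBHHHHB", proto, tos, sport, dport, in_if, out_if, direction)
            + struct.pack("!HH", src_as, dst_as) + IPv4Address(next_hop).packed
            + struct.pack("!BIIII", tcp_flags, nbytes, npkts, first, last))


def build_sample_packet(include_template=True):
    """Constructed sample (not captured from a real switch): a template FlowSet
    describing netflow-original as template 256, then a data FlowSet with two
    flows. include_template=False omits the template, as most packets do."""
    tmpl_fields = [(8, 4), (12, 4), (4, 1), (5, 1), (7, 2), (11, 2), (10, 2), (14, 2),
                   (61, 1), (16, 2), (17, 2), (15, 4), (6, 1), (1, 4), (2, 4), (22, 4), (21, 4)]
    tmpl = struct.pack("!HH", 256, len(tmpl_fields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in tmpl_fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    records = (_v9_record("10.1.1.5", "192.0.2.80", 6, 0, 51514, 443, 2, 3, 0,
                          64500, 64501, "10.1.1.1", 0x1B, 8420, 12, 1000, 4500)
               + _v9_record("10.1.1.7", "10.1.1.5", 17, 0, 53, 40000, 3, 2, 0,
                            0, 0, "0.0.0.0", 0, 128, 1, 1200, 1200))
    data_fs = struct.pack("!HH", 256, 4 + len(records)) + records  # 92 bytes, 4-byte aligned
    nrec = 2 + (1 if include_template else 0)
    header = HEADER.pack(9, nrec, 4500, 1700000000, 1, 0)
    return header + (tmpl_fs if include_template else b"") + data_fs


if __name__ == "__main__":
    known = {}
    hdr, flows = parse_v9(build_sample_packet(), known)
    print(hdr)
    for f in flows:
        print(f)
```

Feed real exports to `parse_v9` by reading UDP datagrams from the port the exporter was configured with and keeping one `templates` dict per collector process; a template that never arrives shows up as data FlowSets that decode to nothing, which is the first thing to check when a collector "sees packets but no flows".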
Exporting Flows to the NetFlow Collector Server
Timers determine when a flow is exported to the NetFlow collector server. The following figure shows the export process. A flow is ready for export when one of the following occurs:
- The flow has been inactive for a certain amount of time (the inactive timer), during which no new packets were received for the flow.
- The flow has lived longer than the active timer, such as a long FTP download; the flow is exported even though packets are still arriving, and subsequent packets start a new cache entry.
- The flow cache is full and some flows must be aged out to make room for new flows.
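The grouping described under What is a Flow and the three export rules above, as an added Python example (not code from this page or from Cisco): a toy NetFlow cache keyed on the match fields of the netflow-original record that tallies packets and bytes per flow and expires entries by the inactive timer, the active timer, and a cache-full rule. The timer values (60 s active, 15 s inactive), the cache size of three flows, the policy of evicting the longest-idle flow when the cache is full, and the packet trace are all chosen for the demonstration and are not the switch's defaults or behaviour.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    """The match fields of netflow-original; identical values mean one flow."""
    src: str
    dst: str
    proto: int
    tos: int
    sport: int
    dport: int
    in_if: int
    out_if: int
    direction: int


@dataclass
class FlowEntry:
    """The collect side: counters and first/last timestamps (sys-uptime ms)."""
    first: int
    last: int
    packets: int = 0
    bytes: int = 0


class FlowCache:
    """Toy NetFlow cache applying the three expiry rules from the text."""

    def __init__(self, max_flows, active_timeout_ms, inactive_timeout_ms):
        self.max_flows = max_flows
        self.active_timeout = active_timeout_ms
        self.inactive_timeout = inactive_timeout_ms
        self.cache = {}      # FlowKey -> FlowEntry (insertion ordered)
        self.exported = []   # (FlowKey, FlowEntry, reason), in export order

    def _export(self, key, reason):
        self.exported.append((key, self.cache.pop(key), reason))

    def age(self, now):
        """Rule 1: idle past the inactive timer. Rule 2: alive past the
        active timer even though packets are still arriving."""
        for key, entry in list(self.cache.items()):
            if now - entry.last >= self.inactive_timeout:
                self._export(key, "inactive")
            elif now - entry.first >= self.active_timeout:
                self._export(key, "active")

    def observe(self, key, length, now):
        """Account one packet of `length` bytes seen at sys-uptime `now`."""
        self.age(now)
        entry = self.cache.get(key)
        if entry is None:
            if len(self.cache) >= self.max_flows:
                # Rule 3: cache full; assumed policy is to age out the
                # flow that has been idle longest to make room.
                victim = min(self.cache, key=lambda k: self.cache[k].last)
                self._export(victim, "cache-full")
            entry = FlowEntry(first=now, last=now)
            self.cache[key] = entry
        entry.packets += 1
        entry.bytes += length
        entry.last = now


def run_demo():
    """Constructed trace: a long HTTPS download, a DNS query and its reply
    (the reply is the opposite direction, so it is a separate flow), then
    three new flows that overflow the cache. Times are milliseconds."""
    dl = FlowKey("10.1.1.5", "192.0.2.80", 6, 0, 51514, 443, 2, 3, 0)
    dns_q = FlowKey("10.1.1.5", "10.1.1.7", 17, 0, 40000, 53, 2, 3, 0)
    dns_r = FlowKey("10.1.1.7", "10.1.1.5", 17, 0, 53, 40000, 3, 2, 1)
    trace = [(0, dl, 1500), (1000, dl, 1500), (2000, dns_q, 64), (2100, dns_r, 128)]
    trace += [(t, dl, 1500) for t in range(5000, 70001, 5000)]
    for i, t in enumerate((71000, 71500, 72000)):
        web = FlowKey("10.1.1.9", "192.0.2.%d" % (10 + i), 6, 0, 50000 + i, 80, 2, 3, 0)
        trace.append((t, web, 60))
    cache = FlowCache(max_flows=3, active_timeout_ms=60_000, inactive_timeout_ms=15_000)
    for now, key, length in trace:
        cache.observe(key, length, now)
    return cache.exported, cache.cache


if __name__ == "__main__":
    exported, remaining = run_demo()
    for key, entry, reason in exported:
        print(f"{reason:10s} {key.src}:{key.sport} -> {key.dst}:{key.dport} "
              f"proto={key.proto} pkts={entry.packets} bytes={entry.bytes}")
    print(f"{len(remaining)} flows still in cache")
```

The run shows the download being exported twice: once when it outlives the active timer (13 packets accounted so far) and again, as a fresh entry, when the cache fills. A collector that wants per-session totals therefore has to re-aggregate records with the same key across exports, which is also why a long transfer never appears as one oversized record.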
What NetFlow Data Looks Like
The following figure shows an example of NetFlow data.
Network Analysis Module
You can also use the Cisco Network Analysis Module (NAM) to monitor NetFlow data sources. NAM enables traffic analysis views and reports such as hosts, applications, conversations, VLAN, and QoS.
High Availability for NetFlow
The Cisco Nexus 1000V supports stateful restarts for NetFlow. After a reboot or supervisor switchover, the Cisco Nexus 1000V applies the running configuration.