NetFlow to Monitor Network Traffic

NetFlow is a network protocol developed by Cisco Systems for collecting IP traffic information. NetFlow has become an industry standard for traffic monitoring and is supported on various platforms. Routers or switches that support NetFlow  can collect IP traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records, towards at least one NetFlow collector.

Network Flows
A network flow can be defined in many ways. Cisco standard NetFlow defines a flow as a unidirectional sequence of packets that all share the following 7 values.

  1. Ingress interface (SNMP ifIndex)
  2. Source IP address
  3. Destination IP address
  4. IP protocol
  5. Source port for UDP or TCP, 0 for other protocols
  6. Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols
  7. IP Type of Service
Additional information added to a flow includes
  • Flow timestamps to understand the life of a flow; timestamps are useful for calculating packets and bytes per second
  • Next hop IP addresses including BGP routing Autonomous Systems (AS)
  • Subnet mask for the source and destination addresses to calculate prefixes
  • TCP flags to examine TCP handshakes


Netflow configuration on Cisco routers is very simple, just enable the NetFlow on interfaces, define the version to be used and the destination i.e. IP address of the NetFlow collector. In the below image, we will configure the router to send the flows to the workstation, where NetFlow Analyzer is installed.

interface FastEthernet 0/1
 description ### INSIDE ###
 ip address
 ip flow ingress
ip flow-export version 9
ip flow-export destination 9996

Just this much configuration will start sending the Flows towards Netflow Analyzer. Here is the sample output for the LAN segment from the above scenario.

Apart from using the NetFlow collector, you can also use CLI to view the Flows using the command

show ip cache flow

NetFlow Top-Talkers

NetFlow top-talkers feature is also very handy to use from Command Line Interface when you want to identify users who are utilizing more WAN bandwidth. To configu-re flow-top-talkers, just add the following configuration to the above configuration on the Router.

ip flow-top-talkers
 top 20
 sort-by bytes

To verify the top-talkers on the network, use the command,

Router#sh ip flow top-talkers

SrcIf  SrcIPaddress    DstIf  DstIPaddress    Pr SrcP DstP  Bytes
Fa0/1  Fa0/0   11 9215 7CB9   267K
Fa0/1  Fa0/0 11 9215 AF16   265K
Fa0/1  Fa0/0    06 D4FD C196   225K
Fa0/1  Fa0/0  06 C766 01BB   118K
Fa0/1  Fa0/0    11 81B7 82D7   107K
Fa0/1  Fa0/0 11 81B7 C8D3    97K
Fa0/1  Fa0/0  11 9215 B0BB    67K
Fa0/1  Fa0/0  11 81B7 C350    63K
Fa0/1  Fa0/0    11 81B7 D785    52K
Fa0/1  Fa0/0   11 9215 AC98    48K
Fa0/1  Fa0/0   11 81B7 0FA0    36K
Fa0/1  Fa0/0    11 81B7 DC90    34K
Fa0/1  Local   11 81B7 81B7    34K
Fa0/1  Fa0/0 06 CC11 4E21    18K
Fa0/1  Fa0/0    06 DDAA 836F    16K
Fa0/1  Fa0/0   11 81B7 B2B3    12K
Fa0/1  Fa0/0   11 81B7 434C  8851
Fa0/1  Fa0/0  06 C5F3 01BB  6174
Fa0/1  Fa0/0 06 F5DE 0050  5567
Fa0/1  Fa0/0   11 81B7 866D  5123
20 of 20 top talkers shown. 380 flows processed.


Popular posts from this blog

Specifying SSH port in Ansible Inventory

Ansible-Playbook to display output of multiple show commands (using stdout_lines with Loop)

Filtering Routes in BGP using Route-maps and Prefix-list

Ansible Playbook for Network OS Upgrade with pre and post checks

Bypassing Proxy Server in Google Chrome

VMware NSX Traffic Flow — East-West & North-South

Export or Backup Azure Network Security Groups into CSV using PowerShell

Ansible-playbook for backing up running config of Cisco IOS