
Using Cisco IOS Flexible NetFlow Flow Sampling for Efficient Traffic Analysis

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

**Introduction to Flexible NetFlow (NetFlow v9) Configuration and Utilization Guide**

### 1. Introduction to Flexible NetFlow

Flexible NetFlow, also known as NetFlow v9, is a feature introduced in Cisco IOS Release 12.2(33)SRC that enhances network traffic analysis by providing more detailed information about the flows traversing the network devices. This feature helps reduce CPU overhead by allowing for customizable flow records and advanced monitoring options.

### 2. Platform Support

Flexible NetFlow is specifically added to the Cisco 7200 series routers starting from Cisco IOS Release 12.2(33)SRC. For other platforms, refer to the feature information table below:

**Feature Information Table (Table1):**

- **Introduced in**: Cisco IOS Release 12.2(33)SRC
- **Platforms**: Supported for the Cisco 7200 series routers
- **Subsequent Versions**: Also supported in versions 12.2(50)SY and 12.4(9)T unless otherwise noted.

### 3. Setting Up Flow Exporters

To begin configuring Flexible NetFlow, you need to set up flow exporters that will collect the flow data from network devices. Use the following steps:

- **Define a Source Interface**: Assign an interface for the flow exporter to use.

```shell
ip address
crypto ikev2 keyring cisco1
crypto ikev2 proposal cisco1 10 default
crypto ikev2 policy cisco1 10
set pfs group 2
set encryption aes 256
set hash sha-256
crypto ipsec transform-set cisco1 esp-aes 256 esp-sha-256
crypto map cisco1 10 match address all
crypto map cisco1 10 set peer
crypto map cisco1 10 set transform-set cisco1
interface
crypto map cisco1
```

- **Configure Flow Sampling**: Implement flow sampling to limit the number of packets analyzed, reducing CPU overhead. Use commands like `mode`, `record`, and `sampler` to configure these samplers.

### 4. Customizing Flow Records and Monitors

Flexible NetFlow allows for customization of flow records by modifying the template used in exporters. Define custom templates with specific fields that are relevant to your network analysis needs. Use commands such as:

```shell
ip flow-export version 9
ip flow-export source
ip flow-export destination
ip flow-export record route
ip flow-export monitor
```

### 5. Advanced Features

Implement advanced features like Top N Talkers and IPv4 multicast statistics support:

- **Top N Talkers**: Use the `top` command to analyze the most active talkers in your network, helping identify high bandwidth users or potential bottlenecks.
- **IPv4 Multicast Statistics Support**: Monitor multicast traffic by configuring multicast groups and analyzing their flow records using the `show ip mroute` command.

### 6. Release History and Documentation

Refer to Cisco Feature Navigator (http://www.cisco.com/go/cfn) for up-to-date information on which software images support Flexible NetFlow. Detailed documentation about configuring a Flow Monitor and all related commands can be found in the release notes or feature set documents linked from the Cisco Support and Documentation website.

### 7. Technical Assistance

For installation, configuration, troubleshooting, and resolving issues related to Cisco products and technologies, visit the Cisco Support and Documentation website: http://www.cisco.com/go/support.

### Conclusion

This guide provides a comprehensive overview of configuring and utilizing Cisco's Flexible NetFlow for effective network traffic analysis while minimizing CPU overhead. By following the detailed steps outlined in this document, you can set up flexible netflow samplers, customize flow records, and leverage advanced features to gain deeper insights into your network traffic.

Details:

This document discusses how to use Cisco's Flexible NetFlow flow sampling feature to reduce the CPU overhead associated with analyzing network traffic. NetFlow is a technology that provides statistics on packets passing through a router, and it supports various applications including network monitoring, planning, analysis, and accounting. Flexible NetFlow enhances original NetFlow by allowing for customizable traffic analysis parameters based on specific requirements. This feature enables the creation of more complex configurations for advanced data export and analysis.

The document provides information about prerequisites for using flow sampling, details the capabilities of Flexible NetFlow samplers, and offers step-by-step instructions for configuring sampling to reduce CPU usage during traffic analysis. For up-to-date information on platform support and software release caveats, users can refer to Cisco Feature Navigator or the release notes specific to their platform and software version. Overall, this document serves as a guide for optimizing network performance by reducing unnecessary CPU consumption through effective use of Flexible NetFlow flow sampling.

The provided text outlines prerequisites and restrictions for implementing flow sampling using Cisco's Flexible NetFlow on routers, along with information about how to configure it for both IPv4 and IPv6 traffic. Here is a summary:

1. **Prerequisites:**

  • You must be familiar with the "Cisco IOS Flexible NetFlow Overview" module.

  • The networking device must run a Cisco IOS release that supports Flexible NetFlow. Check the "Cisco IOS Flexible NetFlow Features Roadmap" for compatible versions.

  • Your router and any interfaces you want to configure for Flexible NetFlow should have either IPv4 or IPv6 routing enabled, along with either Express Forwarding (IPv4) or Express Forwarding IPv6 (IPv6).

2. **Configuration Examples:**

  • The document suggests that more detailed configuration examples can be found in the referenced pages 7 and 9 for further guidance.

3. **Feature Information:**

  • Additional information about Flexible NetFlow features is available on page 11 of the document.

4. **Restrictions:**

  • Starting from Cisco IOS Release 12.2(50)SY, deterministic sampling is not supported.

5. **Flow Samplers:**

  • Flow samplers are created in a router's configuration to reduce the CPU load by limiting packet analysis. They use either random or deterministic sampling techniques:

  • Deterministic mode uses a consistent sampling position each time.

  • Random mode selects a randomly positioned sample each time.

6. **Additional References:**

  • Where to go next and additional references are both mentioned on page 9 of the document.

This summary captures the key points about setting up and using flow sampling for Flexible NetFlow in Cisco routers, including necessary conditions and limitations.

To configure flow sampling in order to decrease the CPU overhead when using Flexible NetFlow for analyzing traffic, follow these steps:

1. **Configuring a Flow Monitor**:

  • Begin by creating a flow monitor which defines the types of traffic you want to analyze. Each flow monitor has its own cache assigned to it and requires a record to define the contents and layout of its cache entries. The record format can be either one of the predefined formats or customized by an advanced user.

2. **Configuring and Enabling Flow Sampling**:

  • After setting up the flow monitor, apply samplers to the interface in conjunction with this flow monitor using the `ip flow monitor` command. This reduces the number of packets that need to be analyzed by the flow monitor, thereby decreasing CPU overhead. Note that while sampling decreases packet analysis and thus reduces memory usage, it also results in a loss of accuracy as some information may not be captured accurately due to the reduced sample size.
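The two sampler modes and the accuracy loss described above can be made concrete with a small model. This is an added example, not code from the original page or from Cisco; the functions, the per-window model and the traffic are constructed for illustration and do not describe IOS internals. It shows that a flow whose period matches the window is either over-counted or never seen in deterministic mode, and how likely random sampling is to miss a short flow entirely.

```python
import random
from collections import Counter


def sample(packets, window, mode, position=0, seed=None):
    """Keep one packet from every complete window of `window` packets.

    deterministic: the same position in each window (as the page describes)
    random:        a newly drawn position for each window
    """
    if not 2 <= window <= 32768:          # window-size range given on the page
        raise ValueError("window size must be between 2 and 32768")
    if mode not in ("deterministic", "random"):
        raise ValueError("mode must be 'deterministic' or 'random'")
    if not 0 <= position < window:
        raise ValueError("position must fall inside the window")
    rng = random.Random(seed)
    kept = []
    for start in range(0, len(packets) - window + 1, window):
        offset = position if mode == "deterministic" else rng.randrange(window)
        kept.append(packets[start + offset])
    return kept


def estimate(kept, window):
    """Scale sampled per-flow packet counts back up by the window size."""
    return {flow: count * window for flow, count in Counter(kept).items()}


def miss_probability(flow_packets, window):
    """Chance that random sampling keeps none of a flow's packets.

    Assumes every packet of the flow lands in a different window, so each is
    kept independently with probability 1/window.
    """
    return (1 - 1 / window) ** flow_packets


# Constructed traffic: every fourth packet belongs to a periodic flow and the
# rest to a bulk transfer, so the period equals the sampler window used below.
STREAM = ["bulk", "bulk", "bulk", "periodic"] * 250


if __name__ == "__main__":
    print("true counts       ", dict(Counter(STREAM)))
    print("deterministic pos0", estimate(sample(STREAM, 4, "deterministic"), 4))
    print("deterministic pos3", estimate(sample(STREAM, 4, "deterministic", 3), 4))
    print("random            ", estimate(sample(STREAM, 4, "random", seed=7), 4))
    for n in (1, 3, 10, 100):
        print(f"{n:>3}-packet flow missed at 1-out-of-100: "
              f"{miss_probability(n, 100):.3f}")
```

For monitoring that relies on sampled records, the miss probability is the figure to check against the shortest flows that still need to be visible.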

In summary, configuring flow sampling allows for more efficient use of router resources, particularly when dealing with large volumes of traffic by reducing the number of packets that need to be processed, albeit at the cost of potentially less accurate data representation in the cache.

To summarize and provide a clear overview of configuring and enabling flow sampling in Cisco IOS Flexible NetFlow to reduce CPU overhead for analyzing traffic, follow these steps:

1. **Enable Privileged EXEC Mode**: Use the `enable` command to enter privileged EXEC mode. Enter your password if prompted.
2. **Enter Global Configuration Mode**: Use the `configure terminal` command to enter global configuration mode.
3. **Create and Configure Flow Monitor**: Use the `flow monitor monitor-name` command to create a flow monitor and configure its settings. Optionally, add a description using the `description` command.
4. **Specify Flow Record**: Use the `record {record-name | netflow-original | netflow {ipv4 | ipv6} record}` command to specify the type of flow record you want to emulate with the flow monitor.
5. **Exit Configuration Mode**: Use the `end` command to exit the flow monitor configuration mode and return to privileged EXEC mode.

### Summary Steps:

1. Enable (enter privileged EXEC mode).
2. Configure terminal (enter global configuration mode).
3. Flow monitor monitor-name (create a flow monitor).
4. Description description (optional, add a description).
5. Record {record-name | netflow-original | netflow {ipv4 | ipv6} record}.
6. End (exit the flow monitor configuration mode and return to privileged EXEC mode).

### Detailed Steps:

  • **Step 1**: `enable` - Enables privileged EXEC mode. Enter your password if prompted.

  • **Step 2**: `configure terminal` - Enters global configuration mode.

  • **Step 3**: `flow monitor monitor-name` - Creates a flow monitor and enters Flexible NetFlow flow monitor configuration mode.

  • **Step 4**: `description description` (Optional) - Adds a description for the flow monitor.

  • **Step 5**: `record {record-name | netflow-original | netflow {ipv4 | ipv6} record }` - Specifies the type of flow record to emulate with the flow monitor.

  • **Step 6**: `end` - Exits Flexible NetFlow flow monitor configuration mode and returns to privileged EXEC mode.

This process helps in configuring a flow sampler that reduces CPU overhead by emulating original NetFlow, either for IPv4 or IPv6 traffic, thus simplifying network traffic analysis without the full complexity of capturing all packets.

The provided text outlines the process for configuring flow sampling in Cisco IOS to reduce CPU overhead when analyzing traffic using Flexible NetFlow. Here's a summary of the steps involved:

1. Enable privileged EXEC mode by entering the "enable" command and providing your password if required.
2. Enter global configuration mode with "configure terminal".
3. Create a new sampler or modify an existing one by specifying its name with "sampler sampler-name".
4. Optionally, provide a description for the flow sampler using "description description".
5. Set the sampler mode to either deterministic or random, and specify the window size (range is from 2 to 32,768).
6. Exit the sampler configuration mode by entering "exit".
7. Specify the interface type and number on which you want to apply the flow monitor. You can choose between IPv4 and IPv6 for this purpose.
8. Assign the flow monitor to either input or output traffic using the syntax "{ip | ipv6} flow monitor monitor-name [sampler-name] {input | output}".
9. Save your configuration with "end".
10. Verify the status of the sampler with "show sampler sampler-name".

These steps help in efficiently reducing CPU usage by sampling a portion of network traffic, which is then analyzed using the NetFlow feature to provide detailed flow information without overloading the system with all incoming and outgoing data.

The summarized text provides a guide on configuring and enabling flow sampling using Cisco IOS Flexible NetFlow, which helps in reducing the CPU overhead of analyzing network traffic. It includes examples for both IPv4 and IPv6 traffic configurations and demonstrates how to add or remove samplers from existing flow monitors. The process involves entering interface configuration mode by specifying the type number, assigning a flow monitor and sampler, displaying status with "show sampler," and exiting back to privileged EXEC mode.

The provided text outlines several examples of configuring Cisco IOS Flexible NetFlow Flow Sampling for different types of traffic, including IPv4 and IPv6 original-input/output traffic, as well as adding a sampler to an already enabled flow monitor. Here's a summary of the key points from each example:

1. **IPv4 Configuration Example:**

  • Start in global configuration mode with `!`.

  • Define a flow monitor named `FLOW-MONITOR-1` and configure it to record NetFlow data for IPv4 traffic based on original input (`record netflow ipv4 original-input`).

  • Create a sampler named `SAMPLER-1` set to deterministic mode with a sampling rate of 1 out of 2.

  • Assign the sampler to the interface Ethernet 0/0, enabling flow monitoring for IPv4 traffic (`ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input`).

2. **IPv6 Configuration Example:**

  • Similar setup in global configuration mode with `!`.

  • Define a new flow monitor named `FLOW-MONITOR-2` to record NetFlow data for IPv6 traffic, specifically original output (`record netflow ipv6 original-output`) and also for original input (`record netflow ipv6 original-input`).

  • Configure the sampler `SAMPLER-1` in deterministic mode with a sampling rate of 1 out of 2.

  • Assign the sampler to interfaces using IPv4 (`interface Ethernet 0/0`, `ip address ...`) and IPv6 (`ipv6 cef`, `ipv6 address ...`), enabling flow monitoring for both protocols (`ipv6 flow monitor FLOW-MONITOR-2 sampler SAMPLER-1 output` for original output, and `ipv6 flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input` for original input).

3. **Adding a Sampler to an Already Enabled Flow Monitor:**

  • Attempting to add another sampler (`SAMPLER-2`) to a flow monitor (`FLOW-MONITOR-1`) already enabled on the interface results in an error, indicating that the flow monitor cannot be enabled with two samplers (`% Flow Monitor: Flow Monitor 'FLOW-MONITOR-1' is already on in full mode and cannot be enabled with a sampler.`).

  • To resolve this, remove the existing flow monitor from the interface before adding the new sampler (`Router(config)# interface Ethernet 0/0` followed by `Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input`).
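The configuration steps and the three examples above depend on a few conditions that can be checked offline against a saved configuration. The following script is an added example, not from the original page or from Cisco documentation; the function names and the sample configuration are constructed, and the `mode {deterministic | random} 1 out-of window-size` line syntax is standard IOS that the page describes but does not quote.

```python
import re

# Constructed sample configuration (not from the original page); it reuses the
# monitor, sampler and interface names that appear in the page's examples.
SAMPLE_CONFIG = """\
flow monitor FLOW-MONITOR-1
 record netflow ipv4 original-input
!
sampler SAMPLER-1
 mode deterministic 1 out-of 2
!
interface Ethernet0/0
 ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input
!
interface Ethernet0/1
 ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input
 ipv6 flow monitor FLOW-MONITOR-2 output
"""

MODE_RE = re.compile(r"mode (deterministic|random) 1 out-of (\d+)$")
APPLY_RE = re.compile(r"(ip|ipv6) flow monitor (\S+)(?: sampler (\S+))? (input|output)$")


def audit(config):
    """Return findings about flow monitor and sampler use in a config text."""
    monitors, samplers, applied = set(), {}, []
    kind, name = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():              # top-level command opens a section
            words = line.split()
            kind, name = words[0], " ".join(words[1:])
            if words[:2] == ["flow", "monitor"]:
                kind, name = "monitor", " ".join(words[2:])
                monitors.add(name)
            elif kind == "sampler":
                samplers[name] = None         # no mode line seen yet
        elif kind == "sampler" and (m := MODE_RE.match(line)):
            samplers[name] = (m.group(1), int(m.group(2)))
        elif kind == "interface" and (m := APPLY_RE.match(line)):
            applied.append((name, m.group(2), m.group(3)))

    findings = []
    for sampler, mode in samplers.items():
        if mode is None:
            findings.append(f"sampler {sampler}: no mode configured")
        elif not 2 <= mode[1] <= 32768:       # window-size range from the page
            findings.append(f"sampler {sampler}: window {mode[1]} outside 2-32768")
        elif mode[0] == "deterministic":
            findings.append(f"sampler {sampler}: deterministic mode, not supported from 12.2(50)SY")
    for intf, monitor, sampler in applied:
        if monitor not in monitors:
            findings.append(f"{intf}: flow monitor {monitor} is not defined")
        if sampler is None:
            findings.append(f"{intf}: {monitor} applied in full mode (no sampler)")
        elif sampler not in samplers:
            findings.append(f"{intf}: sampler {sampler} is not defined")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```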

These examples demonstrate how to configure Cisco IOS for flexible NetFlow sampling, which helps reduce CPU overhead in analyzing traffic by only sampling a portion of the traffic and recording detailed information for sampled packets.

The text discusses the use of Cisco IOS Flexible NetFlow Flow Sampling to reduce CPU overhead in analyzing traffic. It provides a step-by-step guide on how to remove a sampler from a flow monitor and enable it without the sampler, using commands such as "no ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input" followed by "ip flow monitor FLOW-MONITOR-1 input". The text also recommends further reading for those interested in advanced configurations like quality of service (QoS) and bandwidth monitoring, application and user flow monitoring and profiling, and security analysis. It suggests referring to specific modules such as "Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors" for more detailed information on configuring predefined records or "Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters" if interested in data export configuration. Lastly, the text provides a list of related documents including an overview of Flexible NetFlow and its roadmap to provide further context and guidance on implementing this feature effectively within network management operations.

The document provides a comprehensive guide on configuring and utilizing Cisco's Flexible NetFlow (NetFlow v9) to analyze network traffic more effectively, reducing CPU overhead in the process. It includes detailed steps for setting up flow exporters, customizing flow records and monitors, and using advanced features like Top N Talkers and IPv4 multicast statistics support. The document also covers the release history of this feature and provides a link to locate MIBs and download them from Cisco's website. Additionally, it offers technical assistance through the Cisco Support and Documentation website for software installation, configuration, troubleshooting, and resolving issues related to Cisco products and technologies.

The text provided is a summary of the introduction and support information for the Flexible NetFlow feature in various Cisco IOS releases. Here's a breakdown of what it tells us:

1. **Introduction of Flexible NetFlow**: The feature was introduced in Cisco IOS Release 12.2(33)SRC, with subsequent versions like 12.2(50)SY and 12.4(9)T also supporting this feature unless otherwise noted.
2. **Platform Support**: Support for Flexible NetFlow was added specifically for the Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
3. **Cisco Feature Navigator**: This tool allows users to check which software images support a specific feature, release, or platform on the http://www.cisco.com/go/cfn website without needing an account on Cisco.com.
4. **Feature Information Table (Table1)**: This table lists the versions of Cisco IOS releases in which each feature was introduced or modified. For Flexible NetFlow:

  • It was introduced in version 12.2(33)SRC.

  • Support for this feature was added later for the Cisco 7200 series routers in version 12.2(50)SY and further extended to version 12.4(9)T.

5. **Documentation**: Information about configuring a Flow Monitor and detailed descriptions of all commands related to Flexible NetFlow are found in the documentation provided with each release or feature set, as noted in Table1.
6. **Commands Affected**: The table lists various command names that were either introduced or modified due to the inclusion of Flexible NetFlow. These include descriptive fields like 'description (Flexible NetFlow)' and platform-specific commands such as 'match ipv4 destination'.

In summary, this text outlines the introduction, supported platforms, documentation locations, and affected commands for the Flexible NetFlow feature across different Cisco IOS releases.

This article discusses how to reduce the CPU overhead of analyzing traffic using Cisco's Flexible NetFlow by implementing flow sampling, which involves creating flexible netflow samplers that limit the number of packets analyzed. The process includes configuring the sampler with specific modes such as random or deterministic techniques, and setting up the necessary parameters for each mode. The article provides step-by-step guidance on how to configure these samplers using commands like 'mode', 'record', and 'sampler' in the Cisco IOS operating system. It also offers examples of configurations that can be implemented through various commands such as 'show sampler', 'clear sampler', and 'debug sampler'. Key points include:

  • Prerequisites for implementing flow sampling are outlined, including understanding how samplers work and their modes (random or deterministic).

  • The article provides detailed information about configuring these samplers to reduce CPU overhead in traffic analysis.

  • Examples of configuration commands such as 'mode', 'record', and 'sampler' are given to help set up the system correctly.

  • Additional useful commands for monitoring the sampler performance, including 'show sampler', 'clear sampler', and 'debug sampler'.

This method aims to improve network efficiency by decreasing unnecessary traffic analysis without compromising on the quality of data being analyzed. The use of flexible netflow samplers allows for a balance between capturing enough information and reducing CPU load, which is essential in large-scale networks where detailed flow analytics are required but hardware resources must be conserved.

The text provided is a legal disclaimer that clarifies several points about the document. Here's a summary:

  • The addresses mentioned in the document are not actual IP addresses but rather examples or placeholders for illustrative purposes.

  • Any instances where actual IP addresses appear in the content are unintended and merely coincidental.

  • This information is from 2006 to 2011, referring to a time when Cisco Systems, Inc., held copyrights over this document.

  • The disclaimer serves to prevent misuse of the depicted examples or accidental use of actual IP addresses that might lead to confusion or legal issues for users.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
