Under the disruptive influence of cloud computing and containerized technology, networks have become increasingly opaque. Modern enterprises are using technology that is more complex and faster-pace. Yet for all these changes, NetFlow, a technology developed in the 1990s has remained a staple for network security and quality of service monitoring.
What is NetFlow?
NetFlow is a network protocol and Cisco IOS application that was developed by Cisco to collect and monitor traffic data generated by routers and switches (many routers have a NetFlow feature that automatically records NetFlow data). Devices compatible with NetFlow produce data that can be exported to a NetFlow collector/software agent.
After exporting NetFlow data, an administrator can use a NetFlow traffic analyzer to view visual representations of this flow data to gauge the performance of the network. For example, if there is an unusual spike in traffic then a NetFlow Analyzer will send you an alert.
Identifying abnormal levels of traffic is useful for diagnosing cyber attacks like DDoS attacks so the user can take steps to mitigate it ASAP. In other words, using NetFlow is a great way to monitor and troubleshoot your network.
Configure and verify Cisco NetFlow with the Cisco UCS Manager GUI
While Cisco 7200, 7500, 7400, MGX, and AS5800 are all compatible with the NetFlow application, you will have to purchase a feature license to be able to use the NetFlow function.
Before enabling NetFlow you need to configure your router for IP routing, enable Cisco Express Forwarding, distributed Cisco Express Forwarding, or fast switching. In this example, we’re going to be configuring NetFlow through the Cisco UCS Manager graphical user interface (GUI).
Cisco UCS Manager is a system used to communicate with routers and switches across a network. It includes adapters like Cisco UCS VIC 1225, Cisco UCS VIC 1240, and Cisco UCS VIC 1280. To configure NetFlow with UCS Manager:
- Go to the LAN tab > NetFlow > General page and check the radio button. Define a Flow Record
- Now we need to define a flow record. To do this click the LAN tab > NetFlow Monitoring.
- Next, right-click on Flow Record Definitions > Create Flow Record Definition.
- Go to the Create Flow Record Definition dialog box and enter a Name and a Description. Now go to the Define Keys section and select one of the following: L2keys, IPv4keys, or Ipv6keys. These refer to Layer 2 Switched, IPv4, and IPv6.
- Go to the Select Measured Fields(non-keys) box and check the fields you want to include with the flow data. Options include; Counter Bytes Long, Counter Packets Long, Sys Uptime First, and Sys Uptime Last. Define a Flow Collector
- Once this is done it is time to define a Flow Collector. To do this go to the LAN tab > NetFlow Monitoring > Flow Collectors and click the Add button.
- Go to the Create Flow Collectors box and enter a Name and Description for the flow collector. Now enter the Collector IP, Port, Exporter Gateway IP, and VLAN. Define a Flow Exporter
- After this, we need to define a Flow Exporter. Go to the LAN tab > Network Monitoring > Flow Exporters > Create Flow Exporter. Enter a Name and a Description. Now fill out the rest of the form options: DSCP, Exporter Profile, Flow Collector, Template Data Timeout, Option Exporter Stats Timeout, and Option Interface Table Timeout. Define a Flow Monitor
- Now it’s time to define a Flow Monitor. To do this go to LAN > NetFlow Monitoring > Flow Monitors (icon)and press Create Flow Monitor. Enter a Name and a Description. Then enter a Flow Definition, Flow Exporter 1, Flow Exporter 2, and Timeout Policy. Define a Flow Monitor Session
- After defining a Flow Monitor we need to Define a Flow Monitor Session. We can do this by going to LAN > Network Monitoring > Flow Monitor Sessions. Press Create Flow Monitor Session, then enter a Name and Description. Under the Host Receive Direction Monitor, select the flow monitor you want to use from the list or press Create Flow Monitor if you want to create one.
- Under the Host Transmit Direction Monitor 1 parameter, select the flow monitor you want to use from the list or use the Create Flow Monitor option to create one. Fill out the Host Receive Direction Monitor 2 and Host Transmit Direction Monitor 2 parameters with any additional configurations. Assign a Flow Monitor Session to a vNIC
- Now we need to Assign a Flow Monitor Session to a vNIC. Click LAN > NetFlow Monitoring > Flow Monitor Sessions and select the Flow Monitor Session you want to configure. Set the Flow Exporter Profile default and then go to Properties and expand the vNICs option. Click the Add button and then select which vNIC you want to use with the flow monitor session.
- Save the changes and finish.
Configure and verify Cisco NetFlow through a Command-line interface
If you want to use the Command Line Interface (CLI) to configure NetFlow on an interface then this is another alternative to the GUI. The process to configure and verify NetFlow is relatively simple:
- To enable EXEC mode, enter the following command:
router > enable
- Now, enter Global Configuration Mode by entering the configure command:
router > configure terminal
- Select the interface you want to configure for NetFlow by typing the number:
router > interface ethernet 0/0
- Next, we need to Enable NetFlow ingress and egress on the interface. To do that enter these two commands:
router > ip flow ingress router > ip flow egress
- If you want to enable NetFlow on another interface use the following command to return to Global Configuration Mode:
router > exit
- Then repeat the entire process until you have configured all the interfaces you need.
- To finish, use the End command to return to EXEC mode:
router > end
Verify that NetFlow is Up and Running
To ensure that NetFlow is operational you can use the show IP flow interface, show IP cache flow, and show IP cache verbose flow commands:
- Use the show IP flow interface command to view the NetFlow configuration for the interface:
router > show ip flow interface
- Use the show ip cache flow command to verify that NetFlow is working alongside a summary of statistics:
router > show ip cache flow
- Use the show ip cache verbose flow command to verify that NetFlow is working alongside a summary of statistics. It can be used to view Source Mask and AS, Destination Port Mask AS, ToS and TCP, Flow Rate, and more. To use the command enter the following:
router > show ip cache verbose flow
After you’ve finished configuring NetFlow the next stage is to choose a flow collection tool. Even after following the steps above you won’t be able to use NetFlow unless you have a software agent/NetFlow analyzer to collect the information generated by your devices. The good news is that these tools are widely available. In this section we’re going to look at two platforms:
SolarWinds NetFlow Traffic Analyzer
SolarWinds NetFlow Traffic Analyzer is a NetFlow traffic analyzer and bandwidth monitoring tool that you can use to view NetFlow outputs. The tool allows you to view IPv4 and IPv6 flow data. It also has a GUI with performance dashboards where you can see NetFlow sources and an overview of the Top Bandwidth Hogs within the network.
For example, you could look up the name of a switch in your network and view the Traffic In, Traffic Out, Last Received NetFlow, and Last Received CBQOS to see if traffic is normal.
The software has an alerts system so you receive alerts when there is a fluctuation in traffic that you need to take note of. You can configure when alerts are generated with custom parameters. For example, you can set a Trigger Condition as when Application traffic exceeds the threshold and then set an Ingress Traffic parameter. The tool starts at a price of (£1,475). There is also a 30-day free trial version.
SolarWinds NetFlow Traffic AnalyzerDownload 30-day FREE Trial
Paessler PRTG Network Monitor
PRTG Network Monitor is a piece of network monitoring software that can monitor NetFlow traffic. It supports all NetFlow versions and provides a GUI to monitor devices. You can monitor NetFlow with sensors. There is a NetFlow V5 sensor and a NetFlow V9 sensor.
The sensors measure network traffic in kbit per second in a variety of formats (including, FTP/P2P, DHCP, DNS, Ident, ICMP, SNMP, IMAP, NetBIOS, SSH, Telnet, HTTP, HTTPS, UDP, TCP, and more). All traffic is presented in a graphical overview which shows a Top Talkers, Top Connections, and Top Protocols, alongside a time period of your choice.
The sensors can be configured to send you alerts via email and SMS if traffic reaches unusual levels. The price of the Paessler PRTG Network Monitor starts at $1,600 (£1,232) for 500 sensors and one server installation. There is also a 30-day free trial version.
Paessler PRTG Network MonitorDownload 30-day FREE Trial
Managing Performance and Security Events with NetFlow Monitoring
Once NetFlow is configured on your devices you’ll be able to monitor packets transmitted throughout your network. NetFlow monitoring is extremely useful as part of your network monitoring strategy because it allows you to view traffic and to identify cyber-attacks like DoS or DDoS.
If you plan to use a NetFlow monitoring to oversee your network then it is a good idea to download a NetFlow analyzer. It will provide you with a GUI to monitor traffic and make it easier to identify cyber-attacks. Monitoring traffic will help you to keep a watchful eye on performance and security events.