This Bridge is the Root


Building a Better Monitoring Solution with Flexible Netflow

If you were to ask most network engineers to configure their network to be monitored, they'd likely set up SNMP and logging and be done with it. They might get some rudimentary interface utilization statistics from SNMP, but they'd be blind to the rich metadata and in-depth traffic statistics that they could be getting from netflow.

With netflow we can collect traffic statistics on a per-flow basis rather than just a per-interface basis. Information like this can transform your security team's ability to track down bad actors and help you identify network bottlenecks, network misconfigurations, user behaviors, and more.

While netflow information can be viewed from a switch's command line, it lacks the ability to provide historical trends, create alerts, or view data from multiple devices in the network at once. For this, we're going to need a netflow server, otherwise known as a netflow collector. Popular netflow collectors are SolarWinds, Cisco's Stealthwatch, and ManageEngine. There are open-source options available as well.

Cisco has even built a netflow collector into DNA Center to enable the Assurance feature set.

Netflow has progressed through multiple versions, but to get the most out of our netflow configuration, we want to use version 9. Earlier versions are mostly deprecated at this point, but version 5 is still used and configurable. Netflow version 5 doesn't provide the flexibility of version 9 to choose exactly which fields you find important. Additionally, version 9 adds support for IPv6 that version 5 lacks.

There are three portions of a flexible netflow configuration:

  • The flow exporter
    Defines the servers that netflow data will be sent to. We'll define the IP address of the collector, port information, source-interface, and netflow version here.

  • The flow record
    This defines the metadata that will actually be collected by our switches. We can record information such as:

    • Layer 2 Source and Destination, VLAN, TOS

    • Layer 3 Source and Destination, Protocol

    • Layer 4 ports

    • Interface and flow direction, next hop

    • VRF and MPLS labels

    • Timestamps

    • Packet size

    • Forwarding Status

  • The flow monitor
    The flow monitor is where we combine the flow exporter and record policies. We can attach multiple flow exporters here under the flow monitor policy. This is what will be attached to an interface.

After defining the components of our netflow policy, it can then be applied to monitor an interface.
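Here is an added example that walks through all three components and the final interface binding in IOS/IOS-XE syntax. It is constructed for this article and is not the author's own configuration; the collector address 192.0.2.10, the Loopback0 source, UDP port 2055, the policy names, and the GigabitEthernet1/0/1 interface are all assumptions you would replace with your own values. The exact set of supported match/collect fields varies by platform, so check any line the switch rejects against the configuration guide for your model.

```cisco
! --- 1. Flow exporter: where the records go -------------------------------
! Example collector address (constructed); source from a loopback so the
! collector sees a stable, routable source IP regardless of egress link.
flow exporter NETFLOW-EXPORTER
 description Export to the netflow collector
 destination 192.0.2.10
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
 option interface-table
!
! --- 2. Flow record: which fields are collected ---------------------------
! "match" fields are the flow key; "collect" fields are carried alongside.
! On a routed interface, remove the three "match datalink" lines: every
! frame on the link would carry the same router MAC addresses anyway.
flow record NETFLOW-RECORD
 description Per-flow keys plus counters, timestamps and routing info
 match datalink mac source address input
 match datalink mac destination address input
 match datalink vlan input
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 collect routing next-hop address ipv4
 collect routing vrf input
 collect routing forwarding-status
 collect transport tcp flags
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! --- 3. Flow monitor: ties record and exporter(s) together ----------------
! A second "exporter" line would send the same records to a second
! collector; the active/inactive timeouts control how long a flow sits in
! the cache before it is exported.
flow monitor NETFLOW-MONITOR
 description Combined record and exporter policy
 record NETFLOW-RECORD
 exporter NETFLOW-EXPORTER
 cache timeout active 60
 cache timeout inactive 15
!
! --- 4. Apply the monitor to an interface (name is an assumption) ---------
interface GigabitEthernet1/0/1
 ip flow monitor NETFLOW-MONITOR input
 ip flow monitor NETFLOW-MONITOR output
```

Once this is in place, the Flexible NetFlow-specific show commands are the quickest way to confirm it is working: "show flow monitor NETFLOW-MONITOR cache" lists the flows currently in the cache, and "show flow exporter NETFLOW-EXPORTER statistics" shows how many records have actually left the switch toward the collector.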

Below is my do-everything netflow configuration. It's possibly a little overkill for every application, but it gives you a great deal of information about your network traffic. If you were planning on applying this configuration to a routed interface, I would remove the datalink information from the flow record policy, because every frame transiting the link would have the same source and destination information.

Configuration


Of course, Cisco's configuration guide is the best place to go for in-depth documentation of the various options that can be configured.

If you’d like to view the netflow cached data on the switch itself, “show ip cache flow” is the way to go. You can also see which interfaces you have netflow enabled on with “show ip flow interface” and view statistics regarding your exporter with “show ip flow export”.