Home > Articles > NetFlow for Cybersecurity

NetFlow for Cybersecurity

Chapter Description

In this sample chapter from CCNA Cyber Ops SECOPS 210-255 Official Cert Guide, readers learn how to configure basic NetFlow in a Cisco device. Content also covers the industry standard IPFIX as well as how NetFlow is used for cybersecurity and incident response.

NetFlow Versions

key_topic.jpg

There are several versions of NetFlow. Table 4-3 lists all versions of NetFlow and provides a brief description of the features supported.

Table 4-3 NetFlow Versions

NetFlow Version

Description

Version 1 (v1)

(Obsolete.) The first implementation of NetFlow. NetFlow v1 was limited to IPv4 without IP network masks and autonomous system numbers (ASNs).

Version 2 (v2)

Never released.

Version 3 (v3)

Never released.

Version 4 (v4)

Never released.

Version 5 (v5)

Popular NetFlow version on many routers from different vendors. Limited to IPv4 flows.

Version 6 (v6)

(Obsolete.) No longer supported by Cisco.

Version 7 (v7)

(Obsolete.) Like version 5, with a source router field.

Version 8 (v8)

(Obsolete.) Several aggregation forms, but only for information that is already present in v5 records.

Version 9 (v9)

Template based, available (as of 2009) on some recent routers. Mostly used to report flows such as IPv6, Multiprotocol Label Switching (MPLS), and even plain IPv4 with Border Gateway Protocol (BGP) next hop.

IPFIX

IPFIX is an IETF standard based on NetFlow v9 with several extensions.

Table 4-4 lists the NetFlow v1 flow header format, and Table 4-5 lists the attributes of the NetFlow v1 flow record format.

Table 4-4 NetFlow v1 Flow Header Format

Bytes

Contents

Description

0–1

version

NetFlow export format version number

2–3

count

Number of flows exported in this packet (1–24)

4–7

sys_uptime

Current time in milliseconds since the export device booted

8–11

unix_secs

Current count of seconds since 0000 UTC 1970

12–16

unix_nsecs

Residual nanoseconds since 0000 UTC 1970

Table 4-5 NetFlow v1 Flow Record Format

Bytes

Contents

Description

0–3

srcaddr

Source IP address

4–7

dstaddr

Destination IP address

8–11

nexthop

IP address of next-hop router

12–13

input

SNMP index of input interface

14–15

output

SNMP index of output interface

16–19

dPkts

Packets in the flow

20–23

dOctets

Total number of Layer 3 bytes in the packets of the flow

24–27

first

SysUptime at start of flow

28–31

last

SysUptime at the time the last packet of the flow was received

32–33

srcport

TCP/UDP source port number or equivalent

34–35

dstport

TCP/UDP destination port number or equivalent

36–37

pad1

Unused (0) bytes

38

prot

IP protocol type (for example, TCP = 6; UDP = 17)

39

tos

IP type of service (ToS)

40

flags

Cumulative OR of TCP flags

41-48

pad2

Unused (0) bytes

Table 4-6 lists the NetFlow v5 flow header format, and Table 4-7 lists the attributes of the NetFlow v5 flow record format.

Table 4-6 NetFlow v5 Flow Header Format

Bytes

Contents

Description

0–1

version

NetFlow export format version number.

2–3

count

Number of flows exported in this packet (1–30).

4–7

sys_uptime

Current time in milliseconds since the export device booted.

8–11

unix_secs

Current count of seconds since 0000 UTC 1970.

12–15

unix_nsecs

Residual nanoseconds since 0000 UTC 1970.

16-19

flow_sequence

Sequence counter of total flows seen.

20

engine_type

Type of flow-switching engine.

21

engine_id

Slot number of the flow-switching engine.

22–23

sampling_interval

First 2 bits hold the sampling mode; remaining 14 bits hold value of sampling interval.

Table 4-7 NetFlow v5 Flow Record Format

Bytes

Contents

Description

0–3

srcaddr

Source IP address

4–7

dstaddr

Destination IP address

8–11

nexthop

IP address of next-hop router

12–13

input

Simple Network Management Protocol (SNMP) index of input interface

14–15

output

SNMP index of output interface

16–19

dPkts

Packets in the flow

20–23

dOctets

Total number of Layer 3 bytes in the packets of the flow

24–27

first

SysUptime at start of flow

28–31

last

SysUptime at the time the last packet of the flow was received

32–33

srcport

TCP/UDP source port number or equivalent

34–35

dstport

TCP/UDP destination port number or equivalent

36

pad1

Unused (0) bytes

37

tcp_flags

Cumulative OR of TCP flags

38

prot

IP protocol type (for example, TCP = 6; UDP = 17)

39

tos

IP type of service (ToS)

40–41

src_as

Autonomous system number (ASN) of the source, either origin or peer

42–43

dst_as

ASN of the destination, either origin or peer

44

src_mask

Source address prefix mask bits

45

dst_mask

Destination address prefix mask bits

46–47

pad2

Unused (0) bytes

Table 4-8 lists the NetFlow v7 flow header format, and Table 4-9 lists the attributes of the NetFlow v7 flow record format.

Table 4-8 NetFlow v7 Flow Header Format

Bytes

Contents

Description

0–1

version

NetFlow export format version number

2–3

count

Number of flows exported in this packet (1–30)

4–7

sys_uptime

Current time in milliseconds since the export device booted

8–11

unix_secs

Current count of seconds since 0000 UTC 1970

12–15

unix_nsecs

Residual nanoseconds since 0000 UTC 1970

16–19

flow_sequence

Sequence counter of total flows seen

20–23

reserved

Unused (0) bytes

Table 4-9 NetFlow v7 Flow Record Format

Bytes

Contents

Description

0-3

srcaddr

Source IP address.

4-7

dstaddr

Destination IP address.

8-11

nexthop

IP address of next-hop router.

12-13

input

SNMP index of input interface.

14-15

output

SNMP index of output interface.

16-19

dPkts

Packets in the flow.

20-23

dOctets

Total number of Layer 3 bytes in the packets of the flow.

24-27

first

SysUptime at start of flow.

28-31

last

SysUptime at the time the last packet of the flow was received.

32-33

srcport

TCP/UDP source port number or equivalent.

34-35

dstport

TCP/UDP destination port number or equivalent.

36

padl

Unused (0) bytes.

37

tcp flags

Cumulative OR of TCP flags.

38

prot

IP protocol type (for example, TCP = 6; UDP = 17).

39

tos

IP type of service (ToS).

40-41

src as

ASN of the source, either origin or peer.

42-43

dst as

ASN of the destination, either origin or peer.

44

src mask

Source address prefix mask bits.

45

dst mask

Destination address prefix mask bits.

46-47

flags

Flags indicating, among other things, what flows are invalid.

48-51

router sc

IP address of the router that is bypassed by the Catalyst 5000 series switch. (This is the same address the router uses when it sends NetFlow export packets. This IP address is propagated to all switches bypassing the router through the Fibre Channel Protocol [FCP].)

The most popular version of NetFlow is Version 9. The NetFlow v9 format is template based. Templates provide a flexible design to the record format. This feature allows for future enhancements to NetFlow services without requiring fundamental changes to the underlying flow record format.

The following are the benefits of using NetFlow templates:

  • They provide vendor-neutral support for companies that create applications that provide collector or analysis capabilities for NetFlow so that they are not required to reinvent their product each time a new NetFlow feature is added.

  • New features can be added to NetFlow more quickly, without breaking current implementations and with backward compatibility.

The NetFlow v9 record format consists of a packet header followed by at least one or more template or data FlowSets. A template FlowSet provides a description of the fields that will be present in future data FlowSets. These data FlowSets may occur later within the same export packet or in subsequent export packets. Figure 4-2 shows a basic illustration of the NetFlow v9 export packet.

Figure 4-2

Figure 4-2 NetFlow v9 Export Packet

Figure 4-3 shows a more detailed illustration of the NetFlow v9 export packet and the relationship between each field and its attributes.

Figure 4-3

Figure 4-3 NetFlow v9 Export Packet Details

The format of the NetFlow v9 packet header is very similar to its predecessors and is illustrated in Figure 4-4.

Figure 4-4

Figure 4-4 NetFlow v9 Packet Header Format

Table 4-10 lists the NetFlow v9 packet header field descriptions.

Table 4-10 NetFlow v9 Packet Header Field Descriptions

Field Name

Value

Version

The version of NetFlow records exported in this packet. The hexadecimal value 0x0009 represents NetFlow v9.

Count

Number of FlowSet records (both template and data) contained within the export packet.

System Uptime

Time in milliseconds since the device started.

UNIX Seconds

Seconds since 0000 coordinated universal time (UTC) 1970.

Sequence Number

Incremental sequence counter of all export packets sent by this export device; this value is cumulative, and it can be used to identify whether any export packets have been missed.

Note: This is a change from the NetFlow v5 and v8 headers, where this number represented "total flows."

Source ID

A 32-bit value that is used to ensure uniqueness for all flows exported from a particular NetFlow-enabled device. The Source ID field is the equivalent of the Engine Type and Engine ID fields found in the NetFlow v5 and v8 headers.

The format of this field is vendor specific. In Cisco's implementation, the first 2 bytes are reserved for future expansion and will always be 0. Byte 3 provides uniqueness with respect to the routing engine on the exporting device. Byte 4 provides uniqueness with respect to the particular line card or Versatile Interface Processor on the exporting device. NetFlow collectors should use the combination of the source IP address plus the Source ID field to associate an incoming NetFlow export packet with a unique instance of NetFlow on a particular device.

As previously mentioned, templates are one of the main benefits of NetFlow v9 because they provide flexibility to allow a NetFlow collector or display application to process NetFlow data without necessarily knowing the format of the data in advance.

Figure 4-5 shows the format of the NetFlow v9 template FlowSet.

Figure 4-5

Figure 4-5 NetFlow v9 Template FlowSet Format

Table 4-11 lists the NetFlow v9 template FlowSet field descriptions.

Table 4-11 NetFlow v9 Template FlowSet Field Descriptions

Field

Description

flowset_id

The flowset_id field is used to distinguish template records from data records. A template record always has a flowset_id in the range of 0 to 255. Currently, the template record that describes flow fields has a flowset_id of 0, and the template record that describes option fields (described later) has a flowset_id of 1. A data record always has a nonzero flowset_id greater than 255.

length

Length refers to the total length of this FlowSet. Because an individual template FlowSet may contain multiple template IDs (as illustrated earlier), the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet.

Length is expressed in type/length/value (TLV) format, meaning that the value includes the bytes used for the flowset_id and the length of bytes themselves, in addition to the combined lengths of all template records included in this FlowSet.

template_id

As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template_id.

Templates that define data record formats begin numbering at 256 because 0 through 255 are reserved for flowset_ids.

field_count

This field gives the number of fields in this template record. Because a template FlowSet may contain multiple template records, this field allows the parser to determine the end of the current template record and the start of the next.

field_type

This numeric value represents the type of the field. The possible values of the field type are vendor specific. Cisco-supplied values are consistent across all platforms that support NetFlow v9.

At the time of the initial release of the NetFlow v9 code (and after any subsequent changes that could add new field-type definitions), Cisco provided a file that defines the known field types and their lengths.

Table 4-12 details the currently defined field types.

field_length

This number gives the length of the field_type field, in bytes.

Table 4-12 lists the NetFlow v9 field type definitions.

Table 4-12 NetFlow v9 Field Type Definitions

Field Type

Value

Length (bytes)

Description

IN_BYTES

1

N (default is 4)

Incoming counter with length N × 8 bits for number of bytes associated with an IP flow.

IN_PKTS

2

N (default is 4)

Incoming counter with length N × 8 bits for the number of packets associated with an IP flow.

FLOWS

3

N

Number of flows that were aggregated; default for N is 4.

PROTOCOL

4

1

IP protocol byte.

SRC_TOS

5

1

Type of service byte setting when entering incoming interface.

TCP_FLAGS

6

1

Cumulative of all the TCP flags seen for this flow.

L4_SRC_PORT

7

2

TCP/UDP source port number (for example, FTP, Telnet, or equivalent).

IPV4_SRC_ADDR

8

4

IPv4 source address.

SRC_MASK

9

1

The number of contiguous bits in the source address subnet mask (that is, the submask in slash notation).

INPUT_SNMP

10

N

Input interface index; default for N is 2, but higher values could be used.

L4_DST_PORT

11

2

TCP/UDP destination port number (for example, FTP, Telnet, or equivalent).

IPV4_DST_ADDR

12

4

IPv4 destination address.

DST_MASK

13

1

The number of contiguous bits in the destination address subnet mask (that is, the submask in slash notation).

OUTPUT_SNMP

14

N

Output interface index; default for N is 2, but higher values could be used.

IPV4_NEXT_HOP

15

4

IPv4 address of next-hop router.

SRC_AS

16

N (default is 2)

Source BGP ASN, where N could be 2 or 4.

DST_AS

17

N (default is 2)

Destination BGP ASN, where N could be 2 or 4.

BGP_IPV4_NEXT_HOP

18

4

Next-hop router's IP in the BGP domain.

MUL_DST_PKTS

19

N (default is 4)

IP multicast outgoing packet counter with length N × 8 bits for packets associated with the IP flow.

MUL_DST_BYTES

20

N (default is 4)

IP multicast outgoing byte counter with length N × 8 bits for bytes associated with the IP flow.

LAST_SWITCHED

21

4

System uptime at which the last packet of this flow was switched.

FIRST_SWITCHED

22

4

System uptime at which the first packet of this flow was switched.

OUT_BYTES

23

N (default is 4)

Outgoing counter with length N × 8 bits for the number of bytes associated with an IP flow.

OUT_PKTS

24

N (default is 4)

Outgoing counter with length N × 8 bits for the number of packets associated with an IP flow.

MIN_PKT_LNGTH

25

2

Minimum IP packet length on incoming packets of the flow.

MAX_PKT_LNGTH

26

2

Maximum IP packet length on incoming packets of the flow.

IPV6_SRC_ADDR

27

16

IPv6 source address.

IPV6_DST_ADDR

28

16

IPv6 destination address.

IPV6_SRC_MASK

29

1

Length of the IPv6 source mask in contiguous bits.

IPV6_DST_MASK

30

1

Length of the IPv6 destination mask in contiguous bits.

IPV6_FLOW_LABEL

31

3

IPv6 flow label as per RFC 2460 definition.

ICMP_TYPE

32

2

Internet Control Message Protocol (ICMP) packet type; reported as ((ICMP Type * 256) + ICMP code).

MUL_IGMP_TYPE

33

1

Internet Group Management Protocol (IGMP) packet type.

SAMPLING_INTERVAL

34

4

When using sampled NetFlow, this is the rate at which packets are sampled. For example, a value of 100 indicates that 1 of every 100 packets is sampled.

SAMPLING_ALGORITHM

35

1

The type of algorithm used for sampled NetFlow: 0x01 = deterministic sampling, 0x02 = random sampling.

FLOW_ACTIVE_TIMEOUT

36

2

Timeout value (in seconds) for active flow entries in the NetFlow cache.

FLOW_INACTIVE_TIMEOUT

37

2

Timeout value (in seconds) for inactive flow entries in the NetFlow cache.

ENGINE_TYPE

38

1

Type of flow switching engine: RP = 0, VIP/ Linecard = 1.

ENGINE_ID

39

1

ID number of the flow switching engine.

TOTAL_BYTES_EXP

40

N (default is 4)

Counter with length N × 8 bits for the number of bytes exported by the observation domain.

TOTAL_PKTS_EXP

41

N (default is 4)

Counter with length N × 8 bits for the number of packets exported by the observation domain.

TOTAL_FLOWS_EXP

42

N (default is 4)

Counter with length N × 8 bits for the number of flows exported by the observation domain.

Vendor proprietary

43

N/A

N/A

IPV4_SRC_PREFIX

44

4

IPv4 source address prefix (specific for Catalyst architecture).

IPV4_DST_PREFIX

45

4

IPv4 destination address prefix (specific for Catalyst architecture).

MPLS_TOP_LABEL_TYPE

46

1

MPLS top label type: 0x00 = UNKNOWN, 0x01 = TE-MIDPT, 0x02 = ATOM, 0x03 = VPN, 0x04 = BGP, 0x05 = LDP.

MPLS_TOP_LABEL_IP_ADDR

47

4

Forwarding Equivalent Class corresponding to the MPLS top label.

FLOW_SAMPLER_ID

48

1

Identifier shown in show flow-sampler.

FLOW_SAMPLER_MODE

49

1

The type of algorithm used for sampling data: 0x02 = random sampling. Used in connection with FLOW_SAMPLER_MODE.

FLOW_SAMPLER_RANDOM_INTERVAL

50

4

Packet interval at which to sample. Used in connection with FLOW_SAMPLER_MODE.

Vendor proprietary

51

N/A

N/A

MIN_TTL

52

1

Minimum Time to Live (TTL) on incoming packets of the flow.

MAX_TTL

53

1

Maximum TTL on incoming packets of the flow.

IPV4_IDENT

54

2

The IP v4 identification field.

DST_TOS

55

1

Type of service byte setting when exiting outgoing interface.

IN_SRC_MAC

56

6

Incoming source MAC address.

OUT_DST_MAC

57

6

Outgoing destination MAC address.

SRC_VLAN

58

2

Virtual LAN identifier associated with ingress interface.

DST_VLAN

59

2

Virtual LAN identifier associated with egress interface.

IP_PROTOCOL_VERSION

60

1

Internet Protocol version set to 4 for IPv4, set to 6 for IPv6. If not present in the template, Version 4 is assumed.

DIRECTION

61

1

Flow direction: 0 = ingress flow, 1 = egress flow.

IPV6_NEXT_HOP

62

16

IPv6 address of the next-hop router.

BPG_IPV6_NEXT_HOP

63

16

Next-hop router in the BGP domain.

IPV6_OPTION_HEADERS

64

4

Bit-encoded field identifying IPv6 option headers found in the flow.

Vendor proprietary

65

N/A

N/A

Vendor proprietary

66

N/A

N/A

Vendor proprietary

67

N/A

N/A

Vendor proprietary

68

N/A

N/A

Vendor proprietary

69

N/A

N/A

MPLS_LABEL_1

70

3

MPLS label at position 1 in the stack.

MPLS_LABEL_2

71

3

MPLS label at position 2 in the stack.

MPLS_LABEL_3

72

3

MPLS label at position 3 in the stack.

MPLS_LABEL_4

73

3

MPLS label at position 4 in the stack.

MPLS_LABEL_5

74

3

MPLS label at position 5 in the stack.

MPLS_LABEL_6

75

3

MPLS label at position 6 in the stack.

MPLS_LABEL_7

76

3

MPLS label at position 7 in the stack.

MPLS_LABEL_8

77

3

MPLS label at position 8 in the stack.

MPLS_LABEL_9

78

3

MPLS label at position 9 in the stack.

MPLS_LABEL_10

79

3

MPLS label at position 10 in the stack.

IN_DST_MAC

80

6

Incoming destination MAC address.

OUT_SRC_MAC

81

6

Outgoing source MAC address.

IF_NAME

82

N (default specified in template)

Shortened interface name (for example, FE1/0).

IF_DESC

83

N (default specified in template)

Full interface name (for example, FastEthernet 1/0).

SAMPLER_NAME

84

N (default specified in template)

Name of the flow sampler.

IN_PERMANENT_BYTES

85

N (default is 4)

Running byte counter for a permanent flow.

IN_PERMANENT_PKTS

86

N (default is 4)

Running packet counter for a permanent flow.

Vendor proprietary

87

N/A

N/A

FRAGMENT_OFFSET

88

2

The fragment-offset value from fragmented IP packets.

FORWARDING STATUS

89

1

Forwarding status is encoded on 1 byte, with the 2 left bits giving the status and the 6 remaining bits giving the reason code.

MPLS PAL RD

90

8 (array)

MPLS PAL route distinguisher.

MPLS PREFIX LEN

91

1

Number of consecutive bits in the MPLS prefix length.

SRC TRAFFIC INDEX

92

4

BGP policy accounting source traffic index.

DST TRAFFIC INDEX

93

4

BGP policy accounting destination traffic index.

APPLICATION DESCRIPTION

94

N

Description of the application.

APPLICATION TAG

95

1+n

Eight bits of engine ID, followed by n bits of classification.

APPLICATION NAME

96

N

Application name associated with a classification.

Not used

97

N/A

N/A

postipDiffServCodePoint

98

1

The value of a differentiated services code point (DSCP) encoded in the Differentiated Services field, after modification.

replication factor

99

4

Multicast replication factor.

Deprecated

100

N

Deprecated.

Not used

101

N/A

N/A

layer2packetSectionOffset

102

Layer 2 packet section offset.

layer2packetSectionSize

103

 

Layer 2 packet section size.

layer2packetSectionData

104

 

Layer 2 packet section data.

Reserved for future use

105 thru 127

N/A

N/A

Figure 4-6 shows the NetFlow v9 template FlowSet format.

Figure 4-6

Figure 4-6 NetFlow v9 Template FlowSet Format

Table 4-13 lists the NetFlow v9 data FlowSet definitions.

Table 4-13 NetFlow v9 Data FlowSet Definitions

Field

Description

flowset_id

A flowset_id precedes each group of records within a NetFlow v9 data FlowSet. The flowset_id maps to a (previously received) template_id. The collector and display applications should use the flowset_id to map the appropriate type and length to any field values that follow.

length

This field gives the length of the data FlowSet. Length is expressed in TLV format, meaning that the value includes the bytes used for the flowset_id and the length bytes themselves, as well as the combined lengths of any included data records.

record_N through field_M

The remainder of the v9 data FlowSet is a collection of field values. The type and length of the fields have been previously defined in the template record referenced by the flowset_id/template_id.

padding

Padding should be inserted to align the end of the FlowSet on a 32-bit boundary. Pay attention that the length field will include those padding bits.

IPFIX is modeled after NetFlow v9. This is why many of these NetFlow v9 concepts and fields are very similar to IPFIX. Just like IPFIX, NetFlow v9 has the concept of options templates used to supply metadata about the NetFlow process itself. Figure 4-7 illustrates the format of the options template.

Figure 4-7

Figure 4-7 NetFlow v9 Options Template Format

Table 4-14 lists the NetFlow v9 data options template definitions.

Table 4-14 NetFlow v9 Data Options Template Definitions

Field

Description

flowset_id = 1

The flowset_id is used to distinguish template records from data records. A template record always has a flowset_id of 1. A data record always has a nonzero flowset_id that is greater than 255.

length

This field gives the total length of this FlowSet. Because an individual template FlowSet may contain multiple template_ids, the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet.

Length is expressed in TLV format, meaning that the value includes the bytes used for the flowset_id and the length of bytes themselves, as well as the combined lengths of all template records included in this FlowSet.

template_id

As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template_id. The template_id is greater than 255. template_ids less than 255 are reserved.

option_scope_length

This field gives the length in bytes of any scope fields contained in this options template.

options_length

This field gives the length (in bytes) of any Options field definitions contained in this options template.

scope_field_N_type

This field gives the relevant portion of the NetFlow process to which the options record refers. Currently defined values follow:

0x0001 = system

0x0002 = interface

0x0003 = line card

0x0004 = NetFlow cache

0x0005 = template

For instance, Random Sampled NetFlow can be implemented on a perinterface basis. So, if the options record were reporting on how sampling is configured, the scope for the report would be 0x0002 (interface).

scope_field_N_length

This field gives the length (in bytes) of the Scope field, as it would appear in an options record.

option_field_N_type

This numeric value represents the type of the field that appears in the options record. Possible values are detailed in template FlowSet format.

option_field_N_length

This number is the length (in bytes) of the field, as it would appear in an options record.

padding

Padding is inserted to align the end of the FlowSet on a 32-bit boundary.

Cisco Flexible NetFlow

Flexible NetFlow provides enhanced optimization of the network infrastructure, reduces costs, and improves capacity planning and security detection beyond other flow-based technologies available today. Flexible NetFlow supports IPv6 and Network-Based Application Recognition (NBAR) 2 for IPv6 starting in Cisco IOS Software Version 15.2(1)T. It also supports IPv6 transition techniques (IPv6 inside IPv4). Flexible NetFlow can detect the following tunneling technologies that give full IPv6 connectivity for IPv6-capable hosts that are on the IPv4 Internet but that have no direct native connection to an IPv6 network:

  • Teredo

  • Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)

  • 6to4

  • 6rd

Flexible NetFlow classification inside Teredo, ISATAP, 6to4, and 6rd was introduced in Cisco IOS Software Version 15.2(2)T. Export over IPv6 was introduced in Cisco IOS Software Version 15.2(2)T, Cisco IOS XE 3.7.0S, and Cisco Nexus Software Version 4.2.1.

Flexible NetFlow tracks different applications simultaneously. For instance, security monitoring, traffic analysis, and billing can be tracked separately, and the information customized per application.

Flexible NetFlow allows the network administrator or security professional to create multiple flow caches or information databases to track. Conventionally, NetFlow has a single cache and all applications use the same cache information. Flexible NetFlow supports the collection of specific security information in one flow cache and traffic analysis in another. Subsequently, each NetFlow cache serves a different purpose. For instance, multicast and security information can be tracked separately and the results sent to two different collectors. Figure 4-8 shows the Flexible NetFlow model and how three different monitors are used. Monitor 1 exports Flexible NetFlow data to “Exporter 1.” Monitor 2 exports Flexible NetFlow data to “Exporter 2,” and Monitor 3 exports Flexible NetFlow data to “Exporter 1” and “Exporter 3.”

Figure 4-8

Figure 4-8 The Flexible NetFlow Model

The following are the Flexible NetFlow components:

  • Records

  • Flow monitors

  • Flow exporters

  • Flow samplers

In Flexible NetFlow, the administrator can specify what to track, resulting in fewer flows. This helps to scale in busy networks and use fewer resources that are already taxed by other features and services.

Flexible NetFlow Records

Flexible NetFlow records are a combination of key and non-key fields. In Flexible NetFlow, records are appointed to flow monitors to define the cache that is used for storing flow data. There are seven default attributes in the IP packet identity, or “key fields,” for a flow and for a device to determine whether the packet information is unique or similar to other packets sent over the network. Fields such as TCP flags, subnet masks, packets, and number of bytes are “non-key fields.” However, they are often collected and exported in NetFlow or in IPFIX.

Flexible NetFlow Key Fields

There are several Flexible NetFlow key fields in each packet that is forwarded within a NetFlow-enabled device. The device looks for a set of IP packet attributes for the flow and determines whether the packet information is unique or similar to other packets. In Flexible NetFlow, key fields are configurable, which enables the administrator to conduct a more granular traffic analysis.

Table 4-15 lists the key fields related to the actual flow, device interface, and Layer 2 services.

Table 4-15 Flexible NetFlow Key Fields Related to Flow, Interface, and Layer 2

 

Flow

Interface

Layer 2

Fields

Sampler ID

Direction

Class ID

Input

Output

Source VLAN

Destination VLAN

Dot1q priority

Source MAC address

Destination MAC address

Table 4-16 lists the IPv4- and IPv6-related key fields.

Table 4-16 Flexible NetFlow IPv4 and IPv6 Key Fields

 

IPv4

IPv6

Fields

IP (Source or Destination)

Prefix (Source or Destination)

Mask (Source or Destination)

Minimum-Mask (Source or Destination)

Protocol

Fragmentation Flags

Fragmentation Offset

Identification

Header Length

Total Length

Payload Size

Packet Section (Header)

Packet Section (Payload)

Time to Live (TTL)

Options bitmap

Version

Precedence

DSCP

TOS

IP (Source or Destination)

Prefix (Source or Destination)

Mask (Source or Destination)

Minimum-Mask (Source or Destination)

Protocol

Traffic Class

Flow Label

Option Header

Header Length

Payload Length

Payload Size

Packet Section (Header)

Packet Section (Payload)

DSCP

Extension Headers

Hop-Limit

Length

Next-header

Version

Table 4-17 lists the Layer 3 routing protocol–related key fields.

Table 4-17 Flexible NetFlow Layer 3 Routing Protocol Key Fields

 

Routing

Fields

Source or Destination AS

Peer AS

Traffic Index

Forwarding Status

Input VRF Name

IGP Next Hop

BGP Next Hop

Table 4-18 lists the transport-related key fields.

Table 4-18 Flexible NetFlow Transport Key Fields

 

Transport

Fields

Destination Port

Source Port

ICMP Code

ICMP Type

IGMP Type (IPv4 only)

TCP ACK Number

TCP Header Length

TCP Sequence Number

TCP Window-Size

TCP Source Port

TCP Destination Port

TCP Urgent Pointer

Only the Application ID is a Layer 3 routing protocol key field.

Table 4-19 lists the multicast-related key fields.

Table 4-19 Flexible NetFlow Multicast Key Fields

 

Multicast

Fields

Replication Factor (IPv4 only)

RPF Check Drop (IPv4 only)

Is-Multicast

Flexible NetFlow Non-Key Fields

There are several non-key Flexible NetFlow fields. Table 4-20 lists the non-key fields that are related to counters, such as byte counts, number of packets, and more. A network administrator can use non-key fields for different purposes. For instance, the number of packets and amount of data (bytes) can be used for capacity planning and also to identify denial-of-service (DoS) attacks as well as other anomalies in the network.

Table 4-20 Flexible NetFlow Counters Non-Key Fields

 

Counters

Fields

Bytes

Bytes Long

Bytes Square Sum

Bytes Square Sum Long

Packets

Packets Long

Bytes Replicated

Bytes Replicated Long

Packets Replicated

Packets Replicated Long

Table 4-21 lists the timestamp-related non-key fields.

Table 4-21 Flexible NetFlow Timestamp Non-Key Fields

 

Timestamp

Fields

sysUpTime First Packet

sysUpTime First Packet

Absolute First Packet

Absolute Last Packet

Table 4-22 lists the IPv4-only non-key fields.

Table 4-22 Flexible NetFlow IPv4-Only Non-Key Fields

 

IPv4 Only

Fields

Total Length Minimum

Total Length Maximum

TTL Minimum

TTL Maximum

Table 4-23 lists the IPv4 and IPv6 non-key fields.

Table 4-23 Flexible NetFlow IPv4 and IPv6 Non-Key Fields

 

IPv4 and IPv6

Fields

Total Length Minimum

Total Length Maximum

NetFlow Predefined Records

Flexible NetFlow includes several predefined records that can help an administrator and security professional start deploying NetFlow within their organization. Alternatively, they can create their own customized records for more granular analysis. As Cisco evolves Flexible NetFlow, many popular user-defined flow records could be made available as predefined records to make them easier to implement.

The predefined records guarantee backward compatibility with legacy NetFlow collectors. Predefined records have a unique blend of key and non-key fields that allows the network administrator and security professional to monitor different types of traffic in their environment without any customization.

User-Defined Records

As the name indicates, Flexible NetFlow gives the network administrator and security professional the flexibility to create their own records (user-defined records) by specifying key and non-key fields to customize the data collection. The values in non-key fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a non-key field does not create a new flow. In most cases, the values for non-key fields are taken from only the first packet in the flow. Flexible NetFlow enables you to capture counter values such as the number of bytes and packets in a flow as non-key fields.

Flexible NetFlow adds a new NetFlow v9 export format field type for the header and packet section types. A device configured for Flexible NetFlow communicates to the collector the configured section sizes in the corresponding NetFlow v9 export template fields.

Flow Monitors

In Flexible NetFlow, flow monitors are applied to the network device interfaces to perform network traffic monitoring. Flow data is collected from the network traffic and added to the flow monitor cache during the monitoring process based on the key and non-key fields in the flow record.

Flow Exporters

The entities that export the data in the flow monitor cache to a remote system are called flow exporters. Flow exporters are configured as separate entities and are assigned to flow monitors. An administrator can create several flow exporters and assign them to one or more flow monitors. A flow exporter includes the destination address of the reporting server, the type of transport (UDP or SCTP), and the export format corresponding of the NetFlow version or IPFIX.

Flow Samplers

Flow samplers are created as separate components in a router’s configuration. Flow samplers are used to reduce the load on the device that is running Flexible NetFlow by limiting the number of packets that are selected for analysis.

Flow sampling exchanges monitoring accuracy for router performance. When you apply a sampler to a flow monitor, the overhead load on the router due to running the flow monitor is reduced because the number of packets that the flow monitor must analyze is reduced. The reduction in the number of packets that are analyzed by the flow monitor causes a corresponding reduction in the accuracy of the information stored in the flow monitor’s cache.

Flexible NetFlow Configuration

The following sections provide step-by-step configuration guidance on how to enable and configure Flexible NetFlow in a Cisco IOS device. Figure 4-9 shows the configuration steps in a sequential graphical representation.

Figure 4-9

Figure 4-9 Flexible NetFlow Configuration Steps

The configuration steps, which are described in detail in the corresponding sections, are as follows:

  • Step 1. Configure a flow record

  • Step 2. Configure a flow monitor

  • Step 3. Configure a flow exporter for the flow monitor

  • Step 4. Apply the flow monitor to an interface

The topology shown in Figure 4-10 is used in the following examples.

Figure 4-10

Figure 4-10 Flexible NetFlow Configuration Example Topology

This figure shows a Cisco ASR 1004 at the New York headquarters that is configured for Flexible NetFlow. The outside network is 209.165.200.224/29, and the inside network is 209.165.200.232/29.

Configure a Flow Record

The following are the steps required to configure a customized flow record.

  • Step 1. Log in to your router and enter into enable mode with the enable command:

    NY-ASR1004>enable
  • Step 2. Enter into configuration mode with the configure terminal command:

    NY-ASR1004#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
  • Step 3. Create a flow record with the flow record command. In this example, the record name is NY-ASR-FLOW-RECORD-1. After you’ve entered the flow record command, the router enters flow record configuration mode. You can also use the flow record command to edit an existing flow record:

    NY-ASR1004(config)#flow record NY-ASR-FLOW-RECORD-1
  • Step 4. (Optional.) Enter a description for the new flow record:

    NY-ASR1004(config-flow-record)#description FLOW RECORD 1 for basic traf
    fic analysis
  • Step 5. Configure a key field for the flow record using the match command. In this example, the IPv4 destination address is configured as a key field for the record:

    NY-ASR1004(config-flow-record)#match ipv4 destination address

    The output of the match ? command shows all the primary options for the key field categories that you learned earlier in this chapter:

    NY-ASR1004(config-flow-record)#match ?
      application  Application fields
      flow         Flow identifying fields
      interface    Interface fields
      ipv4         IPv4 fields
      ipv6         IPv6 fields
      routing      Routing attributes
      transport    Transport layer fields
  • Step 6. Configure a non-key field with the collect command. In this example, the input interface is configured as a non-key field for the record:

    NY-ASR1004(config-flow-record)#collect interface input

    The output of the collect ? command shows all the options for the non-key field categories that you learned earlier in this chapter:

    NY-ASR1004(config-flow-record)#collect ?
      application  Application fields
      counter      Counter fields
      flow         Flow identifying fields
      interface    Interface fields
      ipv4         IPv4 fields
      ipv6         IPv6 fields
      routing      Routing attributes
      timestamp    Timestamp fields
      transport    Transport layer fields
  • Step 7. Exit configuration mode with the end command and return to privileged EXEC mode:

    NY-ASR1004(config-flow-record)#end

You can use the show flow record command to show the status and fields for the flow record. If multiple flow records are configured in the router, you can use the show flow record name command to show the output of a specific flow record, as shown in Example 4-1.

Example 4-1 Output of the show flow record Command

NY-ASR1004#/>show flow record NY-ASR-FLOW-RECORD-1/>
flow record NY-ASR-FLOW-RECORD-1:
  Description:        Used for basic traffic analysis
  No. of users:       0
  Total field space:  8 bytes
  Fields:
    match ipv4 destination address
    collect interface input

Use the show running-config flow record command to show the flow record configuration in the running configuration, as shown in Example 4-2.

Example 4-2 Output of the show running-config flow record Command

NY-ASR1004#show running-config flow record
Current configuration:
!
flow record NY-ASR-FLOW-RECORD-1
 description Used for basic traffic analysis
 match ipv4 destination address
 collect interface input
!

Configuring a Flow Monitor for IPv4 or IPv6

The following are the steps required to configure a flow monitor for IPv4 or IPv6 implementations. In the following examples, a flow monitor is configured for the previously configured flow record.

  • Step 1. Log in to your router and enter into enable mode with the enable command:

    NY-ASR1004>enable
  • Step 2. Enter into configuration mode with the configure terminal command:

    NY-ASR1004#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
  • Step 3. Create a flow monitor with the flow monitor command. In this example, the flow monitor is called NY-ASR-FLOW-MON-1:

    NY-ASR1004(config)#flow monitor NY-ASR-FLOW-MON-1
  • Step 4. (Optional.) Enter a description for the new flow monitor:

    NY-ASR1004(config-flow-monitor)#description monitor for IPv4 traffic in
    NY
  • Step 5. Identify the record for the flow monitor:

    NY-ASR1004(config-flow-monitor)#record netflow NY-ASR-FLOW-RECORD-1
  • In the following example, the record ? command is used to see all the flow monitor record options:

    NY-ASR1004(config-flow-monitor)#record ?
      NY-ASR-FLOW-RECORD-1  Used for basic traffic analysis
      netflow               Traditional NetFlow collection schemes
      netflow-original      Traditional IPv4 input NetFlow with origin ASs
  • Step 6. Exit configuration mode with the end command and return to privileged EXEC mode:

    NY-ASR1004(config-flow-record)#end

You can use the show flow monitor command to show the status and configured parameters for the flow monitor, as shown in Example 4-3.

Example 4-3 Output of the show flow monitor Command

NY-ASR1004#/>show flow monitor/>
Flow Monitor NY-ASR-FLOW-MON-1:
  Description:       monitor for IPv4 traffic in NY
  Flow Record:       NY-ASR-FLOW-RECORD-1
  Cache:
    Type:              normal (Platform cache)
    Status:            not allocated
    Size:              200000 entries
    Inactive Timeout:  15 secs
    Active Timeout:    1800 secs
    Update Timeout:    1800 secs

Use the show running-config flow monitor command to display the flow monitor configuration in the running configuration, as shown in Example 4-4.

Example 4-4 Output of the show running-config flow monitor Command

NY-ASR1004#/>show running-config flow monitor/>
Current configuration:
!
flow monitor NY-ASR-FLOW-MON-1
 description monitor for IPv4 traffic in NY
 record NY-ASR-FLOW-RECORD-1
 cache entries 200000

Configuring a Flow Exporter for the Flow Monitor

Complete the following steps to configure a flow exporter for the flow monitor in order to export the data that is collected by NetFlow to a remote system for further analysis and storage. This is an optional step. IPv4 and IPv6 are supported for flow exporters.

  • Step 1. Log in to the router and enter into enable and configuration modes, as you learned in previous steps.

  • Step 2. Create a flow exporter with the flow exporter command. In this example, the exporter name is NY-EXPORTER-1:

    NY-ASR1004(config)#flow exporter NY-EXPORTER-1
  • Step 3. (Optional.) Enter a description for the exporter:

    NY-ASR1004(config-flow-exporter)#description exports to New York Collector
  • Step 4. Configure the export protocol using the export-protocol command. In this example, NetFlow v9 is used. You can also configure legacy NetFlow v5 with the netflow-v5 keyword or IPFIX with the ipfix keyword. IPFIX support was added in Cisco IOS Software Release 15.2(4)M and Cisco IOS XE Release 3.7S:

    NY-ASR1004(config-flow-exporter)#export-protocol netflow-v9
  • Step 5. Enter the IP address of the destination host with the destination command. In this example, the destination host is 10.10.10.123:

    NY-ASR1004(config-flow-exporter)#destination 10.10.10.123
  • Step 6. You can configure the UDP port used by the flow exporter with the transport udp command. The default is UDP port 9995.

  • Step 7. Exit the Flexible NetFlow flow monitor configuration mode with the exit command and specify the name of the exporter in the flow monitor:

    NY-ASR1004(config)#flow monitor NY-ASR-FLOW-MON-1
    NY-ASR1004(config-flow-monitor)#exporter NY-EXPORTER-1

You can use the show flow exporter command to view the configured options for the Flexible NetFlow exporter, as demonstrated in Example 4-5.

Example 4-5 Output of the show flow exporter Command

NY-ASR1004#/>show flow exporter/>
Flow Exporter NY-EXPORTER-1:
  Description:              exports to New York Collector
  Export protocol:          NetFlow Version 9
  Transport Configuration:
    Destination IP address: 10.10.10.123
    Source IP address:      209.165.200.225
    Transport Protocol:     UDP
    Destination Port:       9995
    Source Port:            55939
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Used

You can use the show running-config flow exporter command to view the flow exporter configuration in the command line interface (CLI), as demonstrated in Example 4-6.

Example 4-6 Output of the show running-config flow exporter Command

NY-ASR1004# />show running-config flow exporter/>
Current configuration:
!
flow exporter NY-EXPORTER-1
 description exports to New York Collector
 destination 10.10.10.123

You can use the show flow monitor name NY-ASR-FLOW-MON-1 cache format record command to display the status and flow data in the NetFlow cache for the flow monitor, as demonstrated in Example 4-7.

Example 4-7 Output of the show flow monitor name NY-ASR-FLOW-MON-1 cache format record Command

NY-ASR1004#/>show flow monitor name NY-ASR-FLOW-MON-1 cache format record/>
  Cache type:                                 Normal (Platform cache)
  Cache size:                               200000
  Current entries:                            4
  High Watermark:                             4
  Flows added:                              132
  Flows aged:                                42
    - Active timeout   (  3600 secs)          3
    - Inactive timeout (    15 secs)         94
    - Event aged                              0
    - Watermark aged                          0
    - Emergency aged                          0
IPV4 DESTINATION ADDRESS:  10.10.20.5
ipv4 source address:       10.10.10.42
trns source port:          25
trns destination port:     25
counter bytes:             34320
counter packets:           1112
IPV4 DESTINATION ADDRESS:  10.10.1.2
ipv4 source address:       10.10.10.2
trns source port:          20
trns destination port:     20
counter bytes:             3914221
counter packets:           5124
IPV4 DESTINATION ADDRESS:  10.10.10.200
ipv4 source address:       10.20.10.6
trns source port:          32
trns destination port:     3073
counter bytes:             82723
counter packets:           8232

Applying a Flow Monitor to an Interface

A flow monitor must be applied to at least one interface. To apply the flow monitor to an interface, use the ip flow monitor name input command in interface configuration mode, as demonstrated in Example 4-8.

Example 4-8 Applying the Flow Monitor to an Interface

NY-ASR1004(config)#/>interface FastEthernet0/1/1/>
NY-ASR1004(config-if)#/>ip flow monitor NY-ASR-FLOW-MON-1 input/>

In Example 4-8, the flow monitor NY-ASR-FLOW-MON-1 is applied to interface FastEthernet0/1/1. Example 4-9 shows the complete configuration.

Example 4-9 Flexible NetFlow Configuration

flow record NY-ASR-FLOW-RECORD-1
 description used for basic traffic analysis
 match ipv4 destination address
 collect interface input
!
!
flow exporter NY-EXPORTER-1
 description exports to New York Collector
 destination 10.10.10.123
!
!
flow monitor NY-ASR-FLOW-MON-1
 description monitor for IPv4 traffic in NY
 record NY-ASR-FLOW-RECORD-1
 exporter NY-EXPORTER-1
 cache entries 200000
!
interface FastEthernet0/1/1
 ip address 209.165.200.233 255.255.255.248
 ip flow monitor NY-ASR-FLOW-MON-1 input

There are currently no related articles. Please check back later.