NetFlow Versions
There are several versions of NetFlow. Table 4-3 lists all versions of NetFlow and provides a brief description of the features supported.
Table 4-3 NetFlow Versions
NetFlow Version |
Description |
Version 1 (v1) |
(Obsolete.) The first implementation of NetFlow. NetFlow v1 was limited to IPv4 without IP network masks and autonomous system numbers (ASNs). |
Version 2 (v2) |
Never released. |
Version 3 (v3) |
Never released. |
Version 4 (v4) |
Never released. |
Version 5 (v5) |
Popular NetFlow version on many routers from different vendors. Limited to IPv4 flows. |
Version 6 (v6) |
(Obsolete.) No longer supported by Cisco. |
Version 7 (v7) |
(Obsolete.) Like version 5, with a source router field. |
Version 8 (v8) |
(Obsolete.) Several aggregation forms, but only for information that is already present in v5 records. |
Version 9 (v9) |
Template based, available (as of 2009) on some recent routers. Mostly used to report flows such as IPv6, Multiprotocol Label Switching (MPLS), and even plain IPv4 with Border Gateway Protocol (BGP) next hop. |
IPFIX |
IPFIX is an IETF standard based on NetFlow v9 with several extensions. |
Table 4-4 lists the NetFlow v1 flow header format, and Table 4-5 lists the attributes of the NetFlow v1 flow record format.
Table 4-4 NetFlow v1 Flow Header Format
Bytes |
Contents |
Description |
0–1 |
version |
NetFlow export format version number |
2–3 |
count |
Number of flows exported in this packet (1–24) |
4–7 |
sys_uptime |
Current time in milliseconds since the export device booted |
8–11 |
unix_secs |
Current count of seconds since 0000 UTC 1970 |
12–16 |
unix_nsecs |
Residual nanoseconds since 0000 UTC 1970 |
Table 4-5 NetFlow v1 Flow Record Format
Bytes |
Contents |
Description |
0–3 |
srcaddr |
Source IP address |
4–7 |
dstaddr |
Destination IP address |
8–11 |
nexthop |
IP address of next-hop router |
12–13 |
input |
SNMP index of input interface |
14–15 |
output |
SNMP index of output interface |
16–19 |
dPkts |
Packets in the flow |
20–23 |
dOctets |
Total number of Layer 3 bytes in the packets of the flow |
24–27 |
first |
SysUptime at start of flow |
28–31 |
last |
SysUptime at the time the last packet of the flow was received |
32–33 |
srcport |
TCP/UDP source port number or equivalent |
34–35 |
dstport |
TCP/UDP destination port number or equivalent |
36–37 |
pad1 |
Unused (0) bytes |
38 |
prot |
IP protocol type (for example, TCP = 6; UDP = 17) |
39 |
tos |
IP type of service (ToS) |
40 |
flags |
Cumulative OR of TCP flags |
41-48 |
pad2 |
Unused (0) bytes |
Table 4-6 lists the NetFlow v5 flow header format, and Table 4-7 lists the attributes of the NetFlow v5 flow record format.
Table 4-6 NetFlow v5 Flow Header Format
Bytes |
Contents |
Description |
0–1 |
version |
NetFlow export format version number. |
2–3 |
count |
Number of flows exported in this packet (1–30). |
4–7 |
sys_uptime |
Current time in milliseconds since the export device booted. |
8–11 |
unix_secs |
Current count of seconds since 0000 UTC 1970. |
12–15 |
unix_nsecs |
Residual nanoseconds since 0000 UTC 1970. |
16-19 |
flow_sequence |
Sequence counter of total flows seen. |
20 |
engine_type |
Type of flow-switching engine. |
21 |
engine_id |
Slot number of the flow-switching engine. |
22–23 |
sampling_interval |
First 2 bits hold the sampling mode; remaining 14 bits hold value of sampling interval. |
Table 4-7 NetFlow v5 Flow Record Format
Bytes |
Contents |
Description |
0–3 |
srcaddr |
Source IP address |
4–7 |
dstaddr |
Destination IP address |
8–11 |
nexthop |
IP address of next-hop router |
12–13 |
input |
Simple Network Management Protocol (SNMP) index of input interface |
14–15 |
output |
SNMP index of output interface |
16–19 |
dPkts |
Packets in the flow |
20–23 |
dOctets |
Total number of Layer 3 bytes in the packets of the flow |
24–27 |
first |
SysUptime at start of flow |
28–31 |
last |
SysUptime at the time the last packet of the flow was received |
32–33 |
srcport |
TCP/UDP source port number or equivalent |
34–35 |
dstport |
TCP/UDP destination port number or equivalent |
36 |
pad1 |
Unused (0) bytes |
37 |
tcp_flags |
Cumulative OR of TCP flags |
38 |
prot |
IP protocol type (for example, TCP = 6; UDP = 17) |
39 |
tos |
IP type of service (ToS) |
40–41 |
src_as |
Autonomous system number (ASN) of the source, either origin or peer |
42–43 |
dst_as |
ASN of the destination, either origin or peer |
44 |
src_mask |
Source address prefix mask bits |
45 |
dst_mask |
Destination address prefix mask bits |
46–47 |
pad2 |
Unused (0) bytes |
Table 4-8 lists the NetFlow v7 flow header format, and Table 4-9 lists the attributes of the NetFlow v7 flow record format.
Table 4-8 NetFlow v7 Flow Header Format
Bytes |
Contents |
Description |
0–1 |
version |
NetFlow export format version number |
2–3 |
count |
Number of flows exported in this packet (1–30) |
4–7 |
sys_uptime |
Current time in milliseconds since the export device booted |
8–11 |
unix_secs |
Current count of seconds since 0000 UTC 1970 |
12–15 |
unix_nsecs |
Residual nanoseconds since 0000 UTC 1970 |
16–19 |
flow_sequence |
Sequence counter of total flows seen |
20–23 |
reserved |
Unused (0) bytes |
Table 4-9 NetFlow v7 Flow Record Format
Bytes |
Contents |
Description |
0-3 |
srcaddr |
Source IP address. |
4-7 |
dstaddr |
Destination IP address. |
8-11 |
nexthop |
IP address of next-hop router. |
12-13 |
input |
SNMP index of input interface. |
14-15 |
output |
SNMP index of output interface. |
16-19 |
dPkts |
Packets in the flow. |
20-23 |
dOctets |
Total number of Layer 3 bytes in the packets of the flow. |
24-27 |
first |
SysUptime at start of flow. |
28-31 |
last |
SysUptime at the time the last packet of the flow was received. |
32-33 |
srcport |
TCP/UDP source port number or equivalent. |
34-35 |
dstport |
TCP/UDP destination port number or equivalent. |
36 |
padl |
Unused (0) bytes. |
37 |
tcp flags |
Cumulative OR of TCP flags. |
38 |
prot |
IP protocol type (for example, TCP = 6; UDP = 17). |
39 |
tos |
IP type of service (ToS). |
40-41 |
src as |
ASN of the source, either origin or peer. |
42-43 |
dst as |
ASN of the destination, either origin or peer. |
44 |
src mask |
Source address prefix mask bits. |
45 |
dst mask |
Destination address prefix mask bits. |
46-47 |
flags |
Flags indicating, among other things, what flows are invalid. |
48-51 |
router sc |
IP address of the router that is bypassed by the Catalyst 5000 series switch. (This is the same address the router uses when it sends NetFlow export packets. This IP address is propagated to all switches bypassing the router through the Fibre Channel Protocol [FCP].) |
The most popular version of NetFlow is Version 9. The NetFlow v9 format is template based. Templates provide a flexible design to the record format. This feature allows for future enhancements to NetFlow services without requiring fundamental changes to the underlying flow record format.
The following are the benefits of using NetFlow templates:
They provide vendor-neutral support for companies that create applications that provide collector or analysis capabilities for NetFlow so that they are not required to reinvent their product each time a new NetFlow feature is added.
New features can be added to NetFlow more quickly, without breaking current implementations and with backward compatibility.
The NetFlow v9 record format consists of a packet header followed by at least one or more template or data FlowSets. A template FlowSet provides a description of the fields that will be present in future data FlowSets. These data FlowSets may occur later within the same export packet or in subsequent export packets. Figure 4-2 shows a basic illustration of the NetFlow v9 export packet.
)
Figure 4-2 NetFlow v9 Export Packet
Figure 4-3 shows a more detailed illustration of the NetFlow v9 export packet and the relationship between each field and its attributes.
)
Figure 4-3 NetFlow v9 Export Packet Details
The format of the NetFlow v9 packet header is very similar to its predecessors and is illustrated in Figure 4-4.
)
Figure 4-4 NetFlow v9 Packet Header Format
Table 4-10 lists the NetFlow v9 packet header field descriptions.
Table 4-10 NetFlow v9 Packet Header Field Descriptions
Field Name |
Value |
Version |
The version of NetFlow records exported in this packet. The hexadecimal value 0x0009 represents NetFlow v9. |
Count |
Number of FlowSet records (both template and data) contained within the export packet. |
System Uptime |
Time in milliseconds since the device started. |
UNIX Seconds |
Seconds since 0000 coordinated universal time (UTC) 1970. |
Sequence Number |
Incremental sequence counter of all export packets sent by this export device; this value is cumulative, and it can be used to identify whether any export packets have been missed. Note: This is a change from the NetFlow v5 and v8 headers, where this number represented "total flows." |
Source ID |
A 32-bit value that is used to ensure uniqueness for all flows exported from a particular NetFlow-enabled device. The Source ID field is the equivalent of the Engine Type and Engine ID fields found in the NetFlow v5 and v8 headers. The format of this field is vendor specific. In Cisco's implementation, the first 2 bytes are reserved for future expansion and will always be 0. Byte 3 provides uniqueness with respect to the routing engine on the exporting device. Byte 4 provides uniqueness with respect to the particular line card or Versatile Interface Processor on the exporting device. NetFlow collectors should use the combination of the source IP address plus the Source ID field to associate an incoming NetFlow export packet with a unique instance of NetFlow on a particular device. |
As previously mentioned, templates are one of the main benefits of NetFlow v9 because they provide flexibility to allow a NetFlow collector or display application to process NetFlow data without necessarily knowing the format of the data in advance.
Figure 4-5 shows the format of the NetFlow v9 template FlowSet.
)
Figure 4-5 NetFlow v9 Template FlowSet Format
Table 4-11 lists the NetFlow v9 template FlowSet field descriptions.
Table 4-11 NetFlow v9 Template FlowSet Field Descriptions
Field |
Description |
flowset_id |
The flowset_id field is used to distinguish template records from data records. A template record always has a flowset_id in the range of 0 to 255. Currently, the template record that describes flow fields has a flowset_id of 0, and the template record that describes option fields (described later) has a flowset_id of 1. A data record always has a nonzero flowset_id greater than 255. |
length |
Length refers to the total length of this FlowSet. Because an individual template FlowSet may contain multiple template IDs (as illustrated earlier), the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet. Length is expressed in type/length/value (TLV) format, meaning that the value includes the bytes used for the flowset_id and the length of bytes themselves, in addition to the combined lengths of all template records included in this FlowSet. |
template_id |
As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template_id. Templates that define data record formats begin numbering at 256 because 0 through 255 are reserved for flowset_ids. |
field_count |
This field gives the number of fields in this template record. Because a template FlowSet may contain multiple template records, this field allows the parser to determine the end of the current template record and the start of the next. |
field_type |
This numeric value represents the type of the field. The possible values of the field type are vendor specific. Cisco-supplied values are consistent across all platforms that support NetFlow v9. At the time of the initial release of the NetFlow v9 code (and after any subsequent changes that could add new field-type definitions), Cisco provided a file that defines the known field types and their lengths. Table 4-12 details the currently defined field types. |
field_length |
This number gives the length of the field_type field, in bytes. |
Table 4-12 lists the NetFlow v9 field type definitions.
Table 4-12 NetFlow v9 Field Type Definitions
Field Type |
Value |
Length (bytes) |
Description |
IN_BYTES |
1 |
N (default is 4) |
Incoming counter with length N × 8 bits for number of bytes associated with an IP flow. |
IN_PKTS |
2 |
N (default is 4) |
Incoming counter with length N × 8 bits for the number of packets associated with an IP flow. |
FLOWS |
3 |
N |
Number of flows that were aggregated; default for N is 4. |
PROTOCOL |
4 |
1 |
IP protocol byte. |
SRC_TOS |
5 |
1 |
Type of service byte setting when entering incoming interface. |
TCP_FLAGS |
6 |
1 |
Cumulative of all the TCP flags seen for this flow. |
L4_SRC_PORT |
7 |
2 |
TCP/UDP source port number (for example, FTP, Telnet, or equivalent). |
IPV4_SRC_ADDR |
8 |
4 |
IPv4 source address. |
SRC_MASK |
9 |
1 |
The number of contiguous bits in the source address subnet mask (that is, the submask in slash notation). |
INPUT_SNMP |
10 |
N |
Input interface index; default for N is 2, but higher values could be used. |
L4_DST_PORT |
11 |
2 |
TCP/UDP destination port number (for example, FTP, Telnet, or equivalent). |
IPV4_DST_ADDR |
12 |
4 |
IPv4 destination address. |
DST_MASK |
13 |
1 |
The number of contiguous bits in the destination address subnet mask (that is, the submask in slash notation). |
OUTPUT_SNMP |
14 |
N |
Output interface index; default for N is 2, but higher values could be used. |
IPV4_NEXT_HOP |
15 |
4 |
IPv4 address of next-hop router. |
SRC_AS |
16 |
N (default is 2) |
Source BGP ASN, where N could be 2 or 4. |
DST_AS |
17 |
N (default is 2) |
Destination BGP ASN, where N could be 2 or 4. |
BGP_IPV4_NEXT_HOP |
18 |
4 |
Next-hop router's IP in the BGP domain. |
MUL_DST_PKTS |
19 |
N (default is 4) |
IP multicast outgoing packet counter with length N × 8 bits for packets associated with the IP flow. |
MUL_DST_BYTES |
20 |
N (default is 4) |
IP multicast outgoing byte counter with length N × 8 bits for bytes associated with the IP flow. |
LAST_SWITCHED |
21 |
4 |
System uptime at which the last packet of this flow was switched. |
FIRST_SWITCHED |
22 |
4 |
System uptime at which the first packet of this flow was switched. |
OUT_BYTES |
23 |
N (default is 4) |
Outgoing counter with length N × 8 bits for the number of bytes associated with an IP flow. |
OUT_PKTS |
24 |
N (default is 4) |
Outgoing counter with length N × 8 bits for the number of packets associated with an IP flow. |
MIN_PKT_LNGTH |
25 |
2 |
Minimum IP packet length on incoming packets of the flow. |
MAX_PKT_LNGTH |
26 |
2 |
Maximum IP packet length on incoming packets of the flow. |
IPV6_SRC_ADDR |
27 |
16 |
IPv6 source address. |
IPV6_DST_ADDR |
28 |
16 |
IPv6 destination address. |
IPV6_SRC_MASK |
29 |
1 |
Length of the IPv6 source mask in contiguous bits. |
IPV6_DST_MASK |
30 |
1 |
Length of the IPv6 destination mask in contiguous bits. |
IPV6_FLOW_LABEL |
31 |
3 |
IPv6 flow label as per RFC 2460 definition. |
ICMP_TYPE |
32 |
2 |
Internet Control Message Protocol (ICMP) packet type; reported as ((ICMP Type * 256) + ICMP code). |
MUL_IGMP_TYPE |
33 |
1 |
Internet Group Management Protocol (IGMP) packet type. |
SAMPLING_INTERVAL |
34 |
4 |
When using sampled NetFlow, this is the rate at which packets are sampled. For example, a value of 100 indicates that 1 of every 100 packets is sampled. |
SAMPLING_ALGORITHM |
35 |
1 |
The type of algorithm used for sampled NetFlow: 0x01 = deterministic sampling, 0x02 = random sampling. |
FLOW_ACTIVE_TIMEOUT |
36 |
2 |
Timeout value (in seconds) for active flow entries in the NetFlow cache. |
FLOW_INACTIVE_TIMEOUT |
37 |
2 |
Timeout value (in seconds) for inactive flow entries in the NetFlow cache. |
ENGINE_TYPE |
38 |
1 |
Type of flow switching engine: RP = 0, VIP/ Linecard = 1. |
ENGINE_ID |
39 |
1 |
ID number of the flow switching engine. |
TOTAL_BYTES_EXP |
40 |
N (default is 4) |
Counter with length N × 8 bits for the number of bytes exported by the observation domain. |
TOTAL_PKTS_EXP |
41 |
N (default is 4) |
Counter with length N × 8 bits for the number of packets exported by the observation domain. |
TOTAL_FLOWS_EXP |
42 |
N (default is 4) |
Counter with length N × 8 bits for the number of flows exported by the observation domain. |
Vendor proprietary |
43 |
N/A |
N/A |
IPV4_SRC_PREFIX |
44 |
4 |
IPv4 source address prefix (specific for Catalyst architecture). |
IPV4_DST_PREFIX |
45 |
4 |
IPv4 destination address prefix (specific for Catalyst architecture). |
MPLS_TOP_LABEL_TYPE |
46 |
1 |
MPLS top label type: 0x00 = UNKNOWN, 0x01 = TE-MIDPT, 0x02 = ATOM, 0x03 = VPN, 0x04 = BGP, 0x05 = LDP. |
MPLS_TOP_LABEL_IP_ADDR |
47 |
4 |
Forwarding Equivalent Class corresponding to the MPLS top label. |
FLOW_SAMPLER_ID |
48 |
1 |
Identifier shown in show flow-sampler. |
FLOW_SAMPLER_MODE |
49 |
1 |
The type of algorithm used for sampling data: 0x02 = random sampling. Used in connection with FLOW_SAMPLER_MODE. |
FLOW_SAMPLER_RANDOM_INTERVAL |
50 |
4 |
Packet interval at which to sample. Used in connection with FLOW_SAMPLER_MODE. |
Vendor proprietary |
51 |
N/A |
N/A |
MIN_TTL |
52 |
1 |
Minimum Time to Live (TTL) on incoming packets of the flow. |
MAX_TTL |
53 |
1 |
Maximum TTL on incoming packets of the flow. |
IPV4_IDENT |
54 |
2 |
The IP v4 identification field. |
DST_TOS |
55 |
1 |
Type of service byte setting when exiting outgoing interface. |
IN_SRC_MAC |
56 |
6 |
Incoming source MAC address. |
OUT_DST_MAC |
57 |
6 |
Outgoing destination MAC address. |
SRC_VLAN |
58 |
2 |
Virtual LAN identifier associated with ingress interface. |
DST_VLAN |
59 |
2 |
Virtual LAN identifier associated with egress interface. |
IP_PROTOCOL_VERSION |
60 |
1 |
Internet Protocol version set to 4 for IPv4, set to 6 for IPv6. If not present in the template, Version 4 is assumed. |
DIRECTION |
61 |
1 |
Flow direction: 0 = ingress flow, 1 = egress flow. |
IPV6_NEXT_HOP |
62 |
16 |
IPv6 address of the next-hop router. |
BPG_IPV6_NEXT_HOP |
63 |
16 |
Next-hop router in the BGP domain. |
IPV6_OPTION_HEADERS |
64 |
4 |
Bit-encoded field identifying IPv6 option headers found in the flow. |
Vendor proprietary |
65 |
N/A |
N/A |
Vendor proprietary |
66 |
N/A |
N/A |
Vendor proprietary |
67 |
N/A |
N/A |
Vendor proprietary |
68 |
N/A |
N/A |
Vendor proprietary |
69 |
N/A |
N/A |
MPLS_LABEL_1 |
70 |
3 |
MPLS label at position 1 in the stack. |
MPLS_LABEL_2 |
71 |
3 |
MPLS label at position 2 in the stack. |
MPLS_LABEL_3 |
72 |
3 |
MPLS label at position 3 in the stack. |
MPLS_LABEL_4 |
73 |
3 |
MPLS label at position 4 in the stack. |
MPLS_LABEL_5 |
74 |
3 |
MPLS label at position 5 in the stack. |
MPLS_LABEL_6 |
75 |
3 |
MPLS label at position 6 in the stack. |
MPLS_LABEL_7 |
76 |
3 |
MPLS label at position 7 in the stack. |
MPLS_LABEL_8 |
77 |
3 |
MPLS label at position 8 in the stack. |
MPLS_LABEL_9 |
78 |
3 |
MPLS label at position 9 in the stack. |
MPLS_LABEL_10 |
79 |
3 |
MPLS label at position 10 in the stack. |
IN_DST_MAC |
80 |
6 |
Incoming destination MAC address. |
OUT_SRC_MAC |
81 |
6 |
Outgoing source MAC address. |
IF_NAME |
82 |
N (default specified in template) |
Shortened interface name (for example, FE1/0). |
IF_DESC |
83 |
N (default specified in template) |
Full interface name (for example, FastEthernet 1/0). |
SAMPLER_NAME |
84 |
N (default specified in template) |
Name of the flow sampler. |
IN_PERMANENT_BYTES |
85 |
N (default is 4) |
Running byte counter for a permanent flow. |
IN_PERMANENT_PKTS |
86 |
N (default is 4) |
Running packet counter for a permanent flow. |
Vendor proprietary |
87 |
N/A |
N/A |
FRAGMENT_OFFSET |
88 |
2 |
The fragment-offset value from fragmented IP packets. |
FORWARDING STATUS |
89 |
1 |
Forwarding status is encoded on 1 byte, with the 2 left bits giving the status and the 6 remaining bits giving the reason code. |
MPLS PAL RD |
90 |
8 (array) |
MPLS PAL route distinguisher. |
MPLS PREFIX LEN |
91 |
1 |
Number of consecutive bits in the MPLS prefix length. |
SRC TRAFFIC INDEX |
92 |
4 |
BGP policy accounting source traffic index. |
DST TRAFFIC INDEX |
93 |
4 |
BGP policy accounting destination traffic index. |
APPLICATION DESCRIPTION |
94 |
N |
Description of the application. |
APPLICATION TAG |
95 |
1+n |
Eight bits of engine ID, followed by n bits of classification. |
APPLICATION NAME |
96 |
N |
Application name associated with a classification. |
Not used |
97 |
N/A |
N/A |
postipDiffServCodePoint |
98 |
1 |
The value of a differentiated services code point (DSCP) encoded in the Differentiated Services field, after modification. |
replication factor |
99 |
4 |
Multicast replication factor. |
Deprecated |
100 |
N |
Deprecated. |
Not used |
101 |
N/A |
N/A |
layer2packetSectionOffset |
102 |
Layer 2 packet section offset. |
|
layer2packetSectionSize |
103 |
|
Layer 2 packet section size. |
layer2packetSectionData |
104 |
|
Layer 2 packet section data. |
Reserved for future use |
105 thru 127 |
N/A |
N/A |
Figure 4-6 shows the NetFlow v9 template FlowSet format.
)
Figure 4-6 NetFlow v9 Template FlowSet Format
Table 4-13 lists the NetFlow v9 data FlowSet definitions.
Table 4-13 NetFlow v9 Data FlowSet Definitions
Field |
Description |
flowset_id |
A flowset_id precedes each group of records within a NetFlow v9 data FlowSet. The flowset_id maps to a (previously received) template_id. The collector and display applications should use the flowset_id to map the appropriate type and length to any field values that follow. |
length |
This field gives the length of the data FlowSet. Length is expressed in TLV format, meaning that the value includes the bytes used for the flowset_id and the length bytes themselves, as well as the combined lengths of any included data records. |
record_N through field_M |
The remainder of the v9 data FlowSet is a collection of field values. The type and length of the fields have been previously defined in the template record referenced by the flowset_id/template_id. |
padding |
Padding should be inserted to align the end of the FlowSet on a 32-bit boundary. Pay attention that the length field will include those padding bits. |
IPFIX is modeled after NetFlow v9. This is why many of these NetFlow v9 concepts and fields are very similar to IPFIX. Just like IPFIX, NetFlow v9 has the concept of options templates used to supply metadata about the NetFlow process itself. Figure 4-7 illustrates the format of the options template.
)
Figure 4-7 NetFlow v9 Options Template Format
Table 4-14 lists the NetFlow v9 data options template definitions.
Table 4-14 NetFlow v9 Data Options Template Definitions
Field |
Description |
flowset_id = 1 |
The flowset_id is used to distinguish template records from data records. A template record always has a flowset_id of 1. A data record always has a nonzero flowset_id that is greater than 255. |
length |
This field gives the total length of this FlowSet. Because an individual template FlowSet may contain multiple template_ids, the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet. Length is expressed in TLV format, meaning that the value includes the bytes used for the flowset_id and the length of bytes themselves, as well as the combined lengths of all template records included in this FlowSet. |
template_id |
As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template_id. The template_id is greater than 255. template_ids less than 255 are reserved. |
option_scope_length |
This field gives the length in bytes of any scope fields contained in this options template. |
options_length |
This field gives the length (in bytes) of any Options field definitions contained in this options template. |
scope_field_N_type |
This field gives the relevant portion of the NetFlow process to which the options record refers. Currently defined values follow: 0x0001 = system 0x0002 = interface 0x0003 = line card 0x0004 = NetFlow cache 0x0005 = template For instance, Random Sampled NetFlow can be implemented on a perinterface basis. So, if the options record were reporting on how sampling is configured, the scope for the report would be 0x0002 (interface). |
scope_field_N_length |
This field gives the length (in bytes) of the Scope field, as it would appear in an options record. |
option_field_N_type |
This numeric value represents the type of the field that appears in the options record. Possible values are detailed in template FlowSet format. |
option_field_N_length |
This number is the length (in bytes) of the field, as it would appear in an options record. |
padding |
Padding is inserted to align the end of the FlowSet on a 32-bit boundary. |
Cisco Flexible NetFlow
Flexible NetFlow provides enhanced optimization of the network infrastructure, reduces costs, and improves capacity planning and security detection beyond other flow-based technologies available today. Flexible NetFlow supports IPv6 and Network-Based Application Recognition (NBAR) 2 for IPv6 starting in Cisco IOS Software Version 15.2(1)T. It also supports IPv6 transition techniques (IPv6 inside IPv4). Flexible NetFlow can detect the following tunneling technologies that give full IPv6 connectivity for IPv6-capable hosts that are on the IPv4 Internet but that have no direct native connection to an IPv6 network:
Teredo
Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
6to4
6rd
Flexible NetFlow classification inside Teredo, ISATAP, 6to4, and 6rd was introduced in Cisco IOS Software Version 15.2(2)T. Export over IPv6 was introduced in Cisco IOS Software Version 15.2(2)T, Cisco IOS XE 3.7.0S, and Cisco Nexus Software Version 4.2.1.
Flexible NetFlow tracks different applications simultaneously. For instance, security monitoring, traffic analysis, and billing can be tracked separately, and the information customized per application.
Flexible NetFlow allows the network administrator or security professional to create multiple flow caches or information databases to track. Conventionally, NetFlow has a single cache and all applications use the same cache information. Flexible NetFlow supports the collection of specific security information in one flow cache and traffic analysis in another. Subsequently, each NetFlow cache serves a different purpose. For instance, multicast and security information can be tracked separately and the results sent to two different collectors. Figure 4-8 shows the Flexible NetFlow model and how three different monitors are used. Monitor 1 exports Flexible NetFlow data to “Exporter 1.” Monitor 2 exports Flexible NetFlow data to “Exporter 2,” and Monitor 3 exports Flexible NetFlow data to “Exporter 1” and “Exporter 3.”
)
Figure 4-8 The Flexible NetFlow Model
The following are the Flexible NetFlow components:
Records
Flow monitors
Flow exporters
Flow samplers
In Flexible NetFlow, the administrator can specify what to track, resulting in fewer flows. This helps to scale in busy networks and use fewer resources that are already taxed by other features and services.
Flexible NetFlow Records
Flexible NetFlow records are a combination of key and non-key fields. In Flexible NetFlow, records are appointed to flow monitors to define the cache that is used for storing flow data. There are seven default attributes in the IP packet identity, or “key fields,” for a flow and for a device to determine whether the packet information is unique or similar to other packets sent over the network. Fields such as TCP flags, subnet masks, packets, and number of bytes are “non-key fields.” However, they are often collected and exported in NetFlow or in IPFIX.
Flexible NetFlow Key Fields
There are several Flexible NetFlow key fields in each packet that is forwarded within a NetFlow-enabled device. The device looks for a set of IP packet attributes for the flow and determines whether the packet information is unique or similar to other packets. In Flexible NetFlow, key fields are configurable, which enables the administrator to conduct a more granular traffic analysis.
Table 4-15 lists the key fields related to the actual flow, device interface, and Layer 2 services.
Table 4-15 Flexible NetFlow Key Fields Related to Flow, Interface, and Layer 2
|
Flow |
Interface |
Layer 2 |
Fields |
Sampler ID Direction Class ID |
Input Output |
Source VLAN Destination VLAN Dot1q priority Source MAC address Destination MAC address |
Table 4-16 lists the IPv4- and IPv6-related key fields.
Table 4-16 Flexible NetFlow IPv4 and IPv6 Key Fields
|
IPv4 |
IPv6 |
Fields |
IP (Source or Destination) Prefix (Source or Destination) Mask (Source or Destination) Minimum-Mask (Source or Destination) Protocol Fragmentation Flags Fragmentation Offset Identification Header Length Total Length Payload Size Packet Section (Header) Packet Section (Payload) Time to Live (TTL) Options bitmap Version Precedence DSCP TOS |
IP (Source or Destination) Prefix (Source or Destination) Mask (Source or Destination) Minimum-Mask (Source or Destination) Protocol Traffic Class Flow Label Option Header Header Length Payload Length Payload Size Packet Section (Header) Packet Section (Payload) DSCP Extension Headers Hop-Limit Length Next-header Version |
Table 4-17 lists the Layer 3 routing protocol–related key fields.
Table 4-17 Flexible NetFlow Layer 3 Routing Protocol Key Fields
|
Routing |
Fields |
Source or Destination AS Peer AS Traffic Index Forwarding Status Input VRF Name IGP Next Hop BGP Next Hop |
Table 4-18 lists the transport-related key fields.
Table 4-18 Flexible NetFlow Transport Key Fields
|
Transport |
Fields |
Destination Port Source Port ICMP Code ICMP Type IGMP Type (IPv4 only) TCP ACK Number TCP Header Length TCP Sequence Number TCP Window-Size TCP Source Port TCP Destination Port TCP Urgent Pointer |
Only the Application ID is a Layer 3 routing protocol key field.
Table 4-19 lists the multicast-related key fields.
Table 4-19 Flexible NetFlow Multicast Key Fields
|
Multicast |
Fields |
Replication Factor (IPv4 only) RPF Check Drop (IPv4 only) Is-Multicast |
Flexible NetFlow Non-Key Fields
There are several non-key Flexible NetFlow fields. Table 4-20 lists the non-key fields that are related to counters, such as byte counts, number of packets, and more. A network administrator can use non-key fields for different purposes. For instance, the number of packets and amount of data (bytes) can be used for capacity planning and also to identify denial-of-service (DoS) attacks as well as other anomalies in the network.
Table 4-20 Flexible NetFlow Counters Non-Key Fields
|
Counters |
Fields |
Bytes Bytes Long Bytes Square Sum Bytes Square Sum Long Packets Packets Long Bytes Replicated Bytes Replicated Long Packets Replicated Packets Replicated Long |
Table 4-21 lists the timestamp-related non-key fields.
Table 4-21 Flexible NetFlow Timestamp Non-Key Fields
|
Timestamp |
Fields |
sysUpTime First Packet sysUpTime First Packet Absolute First Packet Absolute Last Packet |
Table 4-22 lists the IPv4-only non-key fields.
Table 4-22 Flexible NetFlow IPv4-Only Non-Key Fields
|
IPv4 Only |
Fields |
Total Length Minimum Total Length Maximum TTL Minimum TTL Maximum |
Table 4-23 lists the IPv4 and IPv6 non-key fields.
Table 4-23 Flexible NetFlow IPv4 and IPv6 Non-Key Fields
|
IPv4 and IPv6 |
Fields |
Total Length Minimum Total Length Maximum |
NetFlow Predefined Records
Flexible NetFlow includes several predefined records that can help an administrator and security professional start deploying NetFlow within their organization. Alternatively, they can create their own customized records for more granular analysis. As Cisco evolves Flexible NetFlow, many popular user-defined flow records could be made available as predefined records to make them easier to implement.
The predefined records guarantee backward compatibility with legacy NetFlow collectors. Predefined records have a unique blend of key and non-key fields that allows the network administrator and security professional to monitor different types of traffic in their environment without any customization.
User-Defined Records
As the name indicates, Flexible NetFlow gives the network administrator and security professional the flexibility to create their own records (user-defined records) by specifying key and non-key fields to customize the data collection. The values in non-key fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a non-key field does not create a new flow. In most cases, the values for non-key fields are taken from only the first packet in the flow. Flexible NetFlow enables you to capture counter values such as the number of bytes and packets in a flow as non-key fields.
Flexible NetFlow adds a new NetFlow v9 export format field type for the header and packet section types. A device configured for Flexible NetFlow communicates to the collector the configured section sizes in the corresponding NetFlow v9 export template fields.
Flow Monitors
In Flexible NetFlow, flow monitors are applied to the network device interfaces to perform network traffic monitoring. Flow data is collected from the network traffic and added to the flow monitor cache during the monitoring process based on the key and non-key fields in the flow record.
Flow Exporters
The entities that export the data in the flow monitor cache to a remote system are called flow exporters. Flow exporters are configured as separate entities and are assigned to flow monitors. An administrator can create several flow exporters and assign them to one or more flow monitors. A flow exporter includes the destination address of the reporting server, the type of transport (UDP or SCTP), and the export format corresponding of the NetFlow version or IPFIX.
Flow Samplers
Flow samplers are created as separate components in a router’s configuration. Flow samplers are used to reduce the load on the device that is running Flexible NetFlow by limiting the number of packets that are selected for analysis.
Flow sampling exchanges monitoring accuracy for router performance. When you apply a sampler to a flow monitor, the overhead load on the router due to running the flow monitor is reduced because the number of packets that the flow monitor must analyze is reduced. The reduction in the number of packets that are analyzed by the flow monitor causes a corresponding reduction in the accuracy of the information stored in the flow monitor’s cache.
Flexible NetFlow Configuration
The following sections provide step-by-step configuration guidance on how to enable and configure Flexible NetFlow in a Cisco IOS device. Figure 4-9 shows the configuration steps in a sequential graphical representation.
)
Figure 4-9 Flexible NetFlow Configuration Steps
The configuration steps, which are described in detail in the corresponding sections, are as follows:
Step 1. Configure a flow record
Step 2. Configure a flow monitor
Step 3. Configure a flow exporter for the flow monitor
Step 4. Apply the flow monitor to an interface
The topology shown in Figure 4-10 is used in the following examples.
)
Figure 4-10 Flexible NetFlow Configuration Example Topology
This figure shows a Cisco ASR 1004 at the New York headquarters that is configured for Flexible NetFlow. The outside network is 209.165.200.224/29, and the inside network is 209.165.200.232/29.
Configure a Flow Record
The following are the steps required to configure a customized flow record.
Step 1. Log in to your router and enter into enable mode with the enable command:
NY-ASR1004>enable
Step 2. Enter into configuration mode with the configure terminal command:
NY-ASR1004#configure terminal Enter configuration commands, one per line. End with CNTL/Z.
Step 3. Create a flow record with the flow record command. In this example, the record name is NY-ASR-FLOW-RECORD-1. After you’ve entered the flow record command, the router enters flow record configuration mode. You can also use the flow record command to edit an existing flow record:
NY-ASR1004(config)#flow record NY-ASR-FLOW-RECORD-1
Step 4. (Optional.) Enter a description for the new flow record:
NY-ASR1004(config-flow-record)#description FLOW RECORD 1 for basic traf fic analysis
Step 5. Configure a key field for the flow record using the match command. In this example, the IPv4 destination address is configured as a key field for the record:
NY-ASR1004(config-flow-record)#match ipv4 destination address
The output of the match ? command shows all the primary options for the key field categories that you learned earlier in this chapter:
NY-ASR1004(config-flow-record)#match ? application Application fields flow Flow identifying fields interface Interface fields ipv4 IPv4 fields ipv6 IPv6 fields routing Routing attributes transport Transport layer fields
Step 6. Configure a non-key field with the collect command. In this example, the input interface is configured as a non-key field for the record:
NY-ASR1004(config-flow-record)#collect interface input
The output of the collect ? command shows all the options for the non-key field categories that you learned earlier in this chapter:
NY-ASR1004(config-flow-record)#collect ? application Application fields counter Counter fields flow Flow identifying fields interface Interface fields ipv4 IPv4 fields ipv6 IPv6 fields routing Routing attributes timestamp Timestamp fields transport Transport layer fields
Step 7. Exit configuration mode with the end command and return to privileged EXEC mode:
NY-ASR1004(config-flow-record)#end
You can use the show flow record command to show the status and fields for the flow record. If multiple flow records are configured in the router, you can use the show flow record name command to show the output of a specific flow record, as shown in Example 4-1.
Example 4-1 Output of the show flow record Command
NY-ASR1004#/>show flow record NY-ASR-FLOW-RECORD-1/>
flow record NY-ASR-FLOW-RECORD-1:
Description: Used for basic traffic analysis
No. of users: 0
Total field space: 8 bytes
Fields:
match ipv4 destination address
collect interface input
Use the show running-config flow record command to show the flow record configuration in the running configuration, as shown in Example 4-2.
Example 4-2 Output of the show running-config flow record Command
NY-ASR1004#show running-config flow record Current configuration: ! flow record NY-ASR-FLOW-RECORD-1 description Used for basic traffic analysis match ipv4 destination address collect interface input !
Configuring a Flow Monitor for IPv4 or IPv6
The following are the steps required to configure a flow monitor for IPv4 or IPv6 implementations. In the following examples, a flow monitor is configured for the previously configured flow record.
Step 1. Log in to your router and enter into enable mode with the enable command:
NY-ASR1004>enable
Step 2. Enter into configuration mode with the configure terminal command:
NY-ASR1004#configure terminal Enter configuration commands, one per line. End with CNTL/Z.
Step 3. Create a flow monitor with the flow monitor command. In this example, the flow monitor is called NY-ASR-FLOW-MON-1:
NY-ASR1004(config)#flow monitor NY-ASR-FLOW-MON-1
Step 4. (Optional.) Enter a description for the new flow monitor:
NY-ASR1004(config-flow-monitor)#description monitor for IPv4 traffic in NY
Step 5. Identify the record for the flow monitor:
NY-ASR1004(config-flow-monitor)#record netflow NY-ASR-FLOW-RECORD-1
In the following example, the record ? command is used to see all the flow monitor record options:
NY-ASR1004(config-flow-monitor)#record ? NY-ASR-FLOW-RECORD-1 Used for basic traffic analysis netflow Traditional NetFlow collection schemes netflow-original Traditional IPv4 input NetFlow with origin ASs
Step 6. Exit configuration mode with the end command and return to privileged EXEC mode:
NY-ASR1004(config-flow-record)#end
You can use the show flow monitor command to show the status and configured parameters for the flow monitor, as shown in Example 4-3.
Example 4-3 Output of the show flow monitor Command
NY-ASR1004#/>show flow monitor/>
Flow Monitor NY-ASR-FLOW-MON-1:
Description: monitor for IPv4 traffic in NY
Flow Record: NY-ASR-FLOW-RECORD-1
Cache:
Type: normal (Platform cache)
Status: not allocated
Size: 200000 entries
Inactive Timeout: 15 secs
Active Timeout: 1800 secs
Update Timeout: 1800 secs
Use the show running-config flow monitor command to display the flow monitor configuration in the running configuration, as shown in Example 4-4.
Example 4-4 Output of the show running-config flow monitor Command
NY-ASR1004#/>show running-config flow monitor/> Current configuration: ! flow monitor NY-ASR-FLOW-MON-1 description monitor for IPv4 traffic in NY record NY-ASR-FLOW-RECORD-1 cache entries 200000
Configuring a Flow Exporter for the Flow Monitor
Complete the following steps to configure a flow exporter for the flow monitor in order to export the data that is collected by NetFlow to a remote system for further analysis and storage. This is an optional step. IPv4 and IPv6 are supported for flow exporters.
Step 1. Log in to the router and enter into enable and configuration modes, as you learned in previous steps.
Step 2. Create a flow exporter with the flow exporter command. In this example, the exporter name is NY-EXPORTER-1:
NY-ASR1004(config)#flow exporter NY-EXPORTER-1
Step 3. (Optional.) Enter a description for the exporter:
NY-ASR1004(config-flow-exporter)#description exports to New York Collector
Step 4. Configure the export protocol using the export-protocol command. In this example, NetFlow v9 is used. You can also configure legacy NetFlow v5 with the netflow-v5 keyword or IPFIX with the ipfix keyword. IPFIX support was added in Cisco IOS Software Release 15.2(4)M and Cisco IOS XE Release 3.7S:
NY-ASR1004(config-flow-exporter)#export-protocol netflow-v9
Step 5. Enter the IP address of the destination host with the destination command. In this example, the destination host is 10.10.10.123:
NY-ASR1004(config-flow-exporter)#destination 10.10.10.123
Step 6. You can configure the UDP port used by the flow exporter with the transport udp command. The default is UDP port 9995.
Step 7. Exit the Flexible NetFlow flow monitor configuration mode with the exit command and specify the name of the exporter in the flow monitor:
NY-ASR1004(config)#flow monitor NY-ASR-FLOW-MON-1 NY-ASR1004(config-flow-monitor)#exporter NY-EXPORTER-1
You can use the show flow exporter command to view the configured options for the Flexible NetFlow exporter, as demonstrated in Example 4-5.
Example 4-5 Output of the show flow exporter Command
NY-ASR1004#/>show flow exporter/>
Flow Exporter NY-EXPORTER-1:
Description: exports to New York Collector
Export protocol: NetFlow Version 9
Transport Configuration:
Destination IP address: 10.10.10.123
Source IP address: 209.165.200.225
Transport Protocol: UDP
Destination Port: 9995
Source Port: 55939
DSCP: 0x0
TTL: 255
Output Features: Used
You can use the show running-config flow exporter command to view the flow exporter configuration in the command line interface (CLI), as demonstrated in Example 4-6.
Example 4-6 Output of the show running-config flow exporter Command
NY-ASR1004# />show running-config flow exporter/> Current configuration: ! flow exporter NY-EXPORTER-1 description exports to New York Collector destination 10.10.10.123
You can use the show flow monitor name NY-ASR-FLOW-MON-1 cache format record command to display the status and flow data in the NetFlow cache for the flow monitor, as demonstrated in Example 4-7.
Example 4-7 Output of the show flow monitor name NY-ASR-FLOW-MON-1 cache format record Command
NY-ASR1004#/>show flow monitor name NY-ASR-FLOW-MON-1 cache format record/>
Cache type: Normal (Platform cache)
Cache size: 200000
Current entries: 4
High Watermark: 4
Flows added: 132
Flows aged: 42
- Active timeout ( 3600 secs) 3
- Inactive timeout ( 15 secs) 94
- Event aged 0
- Watermark aged 0
- Emergency aged 0
IPV4 DESTINATION ADDRESS: 10.10.20.5
ipv4 source address: 10.10.10.42
trns source port: 25
trns destination port: 25
counter bytes: 34320
counter packets: 1112
IPV4 DESTINATION ADDRESS: 10.10.1.2
ipv4 source address: 10.10.10.2
trns source port: 20
trns destination port: 20
counter bytes: 3914221
counter packets: 5124
IPV4 DESTINATION ADDRESS: 10.10.10.200
ipv4 source address: 10.20.10.6
trns source port: 32
trns destination port: 3073
counter bytes: 82723
counter packets: 8232
Applying a Flow Monitor to an Interface
A flow monitor must be applied to at least one interface. To apply the flow monitor to an interface, use the ip flow monitor name input command in interface configuration mode, as demonstrated in Example 4-8.
Example 4-8 Applying the Flow Monitor to an Interface
NY-ASR1004(config)#/>interface FastEthernet0/1/1/> NY-ASR1004(config-if)#/>ip flow monitor NY-ASR-FLOW-MON-1 input/>
In Example 4-8, the flow monitor NY-ASR-FLOW-MON-1 is applied to interface FastEthernet0/1/1. Example 4-9 shows the complete configuration.
Example 4-9 Flexible NetFlow Configuration
flow record NY-ASR-FLOW-RECORD-1 description used for basic traffic analysis match ipv4 destination address collect interface input ! ! flow exporter NY-EXPORTER-1 description exports to New York Collector destination 10.10.10.123 ! ! flow monitor NY-ASR-FLOW-MON-1 description monitor for IPv4 traffic in NY record NY-ASR-FLOW-RECORD-1 exporter NY-EXPORTER-1 cache entries 200000 ! interface FastEthernet0/1/1 ip address 209.165.200.233 255.255.255.248 ip flow monitor NY-ASR-FLOW-MON-1 input