Netflow

Netflow is just one of those really powerful troubleshooting tools that any organization just can’t do without. I can’t imagine trying to maintain a healthy network without such a tool as Netflow. It’s so light and efficient and can open your eyes to everything that’s going on in your network if implemented correctly.

Fluke Networks published an article not long after we began running Netflow Tracker. The article was actually published prior to the acquisition of Visual Networks by Fluke. Prior to running Netflow Tracker we were using / renting Visual Networks CSU/DSU from our ISP which at that time was Sprint. Using the Visual Networks CSU/DSU behind our Branch Routers and in conjunction with a hosted PAM solution gave us metrics and reporting capabilities. At the time we were a Layer 2 Frame Relay Hub & Spoke Topology.

Murphy Hoffman Company & Fluke Networks Article  

With over 40,000 customers spread across ten states, the Network Team at Murphy Hoffman Company has its work cut out to ensure the company’s network runs like a finely oiled machine. The diverse network supports services including Sales, Leasing, Rental, Refrigeration, Body Shop and Support. In addition, the Networking Team must manage a diverse architecture that includes both custom and commercial off-the-shelf software.

Read the Article 

The ability to characterize IP traffic and understand how and where it flows is critical for network availability, performance and troubleshooting. Monitoring IP traffic flows facilitates more accurate capacity planning and ensures that resources are used appropriately in support of organizational goals. It helps IT determine where to apply Quality of Service or QoS, optimize resource usage and it plays a vital role in network security to detect Denial of Service or DoS attacks, network propagated worms, and other undesirable network events.

What is an IP Flow

Each packet that is forwarded within a Router is examined for a set of IP packet Attributes. These attributes are the IP packet identity or fingerprint of the packet and determine if the packet is unique or similar to other packets. Traditionally a flow is based on a set of 5 and up to 7 IP packet attributes.

The 7 Packet Attributes used by NetFlow

  1. IP source address
  2. IP destination address
  3. Source port
  4. Destination port
  5. Layer 3 protocol type
  6. Class of Service
  7. Router Interface

For Netflow to consider a flow to be valid it must contain the following:

  • IP Source Address
  • IP Destination Address
  • Ingress Interface

One of the things that must be done with Netflow Tracker is the configuration of a port number for each individual Router that is going to export its Netflow information to Tracker. The port definitions within Netflow Tracker are called listener ports. Each port is unique to an individual Router. This is done under Settings > Listener Ports. The format looks like this: 0.0.0.0:2063. If you are going to implement Netflow in your network I would highly recommend being consistent across all your Routers. If you want and expect consistent reporting regardless of the bandwidth, make sure your configuration is the same across all your Routers!

We need to define the export version, the timeout value, and of course the destination. Let’s assume that our Netflow (collector) Server is at 172.16.0.40 listening on port 2063.

Router#configure terminal
Router(config)#ip flow-export version 9
Router(config)#ip flow-cache timeout active 1
Router(config)#ip flow-export destination 172.16.0.40 2063
Router(config)#exit
Router#

Next we need to configure the Interface that the ip cache flow exports will be reported from. Since I’m using version 9 exports in this example and my Netflow Tracker is at the correct version to receive the version 9 exports I can cleanly and simply configure ingress and egress on the WAN interface alone. The WAN interface in my Topology is the closest interface (Last Reporting Interface) toward my Netflow Tracker. The timeout value above is important. A value of 1 is a more real-time reporting interval.

Router#configure terminal
Router(config)#
Router(config)#interface MFR0.1 point-to-point
Router(config-if)#description PVC for MPLS
Router(config-if)#ip address 10.1.1.20 255.255.255.252
Router(config-if)#ip flow ingress
Router(config-if)#ip flow egress
Router(config-if)#no cdp enable
Router(config-if)#frame-relay interface-dlci 100
Router(config-if)#exit
Router(config)#exit
Router#
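
What a collector on the listener port receives once version 9 export is enabled, as an added example that is not part of the original post: a parser for the NetFlow v9 datagram layout (RFC 3954) that maps the seven key attributes listed earlier to their v9 field types. The datagram from `build_sample()` is constructed, and its source ID 0 and input interface index 2 are assumptions.

```python
import socket
import struct

# NetFlow v9 field type numbers (RFC 3954) for the seven key attributes above.
KEY_FIELDS = {8: "src_addr", 12: "dst_addr", 7: "src_port", 11: "dst_port",
              4: "protocol", 5: "tos", 10: "input_if"}

def parse_v9(packet, templates):
    """Decode one export datagram; templates is a cache kept across datagrams."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet)
    if version != 9:
        raise ValueError(f"expected NetFlow v9, got version {version}")
    flows, offset = [], 20
    while offset + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, offset)
        if set_len < 4 or offset + set_len > len(packet):
            raise ValueError("FlowSet length runs past the datagram")
        body = packet[offset + 4:offset + set_len]
        pos = 0
        if set_id == 0:  # template FlowSet: template id, field count, (type, length) pairs
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                if tid < 256 or pos + 4 + 4 * nfields > len(body):
                    break  # padding or truncated template
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif (source_id, set_id) in templates:  # data FlowSet with a known template
            fields = templates[(source_id, set_id)]
            rec_len = sum(length for _, length in fields)
            while rec_len and pos + rec_len <= len(body):
                rec = {}
                for ftype, length in fields:
                    raw, pos = body[pos:pos + length], pos + length
                    if ftype in KEY_FIELDS:
                        rec[KEY_FIELDS[ftype]] = (socket.inet_ntoa(raw) if ftype in (8, 12)
                                                  and length == 4 else int.from_bytes(raw, "big"))
                flows.append(rec)
        offset += set_len
    return flows

def build_sample():
    """Constructed datagram: template 256 with the seven key fields, then one record."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (5, 1), (10, 2)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    rec = (socket.inet_aton("192.168.60.20") + socket.inet_aton("192.168.74.69")
           + struct.pack("!HHBBH", 0x07D0, 0xC2EA, 6, 0, 2))
    sets = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(rec)) + rec
    return struct.pack("!HHIIII", 9, 2, 0, 0, 1, 0) + sets
```

Data FlowSets that arrive before their template are skipped, which is why a v9 collector shows nothing until the router has sent its templates. The length checks matter because the export arrives as unauthenticated UDP, so every length field in the datagram is untrusted input.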

Let’s make sure the Router is truly exporting its cache flow as expected.

Router#show ip cache flow
SrcIf     SrcIPaddress    DstIf      DstIPaddress     Pr    SrcP    DstP   Pkts
Gi0/1     192.168.60.20   Gi0/0.1    192.168.74.69    06    07D0    C2EA   1
Gi0/1     162.16.0.25     Gi0/0.1    162.16.124.30    06    A42A    0EC1   360
Gi0/1     162.16.100.16   Gi0/0.1    162.16.119.65    06    189C    0522   1
Gi0/1     162.16.100.25   Gi0/0.1    162.16.60.72     06    03E0    0506   5
Gi0/1     162.16.100.11   Gi0/0.1    162.16.70.118    11    0035    FA40   1
Gi0/1     162.16.116.61   Gi0/0.1    192.168.60.21    06    08DB    1BA8   1
Gi0/1     162.16.60.30    Gi0/0.1    162.18.133.213   01    0000    0303   2
Gi0/1     162.16.60.30    Gi0/0.1    162.16.69.212    01    0000    0303   3
Gi0/1     162.16.60.30    Gi0/0.1    162.16.85.212    01    0000    0303   39
Gi0/1     162.16.60.26    Gi0/0.1    162.21.124.88    06    0D3D    F3B1   4
Gi0/1     162.16.100.22   Gi0/0.1    162.16.110.96    06    1F4E    0A18   6
Gi0/1     192.168.60.22   Gi0/0.1    162.21.98.51     06    1466    0488   1
Gi0/1     162.16.60.55    Gi0/0.1    162.16.100.25    06    053A    03E0   28
Gi0/1     162.16.60.11    Gi0/0.1    162.21.124.86    06    1661    C9C0   21
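
The Pr, SrcP and DstP columns in this output are hexadecimal. The following added example (not part of the original post) decodes rows copied from the output above and lists any source seen with three or more destinations on one protocol; the function names and the `min_dsts` threshold are assumptions of the example.

```python
import re
from collections import defaultdict

# Rows copied from the cache output above (Pr, SrcP and DstP are hexadecimal).
SAMPLE = """\
SrcIf     SrcIPaddress    DstIf      DstIPaddress     Pr    SrcP    DstP   Pkts
Gi0/1     192.168.60.20   Gi0/0.1    192.168.74.69    06    07D0    C2EA   1
Gi0/1     162.16.100.11   Gi0/0.1    162.16.70.118    11    0035    FA40   1
Gi0/1     162.16.60.30    Gi0/0.1    162.18.133.213   01    0000    0303   2
Gi0/1     162.16.60.30    Gi0/0.1    162.16.69.212    01    0000    0303   3
Gi0/1     162.16.60.30    Gi0/0.1    162.16.85.212    01    0000    0303   39
"""

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
ROW = re.compile(r"(\S+)\s+([\d.]+)\s+(\S+)\s+([\d.]+)\s+"
                 r"([0-9A-F]{2})\s+([0-9A-F]{4})\s+([0-9A-F]{4})\s+(\d+)")

def parse_cache(text):
    """Decode flow rows; lines that are not flow rows (header, blanks) are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW.fullmatch(line.strip())
        if not m:
            continue
        src_if, src, dst_if, dst, pr, sp, dp, pkts = m.groups()
        proto = int(pr, 16)
        flow = {"src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
                "proto": PROTO.get(proto, str(proto)), "pkts": int(pkts)}
        if proto == 1:
            # ICMP has no ports: DstP holds the type (high byte) and code (low byte).
            flow["icmp_type"], flow["icmp_code"] = divmod(int(dp, 16), 256)
        else:
            flow["sport"], flow["dport"] = int(sp, 16), int(dp, 16)
        flows.append(flow)
    return flows

def fan_out(flows, min_dsts=3):
    """Return (source, protocol) pairs seen with at least min_dsts destinations."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f["src"], f["proto"])].add(f["dst"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_dsts}

if __name__ == "__main__":
    decoded = parse_cache(SAMPLE)
    for row in decoded:
        print(row)
    print(fan_out(decoded))
```

In the ICMP rows the DstP value 0303 decodes to type 3, code 3 (destination unreachable, port unreachable), and 162.16.60.30 is the one source in the sample that reaches the three-destination threshold.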

Netflow Troubleshooting commands

show ip flow export verbose
show ip cache flow
show ip cache flow verbose
show ip cache interface xyz verbose
show ip flow interface
