Under the disruptive influence of cloud computing and containerized technology, networks have become increasingly opaque. Modern enterprises are using technology that is more complex and faster-paced. Yet for all these changes, NetFlow, a technology developed in the 1990s, has remained a staple for network security and quality of service monitoring.

What is NetFlow?

NetFlow is a network protocol and Cisco IOS application that was developed by Cisco to collect and monitor traffic data generated by routers and switches (many routers have a NetFlow feature that automatically records NetFlow data). Devices compatible with NetFlow produce data that can be exported to a NetFlow collector/software agent.

After exporting NetFlow data, an administrator can use a NetFlow traffic analyzer to view visual representations of this flow data to gauge the performance of the network. For example, if there is an unusual spike in traffic then a NetFlow Analyzer will send you an alert.

Identifying abnormal levels of traffic is useful for diagnosing cyber attacks like DDoS attacks so that you can take steps to mitigate them as soon as possible. In other words, using NetFlow is a great way to monitor and troubleshoot your network.
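As an added illustration (not part of the original article or any vendor's code), the Python below shows what a collector does with exported data: it decodes one NetFlow v5 export datagram and flags destinations that receive a high byte volume from many distinct sources, the kind of spike an analyzer would alert on. It assumes the NetFlow v5 packet layout; the sample datagram, the addresses, and the byte_limit and min_sources thresholds are constructed for the example.

```python
import socket
import struct
from collections import Counter

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field is {version})")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "packets": f[5], "bytes": f[6], "src_port": f[9],
                      "dst_port": f[10], "tcp_flags": f[12], "proto": f[13]})
    return flows

def flag_targets(flows, byte_limit, min_sources):
    """Destinations that got more than byte_limit bytes from >= min_sources hosts."""
    volume, sources = Counter(), {}
    for fl in flows:
        volume[fl["dst"]] += fl["bytes"]
        sources.setdefault(fl["dst"], set()).add(fl["src"])
    return sorted(dst for dst, total in volume.items()
                  if total > byte_limit and len(sources[dst]) >= min_sources)

def build_sample():
    """Constructed datagram: 28 hosts sending UDP to one address, plus one HTTPS flow."""
    def rec(src, dst, pkts, octets, sport, dport, proto):
        return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                              socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets,
                              1000, 2000, sport, dport, 0, 0, proto, 0, 0, 0, 0, 0, 0)
    records = [rec(f"198.51.100.{i}", "192.0.2.10", 900, 1_200_000, 40000 + i, 53, 17)
               for i in range(1, 29)]
    records.append(rec("192.0.2.77", "192.0.2.20", 12, 9_000, 51000, 443, 6))
    header = V5_HEADER.pack(5, len(records), 123456, 1_700_000_000, 0, 1, 0, 0, 0)
    return header + b"".join(records)

if __name__ == "__main__":
    flows = parse_v5(build_sample())
    # byte_limit and min_sources are illustrative thresholds, not recommended values
    print(flag_targets(flows, byte_limit=10_000_000, min_sources=20))
```

Requiring both a byte threshold and a minimum number of distinct sources keeps a single large transfer from being flagged as a distributed flood.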

Configure and verify Cisco NetFlow with the Cisco UCS Manager GUI

While Cisco 7200, 7500, 7400, MGX, and AS5800 are all compatible with the NetFlow application, you will have to purchase a feature license to be able to use the NetFlow function.

Before enabling NetFlow you need to configure your router for IP routing and enable one of Cisco Express Forwarding, distributed Cisco Express Forwarding, or fast switching. In this example, we’re going to be configuring NetFlow through the Cisco UCS Manager graphical user interface (GUI).

Cisco UCS Manager is a system used to communicate with routers and switches across a network. It includes adapters like Cisco UCS VIC 1225, Cisco UCS VIC 1240, and Cisco UCS VIC 1280. To configure NetFlow with UCS Manager:

  • Go to the LAN tab > NetFlow > General page and check the radio button.

Define a Flow Record

  • Now we need to define a flow record. To do this click the LAN tab > NetFlow Monitoring.
  • Next, right-click on Flow Record Definitions > Create Flow Record Definition.
  • Go to the Create Flow Record Definition dialog box and enter a Name and a Description. Now go to the Define Keys section and select one of the following: L2keys, IPv4keys, or Ipv6keys. These refer to Layer 2 Switched, IPv4, and IPv6.
  • Go to the Select Measured Fields (non-keys) box and check the fields you want to include with the flow data. Options include: Counter Bytes Long, Counter Packets Long, Sys Uptime First, and Sys Uptime Last.

Define a Flow Collector

  • Once this is done it is time to define a Flow Collector. To do this go to the LAN tab > NetFlow Monitoring > Flow Collectors and click the Add button.
  • Go to the Create Flow Collectors box and enter a Name and Description for the flow collector. Now enter the Collector IP, Port, Exporter Gateway IP, and VLAN.

Define a Flow Exporter

  • After this, we need to define a Flow Exporter. Go to the LAN tab > Network Monitoring > Flow Exporters > Create Flow Exporter. Enter a Name and a Description. Now fill out the rest of the form options: DSCP, Exporter Profile, Flow Collector, Template Data Timeout, Option Exporter Stats Timeout, and Option Interface Table Timeout.

Define a Flow Monitor

  • Now it’s time to define a Flow Monitor. To do this go to LAN > NetFlow Monitoring > Flow Monitors (icon) and press Create Flow Monitor. Enter a Name and a Description. Then enter a Flow Definition, Flow Exporter 1, Flow Exporter 2, and Timeout Policy.

Define a Flow Monitor Session

  • After defining a Flow Monitor we need to define a Flow Monitor Session. We can do this by going to LAN > Network Monitoring > Flow Monitor Sessions. Press Create Flow Monitor Session, then enter a Name and Description. Under the Host Receive Direction Monitor, select the flow monitor you want to use from the list or press Create Flow Monitor if you want to create one.
  • Under the Host Transmit Direction Monitor 1 parameter, select the flow monitor you want to use from the list or use the Create Flow Monitor option to create one. Fill out the Host Receive Direction Monitor 2 and Host Transmit Direction Monitor 2 parameters with any additional configurations.

Assign a Flow Monitor Session to a vNIC

  • Now we need to assign a Flow Monitor Session to a vNIC. Click LAN > NetFlow Monitoring > Flow Monitor Sessions and select the Flow Monitor Session you want to configure. Set the Flow Exporter Profile default and then go to Properties and expand the vNICs option. Click the Add button and then select which vNIC you want to use with the flow monitor session.
  • Save the changes and finish.

Configure and verify Cisco NetFlow through a Command-line interface

The Command Line Interface (CLI) is an alternative to the GUI for configuring NetFlow on an interface. The process to configure and verify NetFlow is relatively simple:

  • To enter privileged EXEC mode, enter the following command:
    Router> enable
  • Now, enter Global Configuration Mode by entering the configure terminal command:
    Router# configure terminal
  • Select the interface you want to configure for NetFlow by entering its type and number:
    Router(config)# interface ethernet 0/0
  • Next, we need to enable NetFlow ingress and egress on the interface. To do that enter these two commands:
    Router(config-if)# ip flow ingress
    Router(config-if)# ip flow egress
  • If you want to enable NetFlow on another interface use the following command to return to Global Configuration Mode:
    Router(config-if)# exit
  • Then repeat the entire process until you have configured all the interfaces you need.
  • To finish, use the end command to return to privileged EXEC mode:
    Router(config-if)# end

Verify that NetFlow is Up and Running

To ensure that NetFlow is operational you can use the show ip flow interface, show ip cache flow, and show ip cache verbose flow commands:

  • Use the show ip flow interface command to view the NetFlow configuration for the interface:
    Router# show ip flow interface
  • Use the show ip cache flow command to verify that NetFlow is working and to view a summary of statistics:
    Router# show ip cache flow
  • Use the show ip cache verbose flow command to verify that NetFlow is working and to view a more detailed summary of statistics. It can be used to view Source Mask and AS, Destination Port Mask AS, ToS and TCP, Flow Rate, and more. To use the command enter the following:
    Router# show ip cache verbose flow

NetFlow Collectors and Analyzers

After you’ve finished configuring NetFlow the next stage is to choose a flow collection tool. Even after following the steps above you won’t be able to use NetFlow unless you have a software agent/NetFlow analyzer to collect the information generated by your devices. The good news is that these tools are widely available. In this section we’re going to look at two platforms:

SolarWinds NetFlow Traffic Analyzer (FREE TRIAL)

SolarWinds NetFlow Traffic Analyzer is a NetFlow traffic analyzer and bandwidth monitoring tool that you can use to view NetFlow outputs. The tool allows you to view IPv4 and IPv6 flow data. It also has a GUI with performance dashboards where you can see NetFlow sources and an overview of the Top Bandwidth Hogs within the network.

For example, you could look up the name of a switch in your network and view the Traffic In, Traffic Out, Last Received NetFlow, and Last Received CBQOS to see if traffic is normal.

The software has an alerts system so you receive alerts when there is a fluctuation in traffic that you need to take note of. You can configure when alerts are generated with custom parameters. For example, you can set a Trigger Condition as when Application traffic exceeds the threshold and then set an Ingress Traffic parameter.

The tool starts at a price of £1,475. There is also a 30-day free trial version.

Pros:

  • Excellent user interface, easy to navigate and remains uncluttered even when used on high volume networks
  • Supports multiple networking technologies such as Cisco Netflow, Juniper Networks J-Flow, and Huawei Netstream, making it a hardware-agnostic solution
  • Pre-built templates allow you to pull insights from packet capture right away
  • Installs on Windows as well as on multiple flavors of Linux
  • Built for the enterprise, offers SLA tracking and monitoring features

Cons:

  • Built for enterprise companies who process a lot of data, not the best fit for small LANs or home users

ManageEngine NetFlow Analyzer

ManageEngine produces its NetFlow Analyzer as a complement to its main network monitoring system, which is called OpManager. If you buy both packages, they will slot together.

The NetFlow Analyzer is able to query switches and routers built by Cisco Systems through the use of the NetFlow protocol. The tool can also communicate with Juniper Networks equipment by the use of J-Flow and with Huawei NetStream. The software is also able to communicate using sFlow, IP-FIX, and AppFlow.

Use this monitoring system to watch over traffic patterns on your network. You will also be able to implement QoS traffic shaping for interactive applications, such as VoIP. The package also has Cisco NBAR capabilities built into it for port recognition.

ManageEngine NetFlow Analyzer is an on-premises package that will run on Windows Server and Linux. You can examine this package on a 30-day free trial.

Pros:

  • Supports multiple protocols like NetFlow, great for monitoring Cisco equipment
  • Both tools work well alongside each other to help view traffic patterns and bandwidth usage
  • Easy to use interface automatically highlights bandwidth hogs and other network traffic outliers
  • Can proactively monitor switch port status to identify failing ports and misconfigurations

Cons:

  • Built for enterprise use, not designed for small home networks

Site24x7 Network Monitoring

Site24x7 is a SaaS platform that offers a range of system monitoring and management packages. Network Monitoring is the Site24x7 service for traffic monitoring and management. The system can monitor network device statuses with SNMP and also track traffic patterns with NetFlow.

The tool is able to work with multi-vendor networks because it can communicate with devices supplied by Juniper Networks, D-Link, Dell, HP, and Canon, as well as Cisco Systems. In fact, the monitoring tool can extract traffic data from devices produced by a list of 450 vendors.

Overall, the Site24x7 Network Monitoring service will watch over switches, routers, firewalls, VPNs, wireless systems, load balancers, WAN accelerators, storage servers and devices, UPS units, and printers.

As it is resident on the cloud, this monitoring system isn’t limited to watching over one network. It can monitor multiple networks and connections to cloud platforms wherever they are located. Site24x7 Network Monitoring is available on a 30-day free trial.

Pros:

  • Flexible cloud-based monitoring option
  • Offers a host of out-of-box monitoring options and dashboard templates for SQL server
  • Allows administrators to view dependencies within the application stack, good for building SLAs and optimizing uptime
  • Offers root cause analysis enhanced by AI to fix technical issues faster
  • Can unify SQL monitoring across multi-cloud environments

Cons:

  • Site24x7 is a feature-rich platform with options that extend beyond database management, may require time to learn all options and features

Paessler PRTG Network Monitor

PRTG Network Monitor is a piece of network monitoring software that can monitor NetFlow traffic. It supports all NetFlow versions and provides a GUI to monitor devices. You can monitor NetFlow with sensors. There is a NetFlow V5 sensor and a NetFlow V9 sensor.

The sensors measure network traffic in kbit per second in a variety of formats (including FTP/P2P, DHCP, DNS, Ident, ICMP, SNMP, IMAP, NetBIOS, SSH, Telnet, HTTP, HTTPS, UDP, TCP, and more). All traffic is presented in a graphical overview which shows Top Talkers, Top Connections, and Top Protocols, alongside a time period of your choice.

The sensors can be configured to send you alerts via email and SMS if traffic reaches unusual levels. The price of the Paessler PRTG Network Monitor starts at $1,600 (£1,232) for 500 sensors and one server installation. There is also a 30-day free trial version.

Pros:

  • Designed to be an infrastructure monitoring tool that supports multiple sensors types such as NetFlow, sFlow, and J-Flow
  • Offers additional monitoring on the same platform, supporting infrastructure, network, and application performance monitoring
  • Supports multiple channels and integrations for alerts
  • Uses easy to read graphing for traffic visualization

Cons:

  • Very detailed platform, takes time to learn and fully utilize all of the features available

Managing Performance and Security Events with NetFlow Monitoring

Once NetFlow is configured on your devices you’ll be able to monitor packets transmitted throughout your network. NetFlow monitoring is extremely useful as part of your network monitoring strategy because it allows you to view traffic and to identify cyber-attacks like DoS or DDoS.

If you plan to use NetFlow monitoring to oversee your network then it is a good idea to download a NetFlow analyzer. It will provide you with a GUI to monitor traffic and make it easier to identify cyber-attacks. Monitoring traffic will help you to keep a watchful eye on performance and security events.