NetFlow collects information about the traffic flows crossing an interface. The information can be stored on the switch, but it is more commonly sent to a server that collects the NetFlow data and spits it out as something shiny. Okay, not shiny, but more easily digestible.
Each packet is inspected for a set of IP packet attributes called key fields. Packets whose key fields all match belong to the same flow; if a packet carries a new combination of key-field values, a new flow is created.
With that data you can create trend reports or gather protocol and interface statistics. In near real time you can find out who your top talkers are and which protocols are most widely used across your network. It can even act as a security tool for spotting network anomalies.
Netflow has 4 components:
The following NetFlow configuration was tested on a Cisco Catalyst 3850 running IOS version 15. On the Catalyst 3850, the variant you get is Flexible NetFlow (FNF). You will need at least IP Base licensing to use NetFlow. In short, Flexible NetFlow is Cisco’s migration from the traditional NetFlow. Aw how cute, it’s growing up.
Here is the full configuration I ended up with. After the configuration I go into more detail.
flow record AUNTFLOW
 match ipv4 destination address
 match ipv4 source address
 match ipv4 protocol
 match interface input
 match transport destination-port
 match transport source-port
 collect counter bytes long
 collect counter packets long
 collect interface input
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow exporter AUNTFLOWEXPORT
 description Export to netflow system
 destination 192.168.1.10
 source vlan 10
 transport udp 4739
 ttl 60
!
!
flow monitor AUNTFLOWMON
 description Netflow monitor
 exporter AUNTFLOWEXPORT
 record AUNTFLOW
 cache timeout active 30
!
!
sampler AUNTFLOWSAMPLER
 description AUNTFLOW
 mode random 1 out-of 32
!
!
interface range g1/0/1 - 48
 ip flow monitor AUNTFLOWMON sampler AUNTFLOWSAMPLER input
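As an added illustration (not part of the original post, and not Cisco code), here is a small Python model of what the configuration above makes the switch do: the record's match lines are the key fields that identify a flow (the point made earlier about new key-field values creating a new flow), the collect lines are the counters accumulated per flow, the sampler examines roughly 1 packet in 32, and the 30-second active timeout pushes long-lived flows to the exporter while they are still running. The class and function names (FlowCache, run_sample, sampling_count) and all packet values are constructed for the example; nothing here speaks to a real collector.

```python
"""Toy Flexible NetFlow cache shaped like the AUNTFLOW record (added example)."""
import random
from dataclasses import dataclass

# Key fields = the record's "match" lines. A packet that differs in any of
# these from every cached flow starts a new flow entry.
KEY_FIELDS = ("src", "dst", "proto", "iface_in", "sport", "dport")


@dataclass
class Packet:
    ts: float          # seconds (constructed sample timestamps)
    src: str
    dst: str
    proto: int         # 6 = TCP, 17 = UDP
    iface_in: str      # "match interface input"
    sport: int
    dport: int
    length: int        # bytes on the wire
    tcp_flags: int = 0 # bitmask: 0x02 SYN, 0x10 ACK, 0x01 FIN, 0x04 RST


@dataclass
class FlowEntry:
    # Non-key fields = the record's "collect" lines, accumulated per flow.
    octets: int = 0      # collect counter bytes long
    packets: int = 0     # collect counter packets long
    tcp_flags: int = 0   # collect transport tcp flags (OR of all flags seen)
    first: float = 0.0   # collect timestamp absolute first
    last: float = 0.0    # collect timestamp absolute last


class FlowCache:
    def __init__(self, active_timeout=30.0, sample_out_of=1, rng=None):
        self.active_timeout = active_timeout   # "cache timeout active 30"
        self.sample_out_of = sample_out_of     # "mode random 1 out-of 32"
        self.rng = rng or random.Random()
        self.cache = {}      # key tuple -> FlowEntry
        self.exported = []   # (key tuple, FlowEntry) handed to the exporter

    def key(self, pkt):
        return tuple(getattr(pkt, f) for f in KEY_FIELDS)

    def sampled(self):
        # Random sampling: each packet independently has a 1/N chance.
        return self.rng.randrange(self.sample_out_of) == 0

    def observe(self, pkt):
        """Feed one packet; returns the flow key if it was sampled, else None."""
        if not self.sampled():
            return None
        k = self.key(pkt)
        entry = self.cache.get(k)
        if entry is None:
            entry = self.cache[k] = FlowEntry(first=pkt.ts, last=pkt.ts)
        entry.octets += pkt.length
        entry.packets += 1
        entry.tcp_flags |= pkt.tcp_flags
        entry.last = pkt.ts
        # Active timeout: a flow still going after 30 s is exported anyway, so
        # the collector sees long transfers before they finish.
        if pkt.ts - entry.first >= self.active_timeout:
            self.exported.append((k, self.cache.pop(k)))
        return k

    def top_talkers(self, n=3):
        """Bytes per source address over cached and exported flows, largest first."""
        totals = {}
        for k, e in list(self.cache.items()) + self.exported:
            totals[k[0]] = totals.get(k[0], 0) + e.octets
        return sorted(totals.items(), key=lambda kv: -kv[1])[:n]


def run_sample():
    """Constructed traffic: two TCP sessions and one DNS query, no sampling."""
    fc = FlowCache(active_timeout=30.0, sample_out_of=1)
    pkts = [
        Packet(0.0, "10.0.0.5", "192.168.1.10", 6, "Gi1/0/1", 40000, 443, 60, 0x02),
        Packet(0.1, "10.0.0.5", "192.168.1.10", 6, "Gi1/0/1", 40000, 443, 1400, 0x10),
        Packet(0.2, "10.0.0.5", "192.168.1.10", 6, "Gi1/0/1", 40001, 443, 60, 0x02),
        Packet(1.0, "10.0.0.7", "192.168.1.10", 17, "Gi1/0/2", 5000, 53, 80),
        Packet(31.0, "10.0.0.5", "192.168.1.10", 6, "Gi1/0/1", 40000, 443, 100, 0x10),
    ]
    for p in pkts:
        fc.observe(p)
    return fc


def sampling_count(out_of, n_packets, seed):
    """How many of n_packets a 1-out-of-N sampler examines (seeded for repeatability)."""
    fc = FlowCache(sample_out_of=out_of, rng=random.Random(seed))
    pkt = Packet(0.0, "10.0.0.1", "10.0.0.2", 17, "Gi1/0/3", 1, 2, 10)
    return sum(1 for _ in range(n_packets) if fc.observe(pkt) is not None)


if __name__ == "__main__":
    fc = run_sample()
    print("cached flows:", len(fc.cache), "exported:", len(fc.exported))
    print("top talkers:", fc.top_talkers())
    print("sampled of 3200 at 1/32:", sampling_count(32, 3200, seed=7))
```

Two things worth noticing when you run it: the third packet shares source, destination, protocol and interface with the first two but uses a different source port, so it lands in its own flow entry, exactly as the match lines dictate; and the byte count a sampled setup reports is roughly one 32nd of the real traffic, so a collector working from this export has to scale its numbers by the sampling rate before the top-talker figures mean anything.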