User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 62 Configuring Logging Policies
Logging on Cisco IOS Routers, page 62-1
NetFlow on Cisco IOS Routers
The ability to characterize IP traffic and understand how and where it flows is critical for network
availability, performance and troubleshooting. Monitoring IP traffic flows facilitates accurate capacity
planning, and ensures that network resources are used appropriately in support of organizational goals.
NetFlow is a logging feature available on IOS devices for recording, caching and transmitting IP
traffic-flow information on a per-interface basis. The basic output of NetFlow is a flow record, where a
“flow” is defined as a unidirectional stream of packets between a given source and destination—both
defined by a network-layer IP address and transport-layer source and destination port numbers.
On the IOS device, NetFlow consists of two key components—a NetFlow cache which stores IP flow
data, and the NetFlow export mechanism that transmits the NetFlow records to a collection server for
data reporting. Thus, when enabled, NetFlow records and caches statistics for incoming and outgoing
traffic flows, periodically transmitting these records from the device to a NetFlow collector, in the form
of User Datagram Protocol (UDP) datagrams.
Several different formats for the export packet, or flow record, have evolved as NetFlow has matured,
and these formats are commonly referred to as the NetFlow version. These versions are well
documented, and include versions 1, 5, 7, and 9. The most commonly used format is NetFlow version 5,
but version 9 is the latest format and has some advantages for extensibility, security, traffic analysis and
multicasting.
Security Manager currently supports Traditional NetFlow on IOS devices. Traditional NetFlow provides
a fixed flow record, even for version 9, meaning the device will use certain flags and predefined record
combinations in generating the flow. The device configuration settings define export destinations, export
interface, and certain version-specific transmission options.
More About Traffic Flows and NetFlow
Each packet that passes into or out of a router or switch is examined for a set of IP packet attributes.
These attributes are the IP packet identity or “fingerprint,” and they define whether the packet is unique,
or related to other packets.
All packets with the same source/destination IP address, source/destination ports, protocol, interface, and
class of service are grouped into a flow and the packets and bytes are tallied. This method of flow
determination (or “fingerprinting”) is scalable because a large amount of network information can be
condensed into a database of NetFlow information called the NetFlow cache.
The NetFlow cache is constantly filling with new flows, while software in the router or switch scans
the cache for flows that have terminated or expired; those flows are then exported to the NetFlow
collector. (Unlike SNMP, where a management station must poll the device, NetFlow export pushes the
records to the collector periodically.) The NetFlow collector has the job of assembling and organizing
the exported flows to produce the real-time or historical reports used for traffic and security analysis.
NetFlow Summary
To summarize, the following steps outline NetFlow:
1. NetFlow is configured on the router or switch to capture IP traffic flows.
2. Flow records are stored in the local NetFlow cache.
3. Periodically, approximately 30 to 50 flow records are bundled together and exported to a NetFlow
   collector server.
4. The collector software creates reports from the NetFlow data.
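The following Python model is an added illustration, not code from the Security Manager guide or from Cisco IOS: it shows how the seven key fields form a flow fingerprint, how packets and bytes are tallied in the cache, how terminated or idle flows expire, and how expired records are bundled for export. The active/inactive timeouts (30 min / 15 s) and the bundle size of 30 records are assumed defaults, and the traffic fed to it is constructed.

```python
class NetFlowCache:
    # Assumed defaults: 30 min active / 15 s inactive timeouts, 30 records per export.
    def __init__(self, active=1800.0, inactive=15.0, bundle=30):
        self.active, self.inactive, self.bundle = active, inactive, bundle
        self.cache = {}      # fingerprint -> flow record still being tallied
        self.pending = []    # expired records waiting to be bundled
        self.datagrams = []  # exported bundles, each a list of (key, record)

    def observe(self, pkt, now):
        # Seven key fields form the "fingerprint"; direction matters (request and reply are two flows).
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
               pkt["proto"], pkt["tos"], pkt["iface"])
        rec = self.cache.setdefault(key, dict(first=now, packets=0, octets=0, flags=0))
        rec["packets"] += 1
        rec["octets"] += pkt["len"]
        rec["last"] = now
        rec["flags"] |= pkt.get("flags", 0)  # OR of every TCP flag seen in the flow
        if pkt["proto"] == 6 and pkt.get("flags", 0) & 0x05:  # FIN or RST ends a TCP flow
            self._expire(key)

    def sweep(self, now):
        # Periodic scan for flows that went idle or exceeded the active timeout.
        for key, rec in list(self.cache.items()):
            if now - rec["last"] >= self.inactive or now - rec["first"] >= self.active:
                self._expire(key)

    def _expire(self, key):
        self.pending.append((key, self.cache.pop(key)))
        if len(self.pending) >= self.bundle:
            self.flush()

    def flush(self):
        # Emit one export datagram (a real device sends it to the collector over UDP).
        if self.pending:
            self.datagrams.append(self.pending)
            self.pending = []

def demo():
    # Constructed traffic: a TCP session closed by FIN, then a DNS query that goes idle.
    nf = NetFlowCache()
    tcp = dict(src="10.0.0.5", dst="192.0.2.10", sport=40000, dport=443, proto=6, tos=0, iface=1)
    dns = dict(src="10.0.0.5", dst="192.0.2.53", sport=5353, dport=53, proto=17, tos=0, iface=1)
    nf.observe({**tcp, "len": 60, "flags": 0x02}, 0.0)    # SYN
    nf.observe({**tcp, "len": 1200, "flags": 0x18}, 0.2)  # PSH/ACK carrying data
    nf.observe({**tcp, "len": 60, "flags": 0x11}, 0.5)    # FIN/ACK: flow expires at once
    nf.observe({**dns, "len": 60}, 1.0)
    nf.sweep(10.0)   # DNS flow idle for 9 s: still in the cache
    nf.sweep(20.0)   # idle for 19 s, past the inactive timeout: expired
    nf.flush()       # push the partial bundle out; return the cache for inspection
    return nf
```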