
White Paper

Introduction to Cisco IOS NetFlow—A Technical Overview

Last updated: February 2006

Successfully delivering mission critical, performance sensitive services and applications with NetFlow.

INTRODUCTION

NetFlow is an embedded instrumentation within Cisco IOS Software to characterize network operation. Visibility into the network is an indispensable tool for IT professionals. In response to new requirements and pressures, network operators are finding it critical to understand how the network is behaving, including:

- Application and network usage
- Network productivity and utilization of network resources
- The impact of changes to the network
- Network anomaly and security vulnerabilities
- Long term compliance issues

Cisco IOS NetFlow fulfills those needs, creating an environment where administrators have the tools to understand who, what, when, where, and how network traffic is flowing. When the network behavior is understood, business processes improve and an audit trail of how the network is utilized is available. This increased awareness reduces vulnerability of the network related to outage and allows efficient operation of the network. Improvements in network operation lower costs and drive higher business revenues by better utilization of the network infrastructure.

Enterprises, including Cisco IT, depend heavily on Cisco IOS NetFlow in order to meet their business objectives: “As converged networks and IP telephony become more prevalent, the ability to characterize traffic on the network—both for capacity planning and anomaly detection—will become even more critical.” Roland Dobbins, Cisco IT Network Engineer. Read more information on how Cisco IT uses NetFlow.

This white paper illustrates the importance of NetFlow and demonstrates how NetFlow can be used by Enterprises, Small and Medium-sized Businesses (SMB), and Channel Partners to meet critical network challenges. It is a basic overview of how NetFlow works and produces data and reporting solutions.

INCREASING IMPORTANCE OF NETWORK AWARENESS

Traditional SNMP Performance Monitoring

Traditionally customers relied almost exclusively on Simple Network Management Protocol (SNMP) to monitor bandwidth. Although SNMP facilitates capacity planning, it does little to characterize traffic applications and patterns, which is essential for understanding how well the network supports the business. A more granular understanding of how bandwidth is being used is extremely important in today’s IP networks. Packet and byte interface counters are useful, but understanding which IP addresses are the source and destination of traffic and which applications are generating the traffic is invaluable.

All contents are Copyright 1992–2006 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.

NetFlow Based Network Awareness

The ability to characterize IP traffic and understand how and where it flows is critical for network availability, performance and troubleshooting. Monitoring IP traffic flows facilitates more accurate capacity planning and ensures that resources are used appropriately in support of organizational goals. It helps IT determine where to apply Quality of Service (QoS) and optimize resource usage, and it plays a vital role in network security to detect Denial-of-Service (DoS) attacks, network-propagated worms, and other undesirable network events.

NetFlow facilitates solutions to many common problems encountered by IT professionals.

- Analyze new applications and their network impact—Identify new application network load such as VoIP or remote site additions.
- Reduction in peak WAN traffic—Use NetFlow statistics to measure WAN traffic improvement from application-policy changes. Understand who is utilizing the network and the network top talkers.
- Troubleshooting and understanding network pain points—Diagnose slow network performance, bandwidth hogs and bandwidth utilization quickly with command line interface or reporting tools.
- Detection of unauthorized WAN traffic—Avoid costly upgrades by identifying the applications causing congestion.
- Security and anomaly detection—NetFlow can be used for anomaly detection, worm diagnosis along with applications such as Cisco CS-Mars.
- Validation of QoS parameters—Confirm that appropriate bandwidth has been allocated to each Class of Service (CoS) and that no CoS is over or under-subscribed.

HOW DOES NETFLOW GIVE YOU NETWORK INFORMATION?

What is an IP Flow?

Each packet that is forwarded within a router or switch is examined for a set of IP packet attributes. These attributes are the IP packet identity or fingerprint of the packet and determine if the packet is unique or similar to other packets.

Traditionally, an IP Flow is based on a set of 5 and up to 7 IP packet attributes.

IP Packet attributes used by NetFlow:

- IP source address
- IP destination address
- Source port
- Destination port
- Layer 3 protocol type
- Class of Service
- Router or switch interface

All packets with the same source/destination IP address, source/destination ports, protocol, interface and class of service are grouped into a flow, and then packets and bytes are tallied. This methodology of fingerprinting or determining a flow is scalable because a large amount of network information is condensed into a database of NetFlow information called the NetFlow cache.

Figure 1. Creating a Flow in the NetFlow Cache

This flow information is extremely useful for understanding network behavior:

- Source address allows the understanding of who is originating the traffic
- Destination address tells who is receiving the traffic
- Ports characterize the application utilizing the traffic
- Class of service examines the priority of the traffic
- The device interface tells how traffic is being utilized by the network device
- Tallied packets and bytes show the amount of traffic

Additional information added to a flow includes:

- Flow timestamps to understand the life of a flow; timestamps are useful for calculating packets and bytes per second
- Next hop IP addresses including BGP routing Autonomous Systems (AS)
- Subnet mask for the source and destination addresses to calculate prefixes
- TCP flags to examine TCP handshakes

How to Access the Data Produced by NetFlow?

There are two primary methods to access NetFlow data: the Command Line Interface (CLI) with show commands or utilizing an application reporting tool. If you are interested in an immediate view of what is happening in your network, the CLI can be used. NetFlow CLI is very useful for troubleshooting.

The other choice is to export NetFlow to a reporting server or what is called the “NetFlow Collector.” The NetFlow collector has the job of assembling and understanding the exported flows and combining or aggregating them to produce the valuable reports used for traffic and security analysis. NetFlow export, unlike SNMP polling, pushes information periodically to the NetFlow reporting collector. In general, the NetFlow cache is constantly filling with flows, and software in the router or switch is searching the cache for flows that have terminated or expired; these flows are exported to the NetFlow collector server. Flows are terminated when the network communication has ended (for example, a packet contains the TCP FIN flag).

The following steps are used to implement NetFlow data reporting:

- NetFlow is configured to capture flows to the NetFlow cache
- NetFlow export is configured to send flows to the collector
- The NetFlow cache is searched for flows that have terminated and these are exported to the NetFlow collector server
- Approximately 30 to 50 flows are bundled together and typically transported in UDP format to the NetFlow collector server
- The NetFlow collector software creates real-time or historical reports for the data

How Does the Router or Switch Determine which Flows to Export to the NetFlow Collector Server?

A flow is ready for export when it is inactive for a certain time (that is, no new packets received for the flow), or if the flow is long lived (active) and lasts longer than the active timer (for example, a long FTP download). Also, the flow is ready for export when a TCP flag indicates the flow is terminated (that is, a FIN or RST flag). There are timers to determine if a flow is inactive or if a flow is long lived; the default for the inactive flow timer is 15 seconds and for the active flow timer is 30 minutes. All the timers for export are configurable, but the defaults are used in most cases except on the Cisco Catalyst 6500 Series Switch platform. The collector can combine flows and aggregate traffic. For example, an FTP download that lasts longer than the active timer may be broken into multiple flows, and the collector can combine these flows, showing total FTP traffic to a server at a specific time of day.

What is the Format of the Export Data?

There are various formats for the export packet and these are commonly called the export version. The export versions are well documented formats including version 5, 7, and 9. The most common format used is NetFlow export version 5, but version 9 is the latest format and has some advantages for key technologies such as security, traffic analysis and multicast. To understand more about export versions and a detailed technical discussion about NetFlow, see the NetFlow Services and Solutions Guide. Figure 2 below is an example of the data available in a NetFlow cache.

Figure 2. Example NetFlow Cache

WHERE CAN NETFLOW BE IMPLEMENTED IN THE NETWORK?

NetFlow is typically used on a central site because all traffic from the remote sites is characterized and is available within NetFlow. The location where NetFlow is deployed may depend on the location of the reporting solution and the topology of the network. If the reporting collection server is centrally located, then implementing NetFlow close to the reporting collector server is optimal. NetFlow can also be enabled at remote branch locations with the understanding that the export data will utilize bandwidth. About 1-5% of the switched traffic is used for export to the collection server.
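The flow key, the export rules (15-second inactive timer, 30-minute active timer, TCP FIN/RST) and the collector recombining a long FTP download, all described above, as an added example that is not from the original paper and is not Cisco's implementation. Class and function names and the sample traffic are constructed for illustration.

```python
from dataclasses import dataclass

INACTIVE_TIMEOUT = 15      # seconds (default stated in the text)
ACTIVE_TIMEOUT = 30 * 60   # seconds (default stated in the text)
TCP_FIN, TCP_RST = 0x01, 0x04


@dataclass
class Flow:
    key: tuple
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0   # bitwise OR of the flags of every packet in the flow


class FlowCache:
    """Toy model of the NetFlow cache; names are this example's own."""

    def __init__(self, inactive=INACTIVE_TIMEOUT, active=ACTIVE_TIMEOUT):
        self.inactive, self.active = inactive, active
        self.flows = {}
        self.exported = []   # (reason, Flow) in export order

    def _export(self, key, reason):
        self.exported.append((reason, self.flows.pop(key)))

    def age(self, now):
        """Ager poll: export flows that hit the inactive or active timer."""
        for key, flow in list(self.flows.items()):
            if now - flow.last >= self.inactive:
                self._export(key, "inactive")
            elif now - flow.first >= self.active:
                self._export(key, "active")

    def packet(self, now, src, dst, sport, dport, proto, tos, ifindex,
               size, flags=0):
        self.age(now)
        key = (src, dst, sport, dport, proto, tos, ifindex)  # the 7 attributes
        flow = self.flows.get(key)
        if flow is None:
            flow = self.flows[key] = Flow(key, first=now, last=now)
        flow.last = now
        flow.packets += 1
        flow.octets += size
        if proto == 6:
            flow.tcp_flags |= flags
            if flags & (TCP_FIN | TCP_RST):
                self._export(key, "tcp-end")


def collector_merge(exported):
    """Collector side: recombine export records that share a flow key."""
    totals = {}
    for _reason, flow in exported:
        t = totals.setdefault(flow.key, {"records": 0, "packets": 0,
                                         "octets": 0, "first": flow.first})
        t["records"] += 1
        t["packets"] += flow.packets
        t["octets"] += flow.octets
        t["last"] = flow.last
    return totals


def demo():
    cache = FlowCache()
    ftp = ("172.16.10.2", "172.16.1.84", 20, 40000, 6, 0, 1)   # constructed
    dns = ("172.16.10.2", "172.16.1.85", 53001, 53, 17, 0, 1)  # constructed
    cache.packet(0, *dns, size=64)          # single UDP packet, then silence
    # One 1500-byte segment every 10 s for 3700 s, FIN on the last one.
    for t in range(0, 3701, 10):
        cache.packet(t, *ftp, size=1500, flags=TCP_FIN if t == 3700 else 0x10)
    return cache, collector_merge(cache.exported), ftp, dns


if __name__ == "__main__":
    cache, merged, ftp, dns = demo()
    for reason, flow in cache.exported:
        print(reason, flow.key[1], flow.packets, flow.octets)
    print(merged[ftp])
```

With the default timers, a long-lived connection first reaches the collector 30 minutes after it starts, which bounds how quickly flow-based detection can see it.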

Figure 3. NetFlow Export to a Collector

Almost all Cisco devices have supported NetFlow since its introduction in the 11.1 train of Cisco IOS Software, and because of this NetFlow is most likely available in any device in the network.

Table 1. NetFlow Recent Cisco Device Support Matrix

| Device | Supported |
|---|---|
| Cisco 800, 1700, 2600 | Yes |
| Cisco 1800, 2800, 3800 | Yes |
| Cisco 4500 | Yes |
| Cisco 6500 | Yes |
| Cisco 7200, 7300, 7500 | Yes |
| Cisco 7600 | Yes |
| Cisco 10000, 12000, CRS-1 | Yes |
| Cisco 2900, 3500, 3660, 3750 | No |

WHICH APPLICATIONS REPORT ON NETFLOW DATA?

There are a large number of NetFlow collectors, including Cisco, freeware and third party commercial vendors’ products, that report and utilize NetFlow data. It is important to understand various factors when picking a partner for NetFlow reporting.

- What will be the main uses for NetFlow? Security, capacity planning and traffic analysis including application and user monitoring?
- Is real-time reporting or historical reporting more important?
- Which operating system is preferred for the server?
- Is this a large or small implementation of NetFlow and is scalability a concern?
- How much are you willing to pay for the product?
- Are there any current performance management products used in your organization and can these be extended to support NetFlow?

Once the reporting application is chosen, the sizing of the server and number of servers are determined by talking with the vendor for the product. Some reporting systems offer a two-tier architecture where collectors are placed near key sites in the network and they aggregate and forward the data to a main reporting server. Other smaller deployments may have a single server for reporting and collection. Figure 5 is a list of the Cisco NetFlow partner reporting products that are available, the operating system utilized and the main uses they offer. Also included are typical starting prices for the product, with price ranges shown as low, medium, high. Low is for products priced at less than 7500, medium ranges from 7500 to 25000, and high is greater than 25000. In recent years, many new partners and solutions have become available on both Windows and Linux operating systems.

Table 2. *Commercial NetFlow Reporting Products

| Product Name | Primary Use | Primary User | Operating System | Starting Price Range |
|---|---|---|---|---|
| Cisco NetFlow Collector | Traffic Analysis | Enterprise, Service Provider | Linux, Solaris | Medium |
| Cisco CS-Mars | Security Monitoring | Enterprise, SMB | Linux | Medium |
| AdventNet | Traffic Analysis | Enterprise, SMB | Windows | Low |
| Apoapsis | Traffic Analysis | Enterprise | Linux | Medium |
| Arbor Networks | Security/Traffic Analysis | Enterprise, Service Provider | BSD | High |
| Caligare | Traffic/Security Analysis | Enterprise, Service Provider | Linux | Medium |
| Crannog Software | Traffic Analysis | Enterprise, SMB | Windows | Low |
| *CA Software | Traffic Analysis | Enterprise, Service Provider | Windows | High |
| *Evident Software | Traffic Analysis, Billing | Enterprise | Linux | High |
| *HP | Traffic Analysis | Enterprise, Service Provider | Linux, Solaris | High |
| IBM Aurora | Traffic Analysis/Security | Enterprise, Service Provider | Linux | Medium |
| InfoVista (Crannog) | Traffic Analysis | Enterprise, Service Provider | Windows | High |
| IsarNet | Traffic Analysis | Enterprise, Service Provider | Linux | Medium |
| *Micromuse | Traffic Analysis | Enterprise, Service Provider | Solaris | High |
| NetQoS | Traffic/Security Analysis | Enterprise | Windows | High |
| Valencia Systems | Traffic Analysis | Enterprise | Windows | High |
| Wired City | Traffic Analysis | Enterprise | Windows | High |

Use Cisco NetFlow Collector

Table 3. Freeware NetFlow Reporting Products

| Product Name | Primary Use | Comment | Operating System |
|---|---|---|---|
| CFlowd | Traffic Analysis | No Longer Supported | Unix |
| Flow-tools | Collector Device | Scalable | Unix |
| Flowd | Collector Device | Supports V9 | BSD, Linux |
| FlowScan | Reporting for Flow-Tools | | Unix |
| NetFlow Guide | Reporting Tools | | BSD, Linux |
| NetFlow Monitor | Traffic Analysis | Supports V9 | Linux |
| NTOP | Collector Device | Supports V9 | Unix |
| Panoptis | Security Monitoring | | Unix |
| Stager | Reporting for Flow-Tools | | Unix |

Figure 4. Example of Traffic Analysis Reporting Utilizing NetFlow Data

Figure 5. Example of CS-Mars Cisco Product that Utilizes NetFlow to Understand Security Incidents

SUMMARY

NetFlow is an important technology available in your Cisco device to help you with visibility into how your network assets are being used and into the network behavior. NetFlow will help reduce costs by giving you an audit trail, reducing troubleshooting time and facilitating reports to understand network utilization. It will help in the implementation of new IP applications and detect security vulnerabilities. NetFlow will let you understand who is using the network, the destination of traffic, when the network is utilized and the type of applications consuming bandwidth.

For more information on NetFlow visit: http://www.cisco.com/go/netflow

For detailed technical Cisco IOS Software documentation on NetFlow: http://www.cisco.com/en/US/products/ps6601/prod_white_papers_list.html

APPENDIX A—SOFTWARE PLATFORM CONFIGURATION

The following is an example of a basic router configuration for NetFlow. NetFlow basic functionality is very easy to configure. NetFlow is configured on a per interface basis. When NetFlow is configured on the interface, IP packet flow information will be captured into the NetFlow cache. Also, NetFlow can be configured to export the NetFlow data to a collection server if a server is deployed.

1. Configuring the interface to capture flows into the NetFlow cache. CEF followed by NetFlow flow capture is configured on the interface.

    Router(config)# ip cef
    Router(config)# interface ethernet 1/0
    Router(config-if)# ip flow ingress

   Or

    Router(config-if)# ip route-cache flow

   Either the ip flow ingress or the ip route-cache flow command can be used, depending on the Cisco IOS Software version. ip flow ingress is available in Cisco IOS Software Release 12.2(15)T or above.

2. This step is required if exporting the NetFlow cache to a reporting server. The version or format of the NetFlow export packet is chosen and then the destination IP address of the export server. The 9997 is the UDP port the server will use to receive the UDP export from the Cisco device.

    Router(config)# ip flow-export version 9
    Router(config)# ip flow-export destination 172.22.23.7 9997

More Information on NetFlow Configuration

APPENDIX B—CISCO CATALYST 6500 SERIES SWITCH PLATFORM NETFLOW CONFIGURATION

The following is an example of NetFlow on a Cisco Catalyst 6500 Series Switch. The Cisco Catalyst 6500 Series Switch has two aspects of NetFlow configuration: configuration of hardware based NetFlow and of software NetFlow. Almost all flows on the Cisco Catalyst 6500 Series Switch are hardware switched, and the MLS commands are used to characterize NetFlow in hardware. The MSFC (software based NetFlow) will characterize software based flows for packets that are punted up to the MSFC. Figure 8 shows the concept of two paths for NetFlow packets, the hardware and software paths, and the configuration for each path. Normally on the Cisco Catalyst 6500 Series Switch both hardware and software based NetFlow are configured.

Figure 6. NetFlow Flow Characterization on Cisco Catalyst 6500 Series Switch

The hardware switched flows use the MLS commands to configure NetFlow. Remember that for hardware based flows NetFlow is enabled on all interfaces when configured.

    ! Set aging of inactive flows to 32 seconds
    mls aging normal 32
    ! Optionally configure a flow mask
    mls flow ip interface-full
    ! Specify the version for export from the PFC
    mls nde sender version 5
    ! Send interface information with the export (command available by
    ! default with Supervisor720/Supervisor 32)
    mls nde interface

The following is the configuration for NetFlow on the MSFC for software based flows. This configuration is equivalent to what is shown in Appendix A. The user configures NetFlow per interface to activate flow characterization and also configures an export destination for the hardware and software switched flows.

    interface POS9/14
     ip address 42.50.31.1 255.255.255.252
     ! ip flow ingress can also be used
     ip route-cache flow
    ! The export version is set up for the software flows exported from the MSFC
    ip flow-export version 5
    ! The destination for hardware and software flows is specified
    ip flow-export destination 10.1.1.209 9999

More Information on the Cisco Catalyst 6500 Series Switch NetFlow Configuration
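What a collector listening on that export port has to do with each version 5 datagram, as an added example (not Cisco's code and not from the original paper). The 24-byte header and 48-byte record layout are the published version 5 format, which this paper does not reproduce; the function names and the sample flows are this example's own and constructed.

```python
import ipaddress
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")   # 48 bytes
MAX_V5_RECORDS = 30   # most records one version 5 datagram carries


class ExportError(ValueError):
    """Datagram is not a well-formed version 5 export."""


def parse_v5(datagram):
    """Return (header, flows); reject datagrams whose size and count disagree."""
    if len(datagram) < V5_HEADER.size:
        raise ExportError("shorter than the 24-byte header")
    (version, count, uptime_ms, unix_secs, _nsecs, sequence,
     engine_type, engine_id, _sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ExportError(f"export version {version}, expected 5")
    if not 1 <= count <= MAX_V5_RECORDS:
        raise ExportError(f"record count {count} out of range")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ExportError("length does not match record count")
    flows = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, packets, octets, first_ms, last_ms,
         sport, dport, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "nexthop": str(ipaddress.IPv4Address(nexthop)),
            "in_if": in_if, "out_if": out_if,
            "packets": packets, "octets": octets,
            # first/last are router uptime in ms; the difference is flow life
            "duration_ms": (last_ms - first_ms) & 0xFFFFFFFF,
            "sport": sport, "dport": dport, "proto": proto, "tos": tos,
            "tcp_flags": tcp_flags,   # OR of the flags of all packets
            "src_as": src_as, "dst_as": dst_as,
            "src_mask": src_mask, "dst_mask": dst_mask,
        })
    header = {"sequence": sequence, "count": count, "uptime_ms": uptime_ms,
              "unix_secs": unix_secs, "engine": (engine_type, engine_id)}
    return header, flows


def lost_flows(prev_header, header):
    """Flow records missing between two datagrams from the same engine.

    flow_sequence counts flows exported so far, so the next datagram should
    start at previous sequence + previous count; export is UDP, so gaps happen.
    """
    expected = (prev_header["sequence"] + prev_header["count"]) & 0xFFFFFFFF
    return (header["sequence"] - expected) & 0xFFFFFFFF


def build_v5(sequence, records, uptime_ms=3_600_000, unix_secs=1_140_000_000):
    """Build a constructed datagram so the example runs without a router."""
    out = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0,
                         sequence, 0, 0, 0)
    for r in records:
        out += V5_RECORD.pack(
            ipaddress.IPv4Address(r["src"]).packed,
            ipaddress.IPv4Address(r["dst"]).packed, bytes(4),
            r["in_if"], r["out_if"], r["packets"], r["octets"],
            r["first_ms"], r["last_ms"], r["sport"], r["dport"],
            r["tcp_flags"], r["proto"], 0, 0, 0, 24, 24)
    return out


# Constructed sample flows (addresses borrowed from the paper's examples).
SAMPLE = [
    dict(src="172.16.10.2", dst="172.16.1.84", in_if=1, out_if=2, packets=4,
         octets=160, first_ms=3_590_000, last_ms=3_592_000,
         sport=1025, dport=80, tcp_flags=0x1B, proto=6),
    dict(src="172.16.7.2", dst="224.0.0.9", in_if=1, out_if=0, packets=1,
         octets=52, first_ms=3_595_000, last_ms=3_595_000,
         sport=520, dport=520, tcp_flags=0, proto=17),
]

if __name__ == "__main__":
    h1, flows = parse_v5(build_v5(100, SAMPLE))
    h2, _ = parse_v5(build_v5(105, SAMPLE[:1]))
    for f in flows:
        print(f)
    print("flow records lost between datagrams:", lost_flows(h1, h2))
```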

APPENDIX C—EXAMPLE SHOW COMMANDS FOR NETFLOW DATA

The following is an example of how to visualize the NetFlow data using the CLI. There are three methods to visualize the data depending on the version of Cisco IOS Software. The traditional show command for NetFlow is “show ip cache flow”; also available are two forms of top talker commands. One form of the top talkers command uses a static configuration to view top talkers in the network, and another command called dynamic top talkers allows real-time sorting and aggregation of NetFlow data. Also shown is a show MLS command to view the hardware cache on the Cisco Catalyst 6500 Series Switch.

The following is the original NetFlow show command used for many years in Cisco IOS Software. Information provided includes packet size distribution, basic statistics about number of flows and export timer setting, a view of the protocol distribution statistics, and the NetFlow cache.

    R3#show ip cache flow
    IP packet size distribution (469 total 480
    .000 .968 .000 .031 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
    512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
    .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
    IP Flow Switching Cache, 278544 bytes
    7 active, 4089 inactive, 261 added
    1278 ager polls, 0 flow alloc failures
    Active flows timeout in 30 minutes
    Inactive flows timeout in 15 seconds
    IP Sub Flow Cache, 25736 bytes
    1 active, 1023 inactive, 38 added, 38 added to flow
    0 alloc failures, 0 force free
    1 chunk, 1 chunk added
    last clearing of statistics never
    Protocol  Total  Flows  Packets  Bytes  Packets  Active(Sec) tFlow cache below)
    SrcIf   SrcIPaddress   DstIf   DstIPaddress   Pr SrcP DstP  Pkts
    Et1/0   172.16.7.2     Null    224.0.0.9      11 0208 0208     1
    Et1/0   172.16.10.2    Et0/0   172.16.1.84    06 0087 0087     1
    Et1/0   172.16.10.2    Et0/0   172.16.1.84    06 0050 0050     1
    Et1/0   172.16.10.2    Et0/0   172.16.1.85    06 0089 0089     1
    Et1/0   172.16.10.2    Et0/0   172.16.1.85    06 0050 0050     1
    Et1/0   172.16.10.2    Et0/0   172.16.1.86    06 00B3 00B3     1
    Et1/0   172.16.10.2    Et0/0   172.16.1.86    06 0185 0185     2

| Field | Description |
|---|---|
| Bytes | Number of bytes of memory used by the NetFlow cache. |
| Active | Number of active flows in the NetFlow cache at the time this command was entered. |
| Inactive | Number of flow buffers that are allocated in the NetFlow cache, but were not currently assigned to a specific flow at the time this command was entered. |
| Added | Number of flows created since the start of the summary period. |
| Ager Polls | Number of times the NetFlow code looked at the cache to cause entries to expire (used by Cisco for diagnostics only). |
| Flow Alloc Failures | Number of times the NetFlow code tried to allocate a flow but could not. |
| Exporting Flows | IP address and User Datagram Protocol (UDP) port number of the workstation to which flows are exported. |
| Flows Exported in UDP Datagrams | Total number of flows exported and the total number of UDP datagrams used to export the flows to the workstation. |
| Failed | Number of flows that could not be exported by the router because of output interface limitations. |
| Last Clearing of Statistics | Standard time output (hh:mm:ss) since the clear ip flow stats privileged EXEC command was executed. This time output changes to hours and days after the time exceeds 24 hours. |
| Protocol | IP protocol and the well-known port number. (Refer to http://www.iana.org, Protocol Assignment Number Services, for the latest RFC values.) Note: Only a small subset of all protocols is displayed. |
| Total Flows | Number of flows in the cache for this protocol since the last time the statistics were cleared. |
| Flows/Sec | Average number of flows for this protocol per second; equal to the total flows divided by the number of seconds for this summary period. |
| Packets/Flow | Average number of packets for the flows for this protocol; equal to the total packets for this protocol divided by the number of flows for this protocol for this summary period. |
| Bytes/Pkt | Average number of bytes for the packets for this protocol; equal to the total bytes for this protocol divided by the total number of packets for this protocol for this summary period. |
| Packets/Sec | Average number of packets for this protocol per second; equal to the total packets for this protocol divided by the total number of seconds for this summary period. |
| Active(Sec)/Flow | Number of seconds from the first packet to the last packet of an expired flow divided by the number of total flows for this protocol for this summary period. |
| Idle(Sec)/Flow | Number of seconds observed from the last packet in each nonexpired flow for this protocol until the time at which the show ip cache verbose flow command was entered divided by the total number of flows for this protocol for this summary period. |

Show IP Cache Flow Field Descriptions in NetFlow Record Display

| Field | Description |
|---|---|
| SrcIf | Interface on which the packet was received. |
| Port Msk AS | Source Border Gateway Protocol (BGP) autonomous system. This is always set to 0 in MPLS flows. |
| SrcIPaddress | IP address of the device that transmitted the packet. |
| DstIf | Interface from which the packet was transmitted. Note: If an asterisk (*) immediately follows the DstIf field, the flow being shown is an egress flow. |
| Port Msk AS | Destination BGP autonomous system. This is always set to 0 in MPLS flows. |

| Field | Description |
|---|---|
| DstIPaddress | IP address of the destination device. |
| NextHop | Specifies the BGP next-hop address. This is always set to 0 in MPLS flows. |
| Pr | IP protocol well-known port number as described in RFC 1340, displayed in hexadecimal format. |
| B/Pk | Average number of bytes observed for the packets seen for this protocol (total bytes for this protocol or the total number of flows for this protocol for this summary period). |
| Flgs | TCP flags (result of bitwise OR of TCP flags from all packets in the flow). |
| Active | Number of active flows in the NetFlow cache at the time this command was entered. |
| Pkts | Number of packets switched through this flow. |

More Information on show ip cache flow

The following command shows hardware based flows specifically on the Cisco Catalyst 6500 Series Switch platform. The above command “show ip cache flow” can also be used to show both hardware and software flows on the Cisco Catalyst 6500 Series Switch, but this depends on the supervisor and the release of Cisco IOS Software being used.

    C6500#show mls netflow ip
    Displaying Netflow entries in Supervisor Earl
    DstIP SrcIP Prot:Src Port:DstPort Src i/f :AdjPtr
    ------------------------------
    10.102.130.213 10.214.39.79tcp:46528 :www:0x0 L3-57341715:47:38L3-Dynamic
    10.230.215.148 10.155.22.221 tcp:51813 :45912 :0x0 25Dynamic
    10.97.36.20010.17.64.177tcp:65211 :www:0x0 910.46.13.211tcp:27077 :60425 :0x0 10Dynamic10.90.33.185Dynamic

The following describes the NetFlow Top Talkers command, showing the largest packet and byte consumers on the network. Network Top Talkers does require some configuration. The configuration is shown, followed by the show command. This command is available in Release 12.3(11)T and Release 12.2(25)S and above Cisco IOS Software releases.

    Router(config)#ip p 10

The following are the top ten talkers in the network, sorted by packets:

    R3#show ip flow top-talkers
    SrcIf   SrcIPaddress   DstIf   DstIPaddress   Pr SrcP DstP  Pkts
    Et1/0   172.16.10.2    Et0/0   172.16.1.84    06 0087 0087  2100
    Et1/0   172.16.10.2    Et0/0   172.16.1.85    06 0089 0089  1892
    Et1/0   172.16.10.2    Et0/0   172.16.1.86    06 0185 0185  1762
    Et1/0   172.16.10.2    Et0/0   172.16.1.86    06 00B3 00B3     2
    Et1/0   172.16.10.2    Et0/0   172.16.1.84    06 0050 0050     1
    Et1/0   172.16.10.2    Et0/0   172.16.1.85    06 0050 0050     1
    7 of 10 top talkers shown. 7 flows processed.

More Information on NetFlow MIB and Top Talkers

The following command shows the output of the Dynamic Top Talkers command to show all flows to a specific destination address. This command was released in Release 12.4(4)T. This command is very useful for searching the NetFlow cache in various ways and sorting by number of flows, packets or bytes. It is very useful for troubleshooting and for real-time security monitoring.

    R3#show ip flow top 10 aggregate destination-address
    There are 3 top talkers:
    IPV4 DST-ADDR    bytes   pkts   flows
    172.16.1.86        160      4       2
    172.16.1.85        160      4       2
    172.16.1.84        160      4       2

The following is an example of the Dynamic Top Talker command with the sorting of all flows to a specific destination on a port range.

    R3#show ip flow top 10 aggregate destination-address sorted-by bytes match source-port min 0 max 1000
    There are 3 top talkers:
    IPV4 DST-ADDR    bytes   pkts   flows
    172.16.1.84         80      2       2
    172.16.1.85         80      2       2
    172.16.1.86         80      2       2
    6 of 6 flows matched.

Other examples include:

- Top 10 protocols currently flowing through the router:

    router# show ip flow top 10 aggregate protocol

- Top 10 IP addresses which are sending the most packets:

    router# show ip flow top 10 aggregate source-address sorted-by packets

- Top 5 destination addresses to which we're routing most traffic from the 10.0.0.1/24 prefix:

    router# show ip flow top 5 aggregate destination-address match source-prefix 10.0.0.1/24

- 50 VLAN's which we're sending the least bytes to:

    router# show ip flow top 50 aggregate destination-vlan sorted-by bytes ascending

- Top 20 sources of 1-packet flows:

    router# show ip flow top 50 aggregate source-address match packets 1

For more information on Dynamic Top Talkers.
