I have a question regarding NetFlow, and NetFlow Configurations.
Here is my network diagram.
I've read that:
"NetFlow is a network protocol system created by Cisco that collects active IP network traffic as it flows in or out of an interface. The NetFlow data is then analyzed to create a picture of network traffic flow and volume."
Looking at my diagram, I have two edge routers. Router 1 is connected to one of my ISPs. Router 2 is connected to 2 ISPs.
Edge Routers 1 and 2 have NetFlow configured and export the NetFlow data to the NetFlow collector in the cloud. You can look at my configurations:
Edge Router 1

flow exporter FlowExporter1
 destination (address of netflow collector)
 source G0/0
 transport udp 4739
 export-protocol netflow-v5
!
flow monitor FlowMonitor1
 exporter FlowExporter1
 record netflow ipv4 original-input
!
interface GigabitEthernet0/0
 ip flow monitor FlowMonitor1 input

***************************************************

Edge Router 2

flow exporter FlowExporter1
 destination (address of netflow collector)
 source G0/0
 transport udp 4739
 export-protocol netflow-v5
!
flow monitor FlowMonitor1
 exporter FlowExporter1
 record netflow ipv4 original-input
!
interface GigabitEthernet0/0
 ip flow monitor FlowMonitor1 input
The NetFlow configurations on Router 1 and Router 2 are almost the same; the only difference is that Router 2 is connected to two ISPs.
My questions are:
1. On Router 2, do I need to apply the Flow Monitor on both interfaces facing the internet?
2. On Router 2, do I need to create a new Flow Exporter and make G0/1 as source?
3. How does NetFlow record the data? Will it record the data on the interface where the flow monitor is assigned?
4. If I don't configure anything on G0/1 of Router 2, how about the traffic on that interface?
I will appreciate all help, as I am still beginning to learn these things. This setup was already established, but I had only 1 ISP on my Router 2 back then. After adding the new ISP, do I need to inform the Security Network (where the NetFlow collector is located) about the changes, and do they need to make some changes too?
You can monitor any interface; you see the same data in NetFlow.
You need to configure every interface if you are looking for specific information on what is going to which ISP.
You can also mix in the internal interface, depending on the requirement.
In answer to your questions:
1) Configure a flow monitor on all interfaces where you want to monitor the traffic streams.
2) If you use the same flow monitor for both gi0/0 and gi0/1, it will be difficult to differentiate which interface is carrying the traffic stream when looking at the NetFlow analyser. By creating a new flow monitor with a different source port, you can configure your NetFlow collector to label flows on that port with a unique identity, i.e. 'R2_gi0_1'.
3) Input Logical Interface (ifIndex) is a component of the flow record used as one of the key fields to differentiate between flows. But it is just a numeric ID and not descriptive in any way without correlating it back to the SNMP interface index on the device from where the flow was sent.
4) If you didn't configure a flow monitor on Gi0/1, then you would be blind to the flows ingressing on that interface.
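To make answers 3) and 4) concrete, here is an added example (not from this thread or from Cisco) that decodes the NetFlow v5 datagrams the routers above export and sums bytes per input interface. It assumes a constructed exporter address 192.0.2.2 for Router 2 and a constructed SNMP ifIndex table mapping 1 to Gi0/0 and 2 to Gi0/1; an ifIndex the collector cannot correlate stays a bare number, which is exactly why the collector side needs to know about the new interface.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format (big-endian): 24-byte header, then 48-byte records.
HDR = struct.Struct(">HHIIIIBBH")
REC = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(payload):
    """Return the flow records contained in one v5 export datagram."""
    version, count, *_ = HDR.unpack_from(payload, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    records = []
    for i in range(count):
        f = REC.unpack_from(payload, HDR.size + i * REC.size)
        records.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                        "input": f[3], "output": f[4], "packets": f[5],
                        "octets": f[6], "sport": f[9], "dport": f[10], "proto": f[13]})
    return records

def label_interface(ifindex_map, exporter, ifindex):
    """ifIndex is only a number; resolve it per exporter via its SNMP ifIndex table."""
    return ifindex_map.get((exporter, ifindex), f"ifIndex {ifindex} (unmapped)")

def octets_per_input(datagrams, ifindex_map):
    """Sum bytes per (exporter, input interface) across a list of (exporter, payload)."""
    totals = defaultdict(int)
    for exporter, payload in datagrams:
        for r in parse_netflow_v5(payload):
            name = label_interface(ifindex_map, exporter, r["input"])
            totals[(exporter, name)] += r["octets"]
    return dict(totals)

def build_record(src, dst, ifin, ifout, octets, proto=6, sport=443, dport=51000):
    """Constructed v5 record (nexthop, timestamps, AS and masks zeroed)."""
    return REC.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4, ifin, ifout,
                    1, octets, 0, 0, sport, dport, 0, 0, proto, 0, 0, 0, 0, 0, 0)

def build_datagram(records):
    return HDR.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + b"".join(records)

# Constructed sample: Router 2 (192.0.2.2) exports flows seen on ifIndex 1, 2 and 9.
IFINDEX_MAP = {("192.0.2.2", 1): "GigabitEthernet0/0", ("192.0.2.2", 2): "GigabitEthernet0/1"}
SAMPLE = [("192.0.2.2", build_datagram([
    build_record("203.0.113.10", "10.0.0.5", 1, 3, 1500),   # ingress on Gi0/0
    build_record("198.51.100.7", "10.0.0.9", 2, 3, 800),    # ingress on Gi0/1
    build_record("198.51.100.8", "10.0.0.9", 9, 3, 100),    # ifIndex unknown to collector
]))]
```

Run `octets_per_input(SAMPLE, IFINDEX_MAP)` to see the per-interface totals; a flow monitor missing on Gi0/1 would simply mean no record with input ifIndex 2 ever arrives.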