This chapter describes the FlowCollector application, which is used with the NetFlow Services data export feature on Cisco 7500, 7200, and 7000 series routers and Catalyst 5000 series switches.
This chapter includes information on the following topics:
NetFlow services is a high-performance IP switching feature that captures a rich set of traffic statistics exported from routers and switches while they perform their switching functions. The exported NetFlow data consists of traffic flows, which are unidirectional sequences of packets between a particular source device and destination device that share the same protocol and transport-layer information. The captured traffic statistics can be used for a wide variety of purposes, such as network analysis and planning, network management, accounting, billing, and data mining.
Because of their unidirectional nature, flows from a client to a server are differentiated from flows from the server to the client. Also, flows are differentiated on the basis of protocol. For example, Hypertext Transfer Protocol (HTTP) Web packets from a particular source host to a particular destination host constitute a separate flow from File Transfer Protocol (FTP) file transfer packets between the same pair of hosts.
Routers and switches identify flows by looking for the following fields within IP packets: source IP address, destination IP address, source port number, destination port number, protocol type, Type of Service (ToS), and input interface. Catalyst 5000 switches can identify flows by looking at a subset of these fields. For example, they can identify flows by source and destination address only.
NetFlow captures flow statistics for IP and IP-encapsulated traffic, and is currently available on the following NetFlow data export devices:
NetFlow data export makes NetFlow traffic statistics available for purposes such as network planning and billing. An export device configured for NetFlow data export maintains a flow cache used to capture flow-based traffic statistics. Traffic statistics for each active flow are maintained in the cache and are incremented as packets within each flow are switched. Periodically, summary traffic statistics for all expired flows are exported from the export device by means of UDP datagrams, which NetFlow FlowCollector receives and processes.
NetFlow data exported from the export device contains NetFlow statistics for the flow cache entries that have expired since the last export. Flow cache entries are expired and flushed from the cache when one of the following conditions occurs:
For flows that remain continuously active, flow cache entries are currently expired every 30 minutes to ensure periodic reporting of active flows.
NetFlow data export packets are sent to a user-specified destination, such as the workstation running FlowCollector, either when the number of recently expired flows reaches a predetermined maximum, or every second, whichever occurs first. For a Version 1 datagram, up to 24 flows can be sent in a single UDP datagram of approximately 1200 bytes. For a Version 5 datagram, up to 30 flows can be sent in a single UDP datagram of approximately 1500 bytes.
NetFlow exports flow information in UDP datagrams in one of three formats: Version 1 (V1), Version 5 (V5), and Version 7 (V7).
The Version 1 format was the original format supported in the initial NetFlow releases. The Version 5 format is a later enhancement for Cisco 7500, 7200, and 7000 series routers. The Version 7 format is a still later enhancement that added NetFlow support for Cisco Catalyst 5000 series switches equipped with a NetFlow feature card (NFFC). Versions 2 through 4 and Version 6 were either not released or are not supported by FlowCollector. For more information on the distinctions between the three format types, refer to the appendix "NetFlow Export Datagram Format," later in this guide.
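A collector takes these datagrams off a UDP port, so before aggregating anything it should confirm that the version, the flow count, and the datagram length agree. The sketch below is an added example, not FlowCollector code: it validates a Version 5 datagram and extracts the seven flow-identifying fields for each record. The 24-byte header and 48-byte record layouts are assumed from the published Version 5 export format, which this chapter does not reproduce, and the sample addresses and counters are constructed.

```python
import socket
import struct

# Layout assumed from the published NetFlow Version 5 export format.
V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
V5_MAX_FLOWS = 30  # per-datagram limit stated in this chapter


def parse_v5(datagram: bytes) -> list:
    """Validate a V5 export datagram; return one dict per flow record."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than V5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unsupported export version {version}")
    if not 1 <= count <= V5_MAX_FLOWS:
        raise ValueError(f"flow count {count} outside 1..{V5_MAX_FLOWS}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length does not match header flow count")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            # src IP, dst IP, src port, dst port, protocol, ToS, input interface
            "key": (socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]),
                    f[9], f[10], f[13], f[14], f[3]),
            "packets": f[5],
            "octets": f[6],
        })
    return flows


def build_sample() -> bytes:
    """Constructed datagram: one HTTP exchange seen as two unidirectional flows."""
    def rec(src, dst, sport, dport, in_if, out_if, pkts, octets):
        return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                              bytes(4), in_if, out_if, pkts, octets, 0, 0,
                              sport, dport, 0, 0x1B, 6, 0, 0, 0, 24, 24, 0)
    body = (rec("192.0.2.10", "198.51.100.5", 40000, 80, 1, 2, 6, 520) +
            rec("198.51.100.5", "192.0.2.10", 80, 40000, 2, 1, 5, 4300))
    return V5_HEADER.pack(5, 2, 0, 0, 0, 0, 0, 0, 0) + body


if __name__ == "__main__":
    for flow in parse_v5(build_sample()):
        print(flow)
```

A full 30-flow datagram under this layout is 24 + 30 × 48 = 1464 bytes, consistent with the approximately 1500 bytes quoted above.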
The following types of information are part of the detailed traffic statistics:
FlowCollector provides fast, scalable, and economical data collection from multiple export devices exporting NetFlow data records. Figure 2-1 shows an example of a typical NetFlow data export scheme. In it, various export devices send export data to user-specified FlowCollector UDP ports.

Each of the export devices in this example is configured for NetFlow data export. Part of the configuration information for each export device includes the IP address and the UDP port number (a logical port designator) that identify FlowCollector as the receiver of flows from this export device. The UDP port number is a user-configurable designator: You can configure FlowCollector to listen for flows on a number of different UDP ports, and then configure your export devices so that each device exports flows to a dedicated UDP port, or have a number of devices export flows to the same, shared UDP port.
After you configure and start FlowCollector, it listens to the user-specified UDP ports for exported flows from the export devices you have configured for NetFlow data export.
FlowCollector performs the following functions:
FlowCollector collects and summarizes (aggregates) data into data files based on user-defined criteria specified in a FlowCollector thread. A thread is an aggregation task defined by a set of user-configurable attributes that specify how the FlowCollector will aggregate the traffic flows stored on the workstation. Two key thread attributes are:
FlowCollector provides a set of predefined aggregation schemes to help you collect NetFlow export data and summarize the data (that is, aggregate the flows). You can choose one or more of these aggregation schemes to customize FlowCollector to your operating context.
You can also use filters with aggregation schemes to include or exclude certain types of NetFlow data. FlowCollector provides a set of predefined filters to provide further help in refining the range and type of traffic statistics collected and summarized. You can also define your own filters to customize FlowCollector to your operating context.
For more information about threads, aggregation schemes, and filters, refer to the chapter "Customizing FlowCollector," later in this guide.
FlowCollector includes the NetFlow FlowCollector user interface (NFUI), which is an interactive, menu-oriented user interface used to perform the following tasks:
The user interface consists of a main menu that provides access to a series of submenus and information displays. The user interface is self-guiding: it displays some information and then prompts you to act on that information. The user interface also contains embedded help menus to assist you in navigating through the user interface and understanding menu operations. The help menus explain all the options available for retrieving, configuring, and reviewing the FlowCollector runtime configuration parameters and statistics.
For more information on the user interface, refer to the chapter "Using the NetFlow FlowCollector User Interface," later in this guide.
The remaining chapters and appendixes in this guide provide information on the following topics:
| For more information on... | Refer to ... |
|---|---|
| Installing, configuring, and validating FlowCollector (for information on first-time and upgrade installations) | "Installing, Configuring, and Validating FlowCollector" |
| Using the NetFlow FlowCollector user interface (NFUI) to review application statistics and resource definitions (such as for threads, filters, and protocols), or to create and modify FlowCollector resource definitions | "Using the NetFlow FlowCollector User Interface" |
| Locating and understanding FlowCollector data files | "Understanding the FlowCollector Data File Format" |
| Customizing FlowCollector operation using thread, filter, and protocol definitions, lists of port and autonomous system numbers, and other FlowCollector configuration parameters | "Customizing FlowCollector" |
| Helpful information and procedures in case you encounter problems while using FlowCollector | "Troubleshooting" |
| NetFlow export datagram formats | "NetFlow Export Datagram Format" |