Cisco CNS NetFlow Collection Engine User Guide, Release 5.0.2
OL-6899-01
Chapter 1 Overview
What Are NetFlow Services?
Catalyst 5000 series switches can identify flows by looking at a subset of these fields. For example, they
can identify flows by source and destination address only.
Note
For Catalyst 5000 series switches, the analog to NetFlow services is integrated Multilayer Switching
(MLS) management. Included are products, utilities, and partner applications designed to gather flow
statistics, export the statistics, and collect and perform data reduction on the exported statistics. MLS
management then forwards them to consumer applications for traffic monitoring, planning, and
accounting.
NetFlow Services Device and IOS Release Support
You can find the most up-to-date information available to help you determine the compatibility among
different Cisco hardware platforms, Cisco IOS software releases, and supported NetFlow data export
versions at the following URL:
http://tools.cisco.com/ITDIT/CFN/Dispatch?SearchText=Netflow&act=featSelect&rnFeatId=null&featStartsWith=&task=TextSearch&altrole=
Note
Except for descriptions requiring references to specific router or switch platforms, the remainder of this
chapter and the remaining chapters of this guide use the term export device instead of the terms router
and switch.
NetFlow Data Export
NetFlow data export makes NetFlow traffic statistics available for purposes of network planning, billing,
and so on. An export device configured for NetFlow data export maintains a flow cache used to capture
flow-based traffic statistics. Traffic statistics for each active flow are maintained in the cache and are
updated when packets within each flow are switched. Periodically, summary traffic statistics for all
expired flows are exported from the export device by means of User Datagram Protocol (UDP)
datagrams, which CNS NetFlow Collection Engine receives and processes.
How and When Flow Statistics Are Exported
NetFlow data exported from the export device contains NetFlow statistics for the flow cache entries that
have expired since the last export. Flow cache entries expire and are flushed from the cache when one
of the following conditions occurs:
• The transport protocol indicates that the connection is completed (TCP FIN) plus a small delay to
allow for the completion of the FIN acknowledgment handshaking.
• Traffic inactivity exceeds 15 seconds.
For flows that remain continuously active, flow cache entries currently expire every 30 minutes to ensure
periodic reporting of active flows.
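
The expiry rules above, modelled as a small flow cache (an added example, not Cisco code; the 1-second FIN delay, the class names and the sample flow are assumptions). It shows why one long-lived connection reaches the collector as several flow records that an analyst has to stitch back together.

```python
from dataclasses import dataclass
from typing import Optional

INACTIVE_TIMEOUT = 15      # seconds of traffic inactivity (from the text)
ACTIVE_TIMEOUT = 30 * 60   # continuously active flows expire every 30 minutes
FIN_DELAY = 1              # assumed value for the "small delay" after TCP FIN

@dataclass
class Flow:
    first: float                     # time of the first packet in this cache entry
    last: float                      # time of the most recent packet
    packets: int = 0
    octets: int = 0
    fin_at: Optional[float] = None   # when a TCP FIN was seen, if any

class FlowCache:
    def __init__(self):
        self.active = {}     # flow key -> Flow
        self.expired = []    # (key, Flow, reason), waiting for the next export

    def sweep(self, now):
        """Flush every entry that meets one of the expiry conditions."""
        for key, f in list(self.active.items()):
            if f.fin_at is not None and now - f.fin_at >= FIN_DELAY:
                reason = "fin"
            elif now - f.last > INACTIVE_TIMEOUT:
                reason = "inactive"
            elif now - f.first >= ACTIVE_TIMEOUT:
                reason = "active-timeout"
            else:
                continue
            self.expired.append((key, self.active.pop(key), reason))

    def packet(self, now, key, size, fin=False):
        """Account one switched packet; a flushed flow restarts as a new entry."""
        self.sweep(now)
        f = self.active.setdefault(key, Flow(first=now, last=now))
        f.last, f.packets, f.octets = now, f.packets + 1, f.octets + size
        if fin:
            f.fin_at = now

def demo():
    """Constructed input: one TCP connection, a packet every 10 s for 50 minutes."""
    cache = FlowCache()
    key = ("10.0.0.5", "192.0.2.9", 6, 51000, 443)   # constructed flow key
    for t in range(0, 3001, 10):
        cache.packet(t, key, 100, fin=(t == 3000))
    cache.sweep(3000 + FIN_DELAY)
    return [(f.first, f.last, f.packets, reason) for _, f, reason in cache.expired]
```
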
NetFlow data export packets are sent to a user-specified destination, such as the workstation running
CNS NetFlow Collection Engine, either when the number of recently expired flows reaches a
predetermined maximum, or every second, whichever occurs first. For:
• Version 1 datagrams, up to 24 flows can be sent in a single UDP datagram of approximately 1200
bytes.