Expanding upon my last blog, “Cisco’s Flexible NetFlow and LEGO Blocks”, this week I’d like to show the application of FNF’s Template FlowSet configuration in your NetFlow collection.
In Cisco Systems’ “NetFlow Version 9 Flow-Record Format” whitepaper, Table 6 (NetFlow Version 9 Field Type Definitions) lists the fields available to build your NetFlow v9 Template FlowSet.
In the packet capture displayed below, FlowSet 1, Template Id 257, lists the fields included in the Template FlowSet. One of these fields is LAST_SWITCHED (21), where 21 is the Field Type value. This value is important because it is unique to that Field Type.
Why is the value important? In Scrutinizer, my personal favorite NetFlow collector, we translate the Field Type to a more readable field name using that value.
For example, look at the following screenshot of the Flow View report from Scrutinizer.
We are looking at Flow Template ID 1012 (as shown in the browser tab), with the following fields:
- flowDirection translated from DIRECTION (61)
- ingressInterface translated from INPUT_SNMP (10)
- interfaceDescription translated from IF_DESC (83)
- interfaceName translated from IF_NAME (82)
This is an excellent example of how you can get more than just NetFlow data from the NetFlow v9 Flexible NetFlow templates. This example provides the interface information. In a case where you do not have access to SNMP on the router, you can still get the interface name and description with the appropriate NetFlow configuration on the router.
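To make the translation concrete, here is an added Python example (not code from Scrutinizer or Cisco) that parses a NetFlow v9 Template FlowSet and maps each Field Type value to a name. The sample bytes and field lengths are constructed for illustration, and the name table holds only the fields mentioned in this post.

```python
import struct

# Field Type values from Table 6 of the Cisco whitepaper, paired with the
# readable names this post lists (None where the post gives no translation).
FIELD_TYPES = {
    10: ("INPUT_SNMP", "ingressInterface"),
    21: ("LAST_SWITCHED", None),
    61: ("DIRECTION", "flowDirection"),
    82: ("IF_NAME", "interfaceName"),
    83: ("IF_DESC", "interfaceDescription"),
}


def parse_template_flowset(data):
    """Return {template_id: [(type, length, cisco_name, readable_name), ...]}."""
    if len(data) < 4:
        raise ValueError("truncated FlowSet header")
    flowset_id, length = struct.unpack_from("!HH", data, 0)
    if flowset_id != 0:
        raise ValueError("not a Template FlowSet (FlowSet ID must be 0)")
    if length < 4 or length > len(data):
        raise ValueError("FlowSet length field does not fit the buffer")
    templates, offset = {}, 4
    # Anything shorter than a 4-byte template header is trailing padding.
    while length - offset >= 4:
        template_id, field_count = struct.unpack_from("!HH", data, offset)
        offset += 4
        if template_id < 256:
            raise ValueError("template IDs below 256 are reserved")
        if offset + 4 * field_count > length:
            raise ValueError("field count overruns the FlowSet length")
        fields = []
        for _ in range(field_count):
            ftype, flen = struct.unpack_from("!HH", data, offset)
            offset += 4
            cisco, readable = FIELD_TYPES.get(ftype, ("UNKNOWN_%d" % ftype, None))
            fields.append((ftype, flen, cisco, readable))
        templates[template_id] = fields
    return templates


# Constructed sample: Template ID 1012 carrying the four fields listed above.
# The field lengths (1, 4, 64, 32) are assumed for illustration.
SAMPLE = struct.pack("!HHHH", 0, 24, 1012, 4) + struct.pack(
    "!8H", 61, 1, 10, 4, 83, 64, 82, 32)

if __name__ == "__main__":
    for tid, fields in parse_template_flowset(SAMPLE).items():
        print(tid, [(readable or cisco, ftype) for ftype, _, cisco, readable in fields])
```

The length checks matter on a collector: templates arrive over UDP from any source that can reach the listener, so a field count that overruns the FlowSet is rejected rather than parsed.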
As you prepare to configure NetFlow on your routers, check for NetFlow v9 support. Flexible NetFlow is just that: flexible! It provides even more detail for your NetFlow traffic monitoring than you ever thought possible.