After it is verified that NetFlow is working properly, data collection can begin on the NetFlow collector. Netflow verification is done by examining the information stored on the NetFlow collector. At a minimum, check the local NetFlow cache on a router to ensure that the router is collecting the data.
NetFlow was configured on router R1 as follows:
- IP address 192.168.1.1/24 on G0/1
- Ingress and egress traffic monitored by NetFlow
- NetFlow collector at 192.168.1.3/24
- NetFlow UDP capture port 2055
- NetFlow Version 5 export format
To display a summary of the NetFlow accounting statistics, as well as which protocol uses the highest volume of the traffic, and to see between which hosts this traffic flows, use the show ip cache flow command in user EXEC or privileged EXEC mode. This command is entered on R1 to verify the NetFlow configuration, as seen in Figure 1. The command output details which protocol uses the highest volume of the traffic and between which hosts this traffic flows. The table in Figure 1 describes the significant fields shown in the flow switching cache lines of the display.
The output at the top of the display confirms that the router is collecting data. The first highlighted entry lists a count of 178,617 packets monitored by NetFlow. The end of the output shows statistics about three flows, the highlighted one corresponding to an active HTTPS connection between the NetFlow collector and R1. It also shows the source port (SrcP) and destination port (DstP) in hexadecimal.
Note: Hexadecimal 01BB is equal to decimal 443, the well-known TCP port for HTTPS.
Figure 2 describes the significant fields in the flow switching cache lines of the show ip cache flow command output.
Figure 3 describes the significant fields in the activity by protocol lines of the show ip cache flow command output.
Figure 4 describes the significant fields in the NetFlow record lines of the show ip cache flow command output.
Although the output of the show ip cache flow command confirms that the router is collecting data, to ensure that NetFlow is configured on the correct interfaces in the correct directions, use the show ip flow interface command, as shown in Figure 5.
To check the configuration of the export parameters, use the show ip flow export command, shown in Figure 5. The first highlighted line shows that NetFlow is enabled with Version 5 export format. The last highlighted lines in Figure 5 show that 1764 flows have been exported in the form of 532 UDP datagrams to the NetFlow collector at 192.168.1.3 via port 2055.
Use the Syntax Checker in Figure 6 to configure and verify NetFlow on R1.