Datasheet
© 2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match transport tcp flags
collect interface input snmp
collect interface output snmp
collect counter flows
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
Note that the interface fields are available as nonkey fields, because they are values computed by the
flow post-processing in the service module CPU, as explained in the "Architecture Overview" section.
The IP protocol field is also important, because it offers a way to detect the presence of IPv6 traffic
even if the network has no IPv6 configured. Endpoints running dual IPv4 and IPv6 network stacks are increasingly
being deployed in the access network, offering a potentially unmonitored path to malicious attackers who want to
exploit IPv6 vulnerabilities.
The following list explains how the preceding Flexible NetFlow fields can be used for different network
administration tasks:
● Destination and source address at the data link and IP layers, together with the interface value, uniquely
define the flow endpoints.
● Application or service analysis can be based on the following fields: data link ethertype, IP protocol,
transport source and destination port, IP source and destination address.
● The class of service (CoS) expressed by the “datalink dot1q priority” field and the type of service (ToS) field
can be used to validate quality-of-service (QoS) settings in the network.
● Finally, destination IP address, Transmission Control Protocol (TCP) flags and transport destination port
can be used to monitor excessive usage of SYN bits, which is typical of a port scan caused by malware.
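The SYN monitoring described in the last item can be run on the collector over the exported records. The following Python sketch is an added example, not part of the datasheet or of any Cisco software; the tuple layout, the thresholds and the sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

TCP, SYN, ACK = 6, 0x02, 0x10

# Constructed sample flows (not from the datasheet), one tuple per exported record:
# (protocol, src addr, dst addr, src port, dst port, TCP flags, packets)
SAMPLE_FLOWS = (
    # one host sending a single SYN to port 445 on 40 different addresses
    [(6, "10.1.1.50", "10.1.2.%d" % h, 40000 + h, 445, 0x02, 1) for h in range(1, 41)]
    # a busy client with 60 completed connections (FIN|SYN|PSH|ACK seen)
    + [(6, "10.1.1.20", "10.1.2.10", 51000 + i, 443, 0x1B, 12) for i in range(60)]
    # one unanswered SSH attempt and one UDP flow
    + [(6, "10.1.1.30", "10.1.2.10", 52000, 22, 0x02, 3),
       (17, "10.1.1.50", "10.1.2.1", 5353, 53, 0x00, 2)]
)

def syn_scan_suspects(flows, min_targets=20, min_ratio=0.8):
    """Return {source: stats} for sources whose TCP flows are mostly SYN-only
    and spread over many distinct (destination address, destination port) pairs.
    Both thresholds are illustrative assumptions, to be tuned per network."""
    total = defaultdict(int)
    syn_only = defaultdict(int)
    targets = defaultdict(set)
    for proto, src, dst, _sport, dport, flags, _pkts in flows:
        if proto != TCP:
            continue
        total[src] += 1
        # Assumption: the flags field is the OR of all flags seen in the flow,
        # so SYN without ACK means the source never completed a handshake.
        if flags & SYN and not flags & ACK:
            syn_only[src] += 1
            targets[src].add((dst, dport))
    suspects = {}
    for src, n in syn_only.items():
        ratio = n / total[src]
        if len(targets[src]) >= min_targets and ratio >= min_ratio:
            suspects[src] = {"targets": len(targets[src]),
                             "syn_only_ratio": round(ratio, 2)}
    return suspects

if __name__ == "__main__":
    for src, stats in syn_scan_suspects(SAMPLE_FLOWS).items():
        print(src, stats)
```

Requiring both a high SYN-only ratio and many distinct targets keeps a single failed connection, or a busy but well-behaved client, from being flagged.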
The flow exporter is the Flexible NetFlow modular object where the collector IP address and User Datagram
Protocol (UDP) port are defined, together with the differentiated services code point (DSCP) and time-to-live (TTL)
value for NetFlow Data Export (NDE) traffic.
An important exporter parameter is the source interface, which is used to compute the source IP address for NDE
traffic and therefore identifies the switch to the collector. Typically the source interface is the management
interface of the switch. Note that at first customer ship (FCS) neither Virtual Routing and Forwarding (VRF)
awareness nor IPv6 addressing is supported.
The third object is the flow monitor, a Flexible NetFlow profile that is attached to an interface in the
direction (input or output) being analyzed. It includes a flow record and one or multiple exporters.










