Troubleshoot NetFlow (v9, flexible NetFlow, IPFIX)

📘CCNP Enterprise – ENARSI (300-410)


NetFlow is a Cisco technology used to monitor and analyze network traffic. It provides detailed information about who is talking to whom, how much data is being transferred, and what protocols are being used. Troubleshooting NetFlow ensures that you can accurately monitor traffic and detect issues such as traffic loss, misreporting, or configuration errors.

NetFlow has evolved over time, and for ENARSI, you should know:

  1. NetFlow v9 – a flexible, template-based version of NetFlow.
  2. Flexible NetFlow (FNF) – allows more customization of flows.
  3. IPFIX (IP Flow Information Export) – an industry standard based on NetFlow v9.

1. NetFlow Concepts for Troubleshooting

Before diving into troubleshooting, understand these basic concepts:

a. Flow

A flow is a unidirectional sequence of packets sharing common attributes. Attributes can include:

  • Source IP
  • Destination IP
  • Source port
  • Destination port
  • Protocol
  • Type of service (ToS)

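Example: HTTP packets from 192.168.1.10 to 10.0.0.20 that share the same source port, destination port, and protocol are considered a single flow; the replies from 10.0.0.20 form a separate flow because flows are unidirectional.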

b. Flow Record

  • Defines which fields are collected about a flow.
  • Example: Source IP, destination IP, protocol, bytes, packets.

c. Flow Exporter

  • Sends the flow data to a NetFlow collector.
  • Important parameters: destination IP of collector, transport protocol (usually UDP), port, and version.

d. Flow Monitor

  • Ties everything together: flow record + exporter + traffic source.
  • Applied on interfaces to start monitoring traffic.

2. Versions of NetFlow

a. NetFlow v9

  • Template-based: Sends a template describing the flow format first, then data.
  • Flexible and allows future enhancements (used as the base for IPFIX).
  • Supports Layer 2–7 fields.

b. Flexible NetFlow (FNF)

  • More customizable than traditional NetFlow v5/v9.
  • You can choose exactly which fields to track, including IPv6 and MPLS.
  • Components: Flow Record → Flow Exporter → Flow Monitor → Interface

c. IPFIX

  • Standardized by IETF (RFC 7011).
  • Works like NetFlow v9 but is vendor-neutral, so non-Cisco devices can send IPFIX data to collectors.

3. Common NetFlow Problems

When troubleshooting NetFlow, these are the typical issues:

a. No Flows Being Exported

Possible causes:

  • Flow monitor not applied to the interface.
  • Interface is misconfigured (wrong direction: input vs output).
  • Exporter is misconfigured (wrong IP, port, or protocol).
  • Version mismatch between router and collector.

Commands to troubleshoot:

show flow monitor <name> cache
show flow exporter <name>
show flow monitor <name>

b. Inaccurate Flow Data

Possible causes:

  • Wrong flow record fields selected.
  • Misconfigured aggregation (per VLAN, per interface, per source IP).
  • Sampling misconfigured: a sampling rate that is too aggressive causes flows to be missed.

Commands:

show flow monitor <name> cache statistics
show flow exporter <name> statistics

c. Flow Exporter Errors

Possible causes:

  • Collector unreachable (network issue, firewall).
  • Transport protocol mismatch (UDP vs TCP).
  • Template mismatch (v9 vs IPFIX).

Commands:

show flow exporter <name> statistics
debug flow exporter events
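
The collector-side view of the version and template mismatches listed above, as an added example (not part of the original guide): a minimal NetFlow v9 decoder showing that a data flowset cannot be decoded until its template has been received from the same source ID, and that an IPFIX (version 10) packet is rejected by a v9-only parser. The names parse_v9 and build_sample and all sample bytes are constructed for illustration; templates are keyed by source ID only, where a real collector would also key on the exporter's address.

```python
import struct

V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
# Field type numbers from the NetFlow v9 field table (RFC 3954) used by the sample.
FIELD_NAMES = {1: "IN_BYTES", 4: "PROTOCOL", 8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

def parse_v9(packet, templates):
    """Decode one export packet; `templates` must persist across packets."""
    version = int.from_bytes(packet[:2], "big")
    if version != 9 or len(packet) < V9_HEADER.size:
        return {"error": f"not a NetFlow v9 packet (version field = {version})", "flows": [], "undecoded": 0}
    source_id = V9_HEADER.unpack_from(packet)[5]
    flows, undecoded, off = [], 0, V9_HEADER.size
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, off)
        body = packet[off + 4: off + set_len]
        if set_id == 0:  # template flowset: remember each template's field layout
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                if pos + 4 + 4 * nfields > len(body):
                    break  # truncated template record
                templates[(source_id, tid)] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                                               for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif set_id >= 256:  # data flowset: set_id names the template that describes it
            fields = templates.get((source_id, set_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            if not rec_len:
                undecoded += 1  # data arrived before (or without) its template
            pos = 0
            while rec_len and pos + rec_len <= len(body):  # leftover bytes are padding
                rec = {}
                for ftype, flen in fields:
                    raw, name = body[pos:pos + flen], FIELD_NAMES.get(ftype, ftype)
                    rec[name] = ".".join(map(str, raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                    pos += flen
                flows.append(rec)
        off += max(set_len, 4)  # always advance, even on a malformed length
    return {"error": None, "flows": flows, "undecoded": undecoded}

def build_sample():  # constructed sample: a template packet and a data packet from one exporter
    hdr = lambda seq: V9_HEADER.pack(9, 1, 1000, 1700000000, seq, 1)
    layout = [(8, 4), (12, 4), (11, 2), (4, 1), (1, 4)]  # (field type, length)
    tmpl = struct.pack("!HHHH", 0, 8 + 4 * len(layout), 256, len(layout))
    tmpl += b"".join(struct.pack("!HH", t, n) for t, n in layout)
    rec = bytes([192, 168, 1, 10, 10, 0, 0, 20]) + struct.pack("!HBI", 80, 6, 4200)
    data = struct.pack("!HH", 256, 20) + rec + b"\x00"  # 15-byte record + 1 pad byte
    return hdr(0) + tmpl, hdr(1) + data
```

A non-zero "undecoded" count on the collector while the router's exporter statistics show packets being sent points to a template that was never received or has not been resent yet, rather than to a reachability problem.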

d. High CPU or Memory Usage

Causes:

  • Too many flows being tracked (interfaces with high traffic).
  • Complex flow records with many fields.
  • Small cache size.

Solutions:

  • Use sampling to reduce the number of flows.
  • Increase cache size.
  • Simplify flow records.

Commands:

show processes cpu
show memory

4. Key Troubleshooting Commands

For exam purposes, these commands are critical:

a. Flow Monitor and Cache

show flow monitor <monitor_name> cache
show flow monitor <monitor_name> cache statistics

b. Flow Exporter

show flow exporter
show flow exporter <exporter_name> statistics

c. Flexible NetFlow

show flow record
show flow monitor

d. Real-time Debug

debug flow exporter events
debug flow monitor

Note: Use debug carefully in production—high traffic can overwhelm the router.


5. Exam Tips

  1. Know the Components: Record → Exporter → Monitor → Interface.
  2. Differentiate Versions: v9 vs Flexible NetFlow vs IPFIX.
  3. Understand Common Problems: No flows, wrong data, exporter issues, CPU load.
  4. Know Commands: Show commands are usually enough; debug commands are for deep troubleshooting.
  5. Cache and Templates: Always check flow cache and exporter statistics.

Summary:

  • NetFlow is used to monitor traffic.
  • Flexible NetFlow allows customization; IPFIX is standardized.
  • Troubleshooting involves checking flow records, monitors, exporters, and interfaces, using show and debug commands.
  • Common issues include no flows, wrong flows, exporter errors, and resource problems.