📘CCNP ENCOR (350-401 ENCOR v1.1)
What is NetFlow? (Basic Understanding)
NetFlow is a Cisco technology used to collect and analyze IP traffic information flowing through a network device (router or switch).
NetFlow answers questions like:
- Who is using the network?
- Which applications are consuming bandwidth?
- Where is the traffic coming from and going to?
- Which protocols are being used?
- How much traffic is flowing?
This information is extremely useful for:
- Network monitoring
- Traffic analysis
- Capacity planning
- Troubleshooting
- Security analysis
What is Flexible NetFlow (FNF)?
Flexible NetFlow (FNF) is an advanced and customizable version of traditional NetFlow.
Traditional NetFlow had:
- Fixed fields
- Limited customization
- Older configuration methods
Flexible NetFlow improves this by allowing you to:
- Choose exactly what traffic information to collect
- Decide how traffic is grouped
- Control how long data is stored
- Export flow records to monitoring tools
👉 For the CCNP ENCOR exam, Flexible NetFlow is the main NetFlow version you must know.
Why Flexible NetFlow Is Important (Exam Perspective)
Flexible NetFlow helps network engineers:
- Monitor application traffic
- Detect abnormal traffic patterns
- Troubleshoot performance issues
- Optimize bandwidth usage
- Support security tools (IDS/IPS, SIEM)
Cisco exams test:
- FNF components
- Configuration steps
- Verification commands
- Basic troubleshooting understanding
Key Components of Flexible NetFlow
Flexible NetFlow has four main components.
You must understand each one clearly.
1. Flow Record
A flow record defines WHAT information is collected.
It specifies:
- Which fields are used to identify a flow (match fields)
- Which statistics are collected (collect fields)
Match Fields
Used to identify unique traffic flows:
- Source IP address
- Destination IP address
- Source port
- Destination port
- IP protocol
- Input interface
Collect Fields
Used to gather statistics:
- Number of packets
- Number of bytes
- Flow start time
- Flow end time
- TCP flags
📌 Think of a flow record as a template that describes what data to capture.
2. Flow Exporter
A flow exporter defines WHERE the flow data is sent.
It specifies:
- Destination IP address (NetFlow collector)
- Transport protocol (usually UDP)
- Destination port
- NetFlow version (v9 or IPFIX)
Common details:
- UDP port 2055 or 9995
- Export format: NetFlow v9 or IPFIX
📌 Flow exporter sends collected data to a monitoring or analysis server.
3. Flow Monitor
A flow monitor brings everything together.
It:
- Links a flow record
- Links a flow exporter
- Applies cache settings
📌 Flow monitor is what actually gets applied to an interface.
Without a flow monitor, NetFlow will not work.
4. Cache
The cache temporarily stores flow information before exporting it.
Cache controls:
- How long active flows are kept
- When inactive flows are removed
- When data is exported
Common timers:
- Active timeout
- Inactive timeout
📌 Cache tuning affects performance and accuracy.
How Flexible NetFlow Works (Step-by-Step)
- Traffic enters or leaves an interface
- Flow monitor checks traffic against the flow record
- Matching traffic is stored in the cache
- When timers expire, data is exported
- Exporter sends flow data to the collector
Configuration Order (Very Important for Exam)
Always remember this correct order:
- Create Flow Record
- Create Flow Exporter
- Create Flow Monitor
- Apply Flow Monitor to Interface
Cisco exams often test this sequence.
Basic Configuration Overview (Conceptual)
Step 1: Create a Flow Record
Defines match and collect fields.
Step 2: Create a Flow Exporter
Defines destination and export format.
Step 3: Create a Flow Monitor
Binds record and exporter together.
Step 4: Apply to Interface
Enable monitoring on ingress or egress.
📌 Flow direction:
- Ingress = traffic entering interface
- Egress = traffic leaving interface
Ingress vs Egress Monitoring
| Direction | Meaning |
|---|---|
| Ingress | Traffic entering the interface |
| Egress | Traffic leaving the interface |
Most deployments use ingress monitoring because it is more accurate and less CPU-intensive.
Verification Commands (Very Important for Exam)
You must know these commands and what they show.
Verify Flow Record
show flow record
Shows:
- Match fields
- Collect fields
Verify Flow Exporter
show flow exporter
Shows:
- Destination IP
- Port
- Export statistics
Verify Flow Monitor
show flow monitor
Shows:
- Record used
- Exporter used
- Cache status
Verify Interface Configuration
show flow monitor interface
Shows:
- Which interfaces have NetFlow enabled
- Ingress or egress direction
Verify Cache Information
show flow monitor cache
Shows:
- Active flows
- Packet and byte counters
📌 If no flows appear, NetFlow is not working correctly.
Common Troubleshooting Points
For the exam, remember these common issues:
| Issue | Possible Cause |
|---|---|
| No flow data | Flow monitor not applied |
| Exporter not sending | Wrong IP or port |
| No traffic seen | Incorrect interface or direction |
| High CPU usage | Too many match fields or short timers |
NetFlow Versions to Know
NetFlow v9
- Template-based
- Flexible
- Commonly used
IPFIX
- Industry standard
- Based on NetFlow v9
- More extensible
📌 Flexible NetFlow supports both v9 and IPFIX.
Flexible NetFlow vs Traditional NetFlow (Exam Summary)
| Feature | Traditional NetFlow | Flexible NetFlow |
|---|---|---|
| Custom fields | No | Yes |
| Scalability | Limited | High |
| Performance | Lower | Optimized |
| Exam relevance | Low | High |
Why Flexible NetFlow Is Tested in CCNP ENCOR
Cisco wants engineers to:
- Understand traffic visibility
- Monitor modern applications
- Integrate with network analytics tools
- Troubleshoot enterprise networks efficiently
Exam Tips for Students
- Memorize the four components
- Remember the configuration order
- Know verification commands
- Understand ingress vs egress
- Focus on concepts, not syntax
Quick Exam Summary
- Flexible NetFlow is a traffic analysis tool
- Uses records, exporters, monitors, and cache
- Applied on interfaces
- Supports NetFlow v9 and IPFIX
- Verified using show flow commands
