Flow monitoring is a network visibility technology that captures, analyzes, and exports detailed information about network traffic patterns using protocols such as NetFlow v5, NetFlow v9, and IPFIX (IP Flow Information Export). It provides comprehensive traffic analytics by collecting metadata about network conversations including source/destination addresses, ports, protocols, packet counts, byte counts, and timing information without examining actual packet payloads. Flow monitoring enables network administrators to perform capacity planning, security analysis, application performance monitoring, and billing by providing granular insights into network utilization patterns and application behavior.
Example 1: The example below shows configuration to monitor IPv4 traffic flows based on specified match criteria and send it to a remote collector. It configures 1 monitor which associates a flow record and a flow exporter, and manage flow cache. Flow exporter contains information to send data to the remote collector with attirbutes like destination IP, source loopback, protocol, port, TTL (Time To Live), etc. The flow record defines the specifics fields to match and collect from network traffic flows.
iosxe:
devices:
- name: Device1
configuration:
flow:
exporters:
- name: exporter1
description: My exporter
destination_ip: 1.1.1.1
export_protocol: ipfix
option_application_attributes_timeout: 30
option_application_table_timeout: 40
option_interface_table_timeout: 50
option_sampler_table: true
option_vrf_table_timeout: 60
source_loopback: 123
transport_udp: 655
ttl: 64
template_data_timeout: 60
monitors:
- name: MON1
description: My monitor
exporters:
- exporter1
cache_timeout_active: 60
record: FNF1
records:
- name: FNF1
description: My flow record
match:
ipv4_source_address: true
ipv4_destination_address: true
ipv4_protocol: true
ipv4_tos: true
transport_source_port: true
transport_destination_port: true
interface_input: true
flow_direction: true
collect:
interface_output: true
counter_bytes_long: true
counter_packets_long: true
transport_tcp_flags: true
timestamp_absolute_first: true
timestamp_absolute_last: true
Example 2: Enhanced Layer 2 flow monitoring with MAC address and VLAN matching. This example demonstrates the new datalink layer visibility capabilities available on switch platforms, enabling detailed tracking of Layer 2 traffic patterns including source/destination MAC addresses and VLAN-based flow identification.
iosxe:
devices:
- name: Switch1
configuration:
flow:
exporters:
- name: L2_EXPORTER
description: Layer 2 Flow Exporter
destination_ip: 10.0.0.100
source_vlan: 100
transport_udp: 2055
template_data_timeout: 600
monitors:
- name: L2_MONITOR
description: Layer 2 Flow Monitor
exporters:
- L2_EXPORTER
cache_timeout_active: 300
cache_timeout_inactive: 15
record: L2_RECORD
records:
- name: L2_RECORD
description: Enhanced L2 flow record with MAC and VLAN tracking
match:
ipv4_source_address: true
ipv4_destination_address: true
ipv4_protocol: true
datalink_mac_source_address_input: true
datalink_mac_destination_address_input: true
datalink_vlan: input
ipv4_ttl: true
collect:
counter_bytes_long: true
counter_packets_long: true
interface_output: true
Example 3: Flow exporter with flexible source interface options. This example demonstrates the various source interface types available for flow exporters, including physical ethernet interfaces, VLAN interfaces, and port-channels, providing deployment flexibility across different network topologies.
iosxe:
devices:
- name: Router1
configuration:
flow:
exporters:
- name: EXPORTER_LOOPBACK
description: Exporter with Loopback source
destination_ip: 10.1.1.10
source_loopback: 100
transport_udp: 2055
- name: EXPORTER_GIGABIT
description: Exporter with GigabitEthernet source
destination_ip: 10.1.1.11
source_gigabit_ethernet: "1/0/1"
transport_udp: 2056
- name: EXPORTER_TENGIG
description: Exporter with TenGigabitEthernet source
destination_ip: 10.1.1.12
source_ten_gigabit_ethernet: "1/0/1"
transport_udp: 2057
records:
- name: ROUTER_RECORD
description: Router flow record with enhanced VLAN tracking
