Cisco Systems 5, NAM Understanding NetFlow Interfaces, Understanding NetFlow Flow Records

2-19

User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0

OL-22617-01

Chapter 2 Setting Up The NAM Traffic Analyzer

Traffic

As a consumer, the NAM can receive NetFlow packets on its management port from devices such as

Cisco routers and switches. Those records are stored in its collection database as if that traffic had

appeared on one of the NAM data ports. The NAM understands NetFlow v1, v5, v6, v7, v8, and v9.

Incoming NetFlow data is parsed by the NAM, stored in its internal database, and presented in the GUI

in the same way as traffic from other data sources.

For the NAM to receive NetFlow packets from an external switch or router, that device must be

configured by export flow records to the NAM’s IP address and the correct UDP port number. The default

port number on which the NAM listens for NetFlow packets is port 3000. This can be modified using the

NAM CLI, but the important point is that the same port must be configured on the NAM and the

exporting device(s). Depending on the external device, you may need to enable the NetFlow feature on

a per-interface basis.

See the following sections about NetFlow as a data source:

• Understanding NetFlow Interfaces, page 2-19

• Understanding NetFlow Flow Records, page 2-19

• Managing NetFlow Data Sources, page 2-20

• Configuring NetFlow on Devices, page 2-20

Understanding NetFlow Interfaces

To use a device as an NDE data source for the NAM, you must configure the device itself to export NDE

packets to UDP port 3000 on the NAM. You might need to configure the device itself on a per-interface

basis. An NDE device is identified by its IP address. In NAM Traffic Analyzer 5.0, the default UDP port

of 3000 can be changed with a NAM CLI command (see Configuring NetFlow on Devices, page 2-20).

You can define additional NDE devices by specifying the IP addresses and (optionally) the community

strings. Community strings are used to upload convenient text strings for interfaces on the managed

devices that are monitored in NetFlow records.

Remote NDE devices may export information pertaining to any or all of their individual interfaces. The

NAM keeps track of the interface associated with any flow information received from the device. On the

NDE Interface Analysis page (Analyze > Traffic > NDE Interface), you can view information for any

selected interface on the device. This page will display the interface utilization or throughput over time,

as well as show the top Applications, Hosts, and DSCP groups in both the input and output directions

for the interface.

Understanding NetFlow Flow Records

An NDE packet contains multiple flow records. Each flow record has two fields:

• Input SNMP ifIndex

• Output SNMP ifIndex

Note This information might not be available because of NDE feature incompatibility with your Cisco IOS

version, or because of an NDE flow-mask configuration.

In most cases, turning on NetFlow on an interface populates the NetFlow cache in the device with flows

that are in the input direction of the interface. As a result, the input SNMP ifIndex field in the flow record

has the ifIndex of the interface on which NetFlow was turned on. Sample NetFlow Network, Figure 2-2,

shows a sample network configuration with a NetFlow router.