NetFlow monitoring is a critical tool for network visibility, security analysis, and traffic engineering. For the CCNA 200-301 exam (objective 4.5), you must understand how to configure and verify NetFlow on Cisco IOS devices. Real-world network engineers rely on NetFlow to identify bandwidth hogs, detect anomalies, and plan capacity—skills that separate junior from senior admins. This lab walks you through configuring NetFlow on a router, verifying its operation, and exporting flow data to a collector.
Imagine a busy international airport with hundreds of gates, thousands of passengers, and multiple security checkpoints. The airport authority wants to monitor passenger flow: where they come from, which gates they go to, how long they linger, and if any patterns suggest suspicious activity. Installing a full video camera at every door and recording 24/7 would generate petabytes of useless data. Instead, they deploy smart cameras at key choke points—entry doors, security lanes, and gate entrances. Each smart camera captures a 'flow record': passenger ID, entry time, exit time, number of bags, and destination gate. These records are sent to a central security office (the NetFlow collector) for analysis. The cameras don't record every step; they summarize the journey. If a passenger enters through Door A, spends 45 minutes wandering, and exits through Door B, that's one flow. The airport can later query: 'Show me all passengers who went from Door A to Gate C between 2-3 PM'—just like a network engineer queries: 'Show me all traffic from subnet 10.1.1.0/24 to server 192.168.1.100 on port 443.' The analogy holds: NetFlow is the smart camera, the flow cache is the camera's internal memory, and the export packet is the periodic report sent to the central office. Just as cameras have a limited buffer and must prioritize recording, NetFlow uses a flow cache with configurable size and timeout policies to avoid overwhelming the router's CPU.
What is NetFlow and Why Does It Exist?
NetFlow is a Cisco-developed protocol for collecting IP traffic statistics; the IETF's open equivalent, IPFIX (RFC 7011), was derived from NetFlow version 9 (itself documented in RFC 3954). Unlike SNMP, where a management station polls interface counters on whatever interval it is configured for (commonly every few minutes) and gets only octets and packets per interface, NetFlow provides per-flow granularity. A flow is a unidirectional sequence of packets sharing the same seven key fields (the 7-tuple): source IP, destination IP, source port, destination port, Layer 3 protocol, ToS (Type of Service) byte, and input interface. Because flows are unidirectional, one TCP session shows up as two flow records, one per direction, and a collector pairs them up. NetFlow answers questions like: 'Which application is consuming the most bandwidth?', 'Who is talking to whom?', and 'Is there unusual traffic at 3 AM?'
How NetFlow Works Step by Step
1. Packet arrival: A packet arrives on an interface configured for NetFlow.
2. Flow lookup: The router checks its flow cache (a high-speed memory table) for an existing entry matching the 7-tuple. If found, it updates the record: packet count, byte count, last-seen timestamp, and (for TCP) the cumulative OR of the TCP flags seen so far.
3. New flow creation: If no matching flow exists, the router creates a new record in the cache. The record stores: source/destination IP, ports, protocol, interfaces, next-hop IP, AS numbers (if BGP is running), TCP flags, and start/end timestamps.
4. Flow aging: A record leaves the cache (and is queued for export) for one of four reasons:
 - Inactive timeout: Default 15 seconds. If no packets are seen for this flow within 15 seconds, the flow is aged out and exported.
 - Active timeout: Default 30 minutes. Even if the flow is still active, after 30 minutes the router exports the current record and starts a new one for the continuing packets, so a long download appears as a series of records.
 - Cache full: When the flow cache reaches its maximum size (default 64K entries on most platforms), the router forces out existing flows to make room.
 - TCP session end: A FIN or RST expires a TCP flow immediately rather than waiting for the inactive timer.
5. Export: When a flow ages out, the router packages the record into a UDP datagram (default destination port 2055) and sends it to the configured collector. A version 5 datagram is a 24-byte header plus up to 30 fixed 48-byte records; a version 9 datagram carries as many template-described records as fit. The header carries a sequence number so the collector can detect lost datagrams, but nothing is retransmitted: UDP export is fire-and-forget.
6. Collector processing: The collector receives, decodes, and stores flow records in a database for analysis.
Key States, Timers, and Defaults
Flow cache size: Default 64,000 flows (configurable with ip flow-cache entries).
Inactive timeout: 15 seconds (configurable with ip flow-cache timeout inactive 15).
Active timeout: 30 minutes (configurable with ip flow-cache timeout active 30).
Export UDP port: Default 2055 (can be changed with ip flow-export destination <ip> <port>).
Export version: Version 5 (fixed-format) or Version 9 (template-based). CCNA tests Version 5 and basic Version 9.
Sampling: NetFlow can sample traffic (e.g., 1 packet in 100) to reduce CPU load. In classic NetFlow this is defined with a `flow-sampler-map` in global configuration and applied to the interface with `flow-sampler <name>`; the collector must know the sampling rate to scale counts back up.
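To make the cache behaviour concrete, here is a miniature flow cache, added as an example for this page (it is not code from the page or from Cisco IOS). It keys flows on the 7-tuple and expires them on the inactive timeout, the active timeout, a TCP FIN/RST, or a full cache. The timer values are the IOS defaults quoted above; the cache size is deliberately tiny so that the cache-full path triggers, and the replayed packets are constructed sample input.

```python
"""A miniature NetFlow flow cache with the aging policies described above.

Added example, not code from the page or from Cisco IOS. It keys flows on
the 7-tuple and expires them on the inactive timeout, the active timeout,
a TCP FIN/RST, or a full cache. Timer values are the IOS defaults quoted in
the text; the cache size is deliberately tiny and the packets are
constructed sample input.
"""
from dataclasses import dataclass

INACTIVE_TIMEOUT = 15        # seconds (IOS default)
ACTIVE_TIMEOUT = 30 * 60     # seconds (IOS default: 30 minutes)
CACHE_ENTRIES = 4            # tiny so "cache full" triggers; IOS default is 64K
TCP_FIN, TCP_SYN, TCP_RST = 0x01, 0x02, 0x04


@dataclass
class FlowRecord:
    key: tuple              # (src, dst, sport, dport, proto, tos, in_if)
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0      # cumulative OR of flags seen, as in a v5 record
    reason: str = ""        # why the record was expired


class FlowCache:
    def __init__(self, entries=CACHE_ENTRIES, inactive=INACTIVE_TIMEOUT, active=ACTIVE_TIMEOUT):
        self.entries, self.inactive, self.active = entries, inactive, active
        self.cache = {}         # 7-tuple -> FlowRecord
        self.exported = []      # stands in for the UDP export queue to the collector

    def _expire(self, key, reason):
        rec = self.cache.pop(key)
        rec.reason = reason
        self.exported.append(rec)

    def age(self, now):
        """Ager poll: expire flows that hit the inactive or active timeout."""
        for key, rec in list(self.cache.items()):
            if now - rec.last >= self.inactive:
                self._expire(key, "inactive")
            elif now - rec.first >= self.active:
                self._expire(key, "active")   # continuing packets start a fresh record

    def packet(self, now, src, dst, sport, dport, proto, tos, in_if, length, flags=0):
        self.age(now)
        key = (src, dst, sport, dport, proto, tos, in_if)
        rec = self.cache.get(key)
        if rec is None:
            if len(self.cache) >= self.entries:
                # cache full: push out the flow that has been idle the longest
                idle = min(self.cache, key=lambda k: self.cache[k].last)
                self._expire(idle, "cache full")
            rec = self.cache[key] = FlowRecord(key, first=now, last=now)
        rec.last = now
        rec.packets += 1
        rec.octets += length
        rec.tcp_flags |= flags
        if proto == 6 and flags & (TCP_FIN | TCP_RST):
            self._expire(key, "tcp end")


def demo():
    """Replay constructed traffic; returns {(dst port, reason): (packets, octets)}."""
    c = FlowCache()
    host, srv = "10.1.1.10", "192.168.1.100"
    # short HTTPS session: three data packets, then a FIN closes the flow
    for t, fl in ((0, 0), (1, 0), (2, 0), (3, TCP_FIN)):
        c.packet(t, host, srv, 50000, 443, 6, 0, "Gi0/0", 600, fl)
    # one DNS query with no follow-up: ages out on the inactive timer
    c.packet(5, host, "10.1.1.1", 40000, 53, 17, 0, "Gi0/0", 80)
    # SSH transfer every 5 s for just over 30 min: split by the active timer
    for t in range(10, 10 + ACTIVE_TIMEOUT + 20, 5):
        c.packet(t, host, "203.0.113.7", 50001, 22, 6, 0, "Gi0/0", 1400)
    # four SYNs from a scanner arrive at once and overflow the 4-entry cache
    for port in range(1000, 1004):
        c.packet(1830, "198.51.100.9", srv, 40001, port, 6, 0, "Gi0/0", 60, TCP_SYN)
    c.age(1900)   # final ager poll drains what is left
    return {(r.key[3], r.reason): (r.packets, r.octets) for r in c.exported}


if __name__ == "__main__":
    for (dport, reason), (pkts, octs) in demo().items():
        print(f"dport={dport:<5} {reason:<10} packets={pkts:<4} octets={octs}")
```

Run it and note two things a collector has to cope with: the 30-minute SSH transfer arrives as two records (one closed by the active timer, one pushed out when the scanner filled the cache), and the scanner's four SYNs each become a one-packet flow, which is exactly the shape a detection rule keys on.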
IOS CLI Verification Commands with Example Output
Show NetFlow export status:

```
R1# show ip flow export
Flow export v5 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Destination(1)  192.168.1.100 (2055)
  Version 5 flow records
  0 flows exported in 0 udp datagrams
  0 flow records failed to export
  0 flow records not exported due to congestion
```

Show the NetFlow cache:

```
R1# show ip cache flow
IP packet size distribution (0 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  0 active, 0 inactive, 0 added
  0 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
```

Every counter is zero here because no traffic has crossed a NetFlow-enabled interface yet. Once flows exist, the same command ends with a per-flow table (columns SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts), which is where you read the 7-tuple and packet counts for each active flow.

Show interfaces with NetFlow enabled:

```
R1# show ip flow interface
Interface
FastEthernet0/0
  ip flow ingress
```

How NetFlow Interacts with Related Protocols
SNMP: SNMP gives aggregate interface counters; NetFlow gives per-flow details. They complement each other.
NBAR: Network-Based Application Recognition can identify applications (e.g., HTTP, VoIP) and NetFlow can export NBAR application IDs in flow records.
QoS: NetFlow can monitor QoS-marked traffic (ToS byte) to verify that priority queues are working.
ACLs: NetFlow can be enabled on an interface that also carries an ACL. Whether packets denied by an inbound ACL still appear in the flow cache depends on the order of operations on your platform and IOS version; on many IOS software routers, ingress NetFlow accounting happens before the inbound ACL is evaluated, so denied traffic (a port scan hitting a deny entry, for instance) shows up as flows even though it was dropped. Confirm the behaviour in a lab before using NetFlow as evidence that an ACL is passing or blocking something.
NetFlow Versions
Version 5: Fixed 48-byte record of about 20 fields (addresses, ports, protocol, ToS, interfaces, packet and byte counters, timestamps, TCP flags, AS numbers, masks) in a fixed order, up to 30 records per export datagram. IPv4 only; cannot carry variable-length or optional fields such as an application ID. Most common for CCNA.
Version 9: Template-based, supports flexible field definitions. Required for advanced features like NBAR or MPLS. Cisco recommends Version 9 for new deployments.
Configuration Overview
To enable NetFlow on an interface, you must:
1. Enable NetFlow on the interface with ip flow ingress (or ip flow egress for egress monitoring).
2. Define the export destination with ip flow-export destination <ip> <port>.
3. Optionally configure the export version with ip flow-export version 5 or ip flow-export version 9.
4. (Optional) Set source interface with ip flow-export source <interface>.
On the CCNA exam, you may be asked to identify the correct commands or interpret show output to verify NetFlow is working.
Configure NetFlow on Router Interfaces
First, enter global configuration mode and select the interface(s) you want to monitor. For ingress monitoring, use `ip flow ingress`; for egress, use `ip flow egress`. Example: `interface GigabitEthernet0/0` then `ip flow ingress`. A common pattern is ingress on the WAN interface to see everything arriving from outside. If you want every forwarded packet counted exactly once, enable ingress on every interface rather than mixing ingress on one interface with egress on another: a packet that enters an ingress-monitored interface and leaves an egress-monitored one is recorded twice. Remember that NetFlow consumes CPU and memory in proportion to the number of flows; on a busy router, consider sampling (a `flow-sampler-map` applied with `flow-sampler` on the interface) to reduce the overhead.
Configure NetFlow Export Destination
Define where to send the flow records. Use `ip flow-export destination <collector-IP> <port>` in global config. The collector IP is typically a server running NetFlow analysis software (e.g., SolarWinds, PRTG). Default UDP port is 2055. Optionally set the source interface with `ip flow-export source <interface>` so the collector can identify the exporter. Example: `ip flow-export destination 192.168.1.100 2055` and `ip flow-export source Loopback0`. The source interface IP should be reachable from the collector.
Set NetFlow Export Version
Specify the NetFlow version. Use `ip flow-export version 5` for fixed-format records (simpler, adequate for basic monitoring). Use `ip flow-export version 9` for template-based records (supports more fields like application ID). The collector must support the same version. CCNA expects you to know both. Example: `ip flow-export version 5`. If you plan to export NBAR data, you need version 9.
Adjust Flow Cache Timers (Optional)
The default inactive timeout is 15 seconds and the default active timeout is 30 minutes. For closer-to-real-time reporting of long-lived flows, you might shorten the active timeout to 5 minutes with `ip flow-cache timeout active 5`; the unit is minutes (range 1 to 60). The inactive timer is set in seconds with `ip flow-cache timeout inactive <seconds>` (range 10 to 600), so `ip flow-cache timeout inactive 30` lengthens it from the default 15 to 30 seconds, which is the opposite of what you want if you are after faster export. Note: shorter timeouts generate more export datagrams and increase CPU load on both router and collector. The exam may ask about default values: inactive 15 sec, active 30 min. You can also change the cache size with `ip flow-cache entries 100000`.
Verify NetFlow Operation
Use `show ip flow export` to confirm export settings and see whether any flows have been exported. Use `show ip cache flow` to view the current flow cache (packets, bytes, etc.). Use `show ip flow interface` to list interfaces with NetFlow enabled and in which direction. If no flows appear, generate traffic with `ping` or a traffic generator, then check that the collector IP is reachable and that the UDP port is not blocked by an ACL. Example: `ping 192.168.1.100` then `show ip cache flow` should show flows. One caveat: traffic the router generates itself is not counted as ingress, so it is the echo replies arriving on the interface that create the flow; that interface needs `ip flow ingress`.
Troubleshoot NetFlow Issues
Common issues: (1) No export – check `ip flow-export destination` and that the collector is listening. (2) Flows not created – verify `ip flow ingress` is on the correct interface and that ACLs aren't blocking. (3) High CPU – consider sampling. Use `show ip flow export` to see export statistics: if `0 flows exported`, the export may be misconfigured. Use `debug ip flow export` with caution in production. The exam may present a scenario where NetFlow is configured but no data appears; the answer is often a missing `ip flow ingress` command.
Configure NetFlow Sampling (Optional)
On high-speed interfaces, sampling reduces CPU impact. In classic NetFlow, define a sampler map in global configuration with `flow-sampler-map SAMPLE1` and `mode random one-out-of 100` (samples 1% of packets), then apply it on the interface with `flow-sampler SAMPLE1` (which replaces `ip flow ingress` on that interface). Flexible NetFlow uses its own objects: `sampler SAMPLE1` with `mode random 1 out-of 100`, attached as `ip flow monitor <monitor> sampler SAMPLE1 input`. The exam may test that the sampling rate lives in the sampler map, not directly on the interface. Sampling changes the statistics: a 1-in-100 sampler reports roughly one hundredth of the real packets and bytes, and the exporter advertises the interval in the export header so the collector can scale the counts back up.
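What actually leaves the router is worth seeing once, because the version difference and the sampling caveat both live in the export format. The following is an added example for this page, not code from the page or from Cisco: it packs constructed flows into a NetFlow version 5 datagram using the published layout (24-byte header, fixed 48-byte records, 30 records per datagram at most), parses it back the way a collector would, rejects a truncated datagram, and scales the byte counts by the sampling interval advertised in the header to produce a top-talkers list. The value written into the two sampling-mode bits is an assumption.

```python
"""NetFlow version 5 on the wire: build a datagram, parse it, undo sampling.

Added example, not code from the page or from Cisco. The layout is the
published v5 format (24-byte header, 48-byte fixed records, at most 30
records per UDP datagram). The flows are constructed sample data; the
sampling-mode bit value written into the header is an assumption.
"""
import socket
import struct
from collections import Counter

# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval (2-bit mode + 14-bit interval)
HEADER = struct.Struct("!HHIIIIBBH")
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30


def build_v5(flows, sampling_interval=0, seq=0):
    """Exporter side: pack flow dicts into one v5 datagram."""
    if len(flows) > MAX_RECORDS:
        raise ValueError("a v5 datagram carries at most 30 records")
    # assumption: mode bits = 1 when sampling is in use, 0 otherwise
    samp = ((1 << 14) | sampling_interval) if sampling_interval else 0
    header = HEADER.pack(5, len(flows), 123456, 1_700_000_000, 0, seq, 0, 0, samp)
    records = b"".join(
        RECORD.pack(
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), socket.inet_aton("0.0.0.0"),
            f["in_if"], f["out_if"], f["packets"], f["octets"], f["first"], f["last"],
            f["sport"], f["dport"], 0, f.get("tcp_flags", 0), f["proto"], f.get("tos", 0),
            0, 0, 24, 24, 0)
        for f in flows)
    return header + records


def parse_v5(datagram):
    """Collector side: decode one datagram into (header dict, list of flow dicts)."""
    version, count, _up, _secs, _nsecs, seq, _et, _eid, samp = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match record count (truncated or malformed export)")
    header = {"version": version, "count": count, "flow_sequence": seq,
              "sampling_interval": samp & 0x3FFF}
    flows = []
    for i in range(count):
        (src, dst, _nh, in_if, _out, pkts, octs, first, last, sport, dport,
         _p1, flags, proto, tos, _sas, _das, _sm, _dm, _p2) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "sport": sport, "dport": dport, "proto": proto, "tos": tos, "in_if": in_if,
                      "packets": pkts, "octets": octs, "first": first, "last": last,
                      "tcp_flags": flags})
    return header, flows


def top_talkers(header, flows, n=3):
    """Bytes per source address, scaled back up by the advertised sampling interval."""
    scale = header["sampling_interval"] or 1
    totals = Counter()
    for f in flows:
        totals[f["src"]] += f["octets"] * scale
    return totals.most_common(n)


SAMPLE_FLOWS = [   # constructed, not captured
    {"src": "10.1.1.10", "dst": "192.168.1.100", "sport": 50000, "dport": 443, "proto": 6,
     "in_if": 1, "out_if": 2, "packets": 40, "octets": 52_000, "first": 1000, "last": 4000, "tcp_flags": 0x1b},
    {"src": "10.1.1.20", "dst": "10.1.1.1", "sport": 40000, "dport": 53, "proto": 17,
     "in_if": 1, "out_if": 2, "packets": 1, "octets": 80, "first": 5000, "last": 5000},
    {"src": "10.1.1.30", "dst": "203.0.113.7", "sport": 50001, "dport": 22, "proto": 6,
     "in_if": 1, "out_if": 2, "packets": 9000, "octets": 12_600_000, "first": 6000, "last": 1_800_000, "tcp_flags": 0x18},
]


def demo():
    """Round-trip the sample flows at 1:100 sampling; returns (size, header, flows, top talkers)."""
    dgram = build_v5(SAMPLE_FLOWS, sampling_interval=100, seq=7)
    header, flows = parse_v5(dgram)
    return len(dgram), header, flows, top_talkers(header, flows)
```

The fixed struct is the whole point of version 5: there is no room for an application ID, an IPv6 address or an MPLS label because every record is the same 48 bytes. A version 9 parser has to keep a table of templates received from each exporter and look up the record layout per template ID, which is why collectors must support the version you export.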
In a large enterprise with a 10 Gbps internet link, the network team needs to identify which users or applications are saturating the pipe. They configure NetFlow on the border router's ingress interface (toward the internet) and export to a central collector like SolarWinds or PRTG. The collector aggregates flows and generates reports: top talkers, top applications, bandwidth usage per department. This data informs capacity planning (e.g., 'We need to upgrade the link because video conferencing traffic has doubled') and security (e.g., 'A host is sending large amounts of data to an unknown IP at 3 AM—possible data exfiltration').
Another scenario: A campus network with hundreds of switches. The team enables NetFlow on access layer switches to monitor traffic per port. They use a free collector like ntopng. When a user complains of slow performance, they can query: 'Show flows for user IP 10.1.2.3 in the last hour' and see that the user is streaming 4K video, causing congestion. They then apply QoS to limit video traffic.
Scale considerations: On a router with 100,000 flows per second, the CPU can spike. Engineers often enable NetFlow only on critical interfaces or use sampling (e.g., 1:1000). Misconfiguration: A junior admin forgot to set the export source interface; the collector received exports from a different IP, breaking the collector's device identification. Another common mistake: applying ip flow egress instead of ip flow ingress on a WAN interface, causing missing inbound traffic data. Performance impact: NetFlow can consume up to 10-15% CPU on older routers; always test in a lab first.
The CCNA 200-301 exam objective 4.5 states: 'Configure and verify NetFlow and Flexible NetFlow.' The exam focuses on:
Basic NetFlow configuration commands: ip flow ingress, ip flow-export destination, ip flow-export version.
Verification commands: show ip flow export, show ip cache flow, show ip flow interface.
Default timers: inactive timeout 15 seconds, active timeout 30 minutes.
Export version differences: Version 5 vs Version 9.
The purpose of sampling and the commands `flow-sampler-map` (define) and `flow-sampler` (apply).
Common wrong answers:
1. 'NetFlow uses TCP for export' – Wrong. NetFlow export uses UDP (default port 2055), connectionless like SNMP (UDP 161/162) and syslog (UDP 514). Lost export datagrams are not retransmitted.
2. '`ip flow egress` is required for inbound traffic' – Wrong. Ingress traffic is captured with ip flow ingress. Egress captures traffic leaving the interface.
3. 'NetFlow can replace SNMP' – Wrong. They serve different purposes; SNMP gives interface counters, NetFlow gives per-flow details.
4. 'The default active timeout is 15 seconds' – Wrong. That's the inactive timeout. The active timeout is 30 minutes.
Decision rule: If a question asks why no flow data appears, check: (1) Is ip flow ingress configured on the correct interface? (2) Is the export destination reachable? (3) Is the collector listening on the correct port? (4) Are there ACLs blocking the export packets? The most common missing piece is the ip flow ingress command.
For scenario-based questions: read the counters in order. `show ip flow interface` empty means NetFlow was never applied; `show ip cache flow` with 0 added means no packet has crossed a monitored interface; a populated cache with `0 flows exported` in `show ip flow export` means no export destination is configured or no flow has aged out yet (the 'flows exported' counter counts records the router handed to UDP, so it climbs even when nothing reaches the collector). Exports counted but nothing at the collector points to the path: the destination IP or port is wrong, an ACL or firewall drops UDP to that port, or the collector is not listening on it.
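The decision rule above is mechanical enough to script, and doing so forces you to read the counters in the right order. This is an added example for this page, not code from the page or from Cisco: it pulls the handful of fields the rule needs out of the text of `show ip flow export`, `show ip cache flow` and `show ip flow interface`, then names the most likely cause. The five output samples are constructed to follow the IOS format shown earlier on the page; the wording of the 'disabled' export output is an assumption.

```python
"""Turn the three verification commands into a verdict.

Added example (not from the page or from Cisco): it parses the counters in
`show ip flow export`, `show ip cache flow` and `show ip flow interface`
output and applies the decision rule above. The output samples are
constructed to follow the IOS format shown earlier on this page.
"""
import re


def parse_outputs(flow_export, cache_flow, flow_interface):
    """Extract only the fields the decision rule needs from the raw CLI text."""
    exported = re.search(r"(\d+) flows exported in (\d+) udp datagrams", flow_export)
    failed = re.search(r"(\d+) flow records failed to export", flow_export)
    dest = re.search(r"Destination\(\d+\)\s+(\S+)\s+\((\d+)\)", flow_export)
    cache = re.search(r"(\d+) active, (\d+) inactive, (\d+) added", cache_flow)
    # `show ip flow interface` lists each interface, then its directions indented
    interfaces = {}
    current = None
    for line in flow_interface.splitlines():
        if not line.strip() or line.strip() == "Interface":
            continue
        if not line.startswith(" "):
            current = line.strip()
            interfaces[current] = []
        elif current:
            interfaces[current].append(line.strip())
    return {
        "exported": int(exported.group(1)) if exported else 0,
        "failed": int(failed.group(1)) if failed else 0,
        "destination": (dest.group(1), int(dest.group(2))) if dest else None,
        "active": int(cache.group(1)) if cache else 0,
        "added": int(cache.group(3)) if cache else 0,
        "interfaces": interfaces,
    }


def diagnose(state):
    """Check in the order the decision rule gives; return (verdict, next step)."""
    if not state["interfaces"]:
        return ("netflow not applied", "no interface has ip flow ingress/egress; add it where traffic enters")
    if state["destination"] is None:
        return ("no export destination", "add ip flow-export destination <collector> <port>")
    if state["added"] == 0:
        return ("no traffic seen", "NetFlow is on but no packet has crossed a monitored interface; generate traffic and recheck")
    if state["failed"] > 0:
        return ("export failing", "records are dropped at export; check the route to the collector and the export source interface")
    if state["exported"] == 0:
        return ("nothing aged out yet", "flows are cached but none has hit a timeout; wait, or shorten the timers in the lab")
    ip, port = state["destination"]
    return ("exporting", f"{state['exported']} flows sent to {ip}:{port}; if the collector still sees nothing, "
                         f"look for an ACL or firewall dropping UDP {port} and confirm the collector listens on it")


# Constructed samples in the format of the show output earlier on the page.
EXPORT_ACTIVE = """Flow export v5 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Destination(1)  192.168.1.100 (2055)
  Version 5 flow records
  37 flows exported in 3 udp datagrams
  0 flow records failed to export
  0 flow records not exported due to congestion
"""
EXPORT_IDLE = EXPORT_ACTIVE.replace("37 flows exported in 3", "0 flows exported in 0")
EXPORT_NO_DEST = """Flow export v5 is disabled for main cache
  Version 5 flow records
  0 flows exported in 0 udp datagrams
  0 flow records failed to export
"""   # assumed wording for a router with no destination configured
CACHE_EMPTY = "IP Flow Switching Cache, 278544 bytes\n  0 active, 0 inactive, 0 added\n"
CACHE_BUSY = "IP Flow Switching Cache, 278544 bytes\n  12 active, 4084 inactive, 49 added\n"
IFACE_ON = "Interface\nGigabitEthernet0/0\n  ip flow ingress\n"
IFACE_NONE = "Interface\n"


def demo():
    """Run the rule over five scenarios; returns {scenario: verdict}."""
    cases = {
        "missing ip flow ingress": (EXPORT_IDLE, CACHE_EMPTY, IFACE_NONE),
        "no destination": (EXPORT_NO_DEST, CACHE_BUSY, IFACE_ON),
        "no traffic": (EXPORT_IDLE, CACHE_EMPTY, IFACE_ON),
        "cached not exported": (EXPORT_IDLE, CACHE_BUSY, IFACE_ON),
        "healthy": (EXPORT_ACTIVE, CACHE_BUSY, IFACE_ON),
    }
    return {name: diagnose(parse_outputs(*outputs))[0] for name, outputs in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} -> {verdict}")
```

The order of the checks is the substance: the exam's favourite failure (NetFlow never applied to an interface) is caught first, and the router's own 'flows exported' counter is only trusted to tell you that the router tried, never that the collector received anything.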
NetFlow is unidirectional; configure `ip flow ingress` on the interface where traffic enters.
Default export UDP port is 2055; use `ip flow-export destination <ip> <port>`.
Default inactive timeout: 15 seconds; active timeout: 30 minutes.
Use `show ip cache flow` to view flow records; `show ip flow export` to verify export.
Version 5 is fixed format; Version 9 is template-based and supports more fields.
Sampling reduces CPU load; configured with `flow-sampler-map` and applied to the interface with `flow-sampler <name>`.
NetFlow complements SNMP; it provides per-flow data, not aggregate interface statistics.
These come up on the exam all the time. Here's how to tell them apart.
NetFlow Version 5
Fixed format; all fields in same order.
Fixed 48-byte record of about 20 fields; at most 30 records per export datagram.
Cannot carry variable-length fields (e.g., application ID).
Simpler to configure and process.
Legacy, but still widely used.
NetFlow Version 9
Template-based; collector learns field definitions dynamically.
Field set defined by templates the exporter sends; field types are identified by 16-bit IDs, so new fields can be added without changing the protocol.
Can carry application ID, MPLS labels, IPv6 addresses.
Required for NBAR and Flexible NetFlow.
More flexible but slightly more complex.
Mistake
NetFlow uses TCP to export flow records to the collector.
Correct
NetFlow export uses UDP (default port 2055). The collector must listen on that UDP port. TCP is not used because flow export is loss-tolerant; a few lost datagrams are acceptable, and the sequence number in the export header lets the collector notice that loss happened.
Candidates often associate reliable transport with TCP, but NetFlow prioritizes low overhead over reliability.
Mistake
`ip flow egress` captures inbound traffic on an interface.
Correct
`ip flow egress` captures traffic leaving the interface (outbound). To capture inbound traffic, use `ip flow ingress`. Both can be configured on the same interface.
The terms 'ingress' and 'egress' are often confused; candidates think 'egress' means entering the network.
Mistake
NetFlow can replace SNMP for bandwidth monitoring.
Correct
SNMP polls interface counters and gives total bytes/packets per interface. NetFlow gives per-flow details (source/destination IP, ports, protocol). They are complementary; SNMP shows overall link utilization, NetFlow shows which flows contribute.
Both are monitoring tools, but their outputs are different. Candidates oversimplify.
Mistake
The default active timeout is 15 seconds.
Correct
The default active timeout is 30 minutes. The inactive timeout is 15 seconds. Active timeout forces export of long-lived flows; inactive timeout exports flows that have stopped.
Candidates mix up the two timers because both are 'timeouts'.
The default UDP port for NetFlow export is 2055. However, many collectors use port 9995 or 9996 for historical reasons. Always verify the collector's configuration. You can change the port with `ip flow-export destination <ip> <port>`. On the exam, remember the default is 2055.
Yes, many Cisco switches support NetFlow, but rarely with the classic `ip flow ingress` command. Catalyst 3650/3850 and similar platforms implement Flexible NetFlow only (`flow record`, `flow exporter`, `flow monitor`, then `ip flow monitor <name> input` on the interface), and the Catalyst 2960-X offers a sampled variant called NetFlow-Lite. Older or lower-end switches may not support it at all; check the platform. For CCNA, assume classic NetFlow on routers and Flexible NetFlow on higher-end switches.
Flexible NetFlow (FnF) is an evolution of traditional NetFlow that allows custom flow definitions (e.g., match on MAC address or VLAN). It uses version 9 export. Traditional NetFlow uses a fixed 7-tuple. The CCNA exam covers both, but focuses on basic NetFlow configuration. FnF is configured with `flow record`, `flow exporter`, and `flow monitor` commands.
Use `show ip flow export`. Look at 'flows exported': if it stays at zero while `show ip cache flow` shows flows being added and aging out, the export destination is probably not configured. If the counter climbs but the collector sees nothing, the datagrams are leaving the router but not arriving: check the destination IP and port, ACLs or firewalls in the path, and that the collector is listening. 'flow records failed to export' counting up points at a local problem such as no route to the collector. You can also use `debug ip flow export`, but be cautious in production.
When the flow cache reaches its maximum size (default 64K entries), the router forces aging of the oldest flows to make room. This is called 'cache full' aging. It exports those flows and then creates new entries. This can cause some flow records to be exported prematurely. To avoid this, increase cache size with `ip flow-cache entries` or enable sampling.
Yes, NetFlow supports IPv6. You need to configure `ipv6 flow ingress` on the interface (or `ip flow ingress` for IPv4). The export version should be 9 to carry IPv6 addresses. The collector must also support IPv6 flow records.
This command sets the source IP address of the NetFlow export packets. Without it, the router uses the IP of the egress interface. Setting a loopback interface as the source ensures that the collector always sees the same source IP, even if the physical interface goes down. This simplifies collector configuration.