CCNA 200-301 | Chapter 195 of 260 | Objective 4.5

NetFlow Fundamentals

NetFlow is a Cisco-proprietary network monitoring protocol that provides visibility into IP traffic flows traversing a router or switch. For the CCNA 200-301 exam, understanding NetFlow fundamentals (objective 4.5) is essential because it enables network engineers to perform traffic analysis, capacity planning, and security monitoring. In real-world networks, NetFlow data helps identify bandwidth hogs, detect anomalies, and justify infrastructure upgrades — making it a core tool for any network engineer.

25 min read
Beginner
Updated May 31, 2026

The Toll Booth Camera System

Imagine a highway with a toll booth that records every vehicle passing through. The toll booth doesn't stop every car; instead, it uses cameras to capture license plates, vehicle type, speed, and timestamp for each car. This data is then sent to a central office for analysis — how many cars used the highway, which destinations are most common, and which time of day has the highest traffic. In NetFlow terms, the toll booth is a NetFlow-enabled router or switch, the camera captures flow records (source/destination IP, ports, protocol, packet/byte counts), and the central office is a NetFlow collector. Just as the toll booth can aggregate data (e.g., total cars per hour), NetFlow aggregates flow information for export. The key difference: a toll booth sees every car individually, but NetFlow samples or caches flows to reduce overhead. The toll booth analogy is mechanistic: flows are like car trips with a start (first packet) and end (idle timeout), and the collector is like the traffic analysis center that generates reports. Misconfiguring the export interval or missing flows is like a faulty camera losing data — you get incomplete traffic insights.

How It Actually Works

What is NetFlow?

NetFlow is a Cisco IOS feature that captures metadata about IP traffic flows passing through a network device. A flow is defined as a unidirectional sequence of packets sharing the same 7 key fields: Source IP address, Destination IP address, Source port, Destination port, Layer 3 protocol type, ToS byte (DSCP), and Input interface. NetFlow caches these flows in memory and exports flow records to a collector (typically a server running software like SolarWinds, PRTG, or ntop) using UDP packets. The collector analyzes the data for traffic accounting, usage-based billing, network monitoring, and security analysis.

How NetFlow Works – Step by Step

1. Packet Arrival: A packet arrives on a NetFlow-enabled interface. The router examines the packet's header fields.

2. Flow Lookup: The router checks its NetFlow cache (a hash table) for an existing flow matching the 7 key fields. If a match is found, the router updates the flow record, incrementing the packet and byte counters and updating the timestamp of the last packet seen.

3. New Flow Creation: If no match exists, the router creates a new flow entry in the cache. It records the first packet's timestamp and the key fields, and initializes the counters to 1 packet and the packet's byte count.

4. Flow Expiration: A flow entry remains in the cache until one of these events occurs:
   - Idle timeout: No packets for the flow within 15 seconds (default). The flow is considered inactive and is exported.
   - Active timeout: The flow has been active for 30 minutes (default). The flow is exported even if still active, and the cache entry is reset (or a new flow continues).
   - Cache full: If the flow cache reaches its maximum size (default varies by platform, often 64K entries), the router applies an aging algorithm (e.g., oldest or largest flows) to evict and export flows.
   - TCP FIN/RST: For TCP flows, the router exports the flow immediately upon seeing a FIN or RST flag.

5. Export: The router sends the expired flow record(s) to the configured NetFlow collector using UDP (default port 2055). The export packet contains one or more flow records, each with fields like source/destination IP, ports, protocol, packet/byte counts, timestamps, and ToS.
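To make the cache behaviour concrete, here is an added example (not code from the page or from Cisco IOS) that simulates the five steps above: a cache keyed on the 7 NetFlow fields, with the inactive timeout, the active timeout, a cache-full eviction and the TCP FIN/RST shortcut all exporting records to a list that stands in for the collector. Interface names, addresses and timestamps in `demo()` are constructed; the eviction policy (least recently updated flow) is one simple choice, not a statement of what a given platform does.

```python
from dataclasses import dataclass

TCP, FIN, RST = 6, 0x01, 0x04   # IP protocol number for TCP and the TCP flag bits

@dataclass
class FlowRecord:
    key: tuple      # (src_ip, dst_ip, src_port, dst_port, proto, tos, in_if)
    first: float    # timestamp of the first packet, seconds
    last: float     # timestamp of the most recent packet
    pkts: int = 0
    octets: int = 0

class FlowCache:
    def __init__(self, active_timeout=1800, inactive_timeout=15, max_entries=4096):
        self.active_timeout = active_timeout      # IOS default 30 minutes
        self.inactive_timeout = inactive_timeout  # IOS default 15 seconds
        self.max_entries = max_entries
        self.cache = {}                           # key -> FlowRecord
        self.exported = []                        # records handed to the collector

    def _export(self, rec):
        self.exported.append(rec)
        del self.cache[rec.key]

    def age(self, now):
        """Expire every cached flow that reached the inactive or active timeout."""
        for rec in list(self.cache.values()):
            if now - rec.last >= self.inactive_timeout or now - rec.first >= self.active_timeout:
                self._export(rec)

    def packet(self, ts, src, dst, sport, dport, proto, tos, in_if, length, tcp_flags=0):
        """Account one packet: update the matching flow or create a new entry."""
        self.age(ts)
        key = (src, dst, sport, dport, proto, tos, in_if)
        rec = self.cache.get(key)
        if rec is None:
            if len(self.cache) >= self.max_entries:
                # Cache full: evict the least recently updated flow (one simple aging policy).
                self._export(min(self.cache.values(), key=lambda r: r.last))
            rec = self.cache[key] = FlowRecord(key, ts, ts)
        rec.last = ts
        rec.pkts += 1
        rec.octets += length
        if proto == TCP and tcp_flags & (FIN | RST):
            self._export(rec)   # TCP teardown: export now instead of waiting for a timeout

def demo():
    """Constructed packet stream: a steady HTTP flow, one DNS reply, and a short TCP session."""
    c = FlowCache(active_timeout=60, inactive_timeout=15)
    for t in range(0, 70, 10):   # a packet every 10 s: the active timeout splits the flow at t=60
        c.packet(t, "10.1.1.1", "10.2.2.2", 1234, 80, TCP, 0, "Gi0/0", 500)
    c.packet(61, "10.1.1.2", "10.2.2.3", 53, 12345, 17, 0, "Gi0/0", 80)
    for t, flags in ((62, 0x02), (63, 0x10), (64, FIN | 0x10)):   # SYN, ACK, FIN+ACK
        c.packet(t, "10.1.1.3", "10.2.2.4", 40000, 443, TCP, 0, "Gi0/0", 60, tcp_flags=flags)
    c.age(80)   # 15 s of silence: the remaining flows hit the inactive timeout
    return c.exported
```

Running `demo()` yields four exported records in order: the first 6 HTTP packets (cut by the active timeout), the 3-packet TCP session (cut by FIN), then the second HTTP segment and the DNS flow (both cut by the inactive timeout).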

NetFlow Versions

Cisco supports multiple NetFlow versions. For CCNA, the key versions are:

- NetFlow v5: Most common legacy version. Supports IPv4 only, fixed format, 7 key fields. Uses UDP. Cannot carry MPLS or IPv6 information.

- NetFlow v9: Template-based, flexible format. Supports IPv4, IPv6, MPLS, and BGP next-hop. Templates allow new field types to be added. The collector must understand templates. This version is the basis for IPFIX.

- IPFIX (NetFlow v10): IETF standard (RFC 7011-7015), based on NetFlow v9. Cisco supports IPFIX as an export format. It uses variable-length templates and supports enterprise-specific fields.
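The "fixed format" of v5 is exactly what lets a collector decode it without templates. The following is an added example (not from the page or from any vendor's collector) that builds and parses a v5 export datagram, a 24-byte header followed by 48-byte records, and shows the sanity checks a collector should apply before trusting the counters: version field, record count against datagram length, and the 30-record limit. The flows in `demo()` reuse the addresses and ports from the `show ip flow cache` output later on this page; byte counts, timestamps and interface indexes are constructed.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes: version, count, uptime, secs, nsecs, seq, engine type/id, sampling
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes per flow record
MAX_RECORDS = 30                                     # v5 carries at most 30 records per datagram

def build_v5(flows, uptime_ms=0, unix_secs=0, seq=0, sampling_interval=0):
    """Encode flow dicts as one v5 datagram (exporter side; used here to construct test input)."""
    if len(flows) > MAX_RECORDS:
        raise ValueError("too many records for one v5 datagram")
    header = HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, sampling_interval & 0x3FFF)
    body = b"".join(
        RECORD.pack(socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
                    socket.inet_aton(f.get("nexthop", "0.0.0.0")), f["in_if"], f["out_if"],
                    f["pkts"], f["bytes"], f["first"], f["last"], f["sport"], f["dport"],
                    0, f.get("tcp_flags", 0), f["proto"], f.get("tos", 0), 0, 0, 0, 0, 0)
        for f in flows)
    return header + body

def parse_v5(data):
    """Decode a v5 datagram (collector side), rejecting anything that is not well-formed."""
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, _etype, _eid, sampling = HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    if count > MAX_RECORDS or len(data) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "nexthop": socket.inet_ntoa(r[2]), "in_if": r[3], "out_if": r[4],
                      "pkts": r[5], "bytes": r[6], "first": r[7], "last": r[8],
                      "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13], "tos": r[14]})
    return {"seq": seq, "uptime_ms": uptime, "unix_secs": secs,
            "sampling_interval": sampling & 0x3FFF, "flows": flows}   # low 14 bits hold the interval

def demo():
    """Round-trip the two flows from the page's show ip flow cache output (byte counts constructed)."""
    flows = [dict(src="10.1.1.1", dst="10.2.2.2", in_if=1, out_if=2, pkts=15, bytes=9000,
                  first=1000, last=5000, sport=1234, dport=80, proto=6, tcp_flags=0x1B),
             dict(src="10.1.1.2", dst="10.2.2.3", in_if=1, out_if=2, pkts=8, bytes=640,
                  first=2000, last=2100, sport=53, dport=12345, proto=17)]
    return parse_v5(build_v5(flows, uptime_ms=6000, unix_secs=1700000000, seq=11))
```

The `seq` field is the one to watch on a real collector: gaps between consecutive datagrams from the same exporter are the quickest sign that UDP export packets are being dropped on the path.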

Key Timers and Defaults

Active Timer: 30 minutes (configurable from 1 to 60 minutes).

Inactive Timer: 15 seconds (configurable from 10 to 600 seconds).

Sampling Rate: Not enabled by default. If sampling is used, the router only captures 1 out of N packets, reducing CPU load but losing accuracy.

Cache Size: Default varies (e.g., 64K flows). Configurable with ip flow-cache entries.

Export UDP Port: Default 2055 (configurable).

IOS CLI Verification Commands

To verify NetFlow configuration and operation on a Cisco router or switch:

show ip flow export

Example output:

Flow export v5 is enabled for main cache
  Exporting flows to 10.1.1.100 (2055)
  Exporting using source IP 192.168.1.1
  Version 5 flow records
  11 flows exported in 2 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures

show ip flow cache

Example output:

IP packet size distribution (0 total packets):
    ...
    Flow Cache Max: 4096 entries
    Active Flows: 45
    Inactive Flows: 12
    ...
    SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr SrcP DstP  Pkts
    Gi0/0          10.1.1.1        Gi0/1          10.2.2.2        06 1234 80    15
    Gi0/0          10.1.1.2        Gi0/1          10.2.2.3        11 53   12345 8

show ip flow top-talkers

(Requires prior configuration of ip flow-top-talkers.)

Interaction with Related Protocols

NetFlow is often used alongside SNMP for monitoring. SNMP provides device-level metrics (CPU, memory, interface counters), while NetFlow provides per-flow granularity. Together, they give a complete picture. NetFlow can also be integrated with NBAR (Network-Based Application Recognition) for application-level visibility. NetFlow data can be sent to a collector that correlates with syslog or firewall logs for security analysis.

Walk-Through

1. Enable NetFlow on an interface

First, enter global configuration mode and select the interface you want to monitor. Use the command `ip flow ingress` (or `ip flow egress` for outbound flows). For example: `interface GigabitEthernet0/0` then `ip flow ingress`. This enables NetFlow on inbound packets. You can enable both directions by adding `ip flow egress` as well. Note: On switches, you may need to use `ip flow monitor` under interface configuration if using Flexible NetFlow.

2. Configure the NetFlow export destination

Specify where to send the flow records using `ip flow-export destination <ip-address> <udp-port>`. Example: `ip flow-export destination 10.1.1.100 2055`. You can also set the source interface for export packets with `ip flow-export source <interface>`. This ensures the collector sees a consistent source IP. Optionally, configure the NetFlow version: `ip flow-export version 5` (or 9).

3. Verify NetFlow is operational

Use `show ip flow export` to confirm that flows are being exported to the collector. Look for incrementing counters for exported flows. Use `show ip flow cache` to see active flows in the cache. If no flows appear, generate traffic (e.g., ping or web request) and re-check. Verify that the collector is receiving packets (e.g., using tcpdump on the collector).

4. Tune NetFlow timers and cache size

Adjust the active and inactive timers to balance accuracy and resource usage. Use `ip flow-cache timeout active 1` (sets active timeout to 1 minute) and `ip flow-cache timeout inactive 30` (inactive timeout to 30 seconds). Increase cache size with `ip flow-cache entries 100000` if needed. Be aware: shorter active timeouts export more frequently, increasing CPU and network overhead but providing near-real-time data.

5. Enable NetFlow sampling (optional)

On high-traffic links, enable sampling to reduce CPU load. Use `ip flow-sampler sampler-name` under interface configuration. First, define a sampler: `sampler sampler-name mode random 1-out-of 100`. Then apply it: `ip flow ingress sampler sampler-name`. This captures only 1% of packets, reducing accuracy but preserving router performance.

6. Monitor and analyze NetFlow data

On the collector, use software to visualize traffic patterns. Common analyses: top talkers (by bandwidth), application breakdown, and traffic over time. For CCNA, you may need to interpret NetFlow data from a CLI perspective. Use `show ip flow top-talkers` (if configured) to see top flows. Example output shows source/destination IP, ports, protocol, and packet counts. Use this to identify bandwidth hogs or suspicious traffic.

What This Looks Like on the Job

Enterprise Network Traffic Accounting

A large enterprise with multiple branch offices uses NetFlow to track bandwidth usage per department. By enabling NetFlow on the WAN routers and exporting to a collector, the network team can generate reports showing which departments consume the most bandwidth. This data is used for chargeback billing – each department pays based on actual usage. The deployment requires careful planning: the collector must have enough storage to handle flow records (e.g., 1 million flows per day per router), and the export UDP packets must not be dropped by firewalls. A common misconfiguration is forgetting to set the source interface for export, causing the collector to see different source IPs and potentially drop flows due to access control.

Security Incident Detection

A security analyst uses NetFlow to detect a DDoS attack. By monitoring flow records, they notice a sudden spike in traffic to a single destination IP from many source IPs, all using the same destination port (e.g., UDP 53 for DNS amplification). The analyst can quickly identify the target and the attack magnitude, then apply ACLs or RTBH (Remotely Triggered Black Hole) routing to mitigate. NetFlow provides the historical baseline to distinguish normal traffic from anomalies. Performance consideration: during an attack, the flow cache may fill rapidly, causing legitimate flows to be evicted. Tuning cache size and using sampling can help, but may reduce visibility.
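The fan-in pattern the analyst looks for (many sources, one destination, one port, far above the historical baseline) is straightforward to check on the collector side. The block below is an added example, not part of the page or any product: it aggregates exported flow records per destination service, compares an attack window against a baseline window, and returns alerts. All records use constructed RFC 5737 addresses; the `min_sources` and `ratio` thresholds are assumptions that a real deployment would tune against its own baseline.

```python
from collections import defaultdict

def summarize(flows):
    """Aggregate flow records per destination service (dst_ip, proto, dst_port)."""
    stats = defaultdict(lambda: {"srcs": set(), "pkts": 0, "octets": 0})
    for f in flows:
        s = stats[(f["dst"], f["proto"], f["dport"])]
        s["srcs"].add(f["src"])
        s["pkts"] += f["pkts"]
        s["octets"] += f["octets"]
    return stats

def detect_fanin(window, baseline, min_sources=50, ratio=10.0):
    """Flag services hit by many distinct sources at >= ratio times the baseline packet count."""
    base, cur = summarize(baseline), summarize(window)
    alerts = []
    for key, s in cur.items():
        base_pkts = base[key]["pkts"] if key in base else 0
        if len(s["srcs"]) >= min_sources and s["pkts"] >= ratio * max(base_pkts, 1):
            alerts.append({"target": key, "sources": len(s["srcs"]),
                           "pkts": s["pkts"], "baseline_pkts": base_pkts})
    return alerts

def flow(src, dst, proto, sport, dport, pkts, octets):
    """Build one flow record in the shape a collector stores after decoding v5/v9 export."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "pkts": pkts, "octets": octets}

def demo():
    """Constructed records: a quiet baseline window and a window with a flood toward UDP/53."""
    dns, web = "203.0.113.10", "203.0.113.20"
    baseline = [flow(f"198.51.100.{i}", dns, 17, 40000 + i, 53, 20, 1600) for i in range(1, 11)]
    baseline += [flow(f"198.51.100.{i}", web, 6, 50000 + i, 443, 40, 20000) for i in range(1, 31)]
    # The attack window: 200 distinct sources all targeting the same destination IP and port.
    window = [flow(f"192.0.2.{i}", dns, 17, 1024 + i, 53, 50, 4000) for i in range(1, 201)]
    # The web server keeps its usual 30 clients with a modest increase: no alert expected.
    window += [flow(f"198.51.100.{i}", web, 6, 50000 + i, 443, 45, 21000) for i in range(1, 31)]
    return detect_fanin(window, baseline)
```

Because sampling scales packet counts down uniformly, compare sampled windows only against baselines collected at the same sampling rate, or multiply both by the interval first.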

Capacity Planning and Link Upgrades

A growing company uses NetFlow data over six months to justify upgrading a 100 Mbps link to 1 Gbps. The NetFlow collector shows that peak utilization consistently exceeds 80% during business hours, and top applications include video conferencing and cloud storage sync. The network engineer exports NetFlow v9 records to a tool like SolarWinds NetFlow Traffic Analyzer, which generates trend graphs. Without NetFlow, they would rely on SNMP interface counters, which only show aggregate bandwidth – not which applications are driving growth. A misconfigured active timeout (e.g., set to 60 minutes) would smooth out peaks, making the upgrade seem unnecessary.

How CCNA 200-301 Actually Tests This

What the 200-301 Exam Tests

The CCNA exam objective 4.5 ("Describe network monitoring technologies") includes NetFlow as one of the key technologies. Candidates must understand:

The purpose of NetFlow (traffic monitoring, accounting, security analysis)

How a flow is defined (7 key fields: source/destination IP, source/destination port, protocol, ToS, input interface)

The difference between NetFlow v5 and v9 (v5 fixed, v9 template-based)

Default timers (active 30 min, inactive 15 sec)

The role of the collector and the export protocol (UDP, default port 2055)

How to verify NetFlow operation with show ip flow export and show ip flow cache

Common Wrong Answers and Why

1. "NetFlow captures full packet payloads." Wrong. NetFlow only captures metadata (headers and counters), not payload. Candidates confuse it with packet capture tools like Wireshark.

2. "NetFlow uses TCP for export." Wrong. NetFlow export uses UDP (port 2055 by default). TCP would add overhead and is not used because loss of a few export packets is acceptable.

3. "NetFlow v9 is the only version that supports IPv6." Partially true: v5 does not support IPv6, but v9 and IPFIX do. However, the exam may ask which version supports templates (v9).

4. "The active timer default is 15 seconds." Wrong. The inactive timer is 15 seconds; the active timer is 30 minutes. Candidates often swap them.

Specific Values and Commands

Default export port: 2055 (UDP)

Default active timeout: 30 minutes (1800 seconds)

Default inactive timeout: 15 seconds

Key show commands: show ip flow export, show ip flow cache, show ip flow top-talkers

Configuration: ip flow ingress, ip flow-export destination, ip flow-export version

Decision Rule for Scenario Questions

When a question asks which technology provides per-flow traffic analysis, NetFlow is the answer. If the question mentions "application visibility" or "NBAR", that is a different technology (NBAR). If the question asks about "real-time" vs "historical" data, NetFlow is typically historical (exported every 15 sec to 30 min). For real-time, think SNMP polling or IP SLA.

Key Takeaways

NetFlow exports flow records via UDP to a collector, default port 2055.

A flow is defined by 7 key fields: src/dst IP, src/dst port, protocol, ToS, input interface.

Default active timeout: 30 minutes; default inactive timeout: 15 seconds.

NetFlow v5 is fixed-format, IPv4-only; NetFlow v9 is template-based, supports IPv6 and MPLS.

Enable NetFlow on an interface with `ip flow ingress` (or egress).

Verify export with `show ip flow export` and active flows with `show ip flow cache`.

NetFlow is used for traffic accounting, capacity planning, and security monitoring.

Sampling reduces CPU load but decreases accuracy; configured with `ip flow-sampler`.

NetFlow does not capture packet payloads – only metadata.

The collector must be reachable via UDP; firewalls must allow port 2055.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

NetFlow

Provides per-flow granularity (source/destination IP, ports, protocol).

Exports flow records via UDP to a collector (default port 2055).

Used for traffic analysis, capacity planning, and security monitoring.

Historical data – flows are exported after timeout (15 sec to 30 min).

Requires NetFlow-enabled devices and a collector server.

SNMP

Provides device-level metrics (CPU, memory, interface counters).

Uses UDP (port 161) for polling and traps (port 162).

Used for fault management, performance monitoring, and device health.

Near real-time polling (typical interval 5 minutes).

Works with any SNMP-enabled device; no collector needed (but NMS is typical).

Watch Out for These

Mistake

NetFlow captures the full packet payload.

Correct

NetFlow only captures packet metadata (headers and counters), not the payload. It records fields like IP addresses, ports, protocol, and byte counts, but does not store the data content.

Candidates often confuse NetFlow with full packet capture tools like Wireshark because both are used for monitoring.

Mistake

NetFlow export uses TCP to ensure reliable delivery.

Correct

NetFlow export uses UDP (default port 2055). Loss of a few export packets is acceptable because the data is statistical and not critical for real-time operations.

Many assume that monitoring data requires reliable transport, but NetFlow prioritizes low overhead over guaranteed delivery.

Mistake

The active timeout default is 15 seconds.

Correct

The active timeout default is 30 minutes (1800 seconds). The inactive timeout defaults to 15 seconds. These are commonly swapped in exam questions.

The word 'active' might intuitively seem shorter, but active timeout is longer to avoid exporting too many flow records for long-lived flows.

Mistake

NetFlow v5 supports IPv6 and MPLS.

Correct

NetFlow v5 is IPv4-only and does not support MPLS. NetFlow v9 (or IPFIX) is required for IPv6 and MPLS support.

Candidates may assume all versions support newer protocols, but v5 is legacy and limited.


Frequently Asked Questions

What is the difference between NetFlow v5 and v9?

NetFlow v5 is a fixed-format export protocol that supports only IPv4 flows. It has a predefined set of fields (e.g., source/dest IP, ports, protocol, ToS, input interface). NetFlow v9 is template-based, meaning the exporter sends a template that defines the fields in the flow records. This allows v9 to support IPv6, MPLS, BGP next-hop, and other extended fields. v9 is also the basis for IPFIX (NetFlow v10). For the CCNA exam, know that v5 is legacy and v9 is more flexible.

How does NetFlow determine when a flow ends?

A flow ends (and is exported) based on several conditions: (1) Inactive timeout – no packets for the flow within the configured idle time (default 15 seconds). (2) Active timeout – the flow has been active for the maximum duration (default 30 minutes), even if packets are still flowing. (3) TCP FIN or RST flag – for TCP flows, the router exports the flow immediately upon seeing a FIN or RST. (4) Cache full – if the flow cache is full, the router may evict older flows. Exam tip: Know the default timers: active 30 min, inactive 15 sec.

Can NetFlow be used for real-time traffic monitoring?

NetFlow is not truly real-time because flows are cached and exported only after a timeout (minimum inactive timeout is 10 seconds, default 15 seconds). For near-real-time visibility, you can reduce the active timeout to 1 minute, but this increases export traffic and CPU usage. For real-time monitoring, consider using SNMP or IP SLA. NetFlow is best for historical analysis and trending.

What is the purpose of the NetFlow collector?

The NetFlow collector is a server (or software) that receives flow export packets from NetFlow-enabled devices. It processes, stores, and analyzes the flow records, presenting them in a user-friendly interface (dashboards, reports). The collector can aggregate data from multiple devices, perform traffic accounting, and detect anomalies. Without a collector, flow records are just dropped by the router after export.

How do I enable NetFlow on a Cisco switch?

On a Cisco switch (e.g., Catalyst 3750), NetFlow configuration may differ from routers. For traditional NetFlow, use `ip flow ingress` under interface configuration. On newer switches with Flexible NetFlow, you must create a flow monitor and apply it to the interface. Example: `flow monitor MONITOR` then `record netflow ipv4` then `exporter EXPORTER` then `interface Gi1/0/1` and `ip flow monitor MONITOR input`. Check the switch model and IOS version for exact syntax.

Does NetFlow consume a lot of router resources?

NetFlow can be CPU- and memory-intensive, especially on routers with high traffic volumes. Each flow consumes memory in the cache, and the process of creating/updating flows uses CPU. To mitigate, use sampling (e.g., 1 out of 100 packets) on high-speed interfaces. Also, increase cache size if flows are being dropped. For the exam, know that sampling reduces accuracy but preserves router performance.

What is the difference between NetFlow and IPFIX?

IPFIX (Internet Protocol Flow Information Export) is the IETF standard (RFC 7011-7015) based on NetFlow v9. Cisco supports IPFIX as NetFlow v10. The main difference is that IPFIX is vendor-neutral and uses standard definitions for fields, while NetFlow v9 uses Cisco-proprietary field definitions. Both use templates. For CCNA, you can treat IPFIX as an enhanced version of NetFlow v9.

