Flexible NetFlow


Flexible NetFlow is used for the metering process. With Flexible NetFlow you can define something called a flow monitor. A flow monitor is simply the NetFlow cache, so you can define many different NetFlow caches for different purposes for the same traffic! For example, you may want to monitor the SYN flag for security, as in the picture.

 


The picture above shows typical examples of using NetFlow. You can have just one exporter for a monitor, or many exporters. You don't even have to export the flows; you can use NetFlow just for troubleshooting.

In the next pictures you can see the logic behind the configuration of Flexible NetFlow.


In the first step you define the IP address of the collectors, i.e. where you want to export your flows. In the second step you define the key and non-key fields you want to record. The match keyword is for key fields and the collect keyword is for non-key fields. In the third step you tie it together and specify the structure of the cache in memory. Then you just apply it to an interface.

In Flexible NetFlow you have plenty of fields to choose from when specifying flow records. For key fields you can specify anything from the IPv4 and IPv6 packet. You can specify MAC addresses and VLANs, and you can also see which QoS queue a specific flow is in. You can specify routing information, VRF, multicast or even the application ID (the app ID comes from NBAR).

There are also many non-key fields to choose from; I will not list them. However, there is one thing you must remember: for non-key fields you can also choose any of the key fields, but the recorded value will come ONLY from the first packet in the flow. This is very important! For example, should the IGP next-hop address be a key field? It depends! Say you use load balancing, and one packet goes one way and the next goes another way. If the next hop is a key field, every load-balanced path will be recognized as a separate flow. If you specify it as a non-key field, the traffic will be treated as one flow even though it is load balanced.
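
The key versus non-key behaviour described above, as a small Python model added here (not code from the original post, and not how IOS implements its cache). The `build_cache` function, the field names and the sample packets are constructed for illustration; the model assumes counters always accumulate while `collect` fields keep the first packet's value.

```python
# Simplified model of a Flexible NetFlow cache (illustration only, not IOS internals).
FIVE_TUPLE = ("src", "dst", "proto", "sport", "dport")


def pkt(src, dst, proto, sport, dport, next_hop, size):
    """Build one constructed sample packet as a dict of field values."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "next_hop": next_hop, "bytes": size}


# Constructed traffic: one TCP flow load-balanced over two IGP next hops,
# plus one unrelated UDP packet.
PACKETS = [
    pkt("10.0.0.1", "10.0.1.1", 6, 40000, 443, "192.0.2.1", 100),
    pkt("10.0.0.1", "10.0.1.1", 6, 40000, 443, "192.0.2.2", 100),
    pkt("10.0.0.1", "10.0.1.1", 6, 40000, 443, "192.0.2.1", 100),
    pkt("10.0.0.1", "10.0.1.1", 6, 40000, 443, "192.0.2.2", 100),
    pkt("10.0.0.2", "10.0.1.1", 17, 5353, 53, "192.0.2.1", 60),
]


def build_cache(packets, match, collect):
    """Return {key tuple: entry}; `match` lists key fields, `collect` non-key fields."""
    cache = {}
    for p in packets:
        key = tuple(p[f] for f in match)
        if key not in cache:
            # A new key combination creates a new flow; non-key fields are
            # copied from this first packet and never updated afterwards.
            cache[key] = {f: p[f] for f in collect}
            cache[key].update(packets=0, bytes=0)
        cache[key]["packets"] += 1
        cache[key]["bytes"] += p["bytes"]
    return cache


if __name__ == "__main__":
    as_key = build_cache(PACKETS, FIVE_TUPLE + ("next_hop",), ())
    as_non_key = build_cache(PACKETS, FIVE_TUPLE, ("next_hop",))
    for name, cache in (("next hop as key field", as_key),
                        ("next hop as non-key field", as_non_key)):
        print(f"{name}: {len(cache)} flows")
        for key, entry in cache.items():
            print("  ", key, entry)
```

With the next hop as a key field the load-balanced TCP connection appears as two cache entries; as a non-key field it is one entry whose next hop is the one seen on the first packet.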