I posted NetFlow version 5 (traditional NetFlow) using my Cisco 871w home router a few years back but it's now considered a "legacy" NetFlow. The trend nowadays is to use Flexible NetFlow (FNF) or NetFlow version 9. It looks complicated at first but its modular approach makes it practical and gives more flexibility on which data to collect and analyze. This short video describes all the steps on how to configure FNF on a router.
I was asked to configure FNF on one of our CE router in order to monitor and provide trending reports on client's network traffic. These are 4 major steps in configuring FNF. I named everything as MyNetflow for convenience sake.
Step 1: Create a Flow Record
You first define which flows or packets to be matched and collected on the router.
flow record MyNetflow
match routing vrf input
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect transport tcp flags
collect interface input
collect interface output
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect application name
Step 2: Create a Flow Exporter
You specify where to send the NetFlow data. This is usually sent to a NetFlow Traffic Analyzer (NTA).
flow exporter MyNetflow
destination 10.111.0.71 vrf MGMT // FNF CAN BE EXPORTED TO UNLIMITED EXPORTERS; NETFLOW V5 IS ONLY LIMITED TO 2
source GigabitEthernet0/0.273
transport udp 2055
template data timeout 60
option application-table timeout 60
option application-attributes timeout 300
Step 3: Create a Flow Monitor
You tie together the Flow Record and Flow Exporter created earlier in Steps 1 and 2. You can also specify how frequent the NetFlow data will be exported.
flow monitor MyNetflow
exporter MyNetflow // CREATED IN STEP 2
cache timeout inactive 30
cache timeout active 60
record MyNetflow // CREATED IN STEP 1
Step 3: Apply the configured 'Monitor' to an interface
Finally, you apply the Flow Monitor configured in Step 3 to an interface where you want to collect NetFlow data.
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 10.254.160.146 255.255.255.248
no ip redirects
ip flow monitor MyNetflow input // INGRESS FLOW
ip flow monitor MyNetflow output // EGRESS FLOW
ip nat outside
Router#ping vrf MGMT 10.111.0.71 source GigabitEthernet0/0.273
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.111.0.71, timeout is 2 seconds:
Packet sent with a source address of 10.116.253.145
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1184/1300/1436 ms
Router#show flow exporter statistics
Flow Exporter MyNetflow:
Packet send statistics (last cleared 10:07:22 ago):
Successfully sent: 49748 (67661999 bytes)
Client send statistics:
Client: Option options application-name
Records added: 57570
- sent: 57570
Bytes added: 4778310
- sent: 4778310
Client: Option options application-attributes
Records added: 0
Bytes added: 0
Client: Flow Monitor MyNetflow
Records added: 1089322
- sent: 1089303
Bytes added: 59912710
- sent: 59911665
Below is the NetFlow Traffic Analyzer (NTA) data collected in Solarwinds NPM (NetFlow module).
I was asked to configure FNF on one of our CE router in order to monitor and provide trending reports on client's network traffic. These are 4 major steps in configuring FNF. I named everything as MyNetflow for convenience sake.
Step 1: Create a Flow Record
You first define which flows or packets to be matched and collected on the router.
flow record MyNetflow
match routing vrf input
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect transport tcp flags
collect interface input
collect interface output
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect application name
Step 2: Create a Flow Exporter
You specify where to send the NetFlow data. This is usually sent to a NetFlow Traffic Analyzer (NTA).
flow exporter MyNetflow
destination 10.111.0.71 vrf MGMT // FNF CAN BE EXPORTED TO UNLIMITED EXPORTERS; NETFLOW V5 IS ONLY LIMITED TO 2
source GigabitEthernet0/0.273
transport udp 2055
template data timeout 60
option application-table timeout 60
option application-attributes timeout 300
Step 3: Create a Flow Monitor
You tie together the Flow Record and Flow Exporter created earlier in Steps 1 and 2. You can also specify how frequent the NetFlow data will be exported.
flow monitor MyNetflow
exporter MyNetflow // CREATED IN STEP 2
cache timeout inactive 30
cache timeout active 60
record MyNetflow // CREATED IN STEP 1
Step 3: Apply the configured 'Monitor' to an interface
Finally, you apply the Flow Monitor configured in Step 3 to an interface where you want to collect NetFlow data.
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 10.254.160.146 255.255.255.248
no ip redirects
ip flow monitor MyNetflow input // INGRESS FLOW
ip flow monitor MyNetflow output // EGRESS FLOW
ip nat outside
Router#ping vrf MGMT 10.111.0.71 source GigabitEthernet0/0.273
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.111.0.71, timeout is 2 seconds:
Packet sent with a source address of 10.116.253.145
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1184/1300/1436 ms
Router#show flow exporter statistics
Flow Exporter MyNetflow:
Packet send statistics (last cleared 10:07:22 ago):
Successfully sent: 49748 (67661999 bytes)
Client send statistics:
Client: Option options application-name
Records added: 57570
- sent: 57570
Bytes added: 4778310
- sent: 4778310
Client: Option options application-attributes
Records added: 0
Bytes added: 0
Client: Flow Monitor MyNetflow
Records added: 1089322
- sent: 1089303
Bytes added: 59912710
- sent: 59911665
Below is the NetFlow Traffic Analyzer (NTA) data collected in Solarwinds NPM (NetFlow module).
Thanks a lot for posting this. Was of great help!.
ReplyDelete