This page shows how to configure NetFlow export to a NetFlow collector (referred to here as the Netflow Collector Storage), together with example configurations for a selection of Cisco devices.
For devices from other vendors, ask your supplier or system integrator for the equivalent configuration.
Configuration example
The configuration below is an example and may not be suitable for your device as-is.
Connect to the network device on which NetFlow is to be activated and perform the following steps to configure NetFlow and NetFlow Data Export.
Below is an example configuration for a Cisco IOS switch/router using export format Version 9:
1. enable
2. configure terminal
3. ip flow-export destination {ip-address | hostname} udp-port
4. Repeat Step 3 once to configure a second NetFlow export destination (optional).
5. ip flow-export version 9
6. interface interface-type interface-number
7. ip flow {ingress | egress}
8. exit
9. Repeat Steps 6 through 8 to enable NetFlow on other interfaces (optional).
10. end
Details of the steps
Step 1: enable
  (Required) Enters privileged EXEC mode.
Step 2: configure terminal
  (Required) Enters global configuration mode.
Step 3: ip flow-export destination {ip-address | hostname} udp-port
  (Required) Sets the IP address or hostname of the Netflow Collector Storage and the UDP port it listens on.
Step 4: Repeat Step 3 once to configure a second NetFlow export destination.
  (Optional) You can configure a maximum of two export destinations for NetFlow.
Step 5: ip flow-export version 9
  (Optional) Selects export format Version 9 for the flows exported from the NetFlow cache. Required when the collector expects Version 9 records, as in this example.
Step 6: interface interface-type interface-number
  (Required) Specifies the interface on which you want to enable NetFlow and enters interface configuration mode.
Step 7: ip flow {ingress | egress}
  (Required) Enables NetFlow on the interface for incoming (ingress) or outgoing (egress) traffic.
Step 8: exit
  (Optional) Exits interface configuration mode and returns to global configuration mode.
Step 9: Repeat Steps 6 to 8 to enable NetFlow on other interfaces.
  (Optional)
Step 10: end
  (Required) Exits the current configuration mode and returns to privileged EXEC mode.
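The steps above filled in with concrete values, as an added example (it is not taken from the original page or from Cisco documentation). The collector address and port 172.16.10.2:9995 and the source interface Ethernet0/0 are the ones that appear in the show ip flow export output on this page; the second collector 172.16.10.3, and the monitored interfaces Ethernet0/1 and Ethernet0/2, are assumptions for the example. The ip flow-export source command is the same one used in the Catalyst 6500 section below.

```text
! Assumptions: collectors 172.16.10.2 and 172.16.10.3 both listen on UDP 9995,
! export packets are sourced from Ethernet0/0, and ingress NetFlow is wanted
! on Ethernet0/1 and Ethernet0/2.
Router> enable
Router# configure terminal
Router(config)# ip flow-export destination 172.16.10.2 9995
Router(config)# ip flow-export destination 172.16.10.3 9995
Router(config)# ip flow-export version 9
Router(config)# ip flow-export source Ethernet0/0
Router(config)# interface Ethernet0/1
Router(config-if)# ip flow ingress
Router(config-if)# exit
Router(config)# interface Ethernet0/2
Router(config-if)# ip flow ingress
Router(config-if)# exit
Router(config)# end
Router#
```

NetFlow export is plain UDP with no authentication or encryption, so the collector port should only be reachable from the exporters (management VLAN or ACL), and the collector should accept datagrams only from the known exporter source addresses.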
Checking NetFlow operation and displaying NetFlow statistics
Verify that NetFlow is properly configured.
Use the command show ip flow interface to display the NetFlow configuration (ingress/egress) of each interface.
Use the command show ip cache flow to verify that NetFlow is operational and to display a summary of NetFlow statistics. Here is example output from this command:
Router# show ip cache flow
IP packet size distribution (1103746 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  35 active, 4061 inactive, 980 added
  2921778 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
  0 active, 1024 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-FTP            108      0.0      1133    40      2.4      1799.6       0.9
TCP-FTPD           108      0.0      1133    40      2.4      1799.6       0.9
TCP-WWW             54      0.0      1133    40      1.2      1799.6       0.8
TCP-SMTP            54      0.0      1133    40      1.2      1799.6       0.8
Checking that NetFlow data export is operational
Verify that NetFlow data export is operational by displaying the NetFlow data export statistics.
Use the command show ip flow export to display the export configuration and statistics: the IP address and UDP port of the Netflow Collector Storage (172.16.10.2 port 9995 in the output below), the source interface, and the counters for the main cache and any other active caches. Non-zero "failed" or "dropped" counters mean that flows are not reaching the collector. Here is example output from this command:
Router# show ip flow export
Flow export v9 is enabled for main cache
Exporting flows to 172.16.10.2 (9995)
Exporting using source interface Ethernet0/0
Version 9 flow records
0 flows exported in 0 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
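The checks above are all on the exporter side. The following Python decoder, added here as an example (it is not part of the original page and not Cisco or collector-vendor code), shows what the Netflow Collector Storage on the far side of the UDP socket has to do with the Version 9 datagrams the export commands produce: read the 20-byte packet header, learn templates from FlowSet ID 0, and decode data FlowSets against the template cached for that exporter and source ID. It also shows two things the exporter-side counters cannot: data that arrives before its template is undecodable until the template is re-sent, and every length field taken from the wire must be bounds-checked, since the protocol is unauthenticated UDP and anyone who can reach the collector port can send it a malformed datagram. The exporter addresses, source ID, template ID 256 and the two flows in build_sample_datagram() are constructed for the example.

```python
"""Minimal NetFlow v9 decoder for a collector (added example, not from the page)."""
import ipaddress
import struct

# NetFlow v9 field type IDs used here (RFC 3954, section 8).
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP",
}
# Packet header: version, count, sys_uptime, unix_secs, sequence, source_id
HEADER = struct.Struct("!HHIIII")


def _decode_field(ftype, raw):
    if ftype in (8, 12) and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(datagram, exporter, templates):
    """Decode one v9 export datagram.

    templates is a dict keyed by (exporter address, source_id, template_id)
    mapping to a list of (field_type, field_length); template FlowSets in the
    datagram update it in place. Returns (records, undecodable) where
    undecodable counts data FlowSets whose template has not been seen yet.
    Every length read from the wire is checked against the buffer so that a
    malformed or hostile datagram raises ValueError instead of mis-parsing.
    """
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than v9 header")
    version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(datagram, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    records, undecodable = [], 0
    offset = HEADER.size
    while offset + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, offset)
        # fs_len includes this 4-byte FlowSet header
        if fs_len < 4 or offset + fs_len > len(datagram):
            raise ValueError("FlowSet length out of bounds")
        body = datagram[offset + 4:offset + fs_len]
        if fs_id == 0:  # template FlowSet: one or more template records
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                if tid < 256 or nfields == 0 or pos + 4 * nfields > len(body):
                    raise ValueError("malformed template record")
                fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                if any(flen == 0 for _, flen in fields):
                    raise ValueError("zero-length field in template")
                templates[(exporter, source_id, tid)] = fields
                pos += 4 * nfields
        elif fs_id >= 256:  # data FlowSet: records laid out as the template says
            fields = templates.get((exporter, source_id, fs_id))
            if fields is None:
                undecodable += 1  # template not received yet; wait for refresh
            else:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while pos + rec_len <= len(body):  # leftover bytes are padding
                    rec, p = {}, pos
                    for ftype, flen in fields:
                        name = FIELD_NAMES.get(ftype, f"type_{ftype}")
                        rec[name] = _decode_field(ftype, body[p:p + flen])
                        p += flen
                    records.append(rec)
                    pos += rec_len
        # fs_id 1 (options template) and 2-255 (reserved) are skipped here
        offset += fs_len
    return records, undecodable


def build_sample_datagram():
    """Constructed test datagram: header, one template (ID 256) and one data
    FlowSet holding two flows. Addresses, ports and counters are made up."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]
    tmpl = struct.pack("!HH", 256, len(fields))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def flow(src, dst, sport, dport, proto, pkts, nbytes):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HHBII", sport, dport, proto, pkts, nbytes))

    data = flow("10.1.1.25", "172.16.10.2", 51514, 443, 6, 12, 9000)
    data += flow("10.1.1.25", "192.0.2.7", 40000, 22, 6, 3, 180)
    pad = (-len(data)) % 4  # data FlowSets are padded to a 32-bit boundary
    data_fs = struct.pack("!HH", 256, 4 + len(data) + pad) + data + b"\0" * pad
    header = HEADER.pack(9, 2, 123456, 1700000000, 1, 0)
    return header + tmpl_fs + data_fs


if __name__ == "__main__":
    cache = {}
    recs, missing = parse_v9(build_sample_datagram(), "192.0.2.1", cache)
    for r in recs:
        print(r)
    print("undecodable FlowSets:", missing)
```

The template cache is keyed by exporter address and source ID as well as template ID because template IDs are only unique per exporter/engine; two switches both using template 256 with different layouts would otherwise corrupt each other's decoding. A collector that restarts has an empty cache and cannot decode anything until the exporters re-send their templates, which is why the exporters also set a template refresh timeout.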
Cisco
- Cisco Catalyst 2960-X
- Cisco Catalyst 3750
- Cisco Catalyst 4500
- Cisco Catalyst 4510
- Cisco Catalyst 6500/6000
- Cisco Nexus 1000 Series
- Cisco Nexus 7000 Series
Cisco Catalyst 2960-X
Configuring the Cisco 2960-X
NetFlow-Lite: the 2960-X uses packet sampling; it does not account for every packet the way full NetFlow does. Two kinds of NetFlow-Lite sampler are available on the 2960-X:
- Deterministic sampling
- Random sampling
Deterministic sampling
Deterministic samplers pick packets at fixed positions exactly as specified (for example, the first packet out of every 100). A deterministic sampler can be applied to a maximum of 4 interfaces, which is why we prefer random sampling.
Random sampling
Random sampling picks one packet at random out of every X packets. For both deterministic and random samplers the highest sampling rate supported is 1 in 32; sampling more often than that is not possible. Unlike deterministic sampling, random sampling is not limited to 4 interfaces. Here is an example of a random-sampling configuration:
! step 1: create a flow record
flow record flows
 match datalink mac source address input
 match datalink mac destination address input
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect transport tcp flags
 collect interface input
 collect flow sampler
 ! 'long' because the 2960-X supports 64-bit counters
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! step 2: create a flow exporter
flow exporter export-to-inside
 description flexible NF v9
 destination 10.1.1.1
 source Vlan7
 transport udp 2055
 template data timeout 60
 ! also export the option templates (interface names, exporter statistics, sampler table)
 option interface-table
 option exporter-stats
 option sampler-table
!
! step 3: create a flow monitor and a sampler
flow monitor nftest
 record flows
 exporter export-to-inside
 cache timeout active 60
 statistics packet protocol
!
! The deterministic sampler below was tried first and dropped
! because of the 4-interface limitation:
! sampler full
!  mode deterministic 1 out-of 32
!
! Random sampler used instead:
sampler my-random-sampler
 mode random 1 out-of 100
!
! step 4: apply the flow monitor 'nftest' with the sampler 'my-random-sampler'
! to each interface. 'input' is ingress; egress was not supported in this release.
interface GigabitEthernet1/0/1
 ip flow monitor nftest sampler my-random-sampler input
Cisco Catalyst 3750
Configuring the Cisco 3750-X
NetFlow on the Catalyst 3750-X requires the C3KX-SM-10G (3KX) service module, which supports NetFlow v9 and Flexible NetFlow.
Here is an example flow record for the 3KX network module (the flow exporter and the flow monitor named NetFlow that ties this record to the exporter are not shown):
flow record NetFlow
 match datalink mac source address input
 match datalink mac destination address input
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect interface input snmp
 collect interface output snmp
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
On the interfaces:
interface TenGigabitEthernet1/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip flow monitor NetFlow input
 ip flow monitor NetFlow output
interface TenGigabitEthernet1/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip flow monitor NetFlow input
 ip flow monitor NetFlow output
Cisco Catalyst 4500
Configuring the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, 12.2(25)EW
Cisco Catalyst 4510 Switch IOS XE 3.6
Configuring the Cisco Catalyst 4510
Here is a sample configuration:
! flow records
flow record RECORD-IN
 description IPv4 NetFlow
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match datalink mac destination address input
 match datalink mac source address input
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
!
flow record RECORD-OUT
 description IPv4 NetFlow
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface output
 collect interface input
 collect counter bytes long
 collect counter packets long
!
! flow exporter (its name must match the 'exporter' line in the monitors below)
flow exporter Scrutinizer
 description xxxxx NETFLOW COLLECTOR
 destination (netflow collector ip address)
 source Loopback0
 transport udp 2055
!
! flow monitors
flow monitor MONITOR_IN
 description xxxx
 exporter Scrutinizer
 cache timeout active 60
 record RECORD-IN
!
flow monitor MONITOR_OUT
 description xxxxxxxx
 exporter Scrutinizer
 cache timeout active 60
 record RECORD-OUT
!
! apply the monitor to the interface
interface GigabitEthernet3/2
 description xxxxx
 no switchport
 bandwidth 40960
 ip flow monitor MONITOR_IN layer2-switched input
Cisco Catalyst 6500/6000
Catalyst 6500 Release 12.2SXF and Rebuilds Software Configuration Guide
Configuring the Cisco Catalyst 6509
Global configuration:
ip flow-export source (insert interface name here)
ip flow-export version 9
ip flow-export destination (netflow collector ip address) (port to export flows to)
ip flow ingress layer2-switched vlan (insert vlans X,Y,Z)
ip flow-cache timeout active 1
mls nde sender version 9
mls flow ip interface-full
mls nde interface
mls aging long 64
mls aging normal 64
Configuring the interface:
ip route-cache flow
ip flow ingress
Cisco Nexus 1000 Series
Configuring the Cisco Nexus 1000 Series