This page gives an example of a NetFlow export configuration towards a Netflow Collector Storage, as well as a selection of configurations to apply on the devices.
For all other equipment, contact your supplier or equipment integrator so that they can tell you which elements to implement.
Example of configuration
The configuration below is an example and may not be suitable for your device.
Connect to the network device on which NetFlow is to be activated and perform these steps to configure NetFlow and NetFlow Data Export.
Below is an example configuration for a Cisco switch/router using the version 9 export format:
1. enable
2. configure terminal
3. ip flow-export destination {ip-address | hostname} udp-port
4. Repeat Step 3 once to configure a second NetFlow export destination.
5. ip flow-export version 9
6. interface interface-type interface-number
7. ip flow {ingress | egress}
8. exit
9. Repeat Steps 6 through 8 to enable NetFlow on other interfaces.
10. end
Details of the steps

| Step | Command or action | Objective |
| --- | --- | --- |
| Step 1 | enable | (Required) Enables privileged EXEC mode. |
| Step 2 | configure terminal | (Required) Enters global configuration mode. |
| Step 3 | ip flow-export destination {ip-address \| hostname} udp-port | IP address or host name of the Netflow Collector Storage and the UDP port it listens on. |
| Step 4 | Repeat Step 3 once to configure a second NetFlow export destination. | (Optional) You can configure up to two export destinations for NetFlow. |
| Step 5 | ip flow-export version 9 | (Optional) Enables the export of information in NetFlow cache entries. |
| Step 6 | interface interface-type interface-number | (Required) Specifies the interface on which you want to enable NetFlow and enters interface configuration mode. |
| Step 7 | ip flow {ingress \| egress} | (Required) Enables NetFlow on the interface. |
| Step 8 | exit | (Optional) Exits interface configuration mode and returns to global configuration mode. |
| Step 9 | Repeat Steps 6 through 8 to enable NetFlow on other interfaces. | (Optional) |
| Step 10 | end | (Required) Exits the current configuration mode and returns to privileged EXEC mode. |
Checking NetFlow operation and viewing NetFlow statistics
Check that NetFlow is correctly configured.
Use the show ip flow interface command to display the NetFlow configuration for an interface. Here is an example of the output of this command:
Use the show ip cache flow command to verify that NetFlow is running and to display a summary of NetFlow statistics. Here is an example of the output of this command:
Router# show ip cache flow
IP packet size distribution (1103746 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
35 active, 4061 inactive, 980 added
2921778 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
--- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-FTP 108 0.0 1133 40 2.4 1799.6 0.9
TCP-FTPD 108 0.0 1133 40 2.4 1799.6 0.9
TCP-WWW 54 0.0 1133 40 1.2 1799.6 0.8
TCP-SMTP 54 0.0 1133 40 1.2 1799.6 0.8
Verification that NetFlow data export is operational
Verify that the NetFlow data export is operational by viewing the NetFlow data export statistics.
Use the show ip flow export command to view NetFlow data export statistics, including the IP address and UDP port of the Netflow Collector Storage and the statistics for the main cache and all other enabled caches. Here is an example of the output of this command:
Router# show ip flow export
Flow export v9 is enabled for main cache
Exporting flows to 172.16.10.2 (9995) (ip/port udp of the Netflow collector storage)
Exporting using source interface Ethernet0/0
Version 9 flow records
0 flows exported in 0 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
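The counters above are the exporter's view. As an added collector-side check (example code written for this page, not from Cisco or from any collector product), the following parser decodes the version 9 export format the configuration enables: the 20-byte header, templates from FlowSet 0 and the data records that reference them. It also shows why a data FlowSet that arrives before its template cannot be decoded; the sample datagram, its addresses and counters are constructed, not captured.

```python
import struct
from ipaddress import IPv4Address
# RFC 3954 field type ids used below (a subset of the v9 field registry)
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
def decode_field(ftype, raw):
    return str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
def parse_v9(datagram, templates=None):
    """Parse one v9 datagram; share `templates` (keyed by source_id, template_id) across calls."""
    templates = {} if templates is None else templates
    version, count, _uptime, _secs, seq, source_id = struct.unpack("!HHIIII", datagram[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 datagram (version {version})")
    records, off = [], 20
    while off + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack("!HH", datagram[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")
        body, off = datagram[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:  # template FlowSet: (template_id, field_count, (type, len)...) repeated
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                templates[(source_id, tid)] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i])
                                               for i in range(nfields)]
                p += 4 + 4 * nfields
        elif fs_id >= 256:  # data FlowSet: decodable only once its template has been seen
            fields = templates.get((source_id, fs_id))
            if fields is None:
                continue  # template not received yet: skip (real collectors buffer or drop)
            rec_len, p = sum(flen for _, flen in fields), 0
            while p + rec_len <= len(body):  # trailing bytes shorter than a record are padding
                rec, q = {}, p
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[q:q + flen])
                    q += flen
                records.append(rec)
                p += rec_len
    return {"sequence": seq, "source_id": source_id, "count": count, "records": records}
# Constructed sample (not a device capture): template 256 plus one data record for it
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
def build_sample(include_template=True):
    tmpl = struct.pack("!HH", 256, len(TEMPLATE)) + b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec = struct.pack("!4s4sHHBII", IPv4Address("10.1.1.5").packed, IPv4Address("172.16.10.2").packed,
                      40000, 443, 6, 1500, 10)
    pad = (-(4 + len(rec))) % 4  # FlowSets are padded to a 32-bit boundary
    data_fs = struct.pack("!HH", 256, 4 + len(rec) + pad) + rec + b"\0" * pad
    header = struct.pack("!HHIIII", 9, 2 if include_template else 1, 123456, 1700000000, 1, 0)
    return header + (tmpl_fs if include_template else b"") + data_fs
```

Feeding real datagrams read from the collector's UDP socket into parse_v9 with one shared templates dict per exporter is enough to confirm that records, not just packets, are arriving.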
Cisco
- Cisco Catalyst 2960-X
- Cisco Catalyst 3750
- Cisco Catalyst 4500
- Cisco Catalyst 4510
- Cisco Catalyst 6500/6000
- Cisco Nexus 1000 Series
- Cisco Nexus 7000 Series
Cisco Catalyst 2960-X
Configuring the Cisco 2960-X
NetFlow-Lite: the 2960-X uses flow sampling without any form of packet capture. Two types of NetFlow-Lite sampling can be configured on the 2960-X:
- Deterministic sampling
- Random sampling
Deterministic sampling
Deterministic samplers sample packets exactly as specified (i.e. the first of every 100 flows). Deterministic samplers can be applied to a maximum of 4 interfaces. For this reason, we decided to set up random sampling.
Random sampling
Random sampling selects one flow at random out of every X flows. The maximum sampling rate for both deterministic and random sampling is 1 in 32. Unlike deterministic sampling, it is not limited to 4 interfaces. Here is an example of a configuration with random sampling:
! step 1: create a flow record
flow record flows
 match datalink mac source-address input
 match datalink mac destination-address input
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect transport tcp flags
 collect interface input
 collect flow sampler
 ! below I specified 'long' because the 2960x supports 64 bit counters
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
!
! step 2: create a flow exporter
flow exporter export-to-inside
 description flexible NF v9
 destination 10.1.1.1
 source Vlan7
 transport udp 2055
 template data timeout 60
 !
 ! lets export some cool option templates
 option interface-table
 option exporter-stats
 option sampler-table
!
!
! step 3: create a flow monitor
flow monitor nftest
 record flows
 exporter export-to-inside
 cache timeout active 60
 statistics packet protocol
!
! Below was used for the deterministic sampling configuration
! that I didn't like because of the 4 interface limitation
! sampler full
!  mode deterministic 1 out-of 32
!
! below is the random sampler configuration that I replaced
! the above with.
sampler my-random-sampler
 mode random 1 out-of 100
!
!
!
! step 4: apply the flow monitor 'nftest' to each interface with
! the defined sampler 'my-random-sampler'.
! input is for ingress. Egress was not supported in this release...
interface GigabitEthernet1/0/1
 ip flow monitor nftest sampler my-random-sampler input
Cisco Catalyst 3750
Configuring the Cisco 3750-X
Configuring NetFlow on the Cisco Catalyst 3750-X requires the 3KX network module, which supports NetFlow v9 and Flexible NetFlow.
Here is an example of a flow record for the 3KX network module:
flow record NetFlow
 match datalink mac source-address
 match datalink mac destination-address
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect interface input snmp
 collect interface output snmp
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
The flow monitor NetFlow that uses this record is then applied on the interfaces:
interface TenGigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip flow monitor NetFlow input
 ip flow monitor NetFlow output
interface TenGigabitEthernet1/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip flow monitor NetFlow input
 ip flow monitor NetFlow output
Cisco Catalyst 4500
Configuring the Catalyst 4500 Series Switch: see the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, 12.2(25)EW.
Cisco Catalyst 4510 Switch IOS XE 3.6
Configuring the Cisco Catalyst 4510
Here is a sample configuration (the xxxxx descriptions and the collector address are placeholders to fill in):
! FLOW RECORD
flow record RECORD-IN
 description IPv4 NetFlow
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match mac destination-address
 match mac source-address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
!
!
flow record RECORD-OUT
 description IPv4 NetFlow
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface output
 collect interface input
 collect counter bytes long
 collect counter packets long
!
!
flow exporter NETFLOW_COLLECTOR
 description xxxxx NETFLOW COLLECTOR
 destination <netflow-collector-ip-address>
 source Loopback0
 transport udp 2055
!
!
flow monitor MONITOR_IN
 description xxxx
 exporter NETFLOW_COLLECTOR
 cache timeout active 60
 record RECORD-IN
!
!
flow monitor MONITOR_OUT
 description xxxxxx
 exporter NETFLOW_COLLECTOR
 cache timeout active 60
 record RECORD-OUT
!
interface GigabitEthernet3/2
 description xxxxx
 no switchport
 bandwidth 40960
 ip flow monitor MONITOR_IN layer2-switched input
Cisco Catalyst 6500/6000
Catalyst 6500 Release 12.2SXF and Rebuilds Software Configuration Guide
Cisco Catalyst 6500/6000 Series Switch
Configuring the Cisco Catalyst 6509
ip flow-export source (insert interface name here)
ip flow-export version 9
ip flow-export destination (netflow collector ip address) (port to export flows to)
ip flow ingress layer2-switched vlan (insert vlans X,Y,Z)
ip flow-cache timeout active 1
mls nde sender version 9
mls flow ip interface-full
mls nde interface
mls aging long 64
mls aging normal 64
Interface configuration:
interface (insert interface name here)
 ip route-cache flow
 ip flow ingress
Cisco Nexus 1000 Series
Configuring the Cisco Nexus 10000 Series