
NET FLOW

  • Cisco 4300 supports only Flexible NetFlow, which means you have to configure all three components:
    1. Record
    2. Exporter
    3. Monitor

    and apply the Monitor to a given interface.

    We are using the following configuration in our lab.

    1) Configure the record with the following commands:

      flow record NTA
       description config for NTA
       match ipv4 tos
       match ipv4 protocol
       match ipv4 source address
       match ipv4 destination address
       match transport source-port
       match transport destination-port
       collect transport tcp flags
       collect interface input
       collect counter bytes long
       collect counter packets long
       collect timestamp sys-uptime first
       collect timestamp sys-uptime last

    2) Configure the exporter with the following commands:

      flow exporter NTA
       description Exporter for NTA
       source Loopback0
       destination 10.1.141.90
       transport udp 2055
       export-protocol ipfix
       template data timeout 60

    3) Configure the monitor with the following commands:

      flow monitor NTA
       exporter NTA
       record NTA
       cache timeout active 60

    Apply the monitor to the interface:

      interface GigabitEthernet 0/0/1
       ip flow monitor NTA input
       ip flow monitor NTA output

    Use only input, output, or both of them according to your NetFlow monitoring topology.

Add Netflow

# ip flow-export source GigabitEthernet (customer lan)
# ip flow-export version 5
# ip flow-export destination 10.69.0.224 2055

# interface GigabitEthernet (customer Lan)
# ip flow ingress
# ip flow egress

Add Netflow HVPN

# flow exporter FNFexp
# destination 10.69.0.224
# source GigabitEthernet (customer lan)
# output-features
# transport udp 2055
# export-protocol netflow-v5
!
!
# flow monitor FNFexp-Ingress
# record netflow ipv4 original-input
# exporter FNFexp
# cache timeout active 1
!
!
# flow monitor FNFexp-Egress
# record netflow ipv4 original-output
# exporter FNFexp
# cache timeout active 1
!
# interface GigabitEthernet (customer lan)

# ip flow monitor FNFexp-Ingress input
# ip flow monitor FNFexp-Egress output
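The exporters in both "Add Netflow" blocks above send NetFlow version 5 to UDP port 2055. The decoder below is an added example, not code from this page or from Cisco: it packs a constructed two-flow v5 datagram, parses it back into the fields the record definitions above carry (addresses, ports, protocol, TOS, TCP flags, counters, first/last uptime), and applies the two checks a collector should make before trusting a datagram, namely that the header's record count agrees with the payload length and that the export sequence number has not jumped (dropped export packets). The function names, the documentation-range addresses and all flow values are assumptions.

```python
"""NetFlow v5 export datagram decoder (added example, not the page's own code)."""
import socket
import struct
from typing import Dict, List

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
MAX_RECORDS = 30                                        # a v5 datagram carries at most 30 records
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")


def tcp_flag_names(flags: int) -> List[str]:
    """Decode the cumulative TCP flags byte (bit 0 = FIN ... bit 7 = CWR)."""
    return [name for bit, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << bit)]


def build_v5_datagram(records: List[Dict], flow_sequence: int, sys_uptime: int = 1000,
                      unix_secs: int = 1700000000) -> bytes:
    """Pack flow dicts into a v5 datagram; used here only to construct sample input."""
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]),
            socket.inet_aton(r.get("nexthop", "0.0.0.0")),
            r.get("input_if", 0), r.get("output_if", 0),
            r["packets"], r["bytes"], r["first"], r["last"],
            r["sport"], r["dport"],
            0, r.get("tcp_flags", 0), r["proto"], r.get("tos", 0),
            0, 0, 0, 0, 0,                     # src/dst AS, src/dst mask, pad
        )
        for r in records
    )
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0,
                            flow_sequence, 0, 0, 0)
    return header + body


def parse_v5(datagram: bytes) -> Dict:
    """Decode one v5 datagram; raise ValueError on anything malformed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, _unix_nsecs, flow_sequence,
     _engine_type, _engine_id, _sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    # The header count must agree with the payload length; a mismatch means a
    # truncated or corrupted export, and none of its records should be trusted.
    if count > MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, packets, octets, first, last,
         sport, dport, _pad, flags, proto, tos, _sas, _das, _smask, _dmask,
         _pad2) = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "nexthop": socket.inet_ntoa(nexthop),
            "input_if": in_if, "output_if": out_if,
            "packets": packets, "bytes": octets,
            "first": first, "last": last,          # sys-uptime (ms) of first/last packet
            "sport": sport, "dport": dport, "proto": proto, "tos": tos,
            "tcp_flags": tcp_flag_names(flags) if proto == 6 else [],
        })
    return {"sys_uptime": sys_uptime, "unix_secs": unix_secs,
            "flow_sequence": flow_sequence, "flows": flows}


def sequence_gap(previous: Dict, current: Dict) -> int:
    """Flows lost between two consecutive datagrams from the same exporter.

    flow_sequence counts every flow the exporter has sent so far, so the next
    datagram should start at previous sequence + previous record count.
    """
    return current["flow_sequence"] - (previous["flow_sequence"] + len(previous["flows"]))


# Constructed sample flows (documentation addresses, not lab traffic).
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.20", "input_if": 1, "output_if": 2,
     "packets": 12, "bytes": 3400, "first": 500, "last": 900,
     "sport": 51514, "dport": 443, "proto": 6, "tcp_flags": 0x12},
    {"src": "192.0.2.10", "dst": "198.51.100.53", "input_if": 1, "output_if": 2,
     "packets": 1, "bytes": 78, "first": 950, "last": 950,
     "sport": 53000, "dport": 53, "proto": 17},
]

if __name__ == "__main__":
    first = parse_v5(build_v5_datagram(SAMPLE_FLOWS, flow_sequence=0))
    second = parse_v5(build_v5_datagram(SAMPLE_FLOWS, flow_sequence=5))
    for flow in first["flows"]:
        print(flow)
    print("flows lost between datagrams:", sequence_gap(first, second))
```

Run directly it prints the decoded flows and the sequence gap; the same parse_v5 can be applied to the payload of each datagram received on a UDP socket bound to port 2055. Note that v5 carries only the fields it was designed for (no IPv6, no extensible templates), which is why the IPFIX exporter in the first section is the better choice when the collector supports it.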

Configuring NetFlow and NetFlow Data Export Using the Version 9 Export Format

Perform this task to configure NetFlow and NetFlow Data Export using the Version 9 export format.

SUMMARY STEPS

1. enable
2. configure terminal
3. ip flow-export destination {ip-address | hostname} udp-port
4. Repeat Step 3 once to configure a second NetFlow export destination.
5. ip flow-export version 9
6. interface interface-type interface-number
7. ip flow {ingress | egress}
8. exit
9. Repeat Steps 6 through 8 to enable NetFlow on other interfaces
10. end

DETAILED STEPS (Command or Action, followed by Purpose)

Step 1: enable

Router> enable

Step 2: configure terminal

Router# configure terminal

Step 3: ip flow-export destination {ip-address | hostname} udp-port

Example:
Router(config)# ip flow-export destination 172.16.10.2 99

Purpose: (Optional) IP address or hostname of the workstation to which you want to send the NetFlow information and the number of the UDP port on which the workstation is listening for this input.

Note: The workstation is running an application such as NetFlow Collection Engine (NFC) that is used to analyze the exported data.

Step 4: Repeat Step 3 once to configure a second NetFlow export destination.

Purpose: (Optional) You can configure a maximum of two export destinations for NetFlow.

Step 5: ip flow-export version 9

Example:
Router(config)# ip flow-export version 9

Purpose: (Optional) Enables the export of information in NetFlow cache entries.

  • The version 9 keyword specifies that the export packet uses the Version 9 format.

Caution: Entering this command on a Cisco 12000 Series Internet Router causes packet forwarding to stop for a few seconds while NetFlow reloads the route processor and line card CEF tables. To avoid interruption of service to a live network, apply this command during a change window, or include it in the startup-config file to be executed during a router reboot.

Step 6: interface interface-type interface-number

Example:
Router(config)# interface ethernet 0/0

Purpose: (Required) Specifies the interface that you want to enable NetFlow on and enters interface configuration mode.

Step 7: ip flow {ingress | egress}

Example:
Router(config-if)# ip flow ingress

Purpose: (Required) Enables NetFlow on the interface.

  • ingress -- Captures traffic that is being received by the interface.
  • egress -- Captures traffic that is being transmitted by the interface.

Step 8: exit

Step 9: Repeat Steps 6 through 8 to enable NetFlow on other interfaces

Verifying That NetFlow Is Operational and Viewing NetFlow Statistics

To verify that NetFlow is working properly, perform this optional task.

SUMMARY STEPS

1. show ip flow interface
2. show ip cache flow
3. show ip cache verbose flow

DETAILED STEPS

Step 1: show ip flow interface

Use this command to display the NetFlow configuration for an interface. The following is sample output from this command:

Example:

Router# show ip flow interface
Ethernet0/0
  ip flow ingress

Step 2: show ip cache flow

Use this command to verify that NetFlow is operational and to display a summary of the NetFlow statistics. The following is sample output from this command:

Example:

Router# show ip cache flow

IP packet size distribution (1103746 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  35 active, 4061 inactive, 980 added
  2921778 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
  0 active, 1024 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-FTP            108      0.0      1133    40      2.4    1799.6       0.9
TCP-FTPD           108      0.0      1133    40      2.4    1799.6       0.9
TCP-WWW             54      0.0      1133    40      1.2    1799.6       0.8
TCP-SMTP            54      0.0      1133    40      1.2    1799.6       0.8
TCP-BGP             27      0.0      1133    40      0.6    1799.6       0.7
TCP-NNTP            27      0.0      1133    40      0.6    1799.6       0.7
TCP-other          297      0.0      1133    40      6.8    1799.7       0.8
UDP-TFTP            27      0.0      1133    28      0.6    1799.6       1.0
UDP-other          108      0.0      1417    28      3.1    1799.6       0.9
ICMP               135      0.0      1133   427      3.1    1799.6       0.8
Total:             945      0.0      1166    91     22.4    1799.6       0.8

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         192.168.67.6    Et1/0.1       172.16.10.200   01 0000 0C01    51
Et0/0         10.10.18.1      Null          172.16.11.5     11 0043 0043    51
Et0/0         10.10.18.1      Null          172.16.11.5     11 0045 0045    51
Et0/0         10.234.53.1     Et1/0.1       172.16.10.2     01 0000 0800    51
Et0/0         10.10.19.1      Null          172.16.11.6     11 0044 0044    51
Et0/0         10.10.19.1      Null          172.16.11.6     11 00A2 00A2    51
Et0/0         192.168.87.200  Et1/0.1       172.16.10.2     06 0014 0014    50
Et0/0         192.168.87.200  Et1/0.1       172.16.10.2     06 0015 0015    52
.
.
.
Et0/0         172.16.1.84     Et1/0.1       172.16.10.19    06 0087 0087    50
Et0/0         172.16.1.84     Et1/0.1       172.16.10.19    06 0050 0050    51
Et0/0         172.16.1.85     Et1/0.1       172.16.10.20    06 0089 0089    49
Et0/0         172.16.1.85     Et1/0.1       172.16.10.20    06 0050 0050    50
Et0/0         10.251.10.1     Et1/0.1       172.16.10.2     01 0000 0800    51
Et0/0         10.162.37.71    Null          172.16.11.3     06 027C 027C    49
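The flow rows in the Step 2 output print the protocol number and both ports in hexadecimal, and for ICMP the DstP column packs the ICMP type and code (type * 256 + code, so 0800 is an echo request). The parser below is an added example, not the page's own tooling or Cisco's: it turns those rows into records with decoded protocol and ports and then counts, per source address, how many distinct (destination, protocol, port) targets appear in the cache, which is the fan-out summary a defender wants when reviewing what an interface is carrying. The sample rows are constructed from the output above; the threshold passed to sources_at_or_above is an assumption to be tuned per site.

```python
"""Parser for the flow rows of "show ip cache flow" (added example, not the page's code)."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: rows copied in shape from the page's Step 2 output.
SAMPLE_OUTPUT = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         192.168.67.6    Et1/0.1       172.16.10.200   01 0000 0C01    51
Et0/0         10.10.18.1      Null          172.16.11.5     11 0043 0043    51
Et0/0         10.10.18.1      Null          172.16.11.5     11 0045 0045    51
Et0/0         192.168.87.200  Et1/0.1       172.16.10.2     06 0014 0014    50
Et0/0         192.168.87.200  Et1/0.1       172.16.10.2     06 0015 0015    52
.
.
.
Et0/0         172.16.1.84     Et1/0.1       172.16.10.19    06 0087 0087    50
Et0/0         172.16.1.84     Et1/0.1       172.16.10.19    06 0050 0050    51
"""

ROW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<pr>[0-9A-Fa-f]{2})\s+(?P<sp>[0-9A-Fa-f]{4})\s+(?P<dp>[0-9A-Fa-f]{4})\s+"
    r"(?P<pkts>\d+)\s*$"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_cache_flow(text: str) -> List[Dict]:
    """Return one dict per flow row; header, statistics and '.' lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto = int(m["pr"], 16)                  # Pr column is hex
        flow = {
            "src_if": m["src_if"], "src": m["src"],
            "dst_if": m["dst_if"], "dst": m["dst"],
            "proto": proto, "proto_name": PROTO_NAMES.get(proto, str(proto)),
            "sport": int(m["sp"], 16), "dport": int(m["dp"], 16),   # ports are hex
            "packets": int(m["pkts"]),
        }
        if proto == 1:
            # For ICMP, IOS packs type and code into the DstP column: type*256 + code.
            flow["icmp_type"], flow["icmp_code"] = divmod(flow["dport"], 256)
        flows.append(flow)
    return flows


def distinct_targets_per_source(flows: List[Dict]) -> Dict[str, int]:
    """Count distinct (destination, protocol, dport) tuples seen per source address."""
    targets = defaultdict(set)
    for f in flows:
        targets[f["src"]].add((f["dst"], f["proto"], f["dport"]))
    return {src: len(t) for src, t in targets.items()}


def sources_at_or_above(flows: List[Dict], threshold: int) -> List[str]:
    """Sources whose distinct-target count reaches the threshold (site-specific value)."""
    return sorted(src for src, n in distinct_targets_per_source(flows).items() if n >= threshold)


if __name__ == "__main__":
    rows = parse_cache_flow(SAMPLE_OUTPUT)
    for r in rows:
        print(r["src"], "->", r["dst"], r["proto_name"], r["sport"], r["dport"], r["packets"])
    print(distinct_targets_per_source(rows))
```

Feed it the captured text of the command and it ignores everything except the flow rows, so the statistics header does not have to be stripped first. The same row layout is the first line of each two-line entry in the verbose output of Step 3; the second line (masks, AS numbers, next hop, bytes per packet) is not handled by this regex.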


Step 3: show ip cache verbose flow

Use this command to verify that NetFlow is operational and to display a detailed summary of the NetFlow statistics. The following is sample output from this command:

Example:

Router# show ip cache verbose flow

IP packet size distribution (1130681 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  35 active, 4061 inactive, 980 added
  2992518 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
  0 active, 1024 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-FTP            108      0.0      1133    40      2.4    1799.6       0.9
TCP-FTPD           108      0.0      1133    40      2.4    1799.6       0.9
TCP-WWW             54      0.0      1133    40      1.2    1799.6       0.8
TCP-SMTP            54      0.0      1133    40      1.2    1799.6       0.8
TCP-BGP             27      0.0      1133    40      0.6    1799.6       0.7
TCP-NNTP            27      0.0      1133    40      0.6    1799.6       0.7
TCP-other          297      0.0      1133    40      6.6    1799.7       0.8
UDP-TFTP            27      0.0      1133    28      0.6    1799.6       1.0
UDP-other          108      0.0      1417    28      3.0    1799.6       0.9
ICMP               135      0.0      1133   427      3.0    1799.6       0.8
Total:             945      0.0      1166    91     21.9    1799.6       0.8

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Et0/0          192.168.67.6    Et1/0.1        172.16.10.200   01 00  10     799
0000 /0  0                     0C01 /0  0     0.0.0.0                28  1258.1
Et0/0          10.10.18.1      Null           172.16.11.5     11 00  10     799
0043 /0  0                     0043 /0  0     0.0.0.0                28  1258.0
Et0/0          10.10.18.1      Null           172.16.11.5     11 00  10     799
0045 /0  0                     0045 /0  0     0.0.0.0                28  1258.0
Et0/0          10.234.53.1     Et1/0.1        172.16.10.2     01 00  10     799
0000 /0  0                     0800 /0  0     0.0.0.0                28  1258.1
Et0/0          10.10.19.1      Null           172.16.11.6     11 00  10     799
0044 /0  0                     0044 /0  0     0.0.0.0                28  1258.1
.
.
.
Et0/0          172.16.1.84     Et1/0.1        172.16.10.19    06 00  00     799
0087 /0  0                     0087 /0  0     0.0.0.0                40  1258.1
Et0/0          172.16.1.84     Et1/0.1        172.16.10.19    06 00  00     799
0050 /0  0                     0050 /0  0     0.0.0.0                40  1258.0
Et0/0          172.16.1.85     Et1/0.1        172.16.10.20    06 00  00     798
0089 /0  0                     0089 /0  0     0.0.0.0                40  1256.5
Et0/0          172.16.1.85     Et1/0.1        172.16.10.20    06 00  00     799
0050 /0  0                     0050 /0  0     0.0.0.0                40  1258.0
Et0/0          10.251.10.1     Et1/0.1        172.16.10.2     01 00  10     799
0000 /0  0                     0800 /0  0     0.0.0.0              1500  1258.1
Et0/0          10.162.37.71    Null           172.16.11.3     06 00  00     798
027C /0  0                     027C /0  0     0.0.0.0                40  1256.4

Verifying That NetFlow Data Export Is Operational

To verify that NetFlow data export is operational and to view the statistics for NetFlow data export, perform the step in this optional task.

SUMMARY STEPS

1. show ip flow export

DETAILED STEPS

Step 1: show ip flow export

Use this command to display the statistics for the NetFlow data export, including statistics for the main cache and for all other enabled caches. The following is sample output from this command:

Example:

Router# show ip flow export
Flow export v9 is enabled for main cache
  Exporting flows to 172.16.10.2 (99)
  Exporting using source interface Ethernet0/0
  Version 9 flow records
  0 flows exported in 0 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures


Mohammed Anwarul Islam
