
Configuring Flexible NetFlow Export on Cisco Routers

By Dr. John Murphy | April 30, 2014



Cisco’s Flexible NetFlow technology is a powerful but sometimes complicated way to customize your flow collection. Here are some tips on how to configure Cisco routers for NetFlow export. It can take a little time to understand and set up, but is well worth the effort.

There are three basic objects that need to be understood in order to make sense of Flexible NetFlow:

  • Records
  • Exporters
  • Monitors

The terms aren’t necessarily obvious in their meaning. One can think of a Cisco device as an inspection station, with packets going by from one interface to another. Inspectors examine the packets and produce reports to send outside. There may be multiple inspectors, each of whom might send a couple different reports to a couple different places depending on the kind of packets they see. In order for them to perform their tasks, a few things need to be defined:

  • The forms they fill out and send as the reports. The forms will have required fields and optional fields; if a given packet doesn’t have the information needed to fill out a required field, that form doesn’t get filled out. The form fields have standardized names so that the end reader of the form knows exactly how to treat the contents.
  • An envelope format with standardized address labels to match to completed forms and send on their way, detailing everything needed to deliver a form to a specific destination, as well as any special instructions.
  • A set of standing orders: Watch this set of packets (an interface). Fill out these forms. Send them in these envelopes.

Such a form is called a Record, and corresponds to a NetFlow v9 or IPFIX template. The envelope is an Exporter, and gives the details of the host receiving the NetFlow records. The set of standing orders describes a Monitor, a process on your router that maintains a flow cache and sends NetFlow records and templates.

Below we walk through assembling records, exporters, and monitors, and show the commands needed to enter them on a Cisco device running an IOS version in the 15 family, IOS 12.4T, or IOS 12.2. As with previous NetFlow export configurations for Cisco routers, one of the following must be enabled on your router and on any monitored interfaces: Cisco Express Forwarding (CEF), distributed CEF (dCEF), or their IPv6 equivalents.

RECORDS

The Record is a description of a NetFlow v9 template. This template is sent periodically to a collector (such as FlowTraq) so that it knows how to interpret the NetFlow datagrams that describe network sessions. There are two primary commands: match and collect. Match denotes a key, or mandatory, field; the set of key fields is what makes one flow distinct from another in the router’s cache, and if there is not enough data in a packet to fill a key field, that traffic is not recorded using that record. A common match field is IPv4 address; an IPv6 packet does not contain an IPv4 address, therefore the match fails and no record is generated. Collect denotes an optional, non-key field such as VLAN. Space is reserved for collect fields in every record, but they are simply left as ‘0’ if the information is not present.

Cisco provides a number of pre-defined records, however we outline the steps taken to define a custom record. Each of the command sets below is performed in global configuration mode.

! First create a name to define the flow record
flow record ipv4_record
! Having entered that, we’re in flow record configuration mode
! Start with the match commands, which define the key fields (what makes a flow distinct)
match ipv4 source address
match ipv4 destination address
match ipv4 protocol
match transport source-port
match transport destination-port
! Now the rest of the flow record: non-key fields that are reported but not used to distinguish flows
collect interface input
collect interface output
collect counter packets
collect counter bytes
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp source-port
collect transport tcp destination-port
collect ipv4 tos
collect transport tcp flags
collect routing source as
collect routing destination as
collect ipv4 source mask
collect ipv4 destination mask
collect flow direction
! exit flow record configuration mode
exit

Many of these items are specific to IPv4. This is due to the length specifications in the NetFlow datagram: a Record is specifying which data goes in which field, how long the field is and how to interpret it. IPv6 and IPv4 addresses, being such different lengths, must be dealt with differently, which requires separate forms. Internally, this data is broken down according to a logical tree structure — once a packet is identified as being IPv6, then all of the IPv4 fields will be blank. The configuration must therefore switch everything (protocol, masks, etc) to read out of the v6 tree.

! Create an IPv6-specific name
flow record ipv6_record
! Note that protocol, traffic class and masks are all read from the IPv6 tree, not just the addresses
match ipv6 source address
match ipv6 destination address
match ipv6 protocol
match flow direction
match transport source-port
match transport destination-port
collect interface input
collect interface output
collect counter packets
collect counter bytes
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp source-port
collect transport tcp destination-port
! IPv6 carries a traffic-class field rather than an IPv4 ToS byte
collect ipv6 traffic-class
collect transport tcp flags
collect routing source as
collect routing destination as
collect ipv6 source mask
collect ipv6 destination mask
! exit flow record configuration mode
exit

You may wish to skip this step and use one of the pre-defined records instead (see the Monitor section below on how to do this); however, you are still required to define an Exporter.

EXPORTER

The Exporter is a description of a destination for flow records, which is the collector. At this stage we are not specifying what is being sent; we are just crafting the envelope. This also determines how often templates are resent. In the configuration below it is 5 minutes, which reduces bandwidth overhead slightly but means that after any reconfiguration the collector may be unable to decode data records for up to 5 minutes, until the new template arrives. Official recommendations range from resending templates once a minute to resending twice an hour. Bear in mind that NetFlow v9 export is plain UDP with no authentication or encryption: the collector cannot tell a genuine exporter from a host spoofing its address, so keep the export path on a management network and configure the collector to accept records only from the expected exporter addresses.

! create a name for the exporter configuration and enter flow exporter configuration mode
flow exporter my_flow_collector
destination [IP address of your flow collector]
! The ‘source’ is the “return address” and determines the IP address that identifies this device to the collector;
! a loopback interface is a good choice because its address does not change when routing changes
source [name of an interface]
! Define the port number and protocol; there is no IANA-assigned port for NetFlow v9, but 2055/UDP is the
! common convention and the default that most collectors listen on
transport udp 2055
export-protocol netflow-v9
! Resend the template every 5 minutes (300 seconds)
template data timeout 300
! exit flow exporter configuration mode
exit

MONITOR

The final stage is setting up the Monitor itself. Having already done the heavy definition work, this bit goes fast, in two parts. First, define the monitor:

! Give it a name that you’ll recognize later in the interface configurations
flow monitor main_monitor
! Tell it what forms to fill out; we’re using a named Record, so the command is simple:
record ipv4_record
! Tell it what collector to send them to
exporter my_flow_collector
! You can add more here if you need to, but each must already be defined as a flow exporter
exporter my_second_flow_collector
! Tell it how often to export long-lived flows from its cache. A lower number of seconds sends more
! frequent flow updates (potentially a strain on collector processing power for some collectors), while a
! longer active timeout delays reporting and lets more entries accumulate, risking loss of sessions
! through cache overflow. (The inactive timeout, for flows that have stopped, is tuned separately.)
cache timeout active 30
exit

Remember that different Records for IPv4 and IPv6 traffic were created; each needs a separate Monitor:

flow monitor main_monitor_v6
record ipv6_record
exporter my_flow_collector
cache timeout active 30
exit

If you would rather use one of the pre-defined Flexible NetFlow “NetFlow IPv4/IPv6 original input” records instead of a custom one, substitute an alternate record command in the monitor:

record netflow ipv4 original-input

or

record netflow ipv6 original-input

Finally, deploy the monitor by selecting the desired interface(s) and attaching it (the interface names below are placeholders; substitute your own):

interface InternalNetwork/0
ip flow monitor main_monitor input
exit
interface InternalNetwork/1
ip flow monitor main_monitor input
exit

If your network carries both IPv4 and IPv6 traffic, attach the IPv6 monitor as well on each interface that carries IPv6; the two monitors coexist on the same interface:

interface InternalNetwork/1
ip flow monitor main_monitor input
ipv6 flow monitor main_monitor_v6 input
exit

In most situations, you will be applying a monitor to every interface. In that case the “input” line is sufficient: every packet that transits the router enters on some interface, so monitoring each interface’s ingress traffic covers all of it, and adding output monitors everywhere would simply count transit traffic twice. If you choose not to monitor all interfaces, you may need to add an output monitor on the ones you do monitor so that both ingress and egress traffic are covered:

interface InternalNetwork/1
ip flow monitor main_monitor input
ip flow monitor main_monitor output
exit

FINISHING UP

At this point the Cisco device is configured and exporting NetFlow. Depending on the configured timeouts, it could take some minutes for session traffic to start arriving and being processed. If traffic fails to arrive at your collector, there are a few things to check:

First, make sure that your NetFlow collector is listening on the correct port (UDP 2055 above) and that any firewalls in between (particularly on the host running the collector) allow the NetFlow packets to pass.

Second, double-check the Exporter configuration and ensure the collector IP address listed is correct and routable from the router’s source interface. You can verify that NetFlow datagrams are actually arriving on the collector host with a packet capture utility such as Wireshark or tcpdump, filtering on UDP port 2055; if you see only template FlowSets but no data, or data FlowSets but no templates, the problem is in the record or timeout configuration rather than the network path.

Third, make sure the configuration includes all the data needed to store full network session records: typically, collectors require IP addresses, protocol, port numbers, and byte and packet counts.
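To make the Record, template and collector-side behaviour concrete, here is an added Python example (not part of the original article, and not FlowTraq or Cisco code) that builds a NetFlow v9 export the way a router would for the ipv4_record defined above, then decodes it as a collector must. It reproduces two points from the text: a data FlowSet that arrives before its template cannot be decoded until the template is (re)sent, which is the delay governed by the exporter’s template data timeout, and a template can be checked for the minimum fields a collector needs to store a full session record. The field type numbers and lengths are those of RFC 3954; the exporter address, interface indexes and the two sample sessions are constructed test data.

```python
# NetFlow v9 on the wire: a Record becomes a template FlowSet, and a collector
# cannot decode data FlowSets until that template has arrived. Constructed example.
import struct
from ipaddress import IPv4Address

# Field type numbers and byte lengths (RFC 3954, section 8) for the fields in ipv4_record.
FIELDS = {"ipv4_src_addr": (8, 4), "ipv4_dst_addr": (12, 4), "protocol": (4, 1),
          "l4_src_port": (7, 2), "l4_dst_port": (11, 2), "input_snmp": (10, 2),
          "output_snmp": (14, 2), "in_pkts": (2, 4), "in_bytes": (1, 4),
          "first_switched": (22, 4), "last_switched": (21, 4), "src_tos": (5, 1),
          "tcp_flags": (6, 1), "direction": (61, 1)}
TYPE_TO_NAME = {ftype: name for name, (ftype, _) in FIELDS.items()}
# Minimum a collector needs for a full session record (the third check above).
REQUIRED = {"ipv4_src_addr", "ipv4_dst_addr", "protocol", "l4_src_port", "l4_dst_port", "in_pkts", "in_bytes"}
TEMPLATE_ID = 256   # data FlowSet IDs start at 256; FlowSet ID 0 carries templates


def pad4(b):
    return b + b"\x00" * (-len(b) % 4)


def header(count, seq, source_id=0):
    # version, record count, sysUpTime (ms), UNIX seconds, sequence, source ID: 20 bytes
    return struct.pack("!HHIIII", 9, count, 0, 0, seq, source_id)


def template_flowset(names):
    body = struct.pack("!HH", TEMPLATE_ID, len(names))
    body = pad4(body + b"".join(struct.pack("!HH", *FIELDS[n]) for n in names))
    return struct.pack("!HH", 0, 4 + len(body)) + body


def data_flowset(names, flows):
    enc = lambda n, v: IPv4Address(v).packed if n.endswith("_addr") else int(v).to_bytes(FIELDS[n][1], "big")
    body = pad4(b"".join(enc(n, f[n]) for f in flows for n in names))
    return struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body


class Collector:
    def __init__(self):
        self.templates = {}            # keyed by (exporter address, source ID, template ID)
        self.dropped_no_template = 0   # data FlowSets seen before their template

    def decode(self, exporter, pkt):
        version, _n, _up, _secs, _seq, source_id = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version {version})")
        records, off = [], 20
        while off + 4 <= len(pkt):
            fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
            if fs_len < 4 or off + fs_len > len(pkt):
                raise ValueError("malformed FlowSet length")
            body = pkt[off + 4:off + fs_len]
            if fs_id == 0:
                self._learn(exporter, source_id, body)
            elif fs_id >= 256:
                fields = self.templates.get((exporter, source_id, fs_id))
                if fields is None:
                    self.dropped_no_template += 1
                else:
                    records.extend(self._records(fields, body))
            off += fs_len
        return records

    def _learn(self, exporter, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, n = struct.unpack("!HH", body[off:off + 4])
            if tid == 0:          # zero padding, not another template
                break
            spec = body[off + 4:off + 4 + 4 * n]
            self.templates[(exporter, source_id, tid)] = [
                struct.unpack("!HH", spec[i:i + 4]) for i in range(0, 4 * n, 4)]
            off += 4 + 4 * n

    @staticmethod
    def _records(fields, body):
        rec_len, out = sum(flen for _, flen in fields), []
        for start in range(0, len(body) - rec_len + 1, rec_len):   # trailing padding is skipped
            rec, off = {}, start
            for ftype, flen in fields:
                raw, off = body[off:off + flen], off + flen
                name = TYPE_TO_NAME.get(ftype, f"type_{ftype}")
                rec[name] = str(IPv4Address(raw)) if name.endswith("_addr") else int.from_bytes(raw, "big")
            out.append(rec)
        return out


def missing_required(fields):
    """REQUIRED field names absent from a template given as a list of (type, length)."""
    return sorted(REQUIRED - {TYPE_TO_NAME.get(ftype) for ftype, _ in fields})


def run_demo():
    names = list(FIELDS)
    # Constructed sample sessions from 10.0.0.5: an SSH connection and a DNS query.
    def flow(dst, proto, sport, dport, pkts, nbytes):
        return dict(ipv4_src_addr="10.0.0.5", ipv4_dst_addr=dst, protocol=proto,
                    l4_src_port=sport, l4_dst_port=dport, input_snmp=1, output_snmp=2,
                    in_pkts=pkts, in_bytes=nbytes, first_switched=1000, last_switched=31000,
                    src_tos=0, tcp_flags=0x1B if proto == 6 else 0, direction=0)
    flows = [flow("10.0.1.20", 6, 51234, 22, 40, 6120), flow("10.0.1.53", 17, 40001, 53, 1, 78)]
    exporter = "192.0.2.1"     # the router's exporter source address (constructed)
    data_pkt = header(len(flows), seq=1) + data_flowset(names, flows)
    tmpl_pkt = header(1, seq=2) + template_flowset(names)
    c = Collector()
    before = c.decode(exporter, data_pkt)   # data before its template: undecodable
    c.decode(exporter, tmpl_pkt)            # template arrives (at 'template data timeout')
    after = c.decode(exporter, data_pkt)    # the same bytes now decode
    return {"before_template": before, "after_template": after, "dropped": c.dropped_no_template,
            "missing": missing_required(c.templates[(exporter, 0, TEMPLATE_ID)])}


if __name__ == "__main__":
    print(run_demo())
```

The collector keys its template cache on the exporter’s source address and source ID, exactly as the standard requires, which is also why the protocol is only as trustworthy as the network it crosses: a host that can send UDP datagrams with the router’s address can replace a template and make the collector misinterpret every subsequent data record. The same decoder run over a capture from the collector host tells you immediately which of the two halves, template or data, is missing when records fail to appear.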

Finally, if none of the above troubleshooting methods worked, contact your vendor’s support.

This document applies to multiple versions of Cisco IOS, starting with the IOS Release 12.2 family. Wherever possible, devices are listed according to the latest release of IOS supported, organized according to version. This includes the following more recent versions in particular:

Cisco IOS versions 15.3M and 15.3T, which is run by:

  • Cisco 800 Series Routers
    • Cisco 812G, Cisco 812G-CIFI
    • Cisco 819G
    • Cisco 819H, Cisco 819HG, Cisco 819HGW, Cisco 819HW
    • Cisco 861
    • Cisco 866VAE
    • Cisco 867VAE
    • Cisco 881, Cisco 881G, Cisco 881GW, Cisco 881SRST, Cisco 881W, Cisco 881WD, Cisco 881-CUBE
    • Cisco 886VA, Cisco 886VAG, Cisco 886VAJ, Cisco 886VA-W, Cisco 886-CUBE
    • Cisco 887VA, Cisco 887VAG, Cisco 887VAGW, Cisco 887VAMG, Cisco 887VA-M, Cisco 887VA-W, Cisco 887VA-WD, Cisco 887VAM-W, Cisco 887-CUBE
    • Cisco 888, Cisco 888E, Cisco 888EA, Cisco 888EG, Cisco 888SRST, Cisco 888-CUBE
      (Cisco 888EA is supported in Cisco IOS Release 15.2(2)T and later releases)
    • Cisco 891, Cisco 891F, Cisco 891FW-A, Cisco 891FW-E
    • Cisco 892, Cisco 892FSP, Cisco 892F-CUBE
    • Cisco 898EA
  • Cisco 1900 Series Integrated Services Routers
    • Cisco 1905
    • Cisco 1906C
    • Cisco 1921
    • Cisco 1941
    • Cisco 1941W
  • Cisco 2900 Series Integrated Services Routers
    • Cisco 2901
    • Cisco 2911
    • Cisco 2921
    • Cisco 2951
  • Cisco 3900 Series Integrated Services Routers
    • Cisco 3925
    • Cisco 3925E
    • Cisco 3945
    • Cisco 3945E
  • Cisco Connected Grid Router 2000 Series
    • Cisco Connected Grid Router 2010
  • Cisco Analog Voice Gateways
    • Cisco VG202XM
    • Cisco VG204XM
  • Cisco High Density Analog Voice Gateways
    • Cisco VG350 High Density Voice over IP Analog Gateway

Cisco IOS Version 15.3S, which is run by:

  • Cisco 7600 series routers
    • Cisco 7603-S
    • Cisco 7604
    • Cisco 7606
    • Cisco 7606-S
    • Cisco 7609
    • Cisco 7609-S
    • Cisco 7613
    • Cisco ASR 901 router
    • Cisco ASR 901 10G router
    • Cisco ME 3600X switch
    • Cisco ME 3600X-24CX switch
    • Cisco ME 3800X switch
    • Cisco RSP720-10GE
    • Cisco Supervisor Engine 32, Supervisor Engine 720, Route Switch Processor 720

Cisco IOS Version 15.2S, which is run by:

  • Cisco ME 3600X switch (IOS Release 15.2(2)S)
  • Cisco ME 3600X 24CX (IOS Release 15.2(2)S1)
  • Cisco ME 3800X switch (IOS Release 15.2(2)S)
  • Cisco RSP720-10GE
  • Cisco Supervisor Engine 32, Supervisor Engine 720, Route Switch Processor 720
  • Cisco 7200 router (supported in Cisco IOS Release 15.2(4)S)
  • Cisco 7301 router (supported in Cisco IOS Release 15.2(4)S)

Devices running Cisco IOS Version 15.2 M&T

Devices running Cisco IOS version 15.1S

Devices running Cisco IOS Version 15.0M

Devices running Cisco IOS Version 15.0S

Cisco Catalyst 6500 Switches running Supervisor Engine 2T or Supervisor Engine 720

Devices running Cisco IOS Version 12.4T


Read other FlowTraq technical tips about configuring network traffic export from Cisco and Juniper Routers:

  1. Flexible Netflow Export from Cisco Routers

  2. Simple Netflow Export from Recent Cisco Routers

  3. Netflow Export from Older Cisco Routers

  4. Configuring J-Flow Export from  Juniper SRX Series Routers