Cisco’s Flexible NetFlow technology is a powerful but sometimes complicated way to customize your flow collection. Here are some tips on how to configure Cisco routers for NetFlow export. It can take a little time to understand and set up, but is well worth the effort.
There are three basic objects that need to be understood in order to make sense of Flexible NetFlow: the Record, the Exporter, and the Monitor.
The terms aren’t necessarily obvious in their meaning. One can think of a Cisco device as an inspection station, with packets going by from one interface to another. Inspectors examine the packets and produce reports to send outside. There may be multiple inspectors, each of whom might send a couple of different reports to a couple of different places depending on the kind of packets they see. In order for them to perform their tasks, a few things need to be defined: a form to fill in for each report, an envelope to send it in, and a set of standing orders saying which form goes in which envelope.
Such a form is called a Record, and constitutes a NetFlow v9 or IPFIX template. The envelope is an Exporter, and gives the details of the host receiving the NetFlow records. The set of standing orders describes a Monitor, a process on your router that collects flows and sends NetFlow records and templates to the exporter’s destination.
The sections below walk through assembling records, exporters, and monitors, and show the commands needed to enter them on a Cisco device running an IOS version in the 15 family, IOS 12.4T, or IOS 12.2. As with previous NetFlow export configurations for Cisco routers, Cisco Express Forwarding (CEF) or distributed CEF (dCEF), or their IPv6 equivalents, must be enabled globally and on any monitored interface.
The Record is a description of a NetFlow v9 template. This template is sent periodically to a collector (such as FlowTraq) so that it knows how to interpret the NetFlow datagrams that describe network sessions. There are two primary commands: match and collect. Match denotes a key, or mandatory, field; the set of key fields defines what a flow is, since packets that agree on every key field are aggregated into the same flow. If a packet cannot fill a key field, it is not recorded using that record. A common match field is the IPv4 address; an IPv6 packet does not contain an IPv4 address, therefore the match fails and no record is generated. Collect denotes an optional, non-key field such as VLAN. Space is reserved for collect fields, but they are simply left as ‘0’ if not present.
Cisco provides a number of pre-defined records; however, the steps below define a custom record. Each of the command sets below is entered in global configuration mode.
Many of these fields are specific to IPv4. This is due to the length specifications in the NetFlow datagram: a Record specifies which data goes in which field, how long the field is, and how to interpret it. IPv6 and IPv4 addresses, being such different lengths, must be dealt with differently, which requires separate records. Internally, this data is broken down according to a logical tree structure: once a packet is identified as IPv6, all of the IPv4 fields are blank. The IPv6 record must therefore switch everything (protocol, masks, etc.) to read out of the v6 tree.
You may wish to skip this step and use one of the pre-defined records (see the Monitor section below on how to do this); however, you are still required to define an Exporter.
The Exporter is a description of a destination for flow records, which is the collector. At this stage we are not specifying what is being sent; we are just crafting the envelope: the collector’s address and UDP port, the export protocol (NetFlow v9 or IPFIX), and optionally a source interface. Naming a source interface (a loopback is common) gives the exports a stable source address that the collector and any firewalls in the path can permit explicitly. The exporter also determines how often templates are resent. Setting the template timeout to 5 minutes, for example, reduces bandwidth overhead slightly, but means a collector can need up to 5 minutes after any record change, or after its own restart, before it can decode the data records again. Official recommendations range from resending templates once a minute to twice an hour.
The final stage is setting up the Monitor itself. With the heavy definition work already done, this part goes quickly, in two steps. First, define the monitor:
Remember that different Records for IPv4 and IPv6 traffic were created; each needs a separate Monitor:
If you would rather use one of the pre-defined Flexible NetFlow “NetFlow IPv4/IPv6 original input” records instead, substitute an alternate record command:
Finally, deploy the monitor by selecting the desired interface(s) and attaching it:
If your network carries both IPv4 and IPv6 traffic, you may need to apply a monitor to an IPv6 interface as well:
In most situations, you will be applying a monitor to each interface. In that case the “input” line is sufficient: all bases are covered by monitoring each interface’s ingress traffic. If you choose not to monitor all interfaces, you may need to add an output monitor as well so that both ingress and egress traffic are covered. Do not apply both input and output monitors on every interface, since transit traffic would then be counted twice, once on the interface it enters and once on the interface it leaves:
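The complete configuration for the record, exporter, monitor and interface steps above, as an added example (this is not the original page’s configuration, nor FlowTraq’s). The object names beginning FLOWTRAQ-, the collector address 192.0.2.10, the Loopback0 source and the interface GigabitEthernet0/0 are assumptions; replace them with your own.

```cisco
! Added example, not the page's original configuration. Object names, the
! collector address 192.0.2.10, Loopback0 and GigabitEthernet0/0 are assumptions.
!
! 1. Records: one per address family. Every "match" field is a key: packets
!    that agree on all keys are aggregated into one flow, and a packet that
!    cannot fill a key (an IPv6 packet for an ipv4 field) is not counted.
flow record FLOWTRAQ-IPV4
 description IPv4 session key fields plus counters
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect transport tcp flags
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow record FLOWTRAQ-IPV6
 description Same layout, read from the IPv6 field tree
 match ipv6 protocol
 match ipv6 source address
 match ipv6 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect transport tcp flags
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! 2. Exporter: the envelope. A loopback source gives a stable address the
!    collector and firewalls can permit; templates are resent every 300 s.
flow exporter FLOWTRAQ-EXPORT
 description NetFlow v9 to the FlowTraq collector
 destination 192.0.2.10
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 300
!
! 3. Monitors: bind a record to an exporter. A short active timeout reports
!    long-lived sessions while they are still in progress, not only at the end.
flow monitor FLOWTRAQ-MON-IPV4
 record FLOWTRAQ-IPV4
 exporter FLOWTRAQ-EXPORT
 cache timeout active 60
 cache timeout inactive 15
!
flow monitor FLOWTRAQ-MON-IPV6
 record FLOWTRAQ-IPV6
 exporter FLOWTRAQ-EXPORT
 cache timeout active 60
 cache timeout inactive 15
!
! To use Cisco's pre-defined records instead, replace the "record" lines with:
!   record netflow ipv4 original-input
!   record netflow ipv6 original-input
!
! 4. Attach to interfaces. Input-only on every interface covers all traffic;
!    add an "output" monitor only on interfaces you do not otherwise cover.
interface GigabitEthernet0/0
 ip flow monitor FLOWTRAQ-MON-IPV4 input
 ipv6 flow monitor FLOWTRAQ-MON-IPV6 input
```

The 60-second active timeout is a deliberate choice for a security collector: with the IOS default of 30 minutes, a long-running exfiltration session would not appear in the collector until it ended. Lowering it costs a few more records per long flow but no extra flows.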
At this point the Cisco device is configured and exporting NetFlow. Depending on the configured timeouts, it can take some minutes for session traffic to start arriving and being processed. If traffic fails to arrive at your collector, there are a few things to check:
First, make sure that your NetFlow collector is listening on the UDP port set in the Exporter (2055 is the conventional NetFlow port) and that any firewalls in between, particularly the host firewall on the machine running the collector, allow the NetFlow packets to pass. Remember that the packets come from the exporter’s source interface address, which is not necessarily the interface facing the collector, so that is the address the firewall rules must permit.
Second, double-check the Exporter configuration and ensure the collector IP address listed is correct and routable from the source interface. You can verify that flow records are arriving with a packet capture utility such as Wireshark or tcpdump. Note that a collector which receives data records before it has seen the matching template cannot decode them, so allow at least one template timeout to elapse before concluding that nothing is working.
Third, make sure the record includes all the data needed to store full network session records: typically, collectors require source and destination IP addresses, protocol, port numbers, and byte and packet counts.
Finally, if none of the above troubleshooting methods worked, contact your vendor’s support.
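Device-side checks that go with the troubleshooting steps above, as an added example that is not part of the original page. It assumes objects named FLOWTRAQ-EXPORT and FLOWTRAQ-MON-IPV4 attached to GigabitEthernet0/0; substitute your own names. The commands are entered in privileged EXEC mode.

```cisco
! Added example of device-side checks, not from the page. Object and interface
! names are assumptions; substitute your own.
!
! CEF must be enabled globally and on the monitored interface, or no flows
! are created at all.
show ip cef summary
show ipv6 cef
!
! Confirm the monitor is attached to the interface in the expected direction.
show flow interface GigabitEthernet0/0
!
! The exporter should list the collector address, transport (UDP 2055) and the
! template timeout; the statistics should show the packets-sent counter
! climbing between two runs. If it climbs but nothing reaches the collector,
! the problem is on the path (routing, firewall, source address), not the router.
show flow exporter FLOWTRAQ-EXPORT
show flow exporter statistics
!
! Non-zero cache entries prove the record is matching traffic. An empty cache
! on a busy interface usually means a key field cannot be filled, for example
! an ipv4 match on a link carrying only IPv6.
show flow monitor FLOWTRAQ-MON-IPV4 statistics
show flow monitor FLOWTRAQ-MON-IPV4 cache
!
! On the collector host (not the router), a capture separates "not sent" from
! "sent but dropped by a firewall":
!   tcpdump -ni any udp port 2055
```

Reading the exporter statistics and the collector-side capture together tells you which of the three checks above applies: counters not moving points at the record or monitor, counters moving with no packets captured points at routing or a firewall, and packets captured but nothing stored points at the collector’s port or its template state.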
This document applies to multiple versions of Cisco IOS, starting with the IOS Release 12.2 family. Wherever possible, devices are listed according to the latest release of IOS supported, organized according to version. This includes the following more recent versions in particular:
Cisco IOS versions 15.3M and 15.3T, which is run by:
Cisco IOS Version 15.3S, which is run by:
Cisco IOS Version 15.2S, which is run by:
Devices running Cisco IOS Version 15.2 M&T
Devices running Cisco IOS version 15.1S
Devices running Cisco IOS Version 15.0M
Devices running Cisco IOS Version 15.0S
Cisco Catalyst 6500 Switches running Supervisor Engine 2T or Supervisor Engine 720
Devices running Cisco IOS Version 12.4T