
Configuring NetFlow Export on Older Cisco Routers

By Dr. John Murphy | April 29, 2014



This document is for Cisco IOS releases prior to 12.2(14)S, 12.0(22)S, or 12.2(15)T.

For simple, pre-defined NetFlow output, most Cisco devices offer a fast and straightforward monitoring solution. The specific commands required depend on your version of IOS, however.

Note: Depending on the device, interfaces to be configured for NetFlow export may first need to be configured for one of:

  • Cisco Express Forwarding (CEF)
  • Fast Switching
  • Cisco distributed Express Forwarding (dCEF)

Enter global configuration mode (from privileged EXEC mode, type “configure terminal”) and enable flow collection on every interface. The exact interface selection command varies by device, depending on whether ports are addressed as “slot/port” (e.g. Cisco 7200 series routers) or “slot/port-adapter/port” (e.g. Cisco 7500 series routers). Enter configuration mode for each interface, add the line “ip route-cache flow”, and exit back to global configuration mode:

# interface FastEthernet0/0
# ip route-cache flow
# exit
# interface FastEthernet0/1
# ip route-cache flow
# exit
IMPORTANT: if the ip route-cache flow command is rejected, you may be running a later version of IOS, which uses ip flow ingress instead; the FlowTraq post on NetFlow export from recent Cisco routers (linked at the end of this page) covers that case. If neither command is accepted, check the documentation to make sure NetFlow export is supported on your device and for that version of IOS.

It is important to configure every interface, because this configuration records only ingress traffic: if you skip an interface, traffic entering through it is never recorded, regardless of which interface it exits, and the other interfaces cannot make up the gap. If you are not interested in traffic entering or exiting a specific interface, it is better to filter it out when viewing and analyzing the flows than to leave it uncollected.

Once all of the interfaces are configured to collect NetFlow statistics, configure the NetFlow export destination:

# ip flow-export destination [IP address of your NetFlow collector] [2055]
# ip flow-export source FastEthernet0/0
# ip flow-export version 9

You may use “version 5” for NetFlow v5, but this is not recommended: NetFlow v5 records carry only IPv4 addresses, so IPv6 traffic cannot be exported. Some of the older IOS releases this post covers predate NetFlow v9 export entirely; if “version 9” is rejected, version 5 is the only choice, and you will need a newer IOS to report IPv6 flows.

At this point NetFlow export is configured. Exit global configuration mode (“end”) and execute the ‘write’ command to save the running configuration. The following additional commands are recommended. Your Cisco device exports flows on an internal schedule that distinguishes active connections (packets are still arriving for that flow) from inactive ones (no packet has been seen for some number of seconds). A flow that becomes inactive is exported and removed from the cache; a flow that stays active is exported periodically, so that long-lived connections are still reported before they end.

# ip flow-cache timeout active 1

This command sets the active timeout to one minute (the argument is in minutes; the IOS default is 30). Long-lived connections are then reported once per minute rather than every half hour. This adds to the CPU load on your Cisco device, but ensures timely reporting of updates for your flow analysis tools.

# ip flow-cache timeout inactive 15

This command defines ‘inactive’ as “no new packets for 15 seconds” (also the IOS default). A lower value frees cache entries sooner and so keeps the flow cache smaller, but increases NetFlow export traffic on your network, because a connection that pauses for longer than the timeout is reported as two separate flows. A value of 15 is a good compromise between those considerations, ensuring that very short sessions are reported promptly.
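To make the active/inactive schedule concrete, here is an added example (not FlowTraq's or Cisco's code) that models a flow cache expiring entries according to the two timeout commands above. The traffic is constructed: a TCP session that sends one packet per second for 150 seconds, plus a single DNS packet. The model is simplified by assumption: it checks the timeouts on every packet and on a final sweep, whereas real IOS scans its cache periodically and also expires flows on TCP FIN/RST and when the cache fills.

```python
"""Toy model of the IOS NetFlow cache's active/inactive timeouts.

Added example (not FlowTraq's or Cisco's code). Entries are expired the way
'ip flow-cache timeout active' and 'ip flow-cache timeout inactive' describe,
so the number of export records a traffic pattern produces can be seen.
Assumptions: timeouts are checked on every packet and on a final sweep; no
FIN/RST or cache-full expiry is modelled; all traffic below is constructed.
"""
from dataclasses import dataclass

ACTIVE_TIMEOUT = 60       # 'ip flow-cache timeout active 1'    -> 1 minute
INACTIVE_TIMEOUT = 15     # 'ip flow-cache timeout inactive 15' -> 15 seconds
DEFAULT_ACTIVE = 30 * 60  # IOS default active timeout is 30 minutes


@dataclass
class ExportRecord:
    key: tuple      # (src, dst, proto, sport, dport)
    first: float    # time of the first packet covered by this record
    last: float     # time of the last packet covered by this record
    packets: int
    octets: int
    reason: str     # 'active' or 'inactive' once exported


class FlowCache:
    def __init__(self, active=ACTIVE_TIMEOUT, inactive=INACTIVE_TIMEOUT):
        self.active = active
        self.inactive = inactive
        self.entries = {}   # key -> ExportRecord still being accumulated
        self.exported = []  # records handed to the exporter, in order

    def _expire(self, now):
        """Export and drop every entry that has hit either timeout."""
        for key, e in list(self.entries.items()):
            if now - e.last >= self.inactive:
                e.reason = "inactive"
            elif now - e.first >= self.active:
                e.reason = "active"
            else:
                continue
            self.exported.append(e)
            del self.entries[key]

    def packet(self, now, key, length):
        self._expire(now)
        e = self.entries.get(key)
        if e is None:
            # A flow just expired on the active timeout starts a fresh entry
            # here, which is why long connections are reported in pieces.
            e = self.entries[key] = ExportRecord(key, now, now, 0, 0, "")
        e.last = now
        e.packets += 1
        e.octets += length

    def sweep(self, now):
        """Final cache scan at time 'now'; returns everything exported so far."""
        self._expire(now)
        return self.exported


def simulate(active=ACTIVE_TIMEOUT, inactive=INACTIVE_TIMEOUT):
    """Run the constructed traffic through the cache; return the export records."""
    cache = FlowCache(active, inactive)
    long_tcp = ("10.0.0.5", "192.0.2.10", 6, 51234, 443)  # constructed
    dns_query = ("10.0.0.7", "192.0.2.53", 17, 40000, 53)  # constructed
    packets = [(t, long_tcp, 1400) for t in range(0, 151)]  # one packet/second
    packets.append((10, dns_query, 70))                      # a lone packet
    for now, key, length in sorted(packets, key=lambda p: p[0]):
        cache.packet(now, key, length)
    return cache.sweep(165)  # one last scan, 15 s after the final packet


if __name__ == "__main__":
    for r in simulate():
        print(f"{r.key[0]}->{r.key[1]}:{r.key[4]} {r.first:>5}-{r.last:<5} "
              f"{r.packets:>3} pkts {r.reason}")
    print("with the 30-minute default:",
          len([r for r in simulate(active=DEFAULT_ACTIVE) if r.key[4] == 443]),
          "record(s) for the long session")
```

With a one-minute active timeout the 150-second session shows up as three records (two active expiries and a final inactive one); with the 30-minute default it is a single record that the collector only sees 15 seconds after the session stops. The DNS packet is exported on the inactive timeout 15 seconds after it arrives in both cases.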

There is an additional command, “ip flow-cache entries [number]”, which sets the size of the flow cache directly (from 1024 up to 524,288 entries). Cisco discourages use of this command, because the change in RAM footprint can affect vital router tasks, but in environments with very heavy flow traffic a modest increase may be the better option: a cache that fills up forces entries to be expired early, so enlarging it preserves full-fidelity reporting at minimal CPU load. The command “no ip flow-cache entries” resets the value to the device-dependent default (65,536 on Cisco 7500 routers).

To verify and inspect the collected flow statistics, run the following command in privileged EXEC mode (“show ip flow export” additionally reports the configured destination and how many export datagrams have been sent to it):

# show ip cache flow

Important note: changes to these cache settings made after NetFlow has already been enabled on the interfaces, the cache size in particular, do not take effect until you either reload the device or remove ip route-cache flow from every interface and re-apply it.
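Since the most common mistake with this procedure is an interface that was never given “ip route-cache flow”, here is an added example (not FlowTraq's or Cisco's code) that audits the text of “show running-config” for the settings described above: it lists every non-shutdown interface without flow collection, extracts the export destination, source and version, and warns if the version is not 9. The two configurations are constructed samples, and the parser assumes the standard IOS layout of one-space-indented sub-commands terminated by “!” lines.

```python
"""Audit a Cisco IOS running-config for the NetFlow settings in this post.

Added example (not FlowTraq's or Cisco's code). Given 'show running-config'
text, report interfaces lacking 'ip route-cache flow' (traffic entering there
is never recorded) and check the export destination, source and version.
Assumes IOS layout: sub-commands indented one space, sections ended by '!'.
Both configs below are constructed samples.
"""
import re

# Constructed: FastEthernet0/1 lacks 'ip route-cache flow' and the export
# version is 5, which cannot carry IPv6 flows.
BAD_CONFIG = """\
hostname edge-7206
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip route-cache flow
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface Serial1/0
 description disused
 shutdown
!
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 203.0.113.20 2055
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
"""

# Constructed: the same device after applying the steps in this post.
GOOD_CONFIG = BAD_CONFIG.replace(
    " ip address 198.51.100.1 255.255.255.0\n",
    " ip address 198.51.100.1 255.255.255.0\n ip route-cache flow\n",
).replace("ip flow-export version 5", "ip flow-export version 9")


def parse_config(text):
    """Split IOS config text into global commands and per-interface sub-commands."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                 # '!' closes the current section
            continue
        if line.startswith(" "):           # indented: belongs to current section
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        current = None
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            global_cmds.append(line)
    return global_cmds, interfaces


def audit(text):
    """Return findings; an empty 'warnings' list means the export setup is complete."""
    global_cmds, interfaces = parse_config(text)
    r = {"missing_flow": [], "shutdown": [], "destination": None,
         "source": None, "version": None, "warnings": []}
    for name, cmds in interfaces.items():
        if "shutdown" in cmds:
            r["shutdown"].append(name)     # carries no traffic; informational only
        elif "ip route-cache flow" not in cmds:
            r["missing_flow"].append(name)
    for cmd in global_cmds:
        if m := re.match(r"ip flow-export destination (\S+) (\d+)$", cmd):
            r["destination"] = (m.group(1), int(m.group(2)))
        elif m := re.match(r"ip flow-export source (\S+)$", cmd):
            r["source"] = m.group(1)
        elif m := re.match(r"ip flow-export version (\d+)", cmd):
            r["version"] = int(m.group(1))
    if r["missing_flow"]:
        r["warnings"].append("no 'ip route-cache flow' on: " + ", ".join(r["missing_flow"]))
    if r["destination"] is None:
        r["warnings"].append("no 'ip flow-export destination' configured")
    if r["source"] is None:
        r["warnings"].append("no 'ip flow-export source' configured")
    elif r["source"] not in interfaces:
        r["warnings"].append(f"export source {r['source']} is not a configured interface")
    if r["version"] != 9:
        r["warnings"].append(f"export version is {r['version']}, not 9 (v5 cannot carry IPv6 flows)")
    return r


if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label + ":", *(audit(cfg)["warnings"] or ["OK"]), sep="\n  ")
```

Shut-down interfaces are reported separately rather than as missing, since they carry no traffic; if one is later brought up it should be re-checked. Run against a saved copy of the running-config, the script gives a quick way to confirm that no ingress interface was skipped before trusting the collector's view of the network.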

IOS 12.2 prior to 12.2(14)

IOS 12.4
  • Cisco 830 Series routers

Cisco 3800 series
  • Cisco 3845 Integrated Services Router
  • Cisco 3825 Integrated Services Router

Cisco 2800 series
  • Cisco 2851 Integrated Services Router
  • Cisco 2821 Integrated Services Router
  • Cisco 2811 Integrated Services Router
  • Cisco 2801 Integrated Services Router
  • Cisco 1841 Integrated Services Router


Read other FlowTraq technical tips about configuring network traffic export from Cisco and Juniper routers:

  1. Flexible Netflow Export from Cisco Routers
  2. Simple Netflow Export from Recent Cisco Routers
  3. Netflow Export from Older Cisco Routers
  4. Configuring J-Flow Export from Juniper SRX Series Routers

