For simple pre-defined NetFlow output, most Cisco devices offer a fast and straightforward monitoring solution. The specific commands required depend on your version of IOS, however:
Note: Depending on the device, interfaces to be configured for NetFlow export may first need to be configured for one of:
Enter global configuration mode (in EXEC mode, type “configure terminal”), and enable flow export on all the interfaces. The exact interface selection command varies by device, depending on whether you are selecting “slot/port” (e.g. for Cisco 7200 series routers) or “slot/port-adapter/port” (e.g. for Cisco 7500 series routers). Enter configuration mode for each interface and add the line, “ip route-cache flow” and then exit back to global configuration mode:
It is important to configure all of the interfaces because only ingress traffic is reported with this configuration: if you skip an interface, then all traffic entering through it is never recorded, regardless of which interface it exits. If you are not interested in traffic entering or exiting a specific interface, it is better to filter it out when viewing and analyzing the collected flows.
Once all of the interfaces are configured to collect NetFlow statistics, configure the NetFlow export destination:
You may use “version 5” for NetFlow v5, but this is not recommended: NetFlow v5 is not IPv6 compatible, since its fixed record format only has room for 32-bit addresses.
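To make the IPv6 limitation concrete, here is an added example (not code from the original page) that builds and parses a NetFlow v5 datagram using the published v5 wire layout (24-byte header, 48-byte records). The sample flows and the collector-side field names are constructed for the example; the point it shows is that the srcaddr/dstaddr/nexthop fields are 4 bytes wide, so an IPv6 address cannot be encoded, and that a careless builder using `struct` would silently truncate a 16-byte address rather than fail.

```python
"""NetFlow v5 builder/parser (added example, not from the original page)."""
import ipaddress
import struct
from dataclasses import dataclass

# NetFlow v5 wire layout: 24-byte header, then up to 30 records of 48 bytes each.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


@dataclass
class V5Flow:
    src: str
    dst: str
    nexthop: str
    in_if: int
    out_if: int
    packets: int
    octets: int
    first_ms: int
    last_ms: int
    src_port: int
    dst_port: int
    tcp_flags: int
    proto: int
    tos: int
    src_as: int
    dst_as: int
    src_mask: int
    dst_mask: int


def v4_bytes(addr: str) -> bytes:
    """Pack an address into a 4-byte v5 field. An IPv6 address is refused
    explicitly: struct's "4s" would otherwise keep only the first 4 of 16 bytes."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError(f"NetFlow v5 cannot carry {addr}: address fields are 32 bits")
    return ip.packed


def build_v5(flows: list, uptime_ms: int = 0, unix_secs: int = 0, seq: int = 0) -> bytes:
    """Serialise flows into one v5 export datagram (engine ids and sampling set to 0)."""
    if len(flows) > V5_MAX_RECORDS:
        raise ValueError("a v5 datagram holds at most 30 records")
    out = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    for f in flows:
        out += V5_RECORD.pack(
            v4_bytes(f.src), v4_bytes(f.dst), v4_bytes(f.nexthop),
            f.in_if, f.out_if, f.packets, f.octets, f.first_ms, f.last_ms,
            f.src_port, f.dst_port, 0, f.tcp_flags, f.proto, f.tos,
            f.src_as, f.dst_as, f.src_mask, f.dst_mask, 0)
    return out


def parse_v5(datagram: bytes):
    """Parse a v5 datagram; length and count are checked before any record is read."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, eng_type, eng_id, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    if count > V5_MAX_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"count": count, "uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine_type": eng_type, "engine_id": eng_id,
              "sampling": sampling}
    flows = []
    for i in range(count):
        (src, dst, nh, in_if, out_if, pkts, octs, first, last, sp, dp, _pad1,
         flags, proto, tos, sas, das, smask, dmask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(V5Flow(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                            str(ipaddress.IPv4Address(nh)), in_if, out_if, pkts, octs,
                            first, last, sp, dp, flags, proto, tos, sas, das, smask, dmask))
    return header, flows


# Constructed sample flows (documentation addresses, not real traffic).
SAMPLE_FLOWS = [
    V5Flow("192.0.2.10", "198.51.100.7", "203.0.113.1", 1, 2, 12, 4096, 1000, 1500,
           51234, 443, 0x18, 6, 0, 64496, 64497, 24, 24),
    V5Flow("198.51.100.7", "192.0.2.10", "203.0.113.2", 2, 1, 9, 2048, 1010, 1490,
           443, 51234, 0x18, 6, 0, 64497, 64496, 24, 24),
]


def round_trip(flows: list) -> list:
    """Build a datagram and parse it back; used to check the two halves agree."""
    return parse_v5(build_v5(flows, uptime_ms=1000, unix_secs=1700000000, seq=7))[1]


if __name__ == "__main__":
    for f in round_trip(SAMPLE_FLOWS):
        print(f"{f.src}:{f.src_port} -> {f.dst}:{f.dst_port} proto={f.proto} octets={f.octets}")
    try:
        v4_bytes("2001:db8::1")
    except ValueError as e:
        print("rejected:", e)
```

The length check in `parse_v5` matters on a real collector: the header's record count is attacker-influenced data arriving over UDP, so it must be validated against the datagram length before the record loop runs.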
At this point NetFlow export has been configured. Exit global config mode and execute the ‘write’ command to save the configuration. The following additional commands are recommended. Your Cisco device exports flows according to an internal schedule depending on whether network connections are considered active (packets are still flowing for that connection) or inactive (some number of seconds have passed since the last packet; when a flow is marked ‘inactive’ it is reported and then removed from the flow cache).
This command configures active flows to be exported once per minute. This adds to the CPU load on your Cisco device, but ensures the timely reporting of updates for your flow analysis tools.
This command sets the definition of ‘inactive’ to “no new packets for 15 seconds”. A lower value here reduces the load on your Cisco device CPU, but increases NetFlow export traffic on your network. A value of 15 is a good compromise between those considerations, ensuring that very short sessions are exported promptly.
There is an additional command, “ip flow-cache entries [number]”, which directly changes the size of the flow cache from the default to up to 524,288 entries. Cisco discourages use of this command because changes in RAM footprint can impact vital router tasks, but under certain circumstances, in environments with very heavy flow traffic, a modest increase to this value may be the better choice in order to ensure full-fidelity reporting at minimal CPU load. The command “no ip flow-cache entries” resets this value to the device-dependent default setting (65,536 on Cisco 7500 routers).
In order to verify and inspect the collected flow stats, the following command may be executed in EXEC mode:
Important note: any changes made to these settings after initially configuring NetFlow export will not take effect until you either reboot your device or disable flow export on all interfaces.
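The steps above as one complete session, as an added example rather than a listing from the original page. It uses the standard IOS NetFlow export commands and assumes a two-interface router using the “slot/port” naming (FastEthernet0/0 and Serial1/0) and a collector listening on UDP port 2055 at 192.0.2.50; replace those with your own interface names and collector address.

```cisco
! Added example (not the page's own listing). Assumptions: interfaces
! FastEthernet0/0 and Serial1/0, collector 192.0.2.50 on UDP 2055.
configure terminal
 ! Step 1: enable flow accounting on EVERY interface, since only ingress
 ! traffic is recorded and an unconfigured interface leaves a blind spot.
 interface FastEthernet0/0
  ip route-cache flow
  exit
 interface Serial1/0
  ip route-cache flow
  exit
 ! Step 2: export destination and record format (v9 rather than v5, so
 ! IPv6 flows can be carried).
 ip flow-export destination 192.0.2.50 2055
 ip flow-export version 9
 ! Step 3: recommended timers: report active flows every minute and
 ! expire a flow after 15 seconds without packets.
 ip flow-cache timeout active 1
 ip flow-cache timeout inactive 15
 end
! Save the configuration.
write memory
! Verify that flows are being collected (EXEC mode).
show ip cache flow
```

If the export source address should be fixed (for example so the collector can whitelist one exporter address), add “ip flow-export source <interface>” in global configuration mode; otherwise the router picks the source address from the egress interface toward the collector.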
IOS 12.2 PRIOR TO 12.2(14)
Cisco 830 Series routers
Cisco 3800 series
Cisco 3845 Integrated Services Router
Cisco 3825 Integrated Services Router
Cisco 2800 series
Cisco 2851 Integrated Services Router
Cisco 2821 Integrated Services Router
Cisco 2811 Integrated Services Router
Cisco 2801 Integrated Services Router
Cisco 1841 Integrated Services Router