menu
Webinar: Top Tips for Effective Cyber Threat Hunting Watch Now
FlowTraq > Blog > Tech Thoughts > Configuring Simple NetFlow Export on Recent Cisco Routers

Configuring Simple NetFlow Export on Recent Cisco Routers

Dr. John Murphy
By | April 29, 2014


Facebooktwitterlinkedin

For simple pre-defined NetFlow output, most Cisco devices offer a fast and straight-forward monitoring solution. The specific commands required depend on your version of IOS, however: This document is for Cisco IOS Releases 12.2(14)S, 12.0(22)S, 12.2(15)T, or later. Many of these devices offer the option of Flexible NetFlow configuration instead, using the ip flow command to add a configured flow monitor.

(The primary exception is Cisco Catalyst 6500 series switches running Supervisor Engines 2T or 720 — see the Flexible NetFlow configuration page for those devices) In fact, the primary change from the old method of configuring NetFlow export is the switch to the “ip flow” command, which is used by both this method and Flexible NetFlow.

Note: Interfaces to be configured for NetFlow export using this method may need to be first configured for one of:

  • Cisco Express Forwarding (CEF)
  • Fast Switching
  • Cisco distributed Express Forwarding (dCEF)

In global configuration mode (in EXEC mode, type “configure terminal”), go through the list of interfaces enabling flow export. The exact interface selection command varies by device and whether you are configuring an interface or sub-interface. Enter configuration mode for each interface and add the line, “ip flow ingress” and then exit back to global configuration mode:

# interface FastEthernet0/0
# ip flow ingress
# exit
# interface FastEthernet0/1
# ip flow ingress
# exit

It is important to configure all of the interfaces because only Ingress traffic will be reported with this configuration — if you skip an interface, then all traffic entering that way gets discarded, regardless of which interface it exits. If you are uninterested in traffic entering or exiting a specific interface, it is better to filter it out when viewing and analyzing the traffic.

Once all of the interfaces are configured to collect NetFlow statistics, configure the NetFlow export destination:

# ip flow-export destination [IP address of your NetFlow collector] [2055]
# ip flow-export source FastEthernet0/0
# ip flow-export version 9

You may use “version 5” for NetFlow v5, but this is not recommended. NetFlow v5 is not IPv6 compatible.

At this point NetFlow export has been configured. Exit global config mode and execute the ‘write’ command to save the configuration. The following additional commands are recommended. Your Cisco device exports flows according to an internal schedule depending on whether they are considered active (packets are still flowing for that connection) or inactive (some number of seconds have passed since the last packets; when a flow is marked ‘inactive’ it is reported and then removed from the list).

# ip flow-cache timeout active 1

This command command configures the exporting of active connections once per minute. This adds to the CPU load on your Cisco device, but ensures the timely reporting of updates for your flow analysis tools.

# ip flow-cache timeout inactive 15

This command sets the definition of ‘inactive’ to “no new packets for 15 seconds”. A lower value here reduces the load on your Cisco device CPU, but increases NetFlow export traffic on your network. A value of 15 is a good compromise between those considerations, ensuring that very short sessions are quickly taken care of.

There is an additional command, “ip flow-cache entries [number]” in order to directly change the size of the flow cache from the default to up to 524,288 entries. Cisco discourages use of this command as changes in RAM footprint can impact vital router tasks, but under certain circumstances it may be better to make a modest increase to this value in environments with very heavy flow traffic in order to ensure full fidelity. The command “no ip flow-cache entries” will reset this value to the device-dependent default setting (65,536 on Cisco 7500 routers).

In order to verify and inspect the collected flow stats, the following command may be executed in EXEC mode:

# show ip cache flow

Important note: any changes made to these settings after initially configuring NetFlow export, will not take effect until you either reboot your device or disable flow export on all interfaces.

Notes from Cisco:
If your router is running a version earlier than Cisco IOS Release 12.4(20)T, and your router does not have a VPN Service Adapter (VSA)-enabled interface, enabling the ip flow ingress command will result in the ingress traffic being accounted for twice by the router.

If your router is running a version earlier than Cisco IOS Release 12.4(20)T, and your router has a VSA-enabled interface, enabling the ip flow ingress command will result in the encrypted ingress traffic being accounted for only once.

If your router is running a version of Cisco IOS Release12.4(20)T or later, enabling the ip flow ingress command will result in the encrypted ingress traffic being accounted for only once.

Read other FlowTraq technical tips about configuring network traffic export from Cisco and Juniper Routers:

  1. Flexible Netflow Export from Cisco Routers

  2. Simple Netflow Export from Recent Cisco Routers

  3. Netflow Export from Older Cisco Routers

  4. Configuring J-Flow Export from  Juniper SRX Series Routers