27. Appendix 2 – Configuring NetFlow Data Export¶
This appendix is a brief guide to setting up the NetFlow data export (NDE) on Cisco and Juniper routers or intelligent Cisco Layer 2/Layer 3/Layer 4 switches. If you have problems with the configuration, contact your network administrator or consultant. For devices that run hybrid mode on a Supervisor Engine (Catalyst 65xx series), it is recommended to configure IOS NDE on the MSFC card and CatOS NDE on the Supervisor Engine. For more information about setting up NetFlow on Cisco, please visit http://www.cisco.com/go/netflow.
27.1. Configuring NDE on older IOS Devices¶
In the configuration mode on the router or MSFC, issue the following to start NetFlow Export.
First, enable Cisco Express Forwarding:
router(config)# ip cef
router(config)# ip cef distributed
Turn on flow accounting for each input interface with the interface command:
interface
ip route-cache flow
For example:
interface FastEthernet0
ip route-cache flow
interface Serial2/1
ip route-cache flow
It is necessary to enable NetFlow on all interfaces through which traffic (you are interested in) will flow. Now, verify that the router (or switch) is generating flow stats – try command ‘show ip cache flow’. Note that for routers with distributed switching (GSR’s, 75XX’s) the RP cli will only show flows that made it up to the RP. To see flows on the individual line cards use the ‘attach’ or ‘if-con’ command and issue the ‘sh ip ca fl’ on each LC.
Enable the exports of these flows with the global commands:
router(config)# ip flow-export version 5
router(config)# ip flow-export destination <ip_address> 2000
router(config)# ip flow-export source FastEthernet0
Use the IP address of the server running the Flow Sensor and the configured listening port. UDP port 2000 is used as an example. The ‘ip flow-export source’ command is used to set up the source IP address of the exports sent by the equipment.
If your router uses the BGP protocol, you can configure AS to be included in exports with command:
router(config)# ip flow-export version 5 [peer-as | origin-as]
The following commands break up flows into shorter segments: 1 minute for active traffic and 30 seconds for inactive traffic. Flow Sensor drops flows older than 5 minutes!
router(config)# ip flow-cache timeout active 1
router(config)# ip flow-cache timeout inactive 30
In enable mode you can see current NetFlow configuration and state.
router# show ip flow export
router# show ip cache flow
router# show ip cache verbose flow
27.2. Configuring NDE on a CatOS Device¶
In privileged mode on the Supervisor Engine enable NDE:
switch> (enable) set mls nde <ip_address> 2000
Use the IP address of the server running the Flow Sensor and the configured listening port. UDP port 2000 is used only as an example.
switch> (enable) set mls nde version 5
The following command is required to set up flow mask to full flows.
switch> (enable) set mls flow full
The following commands break up flows into shorter segments: ~1 minute for active flows and ~ 30 seconds for inactive flows. Flow Sensor drops flows older than 5 minutes!
switch> (enable) set mls agingtime long 8
switch> (enable) set mls agingtime 4
If you want to account all traffic within the specified VLANs rather than inter VLAN traffic use CatOS 7.2 or higher and issue the following command:
switch> (enable) set mls bridged-flow-statistics enable
Enable NDE:
switch> (enable) set mls nde enable
To see current NetFlow configuration and state issue the following commands:
switch> (enable) show mls nde
switch> (enable) show mls debug
27.3. Configuring NDE on a Native IOS Device¶
To configure NDE use the same commands as for the IOS device. In the enable mode on the Supervisor Engine, issue the following to set up the NetFlow export version 5.
switch(config)# mls nde sender version 5
The following commands break up flows into shorter segments: ~1 minute for active flows and ~ 30 seconds for inactive flows. Flow Sensor drops flows older than 5 minutes!
switch(config)# mls aging long 8
switch(config)# mls aging normal 4
On the Supervisor Engine 1 issue the following to put full flows into the NetFlow exports:
switch(config)# mls flow ip full
If you have a Supervisor Engine 2 or 720 running IOS version 12.1.13(E) or higher, issue the following commands instead:
switch(config)# mls flow ip interface-full
switch(config)# mls nde interface
27.4. Configuring NDE on a 4000 Series Switch¶
Configure the switch the same as an IOS device, but instead of command ‘ip route cache flow’ use command ‘ip route-cache flow infer-fields’. This series requires a Supervisor IV with a NetFlow Services daughter card to support NDE.
27.5. Configuring NDE on IOS XE¶
Traditional NetFlow is being replaced with flexible NetFlow on newer IOS versions.
conf t
flow exporter WGFlowSensor
destination <ip_address>
source gi0/0/1
transport udp 9991
export-protocol netflow-v5
flow monitor WGFlowSensor
record netflow ipv4 original-input
exporter WGFlowSensor
cache timeout active 120 #in seconds
exit
int gi0/0/2
ip flow monitor WGFlowSensor input
exit
exit
wr mem
27.6. Configuring NDE on IOS XR¶
A sample configuration for IOS XR:
flow exporter-map wanguard
version v9
options interface-table timeout 300
options vrf-table timeout 300
options sampler-table timeout 300
!
transport udp <port>
source Loopback8648
destination <ip_address>
!
flow monitor-map IPV4-FMM
record ipv4
exporter wanguard
cache entries 16384
cache timeout active 60
cache timeout inactive 30
!
flow monitor-map IPV6-FMM
record ipv6
exporter wanguard
cache entries 16384
cache timeout active 60
cache timeout inactive 30
!
sampler-map 1-of-128
random 1 out-of 128
interface TenGigE0/0/2/1
description Upstream Interface
...
flow ipv4 monitor IPV4-FMM sampler 1-of-128 ingress
flow ipv4 monitor IPV4-FMM sampler 1-of-128 egress
flow ipv6 monitor IPV6-FMM sampler 1-of-128 ingress
flow ipv6 monitor IPV6-FMM sampler 1-of-128 egress
!
27.7. Configuring NDE on IOS-XE Everest¶
flow record v4r2
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow sampler
collect routing next-hop address ipv4
collect ipv4 source mask
collect ipv4 destination mask
collect transport tcp flags
collect interface output
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect routing source as 4-octet
collect routing destination as 4-octet
!
flow exporter exporter1
description "exported to external"
destination x.x.x.x
source Loopback0
transport udp 2000
flow monitor v4r2
exporter external1
cache timeout active 120
record v4r2
sampler external1
mode random 1 out-of 1000
interface GigabitEthernet0/0/0
ip flow monitor v4r2 sampler external1 input
27.8. Configuring NDE on a Juniper Router (non-MX)¶
Juniper supports flow exports by the routing engine sampling packet headers and aggregating them into flows. Packet sampling is done by defining a firewall filter to accept and sample all traffic, applying that rule to the interface and then configuring the sampling forwarding option.
interfaces {
ge-0/1/0 {
unit 0 {
family inet {
filter {
input all;
output all;
}
address 192.168.1.1/24;
}
}
}
}
firewall {
filter all {
term all {
then {
sample;
accept;
}
}
}
}
forwarding-options {
sampling {
input {
family inet {
rate 100;
}
}
output {
cflowd 192.168.1.100 {
port 2000;
version 5;
}
}
}
}
27.9. Configuring NDE on a Juniper MX Router¶
Sample configuration for an inactive-timeout/active-timeout of 10 seconds. For these routers it’s very important to set the Flow Timeout(s) parameter from the Flow Sensor configuration.
set services flow-monitoring version9 template AS65535-v4 flow-active-timeout 10
set services flow-monitoring version9 template AS65535-v4 flow-inactive-timeout 10
set services flow-monitoring version9 template AS65535-v4 ipv4-template
set services flow-monitoring version9 template AS65535-v6 flow-active-timeout 10
set services flow-monitoring version9 template AS65535-v6 flow-inactive-timeout 10
set services flow-monitoring version9 template AS65535-v6 ipv6-template
set forwarding-options sampling instance AS65535-sample input rate 512
set forwarding-options sampling instance AS65535-sample input run-length 0
set forwarding-options sampling instance AS65535-sample input max-packets-per-second 5000
set forwarding-options sampling instance AS65535-sample family inet output flow-server 192.0.2.1 port 9196
set forwarding-options sampling instance AS65535-sample family inet output flow-server 192.0.2.1 autonomous-system-type origin
set forwarding-options sampling instance AS65535-sample family inet output flow-server 192.0.2.1 no-local-dump
set forwarding-options sampling instance AS65535-sample family inet output flow-server 192.0.2.1 version9 template AS65535-v4
set forwarding-options sampling instance AS65535-sample family inet output inline-jflow source-address 192.0.2.99
set forwarding-options sampling instance AS65535-sample family inet6 output flow-server 192.0.2.1 port 9196
set forwarding-options sampling instance AS65535-sample family inet6 output flow-server 192.0.2.1 autonomous-system-type origin
set forwarding-options sampling instance AS65535-sample family inet6 output flow-server 192.0.2.1 no-local-dump
set forwarding-options sampling instance AS65535-sample family inet6 output flow-server 192.0.2.1 version9 template AS65535-v6
set forwarding-options sampling instance AS65535-sample family inet6 output inline-jflow source-address 192.0.2.99
set interfaces xe-0/1/0 unit 0 family inet sampling input
set interfaces xe-0/1/0 unit 0 family inet sampling output
set interfaces xe-0/1/0 unit 0 family inet6 sampling input
set interfaces xe-0/1/0 unit 0 family inet6 sampling output