The following is a set of commands issued on a Cisco router to enable NetFlow version 9 on the FastEthernet 0/1 interface and export to the machine 192.168.9.101 (IP Address of NetFlow Analyzer server) on port 9996 (UDP port to export NetFlow packets).
router#configure terminal
router-2621(config)#interface FastEthernet 0/1
router-2621(config-if)#ip route-cache flow // Apply this command on all interfaces of your device
To use the NetFlow feature on a Cisco Catalyst 4000/4500 series switches, you must have either a Supervisor Engine IV or a Supervisor Engine V along with a NetFlow Services Card (WS-F4531). If you have a Supervisor Engine V-10GE, the NetFlow functionality is embedded in it.
The recommended configuration for the device is as follows:
switch>(enable)ip flow-export destination 192.168.9.101 9996 // Replace 192.168.9.101 with the IP Address of your NetFlow Analyzer server
switch>(enable)ip flow-export version 7
switch>(enable)ip flow-export source Loopback 1 // Any interface that can take NetFlow packets to your NetFlow Analyzer server
switch>(enable)ip flow-cache timeout active 1
switch>(enable)ip flow ingress layer2-switched
switch>(enable)ip flow ingress infer-fields // If your IOS does not support this command, use the 'ip route-cache flow infer-fields' command
Following is the configuration if you are using a Native IOS on your Cisco switch. Use the following commands in sequence to configure NetFlow data export. Go to config mode and execute the following commands:
mls netflow // This enables NetFlow on the Supervisor.
mls nde sender version 7
mls aging long 64 // This breaks up long-lived flows into (roughly) one-minute segments.
mls aging normal 32 // This ensures that flows that have finished are exported in a timely manner.
If you have a Supervisor Engine 720, you need to execute the two commands below to put the interface information in the NetFlow packets.
mls flow ip interface-full
mls nde interface
The next two commands will help to enable NetFlow data export for bridged traffic. You can specify the list of VLANs here to enable bridged traffic.
ip flow ingress layer2-switched vlan (10,20,100) // Use the vlan numbers of your device
ip flow export layer2-switched vlan (10,20,100) // Use the vlan numbers of your device
You can also find more information about these commands in the following Cisco link:
Apart from this, please configure the routing module (MSFC) to enable NetFlow data export using the commands below.
ip route-cache flow // This command has to be applied on all interfaces.
ip flow-export destination {hostname|ip_address} 9996 // The hostname or IP address of the server where NetFlow Analyzer is installed
ip flow-export source {interface} // The interface through which NetFlow packets are exported. eg: Loopback 1
ip flow-export version 5
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
snmp-server ifindex persist
Note: Switch ports connected to an EtherChannel or a trunk cannot be configured to export NetFlow data.
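What a collector listening on UDP 9996 receives after the "ip flow-export version 5" lines above, as an added example that is not part of this guide or of NetFlow Analyzer: a minimal NetFlow v5 parser with a datagram length check and an exporter allow-list keyed on the source address that "ip flow-export source" sets. The 192.168.10.x exporter addresses and the two sample flows are constructed for the example.

```python
import ipaddress
import struct

# NetFlow v5 wire format: 24-byte header, then up to 30 fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("src", "dst", "nexthop", "input_if", "output_if", "packets",
                 "octets", "first", "last", "src_port", "dst_port", "_pad1",
                 "tcp_flags", "proto", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "_pad2")
# Exporter source addresses the collector trusts (assumed values: the
# 'ip flow-export source' interface of each device, e.g. Loopback 1).
ALLOWED_EXPORTERS = {"192.168.10.1", "192.168.10.2"}


def parse_v5(datagram: bytes):
    """Parse one NetFlow v5 datagram into (header dict, list of record dicts)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    (version, count, uptime, secs, _ns, seq, _etype, eng_id,
     sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    # Reject truncated or padded datagrams instead of reading past the records.
    if count > 30 or V5_HEADER.size + count * V5_RECORD.size != len(datagram):
        raise ValueError("record count does not match datagram length")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine_id": eng_id,
              "sampling_interval": sampling & 0x3FFF}  # low 14 bits = interval
    records = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("src", "dst", "nexthop"):
            rec[key] = str(ipaddress.IPv4Address(rec[key]))
        del rec["_pad1"], rec["_pad2"]
        records.append(rec)
    return header, records


def accept_datagram(exporter_ip: str, datagram: bytes):
    """Collector entry point: drop exports from unlisted sources, then parse."""
    if exporter_ip not in ALLOWED_EXPORTERS:
        raise PermissionError(f"flow export from unlisted source {exporter_ip}")
    return parse_v5(datagram)


def build_sample() -> bytes:
    """Constructed sample datagram (not captured traffic) carrying two flows."""
    ip = ipaddress.IPv4Address
    hdr = V5_HEADER.pack(5, 2, 123456, 1700000000, 0, 42, 0, 0, 0)
    # 10.1.1.5 -> 192.168.9.101:443 over TCP, 10 packets, flags PSH|ACK
    flow1 = V5_RECORD.pack(ip("10.1.1.5").packed, ip("192.168.9.101").packed,
                           ip("0.0.0.0").packed, 1, 2, 10, 1500, 100000, 120000,
                           51515, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    # 10.1.1.7 -> 198.51.100.10:53 over UDP, 1 packet
    flow2 = V5_RECORD.pack(ip("10.1.1.7").packed, ip("198.51.100.10").packed,
                           ip("192.168.1.1").packed, 1, 3, 1, 76, 121000, 121000,
                           40000, 53, 0, 0, 17, 0, 0, 0, 24, 24, 0)
    return hdr + flow1 + flow2
```

The source-address check is only a first filter, since UDP export carries no authentication; it does stop a collector from ingesting records from devices that were never configured to export to it.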
Please visit the following link to view additional information about configuring the IOS for NetFlow:
Please read the following for the configuration of your 6509 which runs a Hybrid IOS.
A Layer3 switch running CatOS appears as two devices: The MSFC and the CatOS. The MSFC can be configured to export NetFlow information on all the packets it routes by following the instructions for configuring an IOS.
For the CatOS, issue the following commands in privileged mode on the Supervisor Engine to enable NDE (please execute the commands in the same order):
set system name {name} // This sets the name of your switch. Even if the prompt has been set to the name of the switch, this command is still needed.
set mls nde {IP_Address} 9996 // Specifies to which IP Address the packets are sent. Here, the IP Address of your NetFlow Analyzer server should be used.
set mls nde version 7 // This command is used to set the version of NetFlow packets to be exported.
set mls agingtime long 64 // This breaks up long-lived flows into (roughly) one-minute segments.
set mls agingtime 32 // This ensures that flows that have finished are exported in a timely manner.
set mls flow full // This sets the flow mask to full flows. This is required to get useful information from the switch.
The following command enables NDE for all traffic within the specified VLANs rather than just inter-VLAN traffic. CatOS 7.(2) or higher is required for this.
set mls bridged-flow-statistics enable (10,20,100)
set mls nde enable // This enables NDE on your switch.
Following is the configuration for Cisco 7600 series routers. Use the following commands in sequence to configure NetFlow data export. Go to config mode and execute the following commands:
mls netflow // This enables NetFlow on the Supervisor.
mls nde sender version 7
mls aging long 64 // This breaks up long-lived flows into (roughly) one-minute segments.
mls aging normal 32 // This ensures that flows that have finished are exported in a timely manner.
If you have a Supervisor Engine 720, you need to execute the two commands below to put the interface information in the NetFlow packets.
mls flow ip interface-full
mls nde interface
The next two commands, which are optional, enable NetFlow data export for bridged traffic. You can specify the list of VLANs here to enable bridged traffic.
ip flow ingress layer2-switched vlan <vlanlist>
ip flow export layer2-switched vlan <vlanlist>
Apart from this, please configure the routing module (MSFC) to enable NetFlow data export using the commands below.
ip route-cache flow // This command has to be applied on all interfaces.
ip flow-export destination {hostname|ip_address} 9996 // The hostname or IP address of the server where NetFlow Analyzer is installed
ip flow-export source {interface} // The interface through which NetFlow packets are exported. eg: Loopback 1
ip flow-export version 5
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
snmp-server ifindex persist
Note: Switch ports connected to an EtherChannel or a trunk cannot be configured to export NetFlow data.
Please visit the following link to view additional information about configuring the IOS for NetFlow:
Flexible NetFlow (FNF) requires the creation of a flow exporter, flow record and flow monitor. The flow exporter defines the export aspects of the flow data like destination, UDP port for NetFlow, export interface and so on. The flow record defines the key and non-key fields to be captured from traffic and included in the flows. Both the exporter and record are associated with a flow monitor, which in turn has to be associated with every L3 interface of the router to start NetFlow capture and export.
To make the transition from NetFlow v5 to Flexible NetFlow easier, Cisco has included default flow records called "netflow-original" and "netflow ipv4". We will use "netflow-original" in the example configuration. For information on how to create your own custom flow records, check the link below: http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/cust_fnflow_rec_mon.html
CREATING FLOW MONITOR AND ASSOCIATING THE EXPORTER AND RECORD:
cisco_281(config)#flow monitor FNFmon
cisco_281(config-flow-monitor)#exporter FNFexp
cisco_281(config-flow-monitor)#record netflow-original // Use your custom record if you have created one
cisco_281(config-flow-monitor)#cache timeout active 1
cisco_281(config-flow-monitor)#cache timeout inactive 15
NOTE: We are not creating a flow record as we will be using the default flow record called netflow-original.
Nexus(config)# feature netflow
Nexus(config)# flow exporter NFAexporter
Nexus(config-flow-exporter)# destination 192.16.1.82 // IP Address of NetFlow Analyzer server
Nexus(config-flow-exporter)# source Loopback1 // Interface through which NetFlow packets are exported
Nexus(config-flow-exporter)# transport udp 9996 // UDP port for sending NetFlow packets
Nexus(config-flow-exporter)# dscp 8 // Sets priority for the exported NetFlow. Skip this if you are not sure which priority to provide.
Nexus(config-flow-exporter)# version 9 // This takes you to the export version config submode.
Nexus(config-flow-exporter-version-9)# exit // There are optional commands that can be added, but default values are sufficient.
Nexus(config)# flow monitor NFAmonitor
Nexus(config-flow-monitor)# exporter NFAexporter
Nexus(config-flow-monitor)# record netflow-original // In case you have a custom record, use that instead of netflow-original
Nexus(config-flow-monitor)# exit
Nexus(config)# flow timeout active 60
Nexus(config)# flow timeout inactive 15
Nexus(config)# interface ethernet 2/1
Nexus(config-if)# ip flow monitor NFAmonitor input [sampler name] // Sets the flow monitor to capture IN traffic. Enter the sampler name if used. Apply this command on every interface to be monitored.
Nexus(config-if)# copy running-config startup-config
CheckPoint Firewall NetFlow Configuration: CheckPoint IPSO v6.2 onwards supports NetFlow.
To enable using the User Interface:
Click "Configuration" -> "Traffic Management" -> "NetFlow" to access the NetFlow Configuration page. IPSO exports information about flows in flow records. To gather and analyze flow records, you must export them to a NetFlow Analyzer.
To enable using the CLI:
set netflow
active-timeout seconds // Recommended active time-out: 60 seconds.
collector ip ip_address port port_number // Replace ip_address with the IP address of your NFA server and port_number with 9996.
enable-acl (on | off) // Recommended value: off, to disable ACL metering mode.
enable-flows (on | off) // Recommended value: on, to enable flow metering mode.
export-format (NetFlow_V5 | NetFlow_V9 | None) // Specifies the format of the export flow records. Both these formats are supported by NetFlow Analyzer.
To enable ITM on a specific interface, enter the interface configuration mode from the Global configuration mode and use one of the two following commands:
(config-interface)#ip flow ingress
(config-interface)#ip flow egress
Enable NetFlow on each type of interface on the switch. For example:
set netflow port fe.*.* enable
set netflow port ge.*.* enable
set netflow port tg.*.* enable
set netflow port lag.*.* enable
set netflow cache enable
set netflow export-version 9
set netflow template refresh-rate 50 timeout 1
Sample to enable NetFlow for Enterasys:
netflow set interval 1
netflow set memory 8000
netflow set ports all-ports
netflow set source 10.66.96.1
netflow set collector 10.66.6.10 flow-destination-port 2055
To enable the flow statistics feature on a switch, use the following command:
enable flowstats
The flow statistics feature is disabled by default.
To disable the flow statistics feature on a switch, use the following command:
disable flowstats
To enable the flow statistics function on the specified port, use the following command:
enable flowstats ports <portlist>
The flow statistics function is disabled by default.
To disable the flow statistics function on the specified port, use the following command:
disable flowstats ports <portlist>
A single port can distribute statistics across multiple groups of flow-collector devices. This NetFlow distribution capability makes it possible to create a collection architecture that scales to accommodate high volumes of exported data. It also offers a health-checking function that improves the reliability of the collection architecture by ensuring that only responsive flow-collector devices are included in active export distribution lists. The distribution algorithm also ensures that all the ingress flow records for a given flow are exported to the same collector.
NetFlow distribution is enabled by configuring export distribution groups that identify the addresses of multiple flow-collector devices. You can configure up to 32 export distribution groups on a BlackDiamond 6800 series switch, and each group can contain as many as eight flow-collector devices.
To configure the export groups and flow-collector devices to which NetFlow datagrams are exported, use the following command:
The group# parameter is an integer in the range from 1 through 32 that identifies the specific group for which the destination is being configured.
You can use the add and delete keywords to add or delete flow-collector destinations.
To export NetFlow datagrams to a group, you must configure at least one flow-collector destination. By default, no flow-collector destinations are configured. To configure a flow-collector destination, use either an IP address and UDP port number pair or a hostname and UDP port number pair to identify the flow-collector device to which NetFlow export datagrams are to be transmitted. You can configure up to eight flow-collector destinations for each group. When multiple flow-collectors are configured as members of the same group, the exported NetFlow datagrams are distributed across the available destinations.
To configure the IP address that is to be used as the source IP address for NetFlow datagrams to be exported, use the following command:
config flowstats source <ipaddress>
By default, flow records are exported with the VLAN interface address that has a route to the configured flow-collector device. Depending on how it is configured, a flow-collector device can use the source IP address of received NetFlow datagrams to identify the switch that sent the information.
The following command example specifies that the IP address 192.168.100.1 is to be used as the source IP address for exported NetFlow datagrams.
config flowstats source 192.168.100.1
Flow records are exported on an age basis. If the age of the flow record is greater than the configured time-out, the record is exported.
To configure the time-out value for flow records on the specified port, use the following command:
The time-out value is the number of minutes to use in deciding when to export flow records. The default time-out is 5 minutes.
The following command example specifies a 10-minute time-out for exported NetFlow datagrams on port 1 of the Ethernet module installed in slot 8 of the BlackDiamond switch.
config flowstats timeout 10 ports 8:1
To reset the flow statistics configuration parameters for a specified Ethernet port to their default values, use the following command:
unconfig flowstats ports <portlist>
To display status information for the flow statistics function, use the following command:
show flowstats {detail | group <group#> | ports <portlist>}
where:
detail: Use this optional keyword to display detailed NetFlow configuration information.
group#: Use this optional parameter with the group keyword to display status information for a specific export group.
portlist: Use this optional parameter to specify one or more ports, or slots and ports, for which status information is to be displayed.
If you enter the show flowstats command with none of the optional keywords or parameters, the command displays a summary of status information for all ports.
The summary status display for a port shows the values for all flow statistics configuration parameters for the port.
The summary status display for an export group includes the following information:
Values for all configuration parameters
Status of each export destination device
The detailed status display for an export group includes the summary information, plus the following management information:
Counts of the number of times each flow collector destination has been taken out of service due to health-check (ping check) failures
To enable NetFlow on a MikroTik router follow the instructions given below:
Enable Traffic-Flow on the router:
[admin@MikroTik] ip traffic-flow> set enabled=yes
[admin@MikroTik] ip traffic-flow> print
enabled: yes
interfaces: all
cache-entries: 1k
active-flow-timeout: 30m
inactive-flow-timeout: 15s
[admin@MikroTik] ip traffic-flow>
Specify IP address and port of the host, which will receive Traffic-Flow packets:
[admin@MikroTik] ip traffic-flow target>
add address=192.168.0.2:2055 \
\... version=9
[admin@MikroTik] ip traffic-flow target> print
Flags: X - disabled
# ADDRESS VERSION
0 192.168.0.2:2055 9
[admin@MikroTik] ip traffic-flow target>
Juniper supports flow exports by sampling packet headers with the routing engine and aggregating them into flows. Packet sampling is achieved by defining a firewall filter to accept and sample all traffic, applying that filter to an interface, and then configuring the sampling forwarding option.
interfaces {
ge-0/1/0 {
unit 0 {
family inet {
filter {
input all;
output all;
}
address <network>/<prefix-length>; # CIDR notation, e.g. 10.0.0.1/24
}
}
}
}
firewall {
filter all {
term all {
then {
sample;
accept;
}
}
}
}
forwarding-options {
sampling {
input {
family inet {
rate 100;
}
}
output {
cflowd {
port <port>;
version <version_number>;
}
}
}
}
sflow receiver 1 name address udp-port packet-size 1400 version 5 timeout 0
Receiver Name can be set to any one-word string you want (e.g. NetFlowAnalyzer). Port should be set to 2055 by default. Packet-size should be set to 1400, version should be 5, and timeout should be 0.
Next, configure a sampler on all desired interfaces:
set sflow receiver 1 owner analyzer1 timeout 180000
set sflow receiver 1 ip 192.168.9.101
# configure packet sampling instances on ports 1 through 12
# assign to sFlow Collector 1
set sflow port ge.1.1-12 sampler 1
set sflow port ge.1.1-12 sampler maxheadersize 128
set sflow port ge.1.1-12 sampler rate 2048
# configure counter poller instances on ports 1 through 12
# assign to sFlow Collector 1
set sflow port ge.1.1-12 poller 1
set sflow port ge.1.1-12 poller interval 20
For more information please visit the Enterasys website
The following commands configure a Force10 switch/router with IP address 192.168.10.102 to sample at 1-in-512 and send the sFlow packets to the NetFlow Analyzer server with IP address 192.168.9.101 over UDP port 9996:
Force10(conf)#sflow collector 192.168.9.101 agent-addr 192.168.10.102
Force10(conf)#sflow sample-rate 512
Force10(conf)#sflow enable
sFlow must then be enabled on every interface that should be sampled:
Force10(conf-if-gi-0/0)#sflow enable
This section gives the steps to configure cflowd/J-Flow export on Juniper devices. To enable sampling and export the flow records to a specific destination address, use the command below:
The following configuration enables sFlow monitoring of all interfaces on a Juniper EX3200 switch, sampling packets at 1-in-500, polling counters every 30 seconds and sending the sFlow to an analyzer (10.0.0.50) on UDP port 6343 (the default sFlow port).
NetFlow Analyzer is an integrated collector and analysis engine for NetFlow, sFlow, J-Flow and other flow formats. It is software (for Windows and Linux) that requires no hardware probes; it can be downloaded, used in your network environment and evaluated for 30 days. Go through the following useful links for a better understanding of how NetFlow Analyzer can help you understand your network traffic and bandwidth utilization.