Cisco IOS device
Enabling NetFlow Export - Sample Configuration
The following is a set of commands issued on a Cisco router to enable NetFlow version 9 on the FastEthernet 0/1 interface and export to the machine 192.168.9.101 (IP Address of NetFlow Analyzer server) on port 9996 (UDP port to export NetFlow packets).
router#configure terminal
router-2621(config)#interface FastEthernet 0/1
router-2621(config-if)#ip route-cache flow //Apply this command on all interfaces of your device
router-2621(config-if)#exit
router-2621(config)#ip flow-export destination 192.168.9.101 9996
router-2621(config)#ip flow-export source Loopback 1
router-2621(config)#ip flow-export version 9
router-2621(config)#ip flow-cache timeout active 1
router-2621(config)#ip flow-cache timeout inactive 15
router-2621(config)#snmp-server ifindex persist
router-2621(config)#^Z
router#write
Verify NetFlow configuration using the commands given below:
router#show ip flow export
router#show ip cache flow
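The two flow-cache timeouts above decide when a record leaves the router's cache and reaches the collector: the active timeout caps how long any one record may keep accumulating (so a long transfer arrives as roughly one-minute segments), and the inactive timeout flushes a flow 15 s after its last packet. The Python model below is an added example, not code from this page or from Cisco or ManageEngine; it replays constructed traffic through such a cache using the recommended 1-minute/15-second values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

ACTIVE_TIMEOUT = 60    # 'ip flow-cache timeout active 1' is in minutes: 60 s
INACTIVE_TIMEOUT = 15  # 'ip flow-cache timeout inactive 15' is in seconds

FlowKey = Tuple[str, str, int, int, int]  # src, dst, sport, dport, protocol


@dataclass
class FlowEntry:
    first: float  # time the first packet of this cache entry was seen
    last: float   # time of the most recent packet
    packets: int = 0
    octets: int = 0


class FlowCache:
    """Toy model of a router's NetFlow cache: packets are aggregated per 5-tuple and
    entries are expired by the two timeouts. Expired entries become exported records."""

    def __init__(self, active: int = ACTIVE_TIMEOUT, inactive: int = INACTIVE_TIMEOUT):
        self.active, self.inactive = active, inactive
        self.cache: Dict[FlowKey, FlowEntry] = {}
        self.exported: List[Tuple[FlowKey, FlowEntry, str]] = []

    def expire(self, now: float) -> None:
        """The periodic aging pass: the active timeout caps how long an entry may live,
        the inactive timeout flushes entries that have stopped receiving packets."""
        for key, entry in list(self.cache.items()):
            if now - entry.first >= self.active:
                reason = "active"
            elif now - entry.last >= self.inactive:
                reason = "inactive"
            else:
                continue
            self.exported.append((key, self.cache.pop(key), reason))

    def observe(self, now: float, key: FlowKey, octets: int) -> None:
        """Account one packet; an entry cut by the active timeout restarts at this packet."""
        self.expire(now)
        entry = self.cache.get(key)
        if entry is None:
            entry = self.cache[key] = FlowEntry(first=now, last=now)
        entry.packets += 1
        entry.octets += octets
        entry.last = now


def simulate() -> FlowCache:
    """Constructed traffic: a transfer sending 1400-byte packets every 5 s for 130 s and
    a DNS exchange that finishes at t=2 s. Times are seconds from an arbitrary start."""
    fc = FlowCache()
    long_flow: FlowKey = ("10.1.1.5", "10.2.2.9", 51514, 443, 6)
    dns_flow: FlowKey = ("10.1.1.5", "10.9.9.9", 40000, 53, 17)
    fc.observe(0, long_flow, 1400)
    fc.observe(0, dns_flow, 60)
    fc.observe(2, dns_flow, 120)
    for t in range(5, 131, 5):
        fc.observe(t, long_flow, 1400)
    fc.expire(131)  # final aging pass; the third segment of the transfer is still active
    return fc
```

The DNS flow is exported at t=20 (inactive), the transfer at t=60 and t=120 as two 12-packet segments (active), and its third segment is still sitting in the cache.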
Cisco ASA Firewall
Cisco ASA supports NetFlow export from IOS versions 8.2 onwards. Enabling NetFlow on Cisco ASA can be done through CLI or ASDM.
1. CLI
Note: The following commands must be included in your global service policy for NetFlow export to function.
(config)# flow-export destination inside NetFlow Analyzer server IP address 9996
(config)# flow-export template timeout-rate 1
(config)# flow-export delay flow-create 60
(config)# logging flow-export syslogs disable
(config)# access-list netflow-export extended permit ip any any
(config)# class-map netflow-export-class
(config-cmap)#match access-list netflow-export
(config)# policy-map netflow-export-policy
(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type any destination NetFlow Analyzer server IP
(config)# service-policy netflow-export-policy global
2. ASDM
To enable NetFlow on Cisco ASA through ASDM, refer to the link given below:
https://blogs.manageengine.com/netflowanalyzer/2010/07/22/configuring-cisco-asa-netflow-via-asdm
Catalyst 3750 Switches
Catalyst 4000/4500 Switches
To use the NetFlow feature on a Cisco Catalyst 4000/4500 series switch, you must have either a Supervisor Engine IV or a Supervisor Engine V along with a NetFlow Services Card (WS-F4531). If you have a Supervisor Engine V-10GE, the NetFlow functionality is embedded in it.
The recommended configuration for the device is as follows:
switch>(enable)ip flow-export destination 192.168.9.101 9996
// Replace 192.168.9.101 with the IP Address of your NetFlow Analyzer server
switch>(enable)ip flow-export version 7
switch>(enable)ip flow-export source Loopback 1
// Any interface that can take NetFlow packets to your NetFlow Analyzer server
switch>(enable)ip flow-cache timeout active 1
switch>(enable)ip flow ingress layer2-switched
switch>(enable)ip flow ingress infer-fields
// If your IOS does not support this command, use the 'ip route-cache flow infer-fields' command
Catalyst 6000/6500 Switches
The NetFlow configuration on a Cisco 6000/6500 series switch depends on whether it is running a Native IOS or Hybrid OS.
Native IOS
Following is the configuration if you are using a Native IOS on your Cisco switch. Kindly use the following commands in sequence to configure NetFlow data export. Go to config mode and execute the following commands:
mls netflow // This enables NetFlow on the Supervisor.
mls nde sender version 7
mls aging long 64 // This breaks up long-lived flows into (roughly) one-minute segments.
mls aging normal 32 // This ensures that flows that have finished are exported in a timely manner.
If you have Supervisor Engine 720, you need to execute the following two commands to include interface information in the NetFlow packets.
mls flow ip interface-full
mls nde interface
The next two commands will help to enable NetFlow data export for bridged traffic. You can specify the list of VLANs here to enable bridged traffic.
ip flow ingress layer2-switched vlan (10,20,100)
// Use the vlan numbers of your device
ip flow export layer2-switched vlan (10,20,100)
// Use the vlan numbers of your device
You can also find more information about these commands in the following Cisco link:
Configuration Guide
Product Configuration Example
Apart from this, please configure the routing module (MSFC) to enable netflow data export using the below commands.
ip route-cache flow
// This command has to be applied on all interfaces.
ip flow-export destination {hostname|ip_address} 9996
// The hostname or IP address of the server where NetFlow Analyzer is installed
ip flow-export source {interface}
// The interface through which NetFlow packets are exported. eg: Loopback 1
ip flow-export version 5
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
snmp-server ifindex persist
Note: Switch ports connected to an EtherChannel or a trunk cannot be configured to export NetFlow data.
Please visit the following link to view additional information about configuring the IOS for NetFlow:
http://manageengine.com/products/netflow/help/cisco-netflow/cisco-ios-netflow.html
Hybrid OS
Please read the following for the configuration of your 6509 which runs a Hybrid IOS.
A Layer3 switch running CatOS appears as two devices: The MSFC and the CatOS. The MSFC can be configured to export NetFlow information on all the packets it routes by following the instructions for configuring an IOS.
For the CatOS, issue the following commands in privileged mode on the Supervisor Engine, to enable NDE: (Please execute the commands in the same order)
set system name {name} // This sets the name of your switch. Even if the prompt has been set to the name of the switch, this command is still needed.
set mls nde {IP_Address} 9996 // Specifies to which IP Address the packets are sent. Here, the IP Address of your NetFlow Analyzer server should be used.
set mls nde version 7 // This command is used to set the version of NetFlow packets to be exported.
set mls agingtime long 64 // This breaks up long-lived flows into (roughly) one-minute segments.
set mls agingtime 32 // This ensures that flows that have finished are exported in a timely manner.
set mls flow full // This sets the flow mask to full flows. This is required to get useful information from the switch.
The following command enables NDE for all traffic within the specified VLANs rather than just inter-VLAN traffic.
CatOS 7.2 or higher is required for this.
set mls bridged-flow-statistics enable (10,20,100)
set mls nde enable // This enables NDE on your switch.
Please visit the following link to view information regarding the above commands:
Product Configuration example
The following two commands can help debug your NDE configuration.
show mls nde
show mls debug
Cisco 7600 series router
Following is the configuration for Cisco 7600 series router. Kindly use the following commands in sequence to configure NetFlow data export. Go to config mode and execute the following commands:
mls netflow // This enables NetFlow on the Supervisor.
mls nde sender version 7
mls aging long 64 // This breaks up long-lived flows into (roughly) one-minute segments.
mls aging normal 32 // This ensures that flows that have finished are exported in a timely manner.
If you have Supervisor Engine 720, you need to execute the following two commands to include interface information in the NetFlow packets.
mls flow ip interface-full
mls nde interface
The next two commands enable NetFlow data export for bridged traffic, which is optional. You can specify the list of VLANs for which bridged traffic is to be exported.
ip flow ingress layer2-switched vlan <vlanlist>
ip flow export layer2-switched vlan <vlanlist>
You can also find more information about these commands in the following Cisco link:
Product Configuration Guide
Product Configuration example
Apart from this, please configure the routing module (MSFC) to enable netflow data export using the below commands.
ip route-cache flow
// This command has to be applied on all interfaces.
ip flow-export destination {hostname|ip_address} 9996
// The hostname or IP address of the server where NetFlow Analyzer is installed
ip flow-export source {interface}
// The interface through which NetFlow packets are exported. eg: Loopback 1
ip flow-export version 5
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
snmp-server ifindex persist
Note: Switch ports connected to an EtherChannel or a trunk cannot be configured to export NetFlow data.
Please visit the following link to view additional information about configuring the IOS for NetFlow:
http://manageengine.com/products/netflow/help/cisco-netflow/cisco-ios-netflow.html
Flexible NetFlow - Cisco XR 12000, Cisco ASR Series routers, New Cisco IOS Devices
Flexible NetFlow (FNF) requires the creation of a flow exporter, flow record and flow monitor. The flow exporter defines the export aspects of the flow data like destination, UDP port for NetFlow, export interface and so on. The flow record defines the key and non-key fields to be captured from traffic and included in the flows. Both the exporter and record are associated with a flow monitor, which in turn has to be associated with every L3 interface of the router to start NetFlow capture and export.
CREATING FLOW EXPORTER:
cisco_281(config)#flow exporter FNFexp
cisco_281(config-flow-exporter)#destination 192.168.116.80
cisco_281(config-flow-exporter)#source Loopback1
cisco_281(config-flow-exporter)#transport udp 9996
cisco_281(config-flow-exporter)#export-protocol netflow-v9
cisco_281(config-flow-exporter)#output-features
CREATING FLOW RECORD:
To make the transition from NetFlow v5 to Flexible NetFlow easier, Cisco has included default flow records called "netflow-original" and "netflow ipv4". We will use "netflow-original" in the example configuration. For information on how to create your own custom flow records, check the link below:
http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/cust_fnflow_rec_mon.html
CREATING FLOW MONITOR AND ASSOCIATING THE EXPORTER AND RECORD:
cisco_281(config)#flow monitor FNFmon
cisco_281(config-flow-monitor)#exporter FNFexp
cisco_281(config-flow-monitor)#record netflow-original
// Use your custom record if you have created one
cisco_281(config-flow-monitor)#cache timeout active 1
cisco_281(config-flow-monitor)#cache timeout inactive 15
ASSOCIATING MONITOR TO INTERFACE:
cisco_281(config)#int FastEthernet 0/0
cisco_281(config-if)#ip flow monitor FNFmon input
cisco_281(config)#int FastEthernet 0/1
cisco_281(config-if)#ip flow monitor FNFmon input
Check the links below to view the custom records we created for NBAR monitoring and IPv6 reporting:
NBAR collection via Flexible NetFlow:
http://blogs.manageengine.com/netflowanalyzer/2010/06/10/nbar-report-via-flexible-netflow-configuration-and-reporting
IPv6 conversations via Flexible NetFlow:
http://blogs.manageengine.com/netflowanalyzer/2011/04/13/ipv6-and-netflow-netflow-analyzer-ipv6-data-reporting
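A collector listening on UDP 9996 has to decode the v9 header, cache the template flowset that the exporter above sends, and then decode data flowsets against that template; until the template has arrived, data records cannot be interpreted. The decoder below is an added example, not code from this page, Cisco or ManageEngine; the template id 256, the field set, and the addresses and counters in its constructed datagram are made up.

```python
import struct
from typing import Dict, List, Tuple

# NetFlow v9 field type numbers (RFC 3954) used by the constructed template below.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}


def decode_field(ftype: int, raw: bytes):
    # IPv4 address fields (8, 12) become dotted quads; everything else is a big-endian int
    return ".".join(map(str, raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")


def parse_v9(datagram: bytes, templates: Dict[int, List[Tuple[int, int]]]):
    """Decode one NetFlow v9 datagram into (header dict, list of flow record dicts).
    `templates` is the collector's template cache for this exporter: template flowsets
    (id 0) fill it; data flowsets (id >= 256) are decoded against it or skipped."""
    if len(datagram) < 20:
        raise ValueError("datagram shorter than the 20-byte v9 header")
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", datagram[:20])
    if version != 9:
        raise ValueError(f"expected NetFlow v9, got version {version}")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "sequence": seq, "source_id": source_id}
    flows: List[dict] = []
    off = 20
    while off + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack("!HH", datagram[off:off + 4])
        if fs_len < 4 or off + fs_len > len(datagram):
            raise ValueError("flowset length runs past the end of the datagram")
        body = datagram[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: one or more template records, maybe padded
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if tid < 256:  # template ids start at 256; anything lower is padding
                    break
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            p = 0
            while p + rec_len <= len(body):  # stops before the trailing padding
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[p:p + flen])
                    p += flen
                flows.append(rec)
        off += fs_len
    return header, flows


def build_sample_datagram(include_template: bool = True) -> bytes:
    """Constructed datagram: template 256 and one matching data record, in the layout an
    exporter set to 'export-protocol netflow-v9' sends. Addresses and counters are made up."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec = bytes([10, 1, 1, 5]) + bytes([10, 2, 2, 9]) + struct.pack("!HHBII", 51514, 443, 6, 1480, 10)
    pad = (-(4 + len(rec))) % 4  # every flowset is padded to a 4-byte boundary
    data_fs = struct.pack("!HH", 256, 4 + len(rec) + pad) + rec + b"\x00" * pad
    count = (1 if include_template else 0) + 1  # header count = template + data records
    header = struct.pack("!HHIIII", 9, count, 3_600_000, 1_700_000_000, 1, 0)
    return header + (tmpl_fs if include_template else b"") + data_fs
```

Feeding a data-only datagram to parse_v9 with an empty template cache yields no flows, which is why a collector restarted mid-stream shows nothing until the exporter's next template refresh (the ASA's "template timeout-rate" above controls how often that happens).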
Cisco Nexus
We suggest reading the Flexible NetFlow configuration above to get a better understanding of the Nexus configuration.
NOTE: We are not creating a flow record as we will be using the default flow record called netflow-original
Nexus(config)# feature netflow
Nexus(config)# flow exporter NFAexporter
Nexus(config-flow-exporter)# destination 192.16.1.82 // IP Address of NetFlow Analyzer server
Nexus(config-flow-exporter)# source Loopback1 // Interface through which NetFlow packets are exported
Nexus(config-flow-exporter)# transport udp 9996
// UDP port for sending NetFlow packets
Nexus(config-flow-exporter)# dscp 8
// Sets priority for the exported NetFlow. Skip this if you are not sure on the priority to provide.
Nexus(config-flow-exporter)# version 9
// This takes you to the export version config submode.
Nexus(config-flow-exporter-version-9)# exit
// There are optional commands that can be added, but default values are sufficient.
Nexus(config)# flow monitor NFAmonitor
Nexus(config-flow-monitor)# exporter NFAexporter
Nexus(config-flow-monitor)# record netflow-original
// In case you have a custom record, use that instead of netflow-original
Nexus(config-flow-monitor)# exit
Nexus(config)#flow timeout active 60
Nexus(config)#flow timeout inactive 15
Nexus(config)# interface ethernet 2/1
Nexus(config-if)# ip flow monitor NFAmonitor input [sampler name]
// Sets the flow monitor to capture IN traffic. Enter the sampler name if used. Apply this command on all interfaces of your device.
Nexus(config-if)# copy running-config startup-config
Check the blog on Cisco Nexus for details.
http://blogs.manageengine.com/netflowanalyzer/2010/05/06/cisco-nexus-and-netflow-analyzer-bandwidth-monitoring.html
CheckPoint Firewall NetFlow Configuration
CheckPoint IPSO v6.2 onwards supports NetFlow.
To enable using User Interface:
Click "Configuration"->"Traffic Management" -> NetFlow to access the NetFlow Configuration page. IPSO exports information about flows in flow records. To gather and analyze flow records, you must export them to a NetFlow Analyzer.
To enable using CLI
set netflow
active-timeout seconds // Recommended active time-out: 60 seconds.
collector ip ip_address port port_number // Replace ip_address with the IP address of your NFA server and port_number with 9996.
enable-acl (on | off) // Recommended value: off, to disable ACL metering mode.
enable-flows (on | off) // Recommended value: on, to enable flow metering mode.
export-format (NetFlow_V5 | NetFlow_V9 | None) // Specifies the format of the exported flow records. Both formats are supported by NetFlow Analyzer.
inactive-timeout seconds // Recommended inactive time-out: 15 seconds.
srcaddr ip_address // Use the IP address of the interface that can carry traffic from the CheckPoint to the NFA server.
show netflow
all
active-timeout
collector
enable-acl
enable-flows
export-format
inactive-timeout
srcaddr
To enable ITM on a specific interface, enter the interface configuration mode from the global configuration mode and use one of the following two commands:
(config-interface)#ip flow ingress
(config-interface)#ip flow egress
Enable NetFlow on each type of interface on the switch. For example:
set netflow port fe.*.* enable
set netflow port ge.*.* enable
set netflow port tg.*.* enable
set netflow port lag.*.* enable
set netflow cache enable
set netflow export-version 9
set netflow template refresh-rate 50 timeout 1
Sample configuration to enable NetFlow on Enterasys:
netflow set interval 1
netflow set memory 8000
netflow set ports all-ports
netflow set source 10.66.96.1
netflow set collector 10.66.6.10 flow-destination-port 2055
To enable the flow statistics feature on a switch, use the following command:
enable flowstats
The flow statistics feature is disabled by default.
To disable the flow statistics feature on a switch, use the following command:
disable flowstats
To enable the flow statistics function on the specified port, use the following command:
enable flowstats ports <portlist>
The flow statistics function is disabled by default.
To disable the flow statistics function on the specified port, use the following command:
disable flowstats ports <portlist>
A single port can distribute statistics across multiple groups of flow-collector devices. This NetFlow distribution capability makes it possible to create a collection architecture that scales to accommodate high volumes of exported data. It also offers a health-checking function that improves the reliability of the collection architecture by ensuring that only responsive flow-collector devices are included in active export distribution lists. The distribution algorithm also ensures that all the ingress flow records for a given flow are exported to the same collector.
NetFlow distribution is enabled by configuring export distribution groups that identify the addresses of multiple flow-collector devices. You can configure up to 32 export distribution groups on a BlackDiamond 6800 series switch, and each group can contain as many as eight flow-collector devices.
To configure the export groups and flow-collector devices to which NetFlow datagrams are exported, use the following command:
config flowstats export <group#> [add | delete] [<ipaddress> | <hostname>] port <udp_port>
The group# parameter is an integer in the range from 1 through 32 that identifies the specific group for which the destination is being configured.
You can use the add and delete keywords to add or delete flow-collector destinations.
To export NetFlow datagrams to a group, you must configure at least one flow-collector destination. By default, no flow-collector destinations are configured. To configure a flow-collector destination, use either an IP address and UDP port number pair or a hostname and UDP port number pair to identify the flow-collector device to which NetFlow export datagrams are to be transmitted. You can configure up to eight flow-collector destinations for each group. When multiple flow-collectors are configured as members of the same group, the exported NetFlow datagrams are distributed across the available destinations.
To configure the IP address that is to be used as the source IP address for NetFlow datagrams to be exported, use the following command:
config flowstats source <ipaddress>
By default, flow records are exported with the VLAN interface address that has a route to the configured flow-collector device. Depending on how it is configured, a flow-collector device can use the source IP address of received NetFlow datagrams to identify the switch that sent the information.
The following command example specifies that the IP address 192.168.100.1 is to be used as the source IP address for exported NetFlow datagrams.
config flowstats source 192.168.100.1
Flow records are exported on an age basis. If the age of the flow record is greater than the configured time-out, the record is exported.
To configure the time-out value for flow records on the specified port, use the following command:
config flowstats timeout <minutes> ports [<portlist> | any]
The time-out value is the number of minutes to use in deciding when to export flow records. The default time-out is 5 minutes.
The following command example specifies a 10-minute time-out for exported NetFlow datagrams on port 1 of the Ethernet module installed in slot 8 of the BlackDiamond switch.
config flowstats timeout 10 ports 8:1
To reset the flow statistics configuration parameters for a specified Ethernet port to their default values, use the following command:
unconfig flowstats ports <portlist>
To display status information for the flow statistics function, use the following command:
show flowstats {detail | group <group#> | ports <portlist>}
where:
detail - Use this optional keyword to display detailed NetFlow configuration information.
group# - Use this optional parameter with the group keyword to display status information for a specific export group.
portlist - Use this optional parameter to specify one or more ports, or slots and ports, for which status information is to be displayed.
If you enter the show flowstats command with none of the optional keywords or parameters, the command displays a summary of status information for all ports.
The summary status display for a port shows the values for all flow statistics configuration parameters for the port.
The summary status display for an export group includes the following information:
- Values for all configuration parameters
- Status of each export destination device
The detailed status display for an export group includes the summary information, plus the following management information:
- Counts of the number of times each flow collector destination has been taken out of service due to health-check (ping check) failures
- The source IP address configuration information
For more information, please refer to Extreme Networks documentation and support at http://www.extremenetworks.com
To enable NetFlow on a MikroTik router, follow the instructions given below:
- Enable Traffic-Flow on the router:
[admin@MikroTik] ip traffic-flow> set enabled=yes
[admin@MikroTik] ip traffic-flow> print
enabled: yes
interfaces: all
cache-entries: 1k
active-flow-timeout: 30m
inactive-flow-timeout: 15s
[admin@MikroTik] ip traffic-flow>
- Specify the IP address and port of the host that will receive Traffic-Flow packets:
[admin@MikroTik] ip traffic-flow target>
add address=192.168.0.2:2055 \
... version=9
[admin@MikroTik] ip traffic-flow target> print
Flags: X - disabled
# ADDRESS VERSION
0 192.168.0.2:2055 9
[admin@MikroTik] ip traffic-flow target>
Enabling NetFlow in Riverbed Steelhead
- Click the Setup tab to view the Setup menu
- Click Advanced networking, which expands the Advanced networking menu
- Click NetFlow and configure it using the steps given below:
(config)# ip flow-export destination interface
(config)# ip flow-export enable
Juniper supports flow export by sampling packet headers with the routing engine and aggregating them into flows. Packet sampling is achieved by defining a firewall filter that accepts and samples all traffic, applying that filter to an interface, and then configuring the sampling forwarding option.
interfaces {
    ge-0/1/0 {
        unit 0 {
            family inet {
                filter {
                    input all;
                    output all;
                }
                address <network>/<mask>;  (<- This is in binary notation)
            }
        }
    }
}
firewall {
    filter all {
        term all {
            then {
                sample;
                accept;
            }
        }
    }
}
forwarding-options {
    sampling {
        input {
            family inet {
                rate 100;
            }
        }
        output {
            cflowd {
                port <port>;
                version <version_number>;
            }
        }
    }
}
For more information on configuring Juniper routers, refer to: http://www.juniper.net
Configuration
system {
    accounting {
        interface <ifname> {  (eg: interface eth0, eth1)
            sampling-rate 1024
        }
        timeout {
            expiry-interval 60
            flow-generic 3600
            icmp 300
            max-active-life 604800
            tcp-fin 300
            tcp-generic 3600
            tcp-rst 120
            udp 300
        }
    }
    sflow {
        agentid <u32>
        server <NetFlow Analyzer IP> {
            port 9996  (UDP 9996 is the default listener port)
        }
    }
}