Depending on the Cisco device you are using, there may be additional steps required to successfully collect ingress and egress flow data.
However, in general, there are four basic steps to capturing flow data using Flexible NetFlow: create a flow record, create a flow exporter, create a flow monitor, and apply the flow monitor to interfaces.
After you've logged into the router, go into global configuration mode by typing config t.
Now create the flow record. For the purposes of this demo, we'll name it "NTArecord," but you can use any name you like.
Enter flow record NTArecord.
Next, you'll define match and collect statements to capture fields to include in the flow record.
To collect both endpoints of the conversation, enter match ipv4 source address and then match ipv4 destination address.
To collect protocol information, enter match ipv4 protocol.
For application port data, type match transport source-port and match transport destination-port.
To collect type of service data, type match ipv4 tos.
To collect the ingress interface data, enter match interface input.
To collect the egress interface data, type collect interface output.
Complete your flow record configuration by entering the following commands:
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
If your device supports Cisco NBAR2 or Next Generation NBAR, add the collect application name command to the flow record.
If you're using Border Gateway Protocol (or BGP) in your environment, add the following commands to collect AS information: collect routing source as and collect routing destination as.
The next step is to create the flow exporter.
The flow exporter stores the information needed for export, such as the IP address of your flow analyzer tool (here, SolarWinds® NetFlow Traffic Analyzer), the UDP port for export, and so on.
Enter the command flow exporter NTAExport. Again, you can name the exporter whatever you want.
The IP address specifies your SolarWinds NetFlow Traffic Analyzer server. So for this example, type destination 10.199.15.103.
Next, you'll need to identify the interface that's used to export NetFlow packets from the router. The command is source gigabitEthernet 0/1.
Make sure your interface has a path to your NTA server.
Next, add the port number. We will type transport udp 2055 because that's the default port used by SolarWinds NetFlow Traffic Analyzer to listen for network packets.
Next, add the flow protocol type and/or version: export-protocol netflow-v9.
For Flexible NetFlow or NetFlow v9, the template and flow data are exported in two separate packets. By default, the template is exported every 30 minutes. The analyzer cannot process flow data until it has the template, so if the server reboots or the NetFlow service is restarted, there can be a gap in data until the template is available again.
You can avoid this problem by adding the command template data timeout 60 to set the template to export every minute.
If your device supports Cisco NBAR2 or Next Generation NBAR, and you added collect application name in the flow record, add the following commands to the flow exporter:
option application-table timeout 60
option application-attributes timeout 300
Creating a flow monitor or NetFlow cache is pretty easy. We will call it NTAMonitor.
Enter the command flow monitor NTAMonitor.
Next, associate the flow record and exporter we created earlier with the flow monitor.
Enter the command record NTArecord followed by exporter NTAExport.
To prevent gaps and spikes in your data, set the cache timeout values. This tells the router how frequently flow record information is exported to your analyzer tool. The default setting is 30 minutes. If you use the default setting, your flow data will be delayed, and you will miss link saturation.
To help ensure that the data is normalized and to avoid high peaks, set the cache timeout value to 60 seconds: cache timeout active 60.
To export all expired IP conversations, set cache timeout inactive to 15 seconds: cache timeout inactive 15.
The final step is to select the interfaces that will collect the NetFlow data. Let's say we need to enable NetFlow on a gigabit Ethernet interface. We'll type in interface gigabitEthernet 0/1.
And then, we'll use the command ip flow monitor NTAMonitor and add the keyword input. This applies the monitor that we created to the interface and captures all incoming traffic for that interface.
Remember, if your device is not configured properly, you can duplicate your data. That's why it's important to understand the following rule:
When you collect NetFlow data on only one device interface and you want to display your data in both directions, set the following commands on the interface:
ip flow monitor NTAMonitor input
ip flow monitor NTAMonitor output
If you're collecting NetFlow data on multiple interfaces, enter only the input command line. Since each PDU contains the input and output interface, data will be collected in both directions even though you're only enabling the input command. These configuration settings are important because flows can look the same to NTA even though the data is coming from different interfaces.
To exit configuration mode, type exit, and then type wr mem to save the configuration to the router.
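The following check is an added example, not part of the original walkthrough or any SolarWinds or Cisco tooling. It audits a saved configuration for two mistakes that are easy to make here: a flow monitor that references a record or exporter name that does not exist (names must match exactly, including case), and an output monitor applied while the same monitor is active on more than one interface. The sample configuration is constructed and abbreviated, and assumes running-config style interface names such as GigabitEthernet0/1.

```python
import re

# Constructed sample: names from this walkthrough, with an exporter case mismatch and an extra output line.
SAMPLE = """\
flow record NTArecord
 match ipv4 source address
flow exporter NTAExport
 destination 10.199.15.103
flow monitor NTAMonitor
 record NTArecord
 exporter NTAexport
interface GigabitEthernet0/1
 ip flow monitor NTAMonitor input
 ip flow monitor NTAMonitor output
interface GigabitEthernet0/2
 ip flow monitor NTAMonitor input
"""

HEADER = re.compile(r"(flow record|flow exporter|flow monitor|interface) (\S+)$")

def sections(config):
    """Split a config into {(kind, name): [body lines]} for top-level blocks."""
    out, key = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # any top-level line ends the previous block
            m = HEADER.match(line)
            key = m.groups() if m else None
            if key:
                out[key] = []
        elif key:
            out[key].append(line.strip())
    return out

def audit(config):
    """Return findings for unresolved references and duplicate-prone directions."""
    sec, findings, applied = sections(config), [], {}
    for (kind, name), body in sec.items():
        for line in body:
            ref = re.match(r"(record|exporter) (\S+)$", line)
            if kind == "flow monitor" and ref and ("flow " + ref[1], ref[2]) not in sec:
                findings.append(f"monitor {name}: {ref[1]} {ref[2]} is not defined")
            use = re.match(r"ip flow monitor (\S+) (input|output)$", line)
            if kind == "interface" and use:
                applied.setdefault(use[1], []).append((name, use[2]))
    for mon, uses in applied.items():
        if len({iface for iface, _ in uses}) > 1:  # monitor on several interfaces
            findings += [f"{iface}: {mon} output may duplicate flows"
                         for iface, direction in uses if direction == "output"]
    return findings
```

Calling audit(SAMPLE) reports both problems; a configuration that applies input and output on a single interface only, as the rule above allows, produces no findings.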
This NetFlow record works with most flow monitoring tools, including SolarWinds® Network Traffic Analyzer.
This video will show you how to configure a Cisco® router to export NetFlow data using NetFlow version 9, also known as Flexible NetFlow.
Now that you've configured NetFlow on your devices, you can start monitoring your network using NetFlow Traffic Analyzer and Network Performance Monitor to gain even more visibility into your network traffic.