Example Cisco NetFlow Config – Standard version 5

The configuration detailed in this article applies to standard Cisco routers from which you would like to export flow data. This shows what entries are required for a basic NetFlow v5 device config.

Environment

  • Cisco router
  • All NTA versions

Detail

Command: ip flow-export destination {hostname|ip_address} 2055
Purpose: Exports the NetFlow cache entries to the specified IP address. Use the IP address of the Orion NetFlow Traffic Analysis server and the port it listens on. The default port is 2055.

Command: ip flow-export source {interface} {interface_number}
Purpose: Sets the source IP address of the NetFlow exports that the device sends to the NetFlow collector. NOTE: This must be a layer 3 interface; it does not have to be an interface that is enabled to collect flow data. It is only used in the packet header as the source.

Command: ip flow-export version 5 [peer-as | origin-as]
Purpose: Sets the NetFlow export version to version 5. NetFlow Analyzer supports only versions 1, 5, or version 9. If you would like to collect BGP AS information, set [peer-as | origin-as].

Command: ip flow-cache timeout active 1
Purpose: Breaks up long-lived flows into 1-minute fragments. You can choose any number of minutes between 1 and 60. If you leave it at the default of 30 minutes, your traffic reports will have spikes. Setting this value to 1 will normalize the data.

Command: ip flow-cache timeout inactive 15
Purpose: Ensures that flows that have finished are periodically exported. The default value is 15 seconds. You can choose any number of seconds between 10 and 600. However, if you choose a value greater than 250 seconds, NetFlow Analyzer may report traffic levels that are too low.

Command: snmp-server ifindex persist
Purpose: Enables ifIndex persistence (interface names) globally. This ensures that the ifIndex values are persisted during device reboots.

Command:
router-2621(config)#interface FastEthernet 0/0
router-2621(config-if)#ip flow ingress
router-2621(config-if)#ip flow egress
Purpose: Enables flow data to be collected on layer 3 interfaces. Configure these commands on every interface on which you want to collect NetFlow data. The rule of thumb is: if only one interface is enabled to capture NetFlow data, both commands should be configured on it. If more than one interface is enabled to capture NetFlow data, only "ip flow ingress" should be used on all of those interfaces.

 

Final configuration

! Interface used to export the NetFlow data to the collector
ip flow-export source FastEthernet2/1
ip flow-export version 5
ip flow-export destination 1.1.1.1 2055
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
!
snmp-server ifindex persist
!
! Interface on which NetFlow data is collected as traffic flows through it
interface FastEthernet0/0
 ip flow ingress
 ip flow egress

 

How to verify data is being exported

router#show ip flow export
router#show ip cache flow
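
The router-side commands above show that exports are being sent; the Python below is an added example (not part of the original article or any vendor tool) that decodes a NetFlow v5 datagram as it arrives on UDP 2055, so you can check the fields this configuration influences: the ifIndex values, the AS numbers, and flow durations against the 1-minute active timeout. The function names, the 5-second slack and the sample datagram are assumptions constructed for illustration.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                  # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBB2x")   # 48-byte v5 flow record

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into (header, flows)."""
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram")
    version, count, _uptime, secs, _nsecs, seq, _etype, _eid, _samp = \
        HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if not 1 <= count <= 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last, sport,
         dport, _flags, proto, _tos, src_as, dst_as, _smask, _dmask) = \
            RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": proto,
            "in_if": in_if, "out_if": out_if,    # SNMP ifIndex values
            "src_as": src_as, "dst_as": dst_as,  # filled when peer-as/origin-as is set
            "packets": pkts, "octets": octets,
            "duration_s": ((last - first) & 0xFFFFFFFF) / 1000,  # sysUptime ms
        })
    return {"count": count, "sequence": seq, "unix_secs": secs}, flows

def over_active_timeout(flows, active_minutes=1, slack_s=5):
    """Flows longer than the configured active timeout (plus assumed slack)."""
    return [f for f in flows if f["duration_s"] > active_minutes * 60 + slack_s]

# Constructed sample: one datagram holding two flows (documentation addresses).
def _record(src, dst, first_ms, last_ms):
    return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                       1, 2, 10, 1200, first_ms, last_ms, 49152, 443,
                       0x18, 6, 0, 0, 0, 24, 24)

SAMPLE = (HEADER.pack(5, 2, 600_000, 1_700_000_000, 0, 42, 0, 0, 0)
          + _record("192.0.2.10", "198.51.100.7", 500_000, 558_000)
          + _record("192.0.2.11", "198.51.100.7", 100_000, 590_000))

if __name__ == "__main__":
    header, flows = parse_v5(SAMPLE)
    print(header, over_active_timeout(flows))
```

A flow reported by over_active_timeout suggests the exporter is still running with a longer active timeout than the 1 minute configured above.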
