A core piece of functionality for making a flow-based collection platform like StealthWatch function is, as you may imagine, configuring various flow-capable exporters (routers, switches, toaster ovens) to actually send that telemetry to a flow collector. Here at Lancope, we love all kinds of flow, but we recognize that not all flow is created equal. Our favorite tends to be Cisco’s NetFlow, mostly due to its rich dataset and ease of proper configuration.
For those StealthWatch customers who have been around for a while, you may have seen the extremely handy NetFlow Configuration Cliffnotes document that we have circulated in the past. This blog post is basically a summarization of that document. In some cases it’s a blatant plagiarization – why mess with success?
Before we begin, we should take stock of some gotchas. Not all Cisco devices are the same. We have standard IOS devices, Nexus devices, ASR/ISRs, ASAs, and others. For the purposes of this blog, we’ll mostly focus on standard IOS devices. Nexus devices, 6500/7600-series, 4500/3850s will be covered separately. ASAs are a special snowflake that will also be covered separately.
No matter what type of device we’re configuring on, there are some best practices that we’ll want to keep in mind to ensure proper functionality:
In configuration mode, issue the following commands to enable NetFlow export:
ip flow-export destination <FlowCollector_IP_address> 2055
ip flow-export source <interface> -> (e.g. use a Loopback interface)
ip flow-export version 9 -> (if version 9 does not take, use version 5)
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
snmp-server ifindex persist
Next, enable NetFlow on each Layer-3 interface whose traffic you are interested in monitoring (hopefully all of them):
interface <interface>
 ip flow ingress
Optional additions, depending on which extra fields you want in the export:
ip flow-export version 9 origin-as -> (to include BGP origin AS)
ip flow-capture mac-addresses -> (do we also want MAC addresses? May not always be accurate)
ip flow-capture vlan-id -> (do we want VLAN IDs?)
NOTE on IOS versions:
If your router is running a version of Cisco IOS prior to releases 12.2(14)S, 12.0(22)S, or 12.2(15)T, the ip route-cache flow command is used to enable NetFlow on an interface. If your router is running Cisco IOS release 12.2(14)S, 12.0(22)S, 12.2(15)T or later, the ip flow ingress command is used to enable NetFlow on an interface.
The following show commands can be used to verify that flows are being cached and exported as expected:
show ip cache flow
show ip flow export
show ip flow interface
show ip flow export template
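As an added example (not from the original post or from Lancope), here is a small Python check that audits a saved running-config against the settings above: the global export and timeout commands, persistent ifIndex, and ip flow ingress on every interface that carries an IP address. The config text is constructed for illustration and the function and variable names are my own.

```python
import re

# Constructed sample running-config excerpt (hypothetical device, not a real capture).
# Deliberate gaps: active timeout is 5 instead of 1, and two L3 interfaces lack ip flow ingress.
SAMPLE_CONFIG = """\
ip flow-export destination 10.0.0.5 2055
ip flow-export source Loopback0
ip flow-export version 9
ip flow-cache timeout active 5
ip flow-cache timeout inactive 15
snmp-server ifindex persist
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip flow ingress
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
"""

# Global commands the post recommends, as anchored regexes over stripped config lines.
GLOBAL_CHECKS = {
    "export destination": r"^ip flow-export destination \S+ \d+$",
    "export source interface": r"^ip flow-export source \S+$",
    "export version 9 (or 5)": r"^ip flow-export version (9|5)\b",
    "active timeout 1 minute": r"^ip flow-cache timeout active 1$",
    "inactive timeout 15 seconds": r"^ip flow-cache timeout inactive 15$",
    "persistent ifIndex": r"^snmp-server ifindex persist$",
}

def audit_netflow(config: str) -> dict:
    """Return the recommended global settings that are missing and the
    interfaces that have an IP address but no 'ip flow ingress'."""
    lines = [line.strip() for line in config.splitlines()]
    missing = [name for name, rx in GLOBAL_CHECKS.items()
               if not any(re.match(rx, line) for line in lines)]
    # Walk interface stanzas; a stanza ends at "!" or at the next "interface" line.
    stanzas, cur = [], None
    for line in lines:
        if line.startswith("interface "):
            cur = {"name": line.split()[1], "ip": False, "flow": False}
            stanzas.append(cur)
        elif line == "!":
            cur = None
        elif cur is not None:
            cur["ip"] |= line.startswith("ip address ")
            cur["flow"] |= line == "ip flow ingress"
    no_flow = [s["name"] for s in stanzas if s["ip"] and not s["flow"]]
    return {"missing_global": missing, "interfaces_without_flow": no_flow}
```

Run it against the output of show running-config saved to a file; an empty result for both keys means the device matches the recommendations above.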
For further reference on configuring NetFlow on Cisco IOS devices, reference the Cisco Configuration Guide: http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/12_2sr/nf_12_2sr_book.html.
Look for additional blog posts in the future on configuring NetFlow on various devices. In the meantime, if you have specific questions about configuration in your environment, contact the Lancope Customer Support department at email@example.com if you are an existing customer, or your Lancope account team for additional information on trying StealthWatch in your environment.