How to Configure NetFlow on Cisco Routers: Generic IOS
A core piece of functionality for making a flow-based collection platform like StealthWatch function is, as you may imagine, configuring various flow-capable exporters (routers, switches, toaster ovens) to actually send that telemetry to a flow collector. Here at Lancope, we love all kinds of flow, but we recognize that not all flow is created equal. Our favorite tends to be Cisco’s NetFlow, mostly due to its rich dataset and ease of proper configuration.
For those StealthWatch customers who have been around for a while, you may have seen the extremely handy NetFlow Configuration Cliffnotes document that we have circulated in the past. This blog post is basically a summarization of that document. In some cases it’s a blatant plagiarization – why mess with success?
Before we begin, we should take stock of some gotchas. Not all Cisco devices are the same. We have standard IOS devices, Nexus devices, ASR/ISRs, ASAs, and others. For the purposes of this blog, we’ll mostly focus on standard IOS devices. Nexus devices, 6500/7600-series, 4500/3850s will be covered separately. ASAs are a special snowflake that will also be covered separately.
Rules of the Road
No matter what type of device we’re configuring on, there are some best practices that we’ll want to keep in mind to ensure proper functionality:
- NetFlow configuration varies slightly per hardware model.
- Active timeouts should ALWAYS be set to 1-minute intervals (60 seconds in MLS and NX-OS). This value is the amount of time the device will flush the cache of any information pertaining to active flow conversations, and will ensure accurate trend and alarm information.
- NetFlow should be enabled for ingress traffic at the interface only; providing both ingress and egress statistics will effectively double the amount of reported bandwidth for an existing flow and is unnecessary in most cases.
- NetFlow is based on 7 key fields (7-tuple). If one of these fields is difference, a new flow record is created in the flow cache table:
o Source IP address
o Destination IP address
o Source port number
o Destination port number
o Layer-3 protocol type (ex., TCP, UDP)
o ToS (type of service) byte
o Input logical interface
- Enable NetFlow on EVERY layer-3 interface for complete visibility.
- It is best to source NetFlow export from an interface that will never go down, such as Loopback0.
Cisco IOS NetFlow Configuration
In configuration mode, issue the following commands to enable NetFlow export:
ip flow-export destination <FlowCollector_IP_address> 2055
ip flow-export source <interface> -> (e.g. use a Loopback interface)
ip flow-export version 9 -> (if version 9 does not take, use version 5)
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
snmp-server ifindex persist
Next, enable n NetFlow on each Layer-3 interface for which you are interested in monitoring traffic for (hopefully all of them):
ip flow ingress
ip flow-export version 9 origin-as -> (to include BGP origin AS)
ip flow-capture mac-addresses -> do we also want MAC addresses? (may not always be accurate)
ip flow-capture vlan-id -> do we want VLAN IDs?
NOTE on IOS versions:
If your router is running a version of Cisco IOS prior to releases 12.2(14)S, 12.0(22)S, or 12.2(15)T, the ip route-cache flow command is used to enable NetFlow on an interface. If your router is running Cisco IOS release 12.2(14)S, 12.0(22)S, 12.2(15)T or later, the ip flow ingress command is used to enable NetFlow on an interface
show ip cache flow
show ip flow export
show ip flow interface
show ip flow export template
For further reference on configuring NetFlow on Cisco IOS devices, reference the Cisco Configuration Guide: http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/12_2sr/nf_12_2sr_book.html.
Look for additional blog posts in the future on configuring NetFlow on various devices. In the meantime, if you have specific questions about configuration in your environment, contact the Lancope Customer Support department at firstname.lastname@example.org if you are an existing customer, or your Lancope account team for additional information on trying StealthWatch in your environment.