
How to Configure NetFlow on Cisco Routers

David Brooks

A core piece of functionality for making a flow-based collection platform like StealthWatch work is, as you may imagine, configuring various flow-capable exporters (routers, switches, toaster ovens) to actually send that telemetry to a flow collector. Here at Lancope, we love all kinds of flow, but we recognize that not all flow is created equal. Our favorite tends to be Cisco’s NetFlow, mostly due to its rich dataset and ease of proper configuration.

For those StealthWatch customers who have been around for a while, you may have seen the extremely handy NetFlow Configuration Cliffnotes document that we have circulated in the past. This blog post is basically a summarization of that document. In some cases it’s a blatant plagiarization – why mess with success?

To learn more about using NetFlow for threat detection and performance monitoring, read the white paper 14 Ways to Leverage NetFlow for Network Performance & Security.

Before we begin, we should take stock of some gotchas. Not all Cisco devices are the same. We have standard IOS devices, Nexus devices, ASR/ISRs, ASAs, and others. For the purposes of this blog, we’ll mostly focus on standard IOS devices. Nexus devices, 6500/7600-series, 4500/3850s will be covered separately. ASAs are a special snowflake that will also be covered separately.

Rules of the Road

No matter what type of device we’re configuring on, there are some best practices that we’ll want to keep in mind to ensure proper functionality:

  • NetFlow configuration varies slightly per hardware model.
  • Active timeouts should ALWAYS be set to 1-minute intervals (60 seconds in MLS and NX-OS). This value is how often the device flushes cached records for flows that are still in progress and exports them to the collector; a short interval is what keeps trend and alarm information accurate for long-lived conversations.
  • NetFlow should be enabled for ingress traffic at the interface only; collecting both ingress and egress statistics effectively doubles the reported bandwidth for an existing flow and is unnecessary in most cases.
  • NetFlow is based on 7 key fields (the 7-tuple). If any one of these fields differs, a new flow record is created in the flow cache table:
         o   Source IP address
         o   Destination IP address
         o   Source port number
         o   Destination port number
         o   Layer-3 protocol type (e.g., TCP, UDP)
         o   ToS (type of service) byte
         o   Input logical interface
  • Enable NetFlow on EVERY layer-3 interface for complete visibility.
  • It is best to source NetFlow export from an interface that will never go down, such as Loopback0.
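The following toy flow cache, added here as an illustration and not Cisco's or Lancope's code, shows how the 7-tuple key and the two timeouts above shape what an exporter sends. The traffic is constructed: a 150-second TCP download entering on Gi0/0, one reply packet entering on Gi0/1, and one packet that differs only in its ToS byte. With the active timeout at 60 seconds the long download is exported as three one-minute slices rather than one record at the end, and the reply and ToS-marked packets land in their own records because the key differs.

```python
"""Toy flow cache showing how the 7-tuple key and the active/inactive timeouts
shape the records a NetFlow exporter sends. Added illustration, not Cisco's
implementation; the traffic below is constructed, not captured."""
from dataclasses import dataclass

# Matches "ip flow-cache timeout active 1" (1 minute) and
# "ip flow-cache timeout inactive 15" (15 seconds); both in seconds here.
ACTIVE_TIMEOUT = 60
INACTIVE_TIMEOUT = 15


@dataclass
class Packet:
    ts: float        # seconds since boot
    src: str
    dst: str
    sport: int
    dport: int
    proto: int       # IP protocol number: 6 = TCP, 17 = UDP
    tos: int
    in_if: str       # input logical interface: part of the key
    out_if: str      # output interface: NOT part of the key
    length: int      # bytes on the wire


@dataclass
class FlowRecord:
    key: tuple
    first: float
    last: float
    packets: int = 0
    octets: int = 0


class FlowCache:
    """Aggregates packets into flow records and expires them like an exporter."""

    def __init__(self):
        self.active = {}     # key -> FlowRecord still being updated
        self.exported = []   # records flushed from the cache, in export order

    @staticmethod
    def key_of(p):
        # The 7-tuple from the list above; out_if and length are deliberately absent.
        return (p.src, p.dst, p.sport, p.dport, p.proto, p.tos, p.in_if)

    def expire(self, now):
        """Flush records active for ACTIVE_TIMEOUT or idle for INACTIVE_TIMEOUT.
        A long-lived flow is thus reported as one-minute slices, not one record
        at the end of the session."""
        for k, rec in list(self.active.items()):
            if now - rec.first >= ACTIVE_TIMEOUT or now - rec.last >= INACTIVE_TIMEOUT:
                self.exported.append(self.active.pop(k))

    def observe(self, p):
        self.expire(p.ts)
        k = self.key_of(p)
        rec = self.active.get(k)
        if rec is None:
            rec = self.active[k] = FlowRecord(key=k, first=p.ts, last=p.ts)
        rec.last = p.ts
        rec.packets += 1
        rec.octets += p.length


def simulate():
    """Constructed scenario: a 150-second TCP download entering on Gi0/0, one
    reply packet entering on Gi0/1, and one packet with a different ToS byte."""
    cache = FlowCache()
    for t in range(150):
        cache.observe(Packet(t, "10.0.0.5", "192.0.2.10", 40000, 443, 6, 0, "Gi0/0", "Gi0/1", 1000))
        if t == 1:   # return traffic: src/dst swapped and a different input interface
            cache.observe(Packet(1.5, "192.0.2.10", "10.0.0.5", 443, 40000, 6, 0, "Gi0/1", "Gi0/0", 60))
        if t == 2:   # same 5-tuple and interface, but ToS differs, so a separate record
            cache.observe(Packet(2.5, "10.0.0.5", "192.0.2.10", 40000, 443, 6, 0xB8, "Gi0/0", "Gi0/1", 1000))
    cache.expire(now=300)   # long after the last packet: everything left is idle
    return cache.exported


if __name__ == "__main__":
    for rec in simulate():
        src, dst, sport, dport, proto, tos, in_if = rec.key
        print(f"{src}:{sport} -> {dst}:{dport} tos=0x{tos:02x} in={in_if} "
              f"pkts={rec.packets} octets={rec.octets} {rec.first:.0f}-{rec.last:.0f}s")
```

Note that the output interface is not part of the key: that is exactly why enabling NetFlow on both ingress and egress of the same router would produce a second, overlapping set of records for the same conversation and double the reported bytes.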

Cisco IOS NetFlow Configuration

In configuration mode, issue the following commands to enable NetFlow export:

ip flow-export destination <FlowCollector_IP_address> 2055
ip flow-export source <interface>     ! e.g. a Loopback interface
ip flow-export version 9              ! if version 9 is not accepted, use version 5
ip flow-cache timeout active 1        ! minutes
ip flow-cache timeout inactive 15     ! seconds
snmp-server ifindex persist

Next, enable NetFlow on each Layer-3 interface whose traffic you want to monitor (ideally all of them):

interface <interface>
 ip flow ingress

Optionally, the following global commands add fields to the exported records:

ip flow-export version 9 origin-as    ! include the BGP origin AS
ip flow-capture mac-addresses         ! include MAC addresses (may not always be accurate)
ip flow-capture vlan-id               ! include VLAN IDs

NOTE on IOS versions:

If your router is running a version of Cisco IOS prior to releases 12.2(14)S, 12.0(22)S, or 12.2(15)T, the ip route-cache flow command is used to enable NetFlow on an interface. If your router is running Cisco IOS release 12.2(14)S, 12.0(22)S, 12.2(15)T or later, the ip flow ingress command is used to enable NetFlow on an interface.

Configuration Validation:

show ip cache flow
show ip flow export
show ip flow interface
show ip flow export template
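Once export is working, the collector receives UDP datagrams on port 2055 in the format selected by ip flow-export version. The decoder below is an added example, not Lancope or Cisco code, for the fixed-layout version 5 format that the page falls back to when version 9 is not accepted; the sample datagram is constructed in code with struct.pack rather than captured from a router, and the interface numbers and sequence value in it are assumed. It also shows why snmp-server ifindex persist matters: the input and output interface fields in each record are SNMP ifIndex values, which must stay stable across reboots for the collector to map them to interface names.

```python
"""Decoder for a NetFlow version 5 export datagram, the format a router sends
to UDP port 2055 after "ip flow-export version 5". Added example, not Lancope
or Cisco code; the sample datagram is constructed, not captured."""
import socket
import struct

# Fixed v5 layout: 24-byte header followed by `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("src", "dst", "nexthop", "input_if", "output_if", "packets",
                 "octets", "first", "last", "src_port", "dst_port", "pad1",
                 "tcp_flags", "proto", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")


def parse_v5(datagram):
    """Return (header dict, list of record dicts); raise ValueError on malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < needed:
        raise ValueError(f"truncated: header promises {count} records, need {needed} bytes")
    header = {"version": version, "count": count, "sys_uptime": sys_uptime,
              "unix_secs": unix_secs, "flow_sequence": flow_sequence,
              "engine_id": engine_id,
              # upper 2 bits carry the sampling mode, lower 14 the interval
              "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for f in ("src", "dst", "nexthop"):
            rec[f] = socket.inet_ntoa(rec[f])
        # input_if / output_if are SNMP ifIndex values (hence "snmp-server ifindex persist")
        del rec["pad1"], rec["pad2"]
        records.append(rec)
    return header, records


def expected_next_sequence(header):
    """flow_sequence counts flows exported before this datagram, so the next
    datagram should start at flow_sequence + count; a jump beyond that means
    export datagrams were lost between router and collector."""
    return header["flow_sequence"] + header["count"]


def build_sample():
    """Constructed datagram with two records; ifIndex 3/4 and sequence 120 are assumed."""
    def rec(src, dst, sport, dport, proto, pkts, octets, flags):
        return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                              socket.inet_aton("192.0.2.1"), 3, 4, pkts, octets,
                              1000, 61000, sport, dport, 0, flags, proto, 0,
                              0, 0, 24, 24, 0)
    header = V5_HEADER.pack(5, 2, 61000, 1700000000, 0, 120, 0, 0, 0)
    return (header
            + rec("10.0.0.5", "192.0.2.10", 40000, 443, 6, 60, 150000, 0x18)
            + rec("10.0.0.5", "192.0.2.53", 51234, 53, 17, 1, 72, 0))


if __name__ == "__main__":
    hdr, recs = parse_v5(build_sample())
    print(hdr)
    for r in recs:
        print(f"{r['src']}:{r['src_port']} -> {r['dst']}:{r['dst_port']} "
              f"proto={r['proto']} pkts={r['packets']} octets={r['octets']}")
```

The truncation check before the record loop is the one a collector should never skip: a datagram whose header promises more records than it carries would otherwise raise a struct error deep inside the parser, or, in a less careful implementation, read past the end of the buffer.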

For further details on configuring NetFlow on Cisco IOS devices, refer to the Cisco Configuration Guide.
