Cisco NetFlow Replicator™ Released
Posted in NetFlow, NetFlow Analyzer on April 29th, 2010 by mike@plixer.com
The traditional NetFlow configuration on a Cisco router will only let you configure the export to two destinations. Are you looking for a solution that will replicate NetFlow to more than two?
Turn off traditional NetFlow and go with FnF (Flexible NetFlow). It allows for exporting NetFlow to unlimited collectors! Before you try this,you need to make sure you are running at least IOS v15.1.
IOS v15.1 seems to have fixed the high CPU utilization issue caused by enabling FnF with NBAR in IOS v15.0. Make sure you upgrade the router before trying this. I also enabled NBAR because once you get the NetFlow detail offered by NBAR, you won’t want to go back to traditional NetFlow. So how do you export NetFlow on a single router to more than 2 destinations? Follow these 4 steps:
1) Create an FNF ‘record’ and define the fields you want exported.
!
!
version 15.1
!
!
flow record nbar-mon
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match application name
match flow direction ! (Tells the collector if the flow was collected ingress or egress)
collect routing destination as
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 id
collect ipv4 source prefix
collect ipv4 source mask
collect ipv4 destination mask
collect transport tcp source-port
collect transport tcp destination-port
collect transport tcp flags
collect transport udp source-port
collect transport udp destination-port
collect interface output
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
!
2) Create an ‘exporter’ which tells the router where to send the Netflow ‘record’.
!
!
flow exporter export-to-collector1
description flexible NF v9
destination 10.1.1.1
source FastEthernet0/1
transport udp 2055
template data timeout 60
option interface-table !(see my blog on Interface names via NetFlow)
option exporter-stats !(exports a cool table full of counter stats)
option application-table ! (don’t forget this else, you won’t have any application names e.g. skype)
!
!
flow exporter export-to-collector2
description flexible NF v9
destination 10.1.1.2
source FastEthernet0/1
transport udp 2055
template data timeout 60
option interface-table
option exporter-stats
option application-table
!
!
flow exporter export-to-collector3
description flexible NF v9
destination 10.1.1.3
source FastEthernet0/1
transport udp 2055
template data timeout 60
option interface-table
option exporter-stats
option application-table
!
!
flow exporter export-to-collector4
description flexible NF v9
destination 10.1.1.4
source FastEthernet0/0
transport udp 2055
template data timeout 60
option interface-table
option exporter-stats
option application-table
!
!
flow exporter export-to-collector5
description flexible NF v9
destination 10.1.1.5
source FastEthernet0/1
transport udp 2055
template data timeout 60
option interface-table
option exporter-stats
option application-table
!
!
flow exporter export-to-collector6
description flexible NF v9
destination 10.1.1.6
source FastEthernet0/0
transport udp 2055
template data timeout 60
option interface-table
option exporter-stats
option application-table
!
!
flow exporter export-to-collector7
description flexible NF v9
destination 10.1.1.7
source FastEthernet0/1
transport udp 2055
template data timeout 60
option application-table
!
!
flow exporter export-to-collector8
description new gozilla
destination 10.1.1.8
source FastEthernet0/0
transport udp 2055
template data timeout 60
option application-table
!
!
flow exporter export-to-collector9
description flexible NF v9
destination 10.1.1.9
source FastEthernet0/0
transport udp 2055
template data timeout 60
option interface-table
option exporter-stats
option application-table
!
!
3) Create a ‘monitor’ which tells the router which ‘records’ to send from which ‘exporter’.
!
!
flow monitor nbar-mon
description app traffic analysis
record nbar-mon
exporter new-gozilla
exporter export-to-collector1
exporter export-to-collector2
exporter export-to-collector3
exporter export-to-collector4
exporter export-to-collector5
exporter export-to-collector6
exporter export-to-collector7
exporter export-to-collector8
exporter export-to-collector9
cache timeout active 60
!
!
ip nbar custom GoToMeeting tcp 8200 !(just telling NBAR to label port 8200 as GoToMeeting)
ip cef
!
!
4) Apply the ‘monitor’ to the interfaces you want flows collected from.
!
!
interface FastEthernet0/0
description fa-0/0
ip address 10.1.1.254 255.255.0.0
ip nbar protocol-discovery
ip flow monitor nbar-mon input
ip flow monitor nbar-mon output
!
Notice above I only applied the Monitor to one interface on our 3 interface Cisco 2811. This is because I have egress turned on (ip flow monitor nbar-mon output). Be smart about enabling egress NetFlow. Most collectors will overstate utilization when you enable it. Scrutinizer won’t for two reasons:
1) It is only being configured on 1 interface
2) Because when I created the Flow Record I specified “match flow direction” and Scrutinizer knows to look for this when reporting.
Here is what the CPU looks like on our little router after exporting all this.
Our T-1 is pretty busy during the day.
There you have it. A free NetFlow replicator™ or NetFlow duplicator from Cisco. Get away from traditional NetFlow and go with FnF, it Rocks!
Michael PattersonScrutinizer Product Manager
Click to download Scrutinizer now!
Join NetFlow Developments on Linkedin.com
Tags: egress, export netflow, Flexible NetFlow, FnF, NBAR, netflow configuration, NetFlow Duplicator, NetFlow Replicator, replicate netflow
[...] you to configure unlimited exporters (i.e. more than just 2 destinations). This is a great way to replicate NetFlow . Anyway, the Samplicator only runs on linux so if you need help setting it up or need an [...]