How to enable egress NetFlow

Posted in NetFlow, Network Traffic Analysis on March 9th, 2010 by miles

Working in technical support I get asked a lot, “I enabled NetFlow on my router, why don’t I see outbound traffic?” This is because NetFlow version 5 only supports ingress flow monitoring, and NetFlow has not been enabled on every interface. With NetFlow v5, outbound traffic is derived from the idea that what goes in must go out (or stop at the router), so every interface must be monitoring ingress traffic to get an accurate picture of outgoing traffic. So, if ingress monitoring has been working great all along, why enable egress monitoring?


Our Product Manager, Michael Patterson, has put together a great blog on Ingress or Egress NetFlow Analysis that helps answer this question. It’s also important to note that in order to monitor egress traffic you must use NetFlow version 9 or IPFIX. Not yet convinced NetFlow v9 is for you? Check out the McMonster analogy to see the benefits of NetFlow v9; mmm delicious NetFlow.

Enabling Ingress and Egress

Anyhow, back to our original topic.

Here are the commands to configure a Cisco router for both ingress and egress flows:

Router> enable
Router# configure terminal
! send NetFlow off to the collector – Scrutinizer
Router(config)# ip flow-export destination
! let's send NetFlow off to a 2nd collector
Router(config)# ip flow-export destination
! you have to set up Flexible NetFlow to export to more than two destinations
! let's export NetFlow v9, as NetFlow v5 doesn't support egress NetFlows
Router(config)# ip flow-export version 9
! summarize and export long-lived flows every minute
Router(config)# ip flow-cache timeout active 1
! export flows that have been idle for 15 seconds or more
Router(config)# ip flow-cache timeout inactive 15
! export the NetFlow data from the configured loopback interface
Router(config)# ip flow-export source loopback 0
! now enable NetFlow on each interface we want NetFlow from
! let's configure the first interface
Router(config)# interface Ethernet 0/0
Router(config-if)# ip flow ingress
Router(config-if)# ip flow egress
Router(config-if)# exit
! change to a different interface
Router(config)# interface Ethernet 0/1
Router(config-if)# ip flow ingress
Router(config-if)# ip flow egress
Router(config-if)# exit
! commit the above to memory if you want to keep the configuration
Router(config)# end
Router# write memory
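As an added example that is not part of the original post, the following Python script (function names are my own; the running-config it reads is constructed, not taken from any real router) checks a saved Cisco running-config for the two problems described above: interfaces with no "ip flow ingress", which silently undercount outbound traffic, and "ip flow egress" configured while the export version is still below 9, where v5 cannot carry egress flows at all.

```python
# Constructed sample running-config, not taken from any real router.
SAMPLE_CONFIG = """\
ip flow-export destination 10.1.1.50 2055
ip flow-export version 5
!
interface Ethernet0/0
 ip flow ingress
 ip flow egress
!
interface Ethernet0/1
 ip flow ingress
!
interface Ethernet0/2
 ip address 203.0.113.1 255.255.255.0
!
"""

def parse_netflow_config(text):
    """Return (export version or None, {interface: {"ingress": bool, "egress": bool}})."""
    version, interfaces, current = None, {}, None
    for line in text.splitlines():
        if line.startswith("ip flow-export version "):
            version = int(line.split()[-1])
        elif line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = {"ingress": False, "egress": False}
        elif line.startswith(" ") and current:   # IOS indents interface sub-commands
            cmd = line.strip()
            if cmd in ("ip flow ingress", "ip flow egress"):
                interfaces[current][cmd.split()[-1]] = True
        else:
            current = None                       # '!' or a global command ends the block
    return version, interfaces

def audit_netflow(text):
    """List why outbound traffic may be missing or undercounted, per the post above."""
    version, interfaces = parse_netflow_config(text)
    findings = []
    egress_ifs = [n for n, f in interfaces.items() if f["egress"]]
    if egress_ifs and (version is None or version < 9):
        findings.append("egress enabled on %s but export version is not 9; v5 cannot carry egress flows" % ", ".join(egress_ifs))
    for name, f in interfaces.items():
        if not f["ingress"]:
            findings.append("%s: no 'ip flow ingress'; traffic entering here is never counted" % name)
        elif not f["egress"]:
            findings.append("%s: ingress only; add 'ip flow egress' for direct outbound visibility" % name)
    return findings
```

Run audit_netflow() on the output of "show running-config" saved to a file; an empty list means every interface exports both directions and the export version is 9.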

Need a NetFlow analysis tool? Scrutinizer 7.0 and greater have the ability to gather and report on NetFlow v9 and IPFIX flows.
