Multicast NetFlow Exports with Flexible NetFlow

Posted in NetFlow, NetFlow Analyzer on May 15th, 2011 by mike@plixer.com
Multicast NetFlow Exports with Flexible NetFlow

I think exporting Multicast NetFlow should be wisely thought out when configuring Flexible NetFlow (FnF). Specifically, I’m talking about ingress vs. egress exports. I sometimes make the suggestion to export only egress with multicast flows.

Why only Egress with Multicast Flows
When exporting multicast flows with ingress only, the destination interface on most flows is reported as 0.  Egress flows display the actual destination interface of multicast flows. We don’t need to export both as this will nearly double the volume of flows exported to the collector.

Setup Flexible NetFlow for Multicast
Here is a configuration suggestion you might want to consider for Cisco NetFlow multicast egress environments:

Configure a New FnF Record
Configure a completely new FnF flow record and add these match and collect entries to a typical Flexible NetFlow record:

match routing is-multicast
collect routing multicast replication-factor
collect counter bytes replicated
collect counter packets replicated

Configure a New FnF Monitor
You then apply this new FnF Flow Record (e.g. mcastRecord) to an existing FnF Exporter (e.g. exportToCollector) however, a new FnF Monitor (e.g. mcastMonitor) should be created that binds the Flow Record to the Exporter as we only want to collect egress multicast flows.

flow monitor mcastMonitor
description lets export egress multicast flows
record mcastRecord
exporter exportToCollector
cache timeout active 60

Apply the FnF Monitor to Interfaces
In the final step of a Flexible NetFlow configuration, the FnF Monitor is applied to interfaces:

interface FastEthernet0/0
ip flow monitor mcastMonitor multicast output
interface FastEthernet0/1
ip flow monitor mcastMonitor multicast output
etc. etc.

Adding “multicast” above will cause that monitor to ONLY monitor multicast. In the same vein, you can exclude Multicast from your other monitors with “unicast”  like:
ip flow monitor ucastMonitor unicast output
You cannot specify the same monitor with unicast and multicast as separate configuration lines. They will overwrite one another. To do that, simply leave out the specification:
ip flow monitor allMonitor output

You can use different records and monitors in order to only give the information relevant to unicast or multicast without worrying about over-stating due to double export.

Summary
A good IPFIX and Flexible NetFlow collector should automatically display inbound multicast traffic using egress collected flows.  If you are having trouble understanding the relationships between Flow Records, Exporters and Monitors, watch this How to configure Flexible NetFlow video. It explains the whole Flexible NetFlow setup process in 4 simple steps.

Please consider joining the NetFlow Developments discussion group on linkedin.

Michael Patterson
Founder and CEO

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!

If you enjoyed this post, please consider leaving a comment or subscribing to the RSS feed to have future articles delivered to your feed reader.
Tags: , ,