Over the past few weeks, I have taken a number of support calls from customers who were looking for help with their Cisco router Flexible NetFlow configuration. There were many times where the customer set up the record, but they did not build it to get the best report visibility. I figured that I would take this opportunity to write a blog walking through the configuration steps, including a recommended record configuration.
There are four basic steps to a Flexible NetFlow configuration.
In Step 1, we create a flow record. The record is a description of the elements present in the NetFlow template. It offers the administrator options on what they want to see in the flow data.
There are two command parameter options. The match parameter, or Key, sets up not only a field that is collected, but also how the flow record(s) aggregate on the cache table. The more match parameters configured, the more granular the record data.
The other parameter is a collect, or non-Key. The collect parameters specify other fields that are collected in the record.
There are different versions of some of these commands to support IPv4 and IPv6. You create separate records in support of each address type.
Cisco offers an option that makes this step very easy: most platforms ship with pre-defined Flexible NetFlow records that contain the common elements of the traditional NetFlow v5 or v9 records.
A recommended flow record will have the following parameters:
flow record RECORD-GENERAL-PURPOSE
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 match ipv4 dscp
 collect ipv4 source mask
 collect ipv4 destination mask
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
The next three steps will be the same whether you are using pre-defined or your own flow record(s).
In Step 2, we create and configure a flow exporter.
The exporter defines how flows are exported from the device to the collector, and any options relative to that export.
Simply put, you define the:
- Source: specifies the interface used to export the flows. The IP address of this interface also becomes the IP address used by the collector to identify this device.
- Destination: specifies the IP address of the NetFlow collector.
- Transport: specifies the protocol and port number used in the flow export.
- Export-protocol: specifies the version.
Generally, you want to include the template data timeout, which specifies how often the record template exports to the collector. The collector needs to see this template in order to understand the record layout.
A typical flow exporter will look like this:
flow exporter SCRUTINIZER
 description FLEXIBLE NF V9
 destination 10.211.10.112
 source GigabitEthernet0/0/1
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
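Why the collector depends on the template, shown as an added example (not code from the original post, from Cisco, or from any collector product): a minimal NetFlow v9 decoder that cannot interpret a data FlowSet until the matching template has arrived. The packets are constructed samples using documentation addresses, the template carries a subset of the record fields above with field type numbers from RFC 3954, and the function names are hypothetical.

```python
import ipaddress
import struct

NAMES = {1: "bytes", 2: "packets", 4: "protocol", 7: "src_port",
         8: "src_addr", 11: "dst_port", 12: "dst_addr"}  # RFC 3954 field types

def decode(record, fields):
    """Slice one data record using the template's (type, length) list."""
    out, pos = {}, 0
    for ftype, flen in fields:
        value, pos = int.from_bytes(record[pos:pos + flen], "big"), pos + flen
        if ftype in (8, 12):                     # IPv4 source / destination
            value = str(ipaddress.ip_address(value))
        out[NAMES.get(ftype, f"field_{ftype}")] = value
    return out

def parse_v9(packet, templates):
    """Decode one export packet; `templates` is the collector's cache."""
    if struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not NetFlow v9")
    flows, skipped, off = [], 0, 20              # fixed 20-byte header
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, off)
        if set_len < 4 or off + set_len > len(packet):
            raise ValueError("bad FlowSet length")
        body = packet[off + 4:off + set_len]
        if set_id == 0:                          # template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                templates[tid] = list(struct.iter_unpack("!HH", body[pos + 4:pos + 4 + 4 * n]))
                pos += 4 + 4 * n
        elif set_id >= 256 and set_id not in templates:
            skipped += 1                         # layout unknown: cannot decode
        elif set_id >= 256:                      # data FlowSet with known layout
            size = sum(flen for _, flen in templates[set_id])
            for start in range(0, len(body) - size + 1, size):
                flows.append(decode(body[start:start + size], templates[set_id]))
        off += set_len                           # other set ids (options) ignored
    return flows, skipped

def build_sample():
    """Constructed sample packets (documentation addresses), not a capture."""
    # Template 256: src addr, dst addr, src port, dst port, protocol, bytes, packets
    tmpl = struct.pack("!16H", 256, 7, 8, 4, 12, 4, 7, 2, 11, 2, 4, 1, 1, 4, 2, 4)
    rec = struct.pack("!4s4sHHBII3x", bytes([192, 0, 2, 10]),
                      bytes([198, 51, 100, 5]), 51515, 443, 6, 1500, 3)
    hdr = struct.pack("!HHIIII", 9, 1, 1000, 1700000000, 1, 0)
    return (hdr + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl,
            hdr + struct.pack("!HH", 256, 4 + len(rec)) + rec)
```

Feeding the data packet to `parse_v9` before the template packet yields no flows and one skipped FlowSet; the same bytes decode fully once the template is cached.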
In Step 3, we are going to configure a flow monitor.
The flow monitor ties together the flow record and the flow exporter. The monitor also usually contains a reference to the active cache timeout parameter.
A typical flow monitor configuration will look like this:
flow monitor GENERAL-PURPOSE-MON
 record RECORD-GENERAL-PURPOSE
 exporter SCRUTINIZER
 cache timeout active 60
In Step 4, we will apply the monitor to the interface(s). This is where we configure the metering points.
In this step, we enter interface configuration mode and apply the flow monitor in input or output mode, or both.
int GigabitEthernet0/1
 ip flow monitor GENERAL-PURPOSE-MON input
 ip flow monitor GENERAL-PURPOSE-MON output
I hope that this information will make Flexible NetFlow configuration easier for you.
You might still be asking, “Why would I ever need to change this type of configuration?”
Here are a couple of reasons that come to mind.
The impact on router overhead when enabling NetFlow may be a concern. By changing the aggregation method (match parameters) in very high traffic volume scenarios, you can directly affect the volume of the flow exports and lessen the overhead realized when enabling flow monitoring.
There are even cases where I have used a modified aggregation method to eliminate the need to sample.
Flexible NetFlow is also the way to take advantage of any of the newer Cisco Flow technologies. Using Flexible NetFlow, there are many options that support Cisco’s AVC (Application Visibility and Control), where network traffic reporting can be done on a performance basis and not only on bandwidth.
Moving from traditional to Flexible NetFlow gives you a ton of different user configuration options. Contact our support team if you want to learn more or need help with your Flexible NetFlow configuration.