I think exporting Multicast NetFlow should be wisely thought out when configuring Flexible NetFlow (FnF). Specifically, I’m talking about ingress vs. egress exports. I sometimes make the suggestion to export only egress with multicast flows.

Why only Egress with Multicast Flows
When exporting multicast flows with ingress only, the destination interface on most flows is reported as 0.  Egress flows display the actual destination interface of multicast flows. We don’t need to export both as this will nearly double the volume of flows exported to the collector.

Setup Flexible NetFlow for Multicast
Here is a configuration suggestion you might want to consider for Cisco NetFlow multicast egress environments:

Configure a New FnF Record
Configure a completely new FnF flow record and add these match and collect entries to a typical Flexible NetFlow record:

match routing is-multicast
collect routing multicast replication-factor
collect counter bytes replicated
collect counter packets replicated

Configure a New FnF Monitor
You then apply this new FnF Flow Record (e.g. mcastRecord) to an existing FnF Exporter (e.g. exportToCollector) however, a new FnF Monitor (e.g. mcastMonitor) should be created that binds the Flow Record to the Exporter as we only want to collect egress multicast flows.

flow monitor mcastMonitor
description lets export egress multicast flows
record mcastRecord
exporter exportToCollector
cache timeout active 60

Apply the FnF Monitor to Interfaces
In the final step of a Flexible NetFlow configuration, the FnF Monitor is applied to interfaces:

interface FastEthernet0/0
ip flow monitor mcastMonitor multicast output
interface FastEthernet0/1
ip flow monitor mcastMonitor multicast output
etc. etc.

Adding “multicast” above will cause that monitor to ONLY monitor multicast. In the same vein, you can exclude Multicast from your other monitors with “unicast”  like:
ip flow monitor ucastMonitor unicast output
You cannot specify the same monitor with unicast and multicast as separate configuration lines. They will overwrite one another. To do that, simply leave out the specification:
ip flow monitor allMonitor output

You can use different records and monitors in order to only give the information relevant to unicast or multicast without worrying about over-stating due to double export.

A good IPFIX and Flexible NetFlow collector should automatically display inbound multicast traffic using egress collected flows.  If you are having trouble understanding the relationships between Flow Records, Exporters and Monitors, watch this How to configure Flexible NetFlow video. It explains the whole Flexible NetFlow setup process in 4 simple steps.

Please consider joining the NetFlow Developments discussion group on linkedin.

Mike Patterson author pic


Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.


Big Data

Sankey Flow Graph

One of the greatest benefits of NetFlow collection for traffic analysis, is we’re provided with the ability to visualize the…

Leave a Reply