One of the things I do daily with customers is help them configure NetFlow on their network devices. Often as I’m going through my configuration, they ask what the best practices are for setting up NetFlow. What are the basic fields needed to make NetFlow configuration ideal for flow analytics reporting? Well, I’d be happy to answer that question for you!
Where Do We Start?
So we’ve decided that we need to configure your network devices to send NetFlow… now what? Where do we even start?
First, understand that all devices are different. The basic configuration I’ll cover is Flexible NetFlow, which will work on most Cisco IOS devices exporting NetFlow version 9. If your device only exports version 5, the configuration is a bit different. If you’re unsure about which version your device exports, you can take a look at our configuration guides for NetFlow
That said, first make sure that your device can export Flexible NetFlow v9. Once we’ve figured that out, we can move on to the next step: the actual configuration!
What Do We Need?
A NetFlow configuration for a Cisco IOS device contains three parts: a monitor, an exporter, and the record itself. The record is where you’ll tell the device what fields you want to send to your collector (IP source address, source ports, destination ports, etc.).
Next is the exporter, which tells you where to send the information, on what port, and where it’s coming from.
Lastly, the monitor will be how you send it. This will be the part you put on the interface.
So let’s go to part one: the record. The record can contain as many or as few fields as you would like, depending on what you’re going to send and, in turn, on what your device can support. But if we’re going to go with a basic configuration, there are a few things you need. A simple NetFlow record looks like this:
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match flow direction
match interface input
collect interface output
collect counter bytes long
collect counter packets long
collect transport tcp flags
collect routing next-hop address ipv4
collect ipv4 source prefix
collect ipv4 destination prefix
collect timestamp sys-uptime first
collect timestamp sys-uptime last
With this config, you’ll get everything you need to know the basics of your network conversations. This is going to give you the who, what, where, and when.
Next, the exporter. Your exporter obviously needs a destination IP address (which would be the IP of your collector), the interface you would like to use as the source IP, and the port you want the NetFlow to be sent on. Commonly, NetFlow uses 2055 or 2056, but there are also many other ports you can use. If you are not using 2055 or 2056, make sure that this port is open to accept UDP on your collector.
flow exporter IPV4-FLOW-EXPORTER
destination X.X.X.X
source <interface>
transport udp 2055
Lastly, we have the flow monitor. Without this you won’t be sending flows anywhere. Your monitor needs to contain the record you want to use, the exporter you want to use, and the cache timeout.
I cannot stress enough the importance of having the proper cache timeout. By default, most devices have a timeout rate of 30 minutes, but we strongly recommend changing this to 1 minute. This way, you’ll receive a template containing flow information every minute instead of every half hour. Imagine how much data you’ll miss by sending flows only every half hour. By sending them every minute, you’ll see everything from your network devices. Here is an example monitor for you:
flow monitor IPV4-FLOW-MONITOR
description Used for Monitoring IPv4 Traffic
record IPV4-FLOW-RECORD
exporter IPV4-FLOW-EXPORTER
cache timeout active 60
Last but not least, you need to apply your flow monitor to your interfaces. Enter configuration mode for the interface you want to apply the monitor to. Then use ip flow monitor monitorname input.
Here, we have another best practice that I want to stress. It’s best to only use flow monitor input on an interface—not input and output. If you use both, you run the risk of doubling your flow traffic to your collector and mirroring traffic. With Scrutinizer, if we know what’s coming into an interface, we can infer what’s going out. In other words, there’s no need to add both input and output. Also, the more interfaces you apply the monitor to, the more information you’re going to get. There will also be fewer holes in your monitoring.
There you have it! If you run into any issues configuring NetFlow, please give us a call at 207-324-8805 extension 4 for customer support and 5 for presales.
Happy monitoring!