Are you having trouble getting encrypted NetFlow traffic through your VPN? There is a somewhat obscure command that can be added to the Flexible NetFlow flow exporter, called “output-features”, that may help. This IS REQUIRED in the FnF configuration if you want to set DSCP or use encryption (e.g. VPN tunnels).
Now step two of my Flexible NetFlow configuration looks like this:
flow exporter export-to-ravica-replicator
 description flexible NF v9
 destination 10.1.4.66
 source Vlan1
 output-features
 transport udp 2002
 template data timeout 60
 option interface-table
 option exporter-stats
 option application-table
Cisco’s Flexible NetFlow documentation is also pretty subtle about this.
“To enable sending Flexible NetFlow export packets using quality of service (QoS) or encryption, use the output-features command in Flexible NetFlow flow exporter configuration mode. To disable sending export packets using QoS or encryption, use the no form of this command:”
output-features
no output-features
NOTE: If you don’t need QoS or encryption, or if you have a huge volume of NetFlow export and can’t afford to run these features, then use “no output-features” (the default), since it needs less CPU: the export packets are written directly to the wire and bypass the output feature path (QoS marking and IPsec) entirely.
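To catch exporters that will silently miss the tunnel, here is an added example (not from the original post, and not a Cisco tool) that parses “flow exporter” stanzas out of a saved running-config and flags any exporter that sets DSCP, or whose destination sits behind the VPN, without “output-features”. The sample config and the tunneled prefix list are constructed assumptions.

```python
"""Lint Cisco IOS 'flow exporter' stanzas for the output-features caveat."""
import ipaddress
import re

# Constructed sample running-config: the second exporter lacks output-features.
EXPORTER_CFG = """\
flow exporter export-to-ravica-replicator
 description flexible NF v9
 destination 10.1.4.66
 source Vlan1
 output-features
 transport udp 2002
 template data timeout 60
!
flow exporter export-to-backup-collector
 description marks DSCP but is written straight to the wire
 destination 10.1.5.20
 dscp 46
 transport udp 2055
!
"""

# Assumption: collectors inside these prefixes are reached through the IPsec tunnel.
TUNNELED_PREFIXES = [ipaddress.ip_network("10.1.0.0/16")]


def parse_exporters(cfg):
    """Return {name: {"destination": str|None, "dscp": int|None, "output_features": bool}}."""
    exporters, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"flow exporter (\S+)", line)
        if m:
            current = exporters.setdefault(
                m.group(1), {"destination": None, "dscp": None, "output_features": False})
            continue
        if not line.startswith(" "):
            current = None  # '!' or another top-level command ends the stanza
            continue
        if current is None:
            continue
        tokens = line.split()
        if tokens[0] == "destination":
            current["destination"] = tokens[1]
        elif tokens[0] == "dscp":
            current["dscp"] = int(tokens[1])
        elif tokens[0] == "output-features":
            current["output_features"] = True
    return exporters


def needs_output_features(exp):
    """True when the exporter marks DSCP or its collector is behind the VPN."""
    if exp["dscp"] is not None:
        return True
    if exp["destination"] is None:
        return False
    dst = ipaddress.ip_address(exp["destination"])
    return any(dst in net for net in TUNNELED_PREFIXES)


def find_misconfigured(cfg):
    """Sorted names of exporters that need output-features but do not set it."""
    return sorted(name for name, exp in parse_exporters(cfg).items()
                  if needs_output_features(exp) and not exp["output_features"])
```

Run it against “show running-config | section flow exporter” output saved to a file; any name it returns is an exporter whose packets will never enter the crypto or QoS path.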
This NetFlow encryption trick is helpful for getting NetFlow over VPN tunnels and is one of many export features possible with Flexible NetFlow.