Are you having trouble getting encrypted NetFlow traffic through your VPN? There is a sort of ambiguous command that can be added to the  Flexible NetFlow export called “output-features” that may help.  This IS REQUIRED to be in the FnF Configuration if you want to set DSCP or use encryption (e.g. VPN tunnels)

Now step two of my Flexible NetFlow configuration looks like this:

flow exporter export-to-ravica-replicator
description flexible NF v9
source Vlan1
transport udp 2002
template data timeout 60
option interface-table
option exporter-stats
option application-table

Cisco’s Flexible NetFlow documentation is also pretty subtle about this.
“To enable sending Flexible NetFlow export packets using quality of service (QoS) or encryption, use the output-features command in Flexible NetFlow flow exporter configuration mode. To disable sending export packets using QoS or encryption, use the no form of this command:”

no output-features

NOTE: If you don’t need QoS or encryption, or if you have a huge volume of netflow export and can’t afford to run these features, then use “no output features” (the default) since this requires less CPU as netflow export is written directly to the wire.

This Netflow encryption trick is helpful for getting Netflow over VPN tunnels and is one of many Netflow output features possible with Flexible NetFlow. Download the award winning, best Netflow analyzer.  Start using the leading network traffic analyzer.

Ryan Slosser author pic

Ryan Slosser

My name is Ryan. I work in development here at Plixer. I mostly deal with hardware deployment. I enjoy kayaking and fishing during the summer and skiing in the winter. People can count on me and I always give 100% unless I'm donating blood.


Big Data

Sankey Flow Graph

One of the greatest benefits of NetFlow collection for traffic analysis, is we’re provided with the ability to visualize the…

Leave a Reply