To implement NetFlow on a router:
Step 1. Configure NetFlow data capture - NetFlow captures data from ingress (incoming) and egress (outgoing) packets.
Step 2. Configure NetFlow data export - The IP address or hostname of the NetFlow collector must be specified and the UDP port to which the NetFlow collector listens.
Step 3. Verify NetFlow, its operation and statistics - After configuring NetFlow, the exported data can be analyzed on a workstation running an application, such as SolarWinds NetFlow Traffic Analyzer, Plixer Scrutinizer, or Cisco NetFlow Collector (NFC). Minimally, one can rely on the output from a number of show commands on the router itself.
Some NetFlow configuration considerations include:
- Newer Cisco routers, such as the ISR G2 series, support both NetFlow and Flexible NetFlow.
- Newer Cisco switches, such as the 3560-X series switches, support Flexible NetFlow; however, some Cisco switches, such as Cisco 2960 Series switches, do not support NetFlow or Flexible NetFlow.
- NetFlow consumes additional memory. If a Cisco networking device has memory constraints, the size of the NetFlow cache can be pre-set so that it contains a smaller number of entries. The default cache size depends on the platform.
- NetFlow software requirements for the NetFlow collector vary. For example, the Scrutinizer NetFlow software on a Windows host requires 4 GB of RAM and 50 GB of drive space.
Note: The focus here is on Cisco router configuration of the original NetFlow (referred to simply as NetFlow in the Cisco documentation). The configuration of Flexible NetFlow is beyond the scope of this course.
A NetFlow flow is unidirectional. This means that one user connection to an application exists as two NetFlow flows, one for each direction. To define the data to be captured for NetFlow in interface configuration mode:
- Capture NetFlow data for monitoring incoming packets on the interface using the ip flow ingress command.
- Capture NetFlow data for monitoring outgoing packets on the interface using the ip flow egress command.
To enable the NetFlow data to be sent to the NetFlow collector, there are several items to configure on the router in global configuration mode:
- NetFlow collector’s IP address and UDP port number - Use the ip flow-export destination ip-address udp-port command. The collector has one or more ports, by default, for NetFlow data capture. The software allows the administrator to specify which port or ports to accept for NetFlow capture. Some common UDP ports allocated are 99, 2055, and 9996.
- (Optional) NetFlow version to follow when formatting the NetFlow records sent to the collector - Use the ip flow-export version version command. NetFlow exports data over UDP in one of five formats (1, 5, 7, 8, and 9). Version 9 is the most versatile export data format, but it is not backward compatible with previous versions. If no version is specified, Version 1 is used by default rather than Version 5. Version 1 should be used only when it is the only NetFlow data export format version that is supported by the NetFlow collector software.
- (Optional) Source interface to use as the source of the packets sent to the collector - Use the ip flow-export source type number command.
The figure shows a basic NetFlow configuration. Router R1 has IP address 192.168.1.1 on the G0/1 interface. The NetFlow collector has the IP address of 192.168.1.3 and is configured to capture the data on UDP port 2055. Ingress and egress traffic through G0/1 is monitored. NetFlow data is sent in Version 5 format.
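As an added example (not part of the course material), a small Python decoder for the Version 5 export datagrams that R1 sends to the collector on UDP port 2055. It checks the header against the datagram length before trusting the record count, and groups the unidirectional flows back into conversations. The datagram and the end-host addresses (192.168.1.10 and 203.0.113.5) are constructed for this example and are not from the figure.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
RECORD_FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "pkts", "octets",
                 "first", "last", "sport", "dport", "pad1", "tcp_flags",
                 "proto", "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")
HEADER_FIELDS = ("version", "count", "uptime_ms", "unix_secs", "unix_nsecs",
                 "seq", "engine_type", "engine_id", "sampling")

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into (header dict, list of flow dicts)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    hdr = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram)))
    if hdr["version"] != 5:
        raise ValueError(f"unexpected export version {hdr['version']}")
    # Validate the count field against the bytes actually received; a v5 datagram
    # carries at most 30 records, so anything else is malformed or truncated.
    if hdr["count"] > 30 or len(datagram) != V5_HEADER.size + hdr["count"] * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(hdr["count"]):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("src", "dst", "nexthop"):
            rec[key] = str(IPv4Address(rec[key]))  # 4 raw bytes -> dotted quad
        flows.append(rec)
    return hdr, flows

def pair_flows(flows):
    """Group unidirectional flows into conversations keyed on protocol + sorted endpoints."""
    convs = defaultdict(list)
    for f in flows:
        ends = sorted(((f["src"], f["sport"]), (f["dst"], f["dport"])))
        convs[(f["proto"],) + tuple(ends)].append(f)
    return dict(convs)

def _record(src, dst, sport, dport, in_if, out_if, pkts, octets):
    # Constructed TCP record: no next hop, ACK|PSH|SYN flags, /24 masks, no AS info.
    return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0\0\0\0",
                          in_if, out_if, pkts, octets, 1000, 2000, sport, dport,
                          0, 0x1B, 6, 0, 0, 0, 24, 24, 0)

# Constructed sample: one HTTP connection exported by R1 as two unidirectional v5 flows.
SAMPLE = (V5_HEADER.pack(5, 2, 123456, 1700000000, 0, 1, 0, 0, 0)
          + _record("192.168.1.10", "203.0.113.5", 51000, 80, 2, 3, 12, 1480)
          + _record("203.0.113.5", "192.168.1.10", 80, 51000, 3, 2, 10, 9200))
```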