Cisco NetFlow Configuration


- Best Practice / Highlights
- Cisco IOS NetFlow Configuration Guide
- Cisco 6500 & 7600 NetFlow Configuration Guide
- Catalyst 4500 NetFlow Configuration Guide
- Cisco 3850 NetFlow Configuration Guide
- Cisco 3560 & 3750 NetFlow Configuration Guide
- Cisco Nexus 7000 NetFlow Configuration
- Cisco Nexus 1000v NetFlow Configuration
- Cisco ASR 9000 NetFlow Configuration
- Appendix

Best Practice / Highlights

- NetFlow configuration varies slightly per hardware model.
- Set active timeout to 1 minute: “ip flow-cache timeout active” is the time interval at which NetFlow records are exported for long-lived flows (e.g. large FTP transfer). 1 minute is recommended; the configuration is in minutes in IOS and in seconds in MLS and NX-OS.
- Catalyst 6500/7600 require enabling NetFlow export within MSFC and PFC.
- The following command will capture NetFlow within the same VLAN for Catalyst 6500/7600:
    ip flow ingress layer2-switched vlan {vlanlist}
- NetFlow is based on 7 key fields:
  - Source IP address
  - Destination IP address
  - Source port number
  - Destination port number
  - Layer 3 protocol type (ex. TCP, UDP)
  - ToS (type of service) byte
  - Input logical interface
  If one field is different, a new flow is created in the flow cache.
- Enable NetFlow on EVERY layer-3 interface for complete visibility.
- It is best practice to use a NetFlow “source interface” that would never go down, such as a loopback interface.
- A “flow record” within Flexible NetFlow (as used in NX-OS) defines the keys that NetFlow uses to identify packets in the flow as well as other fields of interest that NetFlow gathers for the flow.
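The effect of the seven key fields and of the active timeout on what a collector sees, as an added example (not part of the original document and not Cisco's implementation). It is a simplified flow-cache model; the class and function names, the sample packet and the 1800-second comparison value are assumptions made for illustration.

```python
from dataclasses import dataclass

# The seven key fields listed above; a packet that differs in any one of
# them starts a new cache entry.
KEY_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port",
              "protocol", "tos", "input_if")


@dataclass
class FlowEntry:
    key: tuple
    first: float      # timestamp of first packet (seconds)
    last: float       # timestamp of most recent packet
    packets: int = 0
    octets: int = 0


class FlowCache:
    """Simplified flow cache; both timeouts are in seconds."""

    def __init__(self, active_timeout=60, inactive_timeout=15):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.entries = {}
        self.exported = []          # (export_time, reason, FlowEntry)

    def expire(self, now):
        """Export entries that are idle or have been open too long."""
        for key, entry in list(self.entries.items()):
            if now - entry.last >= self.inactive_timeout:
                reason = "inactive"
            elif now - entry.first >= self.active_timeout:
                reason = "active"
            else:
                continue
            self.exported.append((now, reason, entry))
            del self.entries[key]

    def observe(self, ts, pkt):
        """Account one packet, expiring old entries first."""
        self.expire(ts)
        key = tuple(pkt[f] for f in KEY_FIELDS)
        entry = self.entries.get(key)
        if entry is None:
            entry = self.entries[key] = FlowEntry(key, first=ts, last=ts)
        entry.last = ts
        entry.packets += 1
        entry.octets += pkt["length"]


# Constructed sample packet: one long-lived FTP data transfer.
BULK = {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "src_port": 50000,
        "dst_port": 20, "protocol": 6, "tos": 0, "input_if": 3,
        "length": 1500}


def simulate(active_timeout, duration=300, inactive_timeout=15):
    """One packet per second for `duration` seconds, then silence.

    Returns [(export_time, reason, packets), ...] as the collector sees it.
    """
    cache = FlowCache(active_timeout, inactive_timeout)
    for ts in range(duration):
        cache.observe(ts, BULK)
    cache.expire(duration - 1 + inactive_timeout)   # flow has gone idle
    return [(t, reason, e.packets) for t, reason, e in cache.exported]


def distinct_flows(packets):
    """Number of cache entries created by packets seen at the same instant."""
    cache = FlowCache()
    for pkt in packets:
        cache.observe(0, pkt)
    return len(cache.entries)


if __name__ == "__main__":
    for timeout in (60, 1800):
        records = simulate(timeout)
        print(f"active timeout {timeout}s: first record at t={records[0][0]}s, "
              f"{len(records)} record(s)")
    remarked = dict(BULK, tos=184)     # same 5-tuple, different ToS byte
    print("entries for BULK + re-marked packet:",
          distinct_flows([BULK, remarked]))
```

With a 60-second active timeout the collector receives its first record for the transfer after one minute; with the longer value it sees nothing until the flow has ended and gone idle.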

Cisco IOS NetFlow Configuration Guide

Netflow Configuration

In configuration mode issue the following to enable NetFlow Export:

    ip flow-export destination xe netflow collector IP address 2055
    ip flow-export source interface (e.g. use a Loopback interface)
    ip flow-export version 9 (if version 9 does not take, use version 5)
    ip flow-cache timeout active 1
    ip flow-cache timeout inactive 15
    snmp-server ifindex persist

Enable NetFlow on each layer-3 interface you are interested in monitoring traffic for:

    interface interface
     ip flow ingress

Optional:

    ip flow-export version 9 origin-as (to include BGP origin AS)
    ip flow-capture mac-addresses
    show ip cache verbose flow
    ip flow-capture vlan-id

Note: If your router is running a version of Cisco IOS prior to releases 12.2(14)S, 12.0(22)S, or 12.2(15)T the ip route-cache flow command is used to enable NetFlow on an interface. If your router is running Cisco IOS release 12.2(14)S, 12.0(22)S, 12.2(15)T, or later the ip flow ingress command is used to enable NetFlow on an interface.

Validate configuration:

    show ip cache flow
    show ip flow export
    show ip flow interface
    show ip flow export

ios/netflow/configuration/guide/12 2sr/nf 12 2sr book.html

Cisco 6500 and 7600 Series IOS NetFlow Configuration Guide

Native IOS Netflow Configuration:

In configuration mode issue the following to enable NetFlow Export:

    mls nde sender version 5
    mls aging long 64
    mls aging normal 32
    mls nde interface
    mls flow ip interface-full
    ip flow ingress layer2-switched vlan {vlanlist}
    ip flow-export destination xe netflow collector IP address 2055
    ip flow-export source interface (e.g. use a Loopback interface)
    ip flow-export version 9 (if version 9 does not take, use version 5)
    ip flow-cache timeout active 1
    ip flow-cache timeout inactive 15
    snmp-server ifindex persist

Enable NetFlow on each layer-3 interface you are interested in monitoring traffic for:

    interface interface
     ip flow ingress

Optional:

    ip flow-capture mac-addresses
    ip flow-capture vlan-id

Hybrid / CatOS Netflow Configuration:

    set mls nde xe address 2055
    set mls nde version 5
    set mls agingtime long 64
    set mls agingtime 32
    set mls flow full
    set mls bridged-flow-statistics enable vlanlist
    set mls nde enable

Validate configuration:

    show ip cache flow
    show ip flow export
    show ip flow export template
    show mls

rs/7600/ios/12.2SXF/configuration/guide/nde.html

Catalyst 4500 Series Switch IOS NetFlow Configuration Guide

To use the NetFlow feature, you must have the Supervisor Engine V-10GE (the functionality is embedded in the supervisor engine), or the NetFlow Services Card (WS-F4531) and either a Supervisor Engine IV or a Supervisor Engine V.

Verify Daughter Card:

    Switch# show module all
    . cut for brevity
    Mod  Submodule              Model     Serial No.   Hw   Status
    1.   Netflow Services Card  WS-F4531  JAB062209CG  0.2  Ok
    2.   Netflow Services Card  WS-F4531  JAB062209CG  0.2  Ok

Netflow Configuration

In configuration mode on the 4500 issue the following to enable NetFlow Export:

    ip flow ingress
    ip flow ingress infer-fields
    ip flow-export destination xe netflow collector IP address 2055
    ip flow-export source interface (e.g. use a Loopback interface)
    ip flow-export version 5
    ip flow-cache timeout active 1
    ip flow-cache timeout inactive 15
    snmp-server ifindex persist

Validate configuration:

    show ip cache flow
    show ip flow export
    show ip flow

/guide/nfswitch.html

Cisco 3850 NetFlow Configuration

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Cisco Bug Search Tool and the release notes for your platform and software release.

1. Create a Flow Record (specify the fields to export)

A flow record defines the information that NetFlow gathers, such as packets in the flow and the types of counters gathered per flow. You specify a series of “match” and “collect” commands that tell the router which fields to include in the outgoing NetFlow PDU.

The “match” fields are the “key” fields. They are used to determine the uniqueness of the flow. The “collect” fields are just extra info to include to provide more detail to the collector for reporting and analysis.

The fields marked with required below are fields required for StealthWatch to accept and build a flow record.

    sw3850(config)# flow record LANCOPE1
    sw3850(config-flow-record)# description NetFlow record format to send to StealthWatch
    sw3850(config-flow-record)# match datalink mac source address input
    sw3850(config-flow-record)# match datalink mac destination address input
    sw3850(config-flow-record)# match datalink vlan input (key field)
    sw3850(config-flow-record)# match ipv4 ttl (key field; provides pathing info)
    sw3850(config-flow-record)# match ipv4 tos (required; key field)
    sw3850(config-flow-record)# match ipv4 protocol (required; key field)
    sw3850(config-flow-record)# match ipv4 source address (required; key field)
    sw3850(config-flow-record)# match ipv4 destination address (required; key field)
    sw3850(config-flow-record)# match transport source-port (required; key field)
    sw3850(config-flow-record)# match transport destination-port (required; key field)
    sw3850(config-flow-record)# match interface input (required; key field)
    sw3850(config-flow-record)# collect interface output (required; used for computing bps rates)
    sw3850(config-flow-record)# collect counter bytes long (required; used for bps calculation)
    sw3850(config-flow-record)# collect counter packets long (required; used for pps calculation)
    sw3850(config-flow-record)# collect timestamp absolute first (required; for calculating duration)
    sw3850(config-flow-record)# collect timestamp absolute last (required; for duration)

2. Create a Flow Exporter (specify where/how NetFlow is to be sent)

    sw3850(config)#flow exporter NETFLOW TO on Export NetFlow to on fc collector IP address
    sw3850(config-flow-exporter)#source interface (e.g. use a Loopback)
    sw3850(config-flow-exporter)#transport udp 2055

3. Create a Flow Monitor (tie the Flow Record to the Flow Exporter)

    sw3850(config)#flow monitor IPv4 NETFLOW
    sw3850(config-flow-monitor)#record LANCOPE1
    sw3850(config-flow-monitor)#exporter NETFLOW TO STEALTHWATCH
    sw3850(config-flow-monitor)#cache timeout active 60

4. Assign Flow Monitor to selected interfaces

Repeat this step on every interface you are interested in monitoring traffic for.

    sw3850(config)#interface interface (e.g. VLAN1 or g2/1)
    sw3850(config-if)#ip flow monitor IPv4 NETFLOW input

Validate configuration:

    show flow record LANCOPE1
    show flow monitor IPv4 NETFLOW statistics
    show flow monitor IPv4 NETFLOW

tches/lan/catalyst3850/software/release/3.2 0 se/flexible netflow/commandreference/b fnf 32se 3850 cr chapter 010.html
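A consistency check for the four-step Flexible NetFlow procedure above (record, exporter, monitor, interface), as an added example that is not part of the original document or any Cisco tool. It reads a saved configuration and reports required record fields that are missing, exporters without a destination or source, monitors that reference undefined objects or use an active timeout above 60 seconds, and layer-3 interfaces with no input monitor. The sample configuration and every name in it are constructed; treating any interface with an `ip address` line as layer 3 is an assumption.

```python
import re

# Entries this page marks "required" in its flow records, as regex prefixes:
# collect suffixes vary by platform ("bytes long", "sys-uptime"/"absolute").
REQUIRED = [
    r"match ipv4 tos", r"match ipv4 protocol", r"match ipv4 source address",
    r"match ipv4 destination address", r"match transport source-port",
    r"match transport destination-port", r"match interface input",
    r"collect interface output", r"collect counter bytes",
    r"collect counter packets", r"collect timestamp \S+ first",
    r"collect timestamp \S+ last",
]

# Constructed sample config with deliberate gaps; all names are hypothetical.
SAMPLE = """\
flow record REC_A
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
flow exporter EXP_A
 destination 192.0.2.50
 transport udp 2055
flow monitor MON_A
 record REC_A
 exporter EXP_A
 cache timeout active 60
flow monitor MON_B
 record REC_B
 exporter EXP_A
 cache timeout active 1800
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip flow monitor MON_A input
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
"""

def parse_sections(config):
    """Map each top-level config line to the indented lines beneath it."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
    return sections

def named(sections, prefix):
    return {h[len(prefix):]: b for h, b in sections.items() if h.startswith(prefix)}

def audit(config, max_active=60):
    """Return a list of findings; an empty list means the chain is intact."""
    sec = parse_sections(config)
    records, exporters, monitors = (
        named(sec, f"flow {kind} ") for kind in ("record", "exporter", "monitor"))
    out = []
    for name, body in records.items():
        out += [f"record {name}: no '{p}' entry" for p in REQUIRED
                if not any(re.match(p, line) for line in body)]
    for name, body in exporters.items():
        out += [f"exporter {name}: no {kw} configured"
                for kw in ("destination", "source")
                if not any(line.startswith(kw + " ") for line in body)]
    for name, body in monitors.items():
        refs = dict(l.split(None, 1) for l in body
                    if l.startswith(("record ", "exporter ")))
        rec, exp = refs.get("record"), refs.get("exporter")
        if rec not in records and rec != "netflow-original":  # predefined record
            out.append(f"monitor {name}: record {rec} is not defined")
        if exp not in exporters:
            out.append(f"monitor {name}: exporter {exp} is not defined")
        active = re.search(r"^cache timeout active (\d+)$", "\n".join(body), re.M)
        if active and int(active.group(1)) > max_active:
            out.append(f"monitor {name}: active timeout "
                       f"{active.group(1)}s exceeds {max_active}s")
    for name, body in named(sec, "interface ").items():
        if not any(line.startswith("ip address ") for line in body):
            continue  # no IP address: not a layer-3 interface
        bound = [l.split()[3] for l in body
                 if re.fullmatch(r"ip flow monitor \S+ input", l)]
        if not bound:
            out.append(f"interface {name}: layer-3 interface has no input flow monitor")
        out += [f"interface {name}: monitor {m} is not defined"
                for m in bound if m not in monitors]
    return out

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```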

Cisco 3560X & 3750X NetFlow Configuration

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Cisco Bug Search Tool and the release notes for your platform and software release.

Flexible NetFlow is supported on Catalyst 3560-X and 3750-X (Cat3k-X) Series Switches on the 10GE Service Module. Previously unsupported on the platform, the service module can enable hardware-supported, line-rate NetFlow on all traffic that traverses the module.

1. Create a Flow Record (specify the fields to export)

A flow record defines the information that NetFlow gathers, such as packets in the flow and the types of counters gathered per flow. You specify a series of “match” and “collect” commands that tell the router which fields to include in the outgoing NetFlow PDU.

The “match” fields are the “key” fields. They are used to determine the uniqueness of the flow. The “collect” fields are just extra info to include to provide more detail to the collector for reporting and analysis.

The fields marked with required below are fields required for StealthWatch to accept and build a flow record.

    sw3X50(config)# flow record LANCOPE1
    sw3X50(config-flow-record)# description NetFlow record format to send to StealthWatch
    sw3X50(config-flow-record)# match datalink mac source address input
    sw3X50(config-flow-record)# match datalink mac destination address input
    sw3X50(config-flow-record)# match ipv4 ttl (key field; provides pathing info)
    sw3X50(config-flow-record)# match ipv4 tos (required; key field)
    sw3X50(config-flow-record)# match ipv4 protocol (required; key field)
    sw3X50(config-flow-record)# match ipv4 source address (required; key field)
    sw3X50(config-flow-record)# match ipv4 destination address (required; key field)
    sw3X50(config-flow-record)# match transport source-port (required; key field)
    sw3X50(config-flow-record)# match transport destination-port (required; key field)
    sw3X50(config-flow-record)# collect interface input snmp (required; key field)
    sw3X50(config-flow-record)# collect interface output snmp (required)
    sw3X50(config-flow-record)# collect counter bytes (required; used for bps calculation)
    sw3X50(config-flow-record)# collect counter packets (required; used for pps calculation)
    sw3X50(config-flow-record)# collect timestamp sys-uptime first (required; for duration)
    sw3X50(config-flow-record)# collect timestamp sys-uptime last (required; for duration)

2. Create a Flow Exporter (specify where/how NetFlow is to be sent)

    sw3x50(config)#flow exporter NETFLOW TO on Export NetFlow to on fc collector IP address
    sw3x50(config-flow-exporter)#source interface (e.g. use a Loopback)
    sw3x50(config-flow-exporter)#transport udp 2055

3. Create a Flow Monitor (tie the Flow Record to the Flow Exporter)

    sw3x50(config)#flow monitor IPv4 NETFLOW
    sw3x50(config-flow-monitor)#record LANCOPE1
    sw3x50(config-flow-monitor)#exporter NETFLOW TO STEALTHWATCH
    sw3x50(config-flow-monitor)#cache timeout active 60

4. Assign Flow Monitor to selected interfaces

Repeat this step on every interface you are interested in monitoring traffic for.

    sw3x50(config)#interface interface (e.g. VLAN1 or g2/1)
    sw3x50(config-if)#ip flow monitor IPv4 NETFLOW input

Validate configuration:

    show flow record LANCOPE1
    show flow monitor IPv4 NETFLOW statistics
    show flow monitor IPv4 NETFLOW

lateral/switches/ps5718/ps10745/white paper c11691508 ps10744 Products White Paper.html

Cisco Nexus 7000 NetFlow Configuration - using netflow-original

The Cisco Nexus 7000 switch runs Cisco NX-OS operating system. Configuring Netflow is a little different than in traditional IOS devices. Follow the below 5 steps to enable Netflow monitoring.

1. Enable Netflow Feature and set timeouts

    switch(config)#feature netflow
    switch(config)#flow timeout active 60
    switch(config)#flow timeout inactive 15

2. Create a Flow Record (specify the fields to export)

We will use the Nexus predefined record of “netflow-original” for this configuration. See Creating a Flow Record section of appendix for creating a custom flow record.

3. Create a Flow Exporter (specify where/how NetFlow is to be sent)

    switch(config)#flow exporter netflow to on Export NetFlow to on xe collector IP address
    switch(config-flow-exporter)#source interface (e.g. use a Loopback)
    switch(config-flow-exporter)#transport udp 2055
    switch(config-flow-exporter)#version 9

4. Create a Flow Monitor (tie the Flow Record to the Flow Exporter)

    switch(config)#flow monitor standard v9netflow
    switch(config-flow-monitor)#record er netflow to stealthwatch

5. Assign Flow Monitor to selected interfaces

Repeat this step on every interface you are interested in monitoring traffic for.

    switch(config)#interface interface (e.g. VLAN1 or g2/1)
    switch(config-if)#ip flow monitor standard v9netflow input

Validate configuration:

    show flow record netflow-original
    show flow monitor standard v9netflow statistics
    show flow monitor standard v9netflow

tches/datacenter/sw/4 0/nx-os/system management/configuration/guide/sm netflow.html

Cisco Nexus 1000v NetFlow Configuration - using netflow-original

The Cisco Nexus 1000v switch is a virtual switch that runs Cisco NX-OS. Configuring Netflow is a little different than in traditional IOS devices. Follow the below 4 steps to enable Netflow monitoring.

1. Create a Flow Record (specify the fields to export)

We will use the Nexus predefined record of “netflow-original” for this configuration. See Creating a Flow Record section of appendix for creating a custom flow record.

2. Create a Flow Exporter (specify where/how NetFlow is to be sent)

    n1000v(config)#flow exporter netflow to on Export NetFlow to on xe collector IP address
    n1000v(config-flow-exporter)#source mgmt 0
    n1000v(config-flow-exporter)#transport udp 2055
    n1000v(config-flow-exporter)#version 9

3. Create a Flow Monitor (tie the Flow Record to the Flow Exporter)

    n1000v(config)#flow monitor standard v9netflow
    n1000v(config-flow-monitor)#record er netflow to stealthwatch
    n1000v(config-flow-monitor)#timeout active 60
    n1000v(config-flow-monitor)#timeout inactive 15

4. Assign Flow Monitor to selected interfaces

Repeat this step on every interface you are interested in monitoring traffic for.

    n1000v(config)#interface interface (e.g. VLAN1 or g2/1)
    n1000v(config-if)#ip flow monitor standard v9netflow input

Validate configuration:

    show flow record netflow-original
    show flow monitor standard v9netflow statistics
    show flow monitor standard v9netflow

tches/datacenter/nexus1000/sw/4 0/system management/configuration/guide/system 9flow.html

Cisco ASR 1000 NetFlow Configuration

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Cisco Bug Search Tool and the release notes for your platform and software release.

Flexible NetFlow is supported on Catalyst 3560-X and 3750-X (Cat3k-X) Series Switches on the 10GE Service Module. Previously unsupported on the platform, the service module can enable hardware-supported, line-rate NetFlow on all traffic that traverses the module.

1. Create a Flow Record (specify the fields to export)

A flow record defines the information that NetFlow gathers, such as packets in the flow and the types of counters gathered per flow. You specify a series of “match” and “collect” commands that tell the router which fields to include in the outgoing NetFlow PDU.

The “match” fields are the “key” fields. They are used to determine the uniqueness of the flow. The “collect” fields are just extra info to include to provide more detail to the collector for reporting and analysis.

The fields marked with required below are fields required for StealthWatch to accept and build a flow record.

    asr1k(config)# flow record LANCOPE1
    asr1k(config-flow-record)#match ipv4 protocol (required; key field)
    asr1k(config-flow-record)#match ipv4 source address (required; key field)
    asr1k(config-flow-record)#match ipv4 destination address (required; key field)
    asr1k(config-flow-record)#match transport source-port (required; key field)
    asr1k(config-flow-record)#match transport destination-port (required; key field)
    asr1k(config-flow-record)#match interface input (required; key field)
    asr1k(config-flow-record)#match ipv4 tos (required; key field)
    asr1k(config-flow-record)#collect interface output (required; used for computing bps rates)
    asr1k(config-flow-record)#collect counter bytes (required; used for bps calculation)
    asr1k(config-flow-record)#collect counter packets (required; used for pps calculation)
    asr1k(config-flow-record)#collect timestamp sys-uptime first (required; for calculating duration)
    asr1k(config-flow-record)#collect timestamp sys-uptime last (required; for calculating duration)
    asr1k(config-flow-record)#collect flow sampler (optional; used to obtain sampling rate)
    asr1k(config-flow-record)#collect routing next-hop address ipv4 (optional; used for closest interface determination)
    asr1k(config-flow-record)#collect ipv4 dscp (optional; used to generate QoS reports)
    asr1k(config-flow-record)#collect ipv4 ttl minimum (optional; provides pathing info)
    asr1k(config-flow-record)#collect ipv4 ttl maximum (optional; provides pathing info)
    asr1k(config-flow-record)#collect transport tcp flags (optional; security analysis)
    asr1k(config-flow-record)#collect routing destination as (optional; enable if you use BGP)

6. Create a Flow Exporter (specify where/how NetFlow is to be sent)

    asr1k(config)#flow exporter NETFLOW TO n Export NetFlow to n fc collector IP address
    asr1k(config-flow-exporter)#source interface (e.g. use a Loopback)
    asr1k(config-flow-exporter)#transport udp 2055
    asr1k(config-flow-exporter)#version 9

7. Create a Flow Monitor (tie the Flow Record to the Flow Exporter)

    asr1k(config)#flow monitor IPv4 NETFLOW
    asr1k(config-flow-monitor)#record LANCOPE1
    asr1k(config-flow-monitor)#exporter NETFLOW TO STEALTHWATCH
    asr1k(config-flow-monitor)#cache timeout active 60
    asr1k(config-flow-monitor)#cache timeout inactive 15

8. Assign Flow Monitor to selected interfaces

Repeat this step on every interface you are interested in monitoring traffic for.

    asr1k(config)#interface interface (e.g. VLAN1 or g2/1)
    asr1k(config-if)#ip flow monitor IPv4 NETFLOW input

If the ASR is being used for NAT and you would like to log the NAT translations within StealthWatch, run the following command:

    ip nat log translations flow-export v9 udp destination X.X.X.X YYYY

Where X.X.X.X is the FlowCollector IP and YYYY is the configured NetFlow Export port.

Validate configuration:

    show flow record LANCOPE1
    show flow monitor IPv4 NETFLOW statistics
    show flow monitor IPv4 NETFLOW

-avc-xe.html

Cisco ASR 9000 NetFlow Configuration

Consider the following restrictions when configuring NetFlow in Cisco IOS XR software:

- You must configure a source interface. If you do not configure a source interface, the exporter will remain in a disabled state.
- Cisco IOS XR software supports export format Version 9 only.
- You must configure a valid record map name for every flow monitor map.

Please refer to the below reference link for detailed steps. The ASR9000 can sample flow export; Lancope recommends export 1:1 where possible for 100% visibility and accounting. This will be specific to the environment being deployed in.

1. Configuring an Exporter Map

    router(config)# flow exporter-map FLOW TO SW
    router(config- FLOW TO SW)# destination xe collector IP address
    router(config- FLOW TO SW)# source interface (e.g. use a Loopback)
    router(config- FLOW TO SW)# transport udp 2055
    router(config- FLOW TO SW)# version v9

2. Configuring a Monitor Map

    router(config)# flow monitor-map IPv4 NETFLOW
    router(config- IPv4 NETFLOW)# record ipv4
    router(config- IPv4 NETFLOW)# cache timeout active 60
    router(config- IPv4 NETFLOW)# cache timeout inactive 15
    router(config- IPv4 NETFLOW)# exporter FLOW TO SW

3. Applying a Monitor Map to an Interface

    router(config)# interface interface (e.g. gigabitEthernet 0/0/0/0)
    router(config-if)# flow ipv4 monitor IPv4 NETFLOW ingress

Validate configuration:

    show flow exporter-map FLOW TO SW
    show flow monitor-map IPv4

outers/asr9000/software/asr9k

IPv6 NetFlow Export

Review the below reference links for detailed understanding of IPv6 NetFlow export.

In configuration mode issue the following to enable NetFlow Export:

    ipv6 flow-export destination xe netflow collector IP address 2055
    ip flow-export source interface (e.g. use a Loopback interface)
    ipv6 flow-export version 9
    ipv6 flow-cache timeout active 1
    ipv6 flow-cache timeout inactive 15
    snmp-server ifindex persist

Enable NetFlow on each layer-3 interface you are interested in monitoring traffic for:

    interface interface
     ipv6 flow ingress

Optional:

    ipv6 flow-export version 9 origin-as (to include BGP origin AS)

Validate configuration:

    show ip cache

ration/guide/nfv9 ipv6.html

Appendix: Creating a Flow Record & Various Show Commands

Creating a Flow Record

A flow record defines the information that NetFlow gathers, such as packets in the flow and the types of counters gathered per flow. If you would like to build a custom flow record outside of the predefined “netflow-original”, you would specify a series of “match” and “collect” commands that tell the router which fields to include in the outgoing NetFlow PDU.

The “match” fields are the “key” fields. They are used to determine the uniqueness of the flow. The “collect” fields are just extra info that we include to provide more detail to the collector for reporting and analysis.

You don’t want to modify the “match” fields much. The seven match entries shown below should always be included in your FnF config. The “collect” fields however can vary quite a bit depending on how much info you want to send to the collector. The configuration listed below is recommended for all StealthWatch installations.

The fields marked with required below are fields required for StealthWatch to accept and build a flow record.

    switch(config)#flow record LANCOPE1
    switch(config-flow-record)#match ipv4 protocol (required; key field)
    switch(config-flow-record)#match ipv4 source address (required; key field)
    switch(config-flow-record)#match ipv4 destination address (required; key field)
    switch(config-flow-record)#match transport source-port (required; key field)
    switch(config-flow-record)#match transport destination-port (required; key field)
    switch(config-flow-record)#match interface input (required; key field)
    switch(config-flow-record)#match ipv4 tos (required; key field)
    switch(config-flow-record)#collect interface output (required; used for computing bps rates)
    switch(config-flow-record)#collect counter bytes (required; used for bps calculation)
    switch(config-flow-record)#collect counter packets (required; used for pps calculation)
    switch(config-flow-record)#collect timestamp sys-uptime first (required; for calculating duration)
    switch(config-flow-record)#collect timestamp sys-uptime last (required; for calculating duration)
    switch(config-flow-record)#collect routing next-hop address ipv4 (optional; used for closest interface)
    switch(config-flow-record)#collect ipv4 dscp (optional; used to generate QoS reports)
    switch(config-flow-record)#collect ipv4 ttl minimum (optional; provides pathing info)
    switch(config-flow-record)#collect ipv4 ttl maximum (optional; provides pathing info)
    switch(config-flow-record)#collect tran
