Tuesday, August 3, 2010

Configuring Cisco IOS NetFlow and NetFlow Data Export

NetFlow is an application that runs independently on internetworking devices and has no impact on other device operation. It provides statistics on the packets flowing through Cisco devices. There are some prerequisites for configuring this application on a Cisco router:

1. IP routing must be configured
2. CEF, fast switching, or distributed CEF: any one of these must be configured
3. The router must have sufficient resources, as this application consumes more memory

Step-by-Step Procedure

1. enable
2. configure terminal
3. ip flow-export destination [destination address] [UDP port] (Optional)
4. ip flow-export version 9 (Optional)
5. interface [interface type] [interface number]
6. ip flow [ingress | egress]
7. exit
8. end

Each step is described in detail below:

1. Enter privileged EXEC mode. Enter your password if prompted.

My-Router > enable

2. Enter global configuration mode by entering the following command:

My-Router # configure terminal

3. (Optional) Specify the IP address or hostname of the workstation to which you want to send your NetFlow traffic, followed by the UDP port on which that workstation listens. The workstation runs a collector application such as NetFlow Collection Engine (NFC).

My-Router (config) # ip flow-export destination 192.168.1.1 [udp-port]

4. (Optional) Enable the export of information in NetFlow cache entries. The version 9 keyword specifies that the export packets follow the version 9 format.

My-Router (config) # ip flow-export version 9

5. Specify the interface on which you want to enable NetFlow:

My-Router (config) # interface serial 2/0

6. Enable NetFlow on the interface. Ingress captures traffic that is received by the interface; egress captures traffic that is being transmitted by the interface.

My-Router (config) # interface serial 2/0
My-Router (config-if) # ip flow [ingress | egress]

7. (Optional) Exit global configuration mode:

My-Router (config) # exit
My-Router #
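To confirm on the collector side that the version 9 export configured above arrives and decodes, the following added example (not part of the original post) parses a NetFlow v9 export packet as laid out in RFC 3954. The function names and the sample packet are constructed for illustration; in practice the bytes come from the UDP socket the collector listens on, and templates are kept per exporter.

```python
import socket
import struct

FIELDS = {2: "packets", 4: "protocol", 7: "src_port", 8: "src_ip", 11: "dst_port", 12: "dst_ip"}

def build_sample():
    """Constructed v9 packet (not a capture): template 256 plus one data record."""
    spec = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (2, 4)]  # (field type, length)
    tmpl = struct.pack("!HH", 256, len(spec))
    tmpl += b"".join(struct.pack("!HH", t, n) for t, n in spec)
    rec = socket.inet_aton("10.10.1.1") + socket.inet_aton("172.16.11.5")
    rec += struct.pack("!BHHI", 17, 0x43, 0x43, 51)
    rec += b"\x00" * (-len(rec) % 4)  # pad the FlowSet to a 32-bit boundary
    sets = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    sets += struct.pack("!HH", 256, 4 + len(rec)) + rec
    return struct.pack("!HHIIII", 9, 2, 1000, 1280793600, 1, 0) + sets

def parse_v9(packet, templates):
    """Decode one export packet; `templates` persists between packets."""
    if len(packet) < 20 or packet[:2] != b"\x00\x09":
        raise ValueError("not a NetFlow v9 packet")
    _, count, _, _, seq, source_id = struct.unpack_from("!HHIIII", packet)
    flows, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed FlowSet length")
        body, pos = packet[off + 4:off + fs_len], 0
        if fs_id == 0:  # template FlowSet: template ID, field count, field specs
            while pos + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                end = pos + 4 + 4 * n
                if end > len(body):
                    raise ValueError("truncated template")
                templates[tid] = list(struct.iter_unpack("!HH", body[pos + 4:end]))
                pos = end
        elif templates.get(fs_id):  # data FlowSet with a known, non-empty template
            size = sum(n for _, n in templates[fs_id])
            while size and pos + size <= len(body):
                rec = {}
                for ftype, n in templates[fs_id]:
                    raw, pos = body[pos:pos + n], pos + n
                    if ftype in (8, 12) and n == 4:
                        rec[FIELDS[ftype]] = socket.inet_ntoa(raw)
                    elif ftype in FIELDS:
                        rec[FIELDS[ftype]] = int.from_bytes(raw, "big")
                flows.append(rec)
        off += fs_len
    return {"count": count, "sequence": seq, "source_id": source_id}, flows
```

Data FlowSets that arrive before their template are skipped, so a collector that has just started shows no flows until the router resends its templates.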

Verification:

To verify that NetFlow is working properly, issue the following commands:

1. show ip flow interface

This command displays the NetFlow configuration for an interface. The following is sample output from this command:

My-Router# show ip flow interface
Serial 2/0
ip flow ingress


2. show ip cache flow

This command is used to verify that NetFlow is operational and to display a summary of the NetFlow statistics. The following is sample output from this command:

My-Router# show ip cache flow

IP packet size distribution (1103746 total packets):
1-32 64   96   128  160  192  224  256  288  320  352  384  416  448  480
.249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512  544  576  1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
  35 active, 4061 inactive, 980 added
  2921778 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
  0 active, 1024 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-FTP            108      0.0      1133    40      2.4    1799.6       0.9
TCP-FTPD           108      0.0      1133    40      2.4    1799.6       0.9
TCP-WWW             54      0.0      1133    40      1.2    1799.6       0.8
TCP-SMTP            54      0.0      1133    40      1.2    1799.6       0.8
TCP-BGP             27      0.0      1133    40      0.6    1799.6       0.7
TCP-NNTP            27      0.0      1133    40      0.6    1799.6       0.7
TCP-other          297      0.0      1133    40      6.8    1799.7       0.8
UDP-TFTP            27      0.0      1133    28      0.6    1799.6       1.0
UDP-other          108      0.0      1417    28      3.1    1799.6       0.9
ICMP               135      0.0      1133   427      3.1    1799.6       0.8
Total:             945      0.0      1166    91     22.4    1799.6       0.8
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         192.168.5.9     Et1/0.1       172.16.10.200   01 0000 0C01    51
Et0/0         10.10.1.1       Null          172.16.11.5     11 0043 0043    51
Et0/0         10.10.1.1       Null          172.16.11.5     11 0045 0045    51
Et0/0 10.10.1.1 Null 172.16.11.5 11 0045 0045 51


3. show ip cache verbose flow

Use this command to verify that NetFlow is operational and to display a detailed summary of the NetFlow statistics. The following is sample output from this command:

My-Router # show ip cache verbose flow

IP packet size distribution (1130681 total packets):
1-32 64   96   128  160  192  224  256  288  320  352  384  416  448  480
.249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512  544  576  1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
  35 active, 4061 inactive, 980 added
  2992518 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
  0 active, 1024 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-FTP            108      0.0      1133    40      2.4    1799.6       0.9
TCP-FTPD           108      0.0      1133    40      2.4    1799.6       0.9
TCP-WWW             54      0.0      1133    40      1.2    1799.6       0.8
TCP-SMTP            54      0.0      1133    40      1.2    1799.6       0.8
TCP-BGP             27      0.0      1133    40      0.6    1799.6       0.7
TCP-NNTP            27      0.0      1133    40      0.6    1799.6       0.7
TCP-other          297      0.0      1133    40      6.6    1799.7       0.8
UDP-TFTP            27      0.0      1133    28      0.6    1799.6       1.0
UDP-other          108      0.0      1417    28      3.0    1799.6       0.9
ICMP               135      0.0      1133   427      3.0    1799.6       0.8
Total:             945      0.0      1166    91     21.9    1799.6       0.8
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Et0/0          192.168.5.9     Et1/0.1        172.16.10.200   01 00  10     799
0000 /0  0                     0C01 /0  0     0.0.0.0                28  1258.1
Et0/0          10.10.1.1       Null           172.16.11.5     11 00  10     799
0043 /0  0                     0043 /0  0     0.0.0.0                28  1258.0
Et0/0          10.10.1.1       Null           172.16.11.5     11 00  10     799
0045 /0  0                     0045 /0  0     0.0.0.0                28  1258.0
Et0/0          10.24.3.1       Et1/0.1        172.16.10.2     01 00  10     799
0000 /0  0                     0800 /0  0     0.0.0.0                28  1258.1
Et0/0          10.10.1.1       Null           172.16.11.6     11 00  10     799
0044 /0  0                     0044 /0  0     0.0.0.0                28  1258.1

3 comments:

Anonymous said...

Hello Sohail,

Thank you for spreading the word about NetFlow. Maybe your next post will be about Flexible NetFlow?

Please consider Scrutinizer for NetFlow and sFlow collection and reporting.

Sincerely,

Jake
www.plixer.com

Anonymous said...

I would like to exchange links with your site sohailpk.blogspot.com
Is this possible?

Sohail Akhtar said...

@Anonymous
Yes, of course you can exchange links