Cisco NetFlow Configuration

Best Practice / Highlights


• NetFlow configuration varies slightly per hardware model.
• Set the active timeout to 1 minute. "ip flow-cache timeout active" is the interval at which
NetFlow records are exported for long-lived flows (e.g. a large FTP transfer) that are still
in the cache. 1 minute is recommended; the value is given in minutes in IOS and in seconds
for MLS (Catalyst 6500/7600) and NX-OS.
• Catalyst 6500/7600 require enabling NetFlow export on both the MSFC (software-switched
traffic) and the PFC (hardware-switched traffic); either one alone gives partial visibility.
• The following command captures NetFlow for traffic bridged within the same VLAN on
Catalyst 6500/7600: ip flow ingress layer2-switched vlan {vlanlist}


• Traditional NetFlow identifies a flow by 7 key fields:
• Source IP address
• Destination IP address
• Source port number
• Destination port number
• Layer 3 protocol type (ex. TCP, UDP)
• ToS (type of service) byte
• Input logical interface
If any one of these fields differs, a new flow is created in the flow cache.
• Enable NetFlow on EVERY layer-3 interface for complete visibility. With ip flow ingress on
every interface each transit flow is seen once, on the interface where it enters; do not also
enable egress accounting on those interfaces or transit traffic is counted twice.
• It is best practice to use a NetFlow "source interface" that never goes down, such as a
loopback interface, so the collector always sees the same exporter address.
• A "flow record" within Flexible NetFlow (as used in NX-OS) defines the key fields NetFlow
uses to identify the packets of a flow, plus the other (non-key) fields of interest that
NetFlow gathers for the flow.
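As an added example (not part of this guide and not Cisco code), the following Python script models how the traditional NetFlow cache keys packets on the seven fields above and how the active and inactive timeouts decide when a record is exported. The traffic (a 130-second FTP session on port 21 at one packet per second, a single DNS query, and one FTP packet that differs only in the ToS byte) is constructed for the example; the timeout values are the ones recommended above.

```python
"""
Added example, not from the Cisco guide: a minimal model of the traditional
NetFlow flow cache. Packets are keyed on the seven NetFlow key fields and
entries are exported when they hit the active timeout (1 minute, as set by
"ip flow-cache timeout active 1") or the inactive timeout (15 seconds, as set
by "ip flow-cache timeout inactive 15"). All traffic below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The seven key fields of traditional NetFlow, in the order the guide lists them.
KEY_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto", "tos", "in_ifindex")


@dataclass
class Packet:
    ts: float            # arrival time, seconds
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int           # 6 = TCP, 17 = UDP
    tos: int
    in_ifindex: int      # input logical interface (ifIndex)
    length: int          # bytes


@dataclass
class FlowEntry:
    key: tuple
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    exported_at: Optional[float] = None


class FlowCache:
    def __init__(self, active_timeout_min: int = 1, inactive_timeout_s: int = 15):
        # IOS takes the active timeout in minutes (MLS/NX-OS use seconds); keep both in seconds.
        self.active_s = active_timeout_min * 60
        self.inactive_s = inactive_timeout_s
        self.cache: Dict[tuple, FlowEntry] = {}
        self.exported: List[FlowEntry] = []

    def _expire(self, now: float) -> None:
        # Export entries that have lived for the active timeout (long-lived flows are
        # reported periodically) or have been idle for the inactive timeout.
        for key in list(self.cache):
            e = self.cache[key]
            if now - e.first >= self.active_s or now - e.last >= self.inactive_s:
                e.exported_at = now
                self.exported.append(self.cache.pop(key))

    def add(self, pkt: Packet) -> None:
        self._expire(pkt.ts)
        key = tuple(getattr(pkt, f) for f in KEY_FIELDS)
        entry = self.cache.get(key)
        if entry is None:                      # any differing key field => a new flow
            entry = FlowEntry(key=key, first=pkt.ts, last=pkt.ts)
            self.cache[key] = entry
        entry.last = pkt.ts
        entry.packets += 1
        entry.octets += pkt.length

    def flush(self, now: float) -> None:
        """Expire whatever is left; a real router keeps scanning the cache over time."""
        self._expire(now)


def run_demo() -> dict:
    """Constructed traffic: a 130-second FTP session (one packet per second), a single
    DNS query, and one FTP packet that differs only in the ToS byte."""
    cache = FlowCache(active_timeout_min=1, inactive_timeout_s=15)
    ftp = dict(src_ip="10.0.0.1", dst_ip="10.0.0.2", src_port=4000, dst_port=21,
               proto=6, tos=0, in_ifindex=3, length=1500)
    dns = dict(src_ip="10.0.0.1", dst_ip="10.0.0.53", src_port=53001, dst_port=53,
               proto=17, tos=0, in_ifindex=3, length=80)
    packets = [Packet(ts=float(t), **ftp) for t in range(131)]
    packets.append(Packet(ts=5.0, **dns))
    packets.append(Packet(ts=130.5, **{**ftp, "tos": 0x10}))
    for pkt in sorted(packets, key=lambda p: p.ts):   # stable sort keeps arrival order
        cache.add(pkt)
    cache.flush(now=200.0)
    dns_entry = next(e for e in cache.exported if e.key[3] == 53)
    ftp_exports = [e for e in cache.exported if e.key[3] == 21 and e.key[5] == 0]
    return {
        "distinct_flows": len({e.key for e in cache.exported}),
        "dns_exported_at": dns_entry.exported_at,               # 5 s arrival + 15 s inactive
        "ftp_packet_counts": [e.packets for e in ftp_exports],  # split at each 60 s active timeout
        "first_ftp_octets": ftp_exports[0].octets,
        "cache_left": len(cache.cache),
    }


if __name__ == "__main__":
    print(run_demo())
```

The FTP session is reported as three records (60, 60 and 11 packets) because the active timeout cuts it every minute, the DNS query is exported 15 seconds after its only packet, and the ToS-only change creates a third distinct flow.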

Cisco IOS NetFlow Configuration Guide
Netflow Configuration
In configuration mode issue the following to enable NetFlow Export:
ip flow-export destination <xe_netflow_collector_IP_address> 2055 → (2055 is the collector's UDP port)
ip flow-export source <interface> → (e.g. use a Loopback interface that never goes down)
ip flow-export version 9 → (if the IOS image does not accept version 9, use version 5)
ip flow-cache timeout active 1 → (minutes; long-lived flows are exported every minute)
ip flow-cache timeout inactive 15 → (seconds; idle flows are exported after 15 seconds)
snmp-server ifindex persist → (keeps ifIndex values, and so the interface numbers in exported records, stable across reloads)
Enable NetFlow on each layer-3 interface you are interested in monitoring traffic for:
interface <interface>
ip flow ingress
Optional:
ip flow-export version 9 origin-as → (to include the BGP origin AS in the records)
ip flow-capture mac-addresses → (adds MAC addresses to the records; view with show ip cache verbose flow)
ip flow-capture vlan-id → (adds the VLAN ID to the records; also shown by show ip cache verbose flow)
Note: If your router is running a version of Cisco IOS prior to releases 12.2(14)S,
12.0(22)S, or 12.2(15)T the ip route-cache flow command is used to enable NetFlow
on an interface. If your router is running Cisco IOS release 12.2(14)S, 12.0(22)S,
12.2(15)T, or later the ip flow ingress command is used to enable NetFlow on an
interface.
Validate configuration:
show ip cache flow
show ip flow export
show ip flow interface
show ip flow export template
Reference:
http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/12_2sr/nf_12_2sr_book.html
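As an added example (not part of this guide and not Cisco code), the following Python script parses the NetFlow version 9 export format that "ip flow-export version 9" selects, including the template flowset that "show ip flow export template" displays on the router. The packet is constructed inside the script with field types from RFC 3954; a collector listening on UDP 2055 receives packets of this shape from the router. It also shows the failure mode a collector must handle: data flowsets that arrive before the template describing them cannot be decoded until the template is seen.

```python
"""
Added example, not from the Cisco guide: a minimal parser for NetFlow version 9
export packets (the format chosen by "ip flow-export version 9"). It reads the
packet header, learns templates from the template flowset, and decodes data
flowsets with the learned template, which is what a collector on UDP 2055 must
do. The sample packet is constructed here; field type numbers follow RFC 3954.
"""
import socket
import struct
from typing import Dict, List, Optional, Tuple

# RFC 3954 field types used in the constructed template.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 5: "src_tos", 7: "l4_src_port",
               8: "ipv4_src_addr", 10: "input_snmp", 11: "l4_dst_port", 12: "ipv4_dst_addr"}
IPV4_FIELDS = {8, 12}
TEMPLATE_FIELDS = [(1, 4), (2, 4), (4, 1), (5, 1), (7, 2), (8, 4), (10, 2), (11, 2), (12, 4)]
TemplateTable = Dict[Tuple[int, int], List[Tuple[int, int]]]


def build_sample_packet() -> bytes:
    """Constructed v9 packet: header, one template (id 256), one data flowset with two records."""
    tmpl = struct.pack("!HH", 256, len(TEMPLATE_FIELDS))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
    template_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl      # flowset id 0 = template

    def rec(in_bytes, in_pkts, proto, tos, sport, src, inp, dport, dst):
        return struct.pack("!IIBBH4sHH4s", in_bytes, in_pkts, proto, tos, sport,
                           socket.inet_aton(src), inp, dport, socket.inet_aton(dst))

    records = rec(90000, 60, 6, 0, 4000, "10.0.0.1", 3, 21, "10.0.0.2")
    records += rec(80, 1, 17, 0, 53001, "10.0.0.1", 3, 53, "10.0.0.53")
    data_set = struct.pack("!HH", 256, 4 + len(records)) + records   # flowset id = template id
    # Header: version, record count (1 template + 2 data), sysUptime, unix secs, sequence, source id.
    header = struct.pack("!HHIIII", 9, 3, 123456, 1700000000, 1, 0)
    return header + template_set + data_set


def parse_v9(packet: bytes, templates: Optional[TemplateTable] = None) -> dict:
    """Parse one export packet. `templates` persists learned templates across packets,
    keyed by (source_id, template_id), because data may arrive before its template
    (the router only resends templates periodically); such flowsets are counted, not decoded."""
    templates = {} if templates is None else templates
    if len(packet) < 20:
        raise ValueError("packet shorter than the v9 header")
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records: List[dict] = []
    undecodable = 0
    off = 20
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack("!HH", packet[off:off + 4])
        if set_len < 4 or off + set_len > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[off + 4:off + set_len]
        if set_id == 0:                               # template flowset, may carry several templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if p + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                spec = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = spec
        elif set_id >= 256:                           # data flowset
            spec = templates.get((source_id, set_id))
            rec_len = sum(l for _, l in spec) if spec else 0
            if rec_len == 0:
                undecodable += 1                      # template not (yet) known for this source
            else:
                p = 0
                while p + rec_len <= len(body):       # leftover bytes are padding
                    rec, q = {}, p
                    for ftype, flen in spec:
                        raw = body[q:q + flen]
                        q += flen
                        name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                        rec[name] = socket.inet_ntoa(raw) if ftype in IPV4_FIELDS else int.from_bytes(raw, "big")
                    records.append(rec)
                    p += rec_len
        off += set_len                                # ids 1..255 are reserved (1 = options template)
    return {"sequence": seq, "source_id": source_id, "records": records, "undecodable_sets": undecodable}


def demo() -> Tuple[int, int, int]:
    """Returns (records decoded from the full packet, records decoded when the data
    flowset arrives before any template, records decoded once the template is retained)."""
    pkt = build_sample_packet()
    data_only = pkt[:20] + pkt[64:]                   # drop the 44-byte template flowset
    table: TemplateTable = {}
    cold = parse_v9(data_only, table)                 # collector has not seen the template yet
    warm = parse_v9(pkt, table)                       # template learned and applied
    again = parse_v9(data_only, table)                # decodable from the retained template
    return len(warm["records"]), len(cold["records"]), len(again["records"])
```

Templates are keyed per source ID because a Catalyst 6500/7600 exporting from both the MSFC and the PFC, or several exporters behind the same address, may reuse template IDs; a collector that keys on template ID alone can decode one exporter's data with another's layout.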

Catalyst 6500/7600 Native IOS NetFlow Configuration:

In configuration mode issue the following to enable NetFlow Data Export (NDE) from the PFC and
NetFlow export from the MSFC:
mls nde sender version 5 → (export version for hardware-switched PFC flows)
mls aging long 64 → (seconds; hardware counterpart of the active timeout)
mls aging normal 32 → (seconds; hardware counterpart of the inactive timeout)
mls nde interface → (populate input/output interface fields in the NDE records)
mls flow ip interface-full → (full flow mask so hardware flows carry ports and input interface)
ip flow ingress layer2-switched vlan {vlanlist} → (also export flows bridged within the listed VLANs)
ip flow-export destination <xe_netflow_collector_IP_address> 2055
ip flow-export source <interface> → (e.g. use a Loopback interface)
ip flow-export version 9 → (export version for software-switched MSFC flows; if version 9 does not take, use version 5)
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
snmp-server ifindex persist
Enable NetFlow on each layer-3 interface you are interested in monitoring traffic for:
interface <interface>
ip flow ingress
Optional:
ip flow-capture mac-addresses
ip flow-capture vlan-id
Hybrid / CatOS NetFlow Configuration:
set mls nde <xe_address> 2055
set mls nde version 5
set mls agingtime long 64 → (seconds)
set mls agingtime 32 → (seconds)
set mls flow full
set mls bridged-flow-statistics enable <vlanlist>
set mls nde enable
Validate configuration:
show ip cache flow
show ip flow export
show ip flow export template
show mls nde → (PFC export status; in hybrid mode run this on the CatOS supervisor and the show ip commands on the MSFC)
Reference:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/nde.html