Netflow - Cisco 871w

The NetFlow config free tool won't work with all platforms. You can manually config Netflow for the 871 by entering this at the indicated levels.

(config) ip flow-export destination {hostname|ip_address} 2055

(config) ip flow-export version 5

(config-if) ip route-cache flow

Here is a snippet of one of our routers that has the NetFlow feature set.

I would think that the 12.4T would work with NetFlow, but it may not...we are running 12.4(18)b on a Cisco 3845, so you may require a different IOS.

Try some of these commands, in my experience if you can not enter them or they aren't there with the "?", then you don't have the support within that IOS.

ip flow-export source GigabitEthernet0/0
ip flow-export version 9
ip flow-export destination <OrionServer> 2055

interface GigabitEthernet0/0 <or whichever interfaces you want to send flow data from>

 ip route-cache flow

The only other gotcha I can think of is to make sure that this router is already listed in the Network Nodes list, otherwise the Netflow module won't see it.

Also, if you get an error within Netflow about an invalid interface (if you get this far), then try this command:

ip flow-export source <interface>

Good Luck.

William

For NetFlow realtime only version 5 is supported. NetFlow Traffic Analyzer module supports versions 9 and 5.

Good clarification.  I should have edited that as well.

You're just too fast :)

I have all of the above setup.  When I do a show ip-flow export it shows it is transferring data, however my Netflow computer does not see anything.  (Advises Netflow is not setup on the selected interface).

I am running engineers toolset 10, using the netflow tool that came with it. 

Any issues with that?

I've never used the Engineer's Toolset version of NetFlow, but it's definitely a good way to test a machine.

As long as there isn't a firewall blocking the traffic, which doesn't seem to be the case because you are getting that error message about the interface.

Would you mind pasting the config for your interface up here, scrubing any private information from it?  

Make sure you have that "Ip route-cache flow" setting on all interfaces you want to send netflow information.  That might be what it's looking for.

William

I would  check your Firewall(s) on your computer to make sure that UDP 2055 is allowed in. This has been an issue especially for Server 2008, Vista, and Win7, and the firewalls associated.

I tried running the Netflow Analyzer on a PC that is local to the router, and it worked.  That tells me that the flow traffic is probably being blocked at the ASA.

I will try looking at that to see if I can open the necessary port.  Any ideas on that one?

yes, there are specific policy map settings you need to configure on your ASA to allow NetFlow Traffic out of the device.

Here is a little more information for a ASA 5505:

! the flow-export command on our devices are configured to go over a IPSec tunnel, so make sure you use the interface appropriate to your environment.

flow-export destination inside <orion server ip> 2055
flow-export template timeout-rate 1
flow-export delay flow-create 15

policy-map global-policy
 class class-default
  flow-export event-type all destination <orion server ip>
  flow-export event-type flow-create destination <orion server ip>
!
service-policy global-policy global

I also have a script written that can be used for multiple devices if you have NCM.  Let me know if you'd like a copy of that.

Regards,

William

One more thing.  You might have to remove the existing Service-Policy if it's applied by default.

Just remembered that, sorry.

William