I’m pretty sure there are many well-documented NetFlow configuration examples out there already, but I wanted to give my own config a crack and share it. I’m also adding one more bit of information that is very useful for keeping your network in check: the NBAR addition.
Which Direction for NetFlow?
I have read somewhere, and I refuse to look for the document again (I think it was on Lancope’s website), that NetFlow works better if applied in only one direction. I’m pretty sure many people out there will have their own opinions and reasons to apply it in different directions on the same interface, but after lots of thinking, it made sense to me.
The “Flow” when configuring NetFlow
Create the Flow Record (IN|OUT)
Create the Flow Exporter
Create the Flow Monitor (IN|OUT)
Configure the Flow Monitor to your interface
This is what I use when configuring NetFlow
The Configuration
flow record Netflow-In
 match flow direction
 match interface input
 match ipv4 destination address
 match ipv4 protocol
 match ipv4 source address
 match ipv4 tos
 match transport destination-port
 match transport source-port
 collect counter bytes
 collect counter packets
 collect interface output
!!!!!!!!!!!!!!!!!
!ADD IF NECESSARY - Just remove the ! at the beginning
!!!!!!!!!!!!!!!!!
!flow record Netflow-Out
! match flow direction
! match interface output
! match ipv4 destination address
! match ipv4 protocol
! match ipv4 source address
! match ipv4 tos
! match transport destination-port
! match transport source-port
! collect counter bytes
! collect counter packets
! collect interface input
!!!!!!!!!!!!!!!!!
!FLOW EXPORTER - source interface and collector address are placeholders
!!!!!!!!!!!!!!!!!
flow exporter Netflow-to-server
 source GigabitEthernetx/x
 destination xx.xx.xx.xx
 transport udp 2055
 export-protocol netflow-v9
!!!!!!!!!!!!!!!!!
!FLOW MONITOR - the exporter name must match the flow exporter defined above
!!!!!!!!!!!!!!!!!
flow monitor Netflow-Monitor-In
 exporter Netflow-to-server
 cache timeout inactive 10
 cache timeout active 60
 record Netflow-In
!!!!!!!!!!!!!!!!!
!ADD IF NECESSARY - Just remove the ! at the beginning
!!!!!!!!!!!!!!!!!
!flow monitor Netflow-Monitor-Out
! exporter Netflow-to-server
! cache timeout inactive 10
! cache timeout active 60
! record Netflow-Out
!!!!!!!!!!!!!!!!!
!INTERFACES - ADDING THE NETFLOW COMMAND AND NBAR
!!!!!!!!!!!!!!!!!
interface GigabitEthernetx/x
 ip flow monitor Netflow-Monitor-In input
 ip nbar protocol-discovery ipv4
interface GigabitEthernetx/x
 ip flow monitor Netflow-Monitor-In input
 ip nbar protocol-discovery ipv4
!!!!!!!!!!!!!!!!!
Command to Check the Top Talkers
do show flow monitor Netflow-Monitor-In cache sort highest counter bytes top 20
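The exporter above ships NetFlow v9 over UDP 2055, and the top-talkers command sorts the router's own cache by bytes. As an added example that is not part of the original post, this Python decodes a v9 export packet carrying the fields from the Netflow-In record and ranks source/destination pairs by bytes, which is the collector-side view of the same check; the sample packet, addresses, interface indexes and counters are constructed for the example.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address
# NetFlow v9 field type IDs (RFC 3954) for what the page's flow record matches and collects.
FIELDS = {1: "bytes", 2: "packets", 4: "protocol", 5: "tos", 7: "src_port", 8: "src_addr",
          10: "in_if", 11: "dst_port", 12: "dst_addr", 14: "out_if", 61: "direction"}
def parse_v9(packet):
    """Decode one v9 export packet (20-byte header, then flowsets) into flow dicts.
    Templates are kept only for this packet; a real collector caches them per exporter."""
    if struct.unpack("!H", packet[:2])[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, flows, off = {}, [], 20
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack("!HH", packet[off:off + 4])
        body, p = packet[off + 4:off + set_len], 0
        if set_id == 0:  # template flowset: template id, field count, then (type, length) pairs
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                templates[tid] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(n)]
                p += 4 + 4 * n
        elif set_id >= 256 and set_id in templates:  # data flowset laid out by a known template
            spec = templates[set_id]
            rec_len = sum(flen for _, flen in spec)
            while p + rec_len <= len(body):  # leftover bytes shorter than a record are padding
                rec = {}
                for ftype, flen in spec:
                    val = int.from_bytes(body[p:p + flen], "big")
                    rec[FIELDS.get(ftype, f"field{ftype}")] = str(IPv4Address(val)) if ftype in (8, 12) else val
                    p += flen
                flows.append(rec)
        off += set_len
    return flows
def top_talkers(flows, n=20):
    """Bytes per (src, dst) pair, highest first: like 'cache sort highest counter bytes top 20'."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src_addr"], f["dst_addr"])] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]
def sample_packet():
    """Constructed sample export: one template (id 256) plus two padded data records."""
    spec = [(1, 4), (2, 4), (4, 1), (5, 1), (7, 2), (8, 4), (10, 2), (11, 2), (12, 4), (14, 2), (61, 1)]
    tmpl = struct.pack("!HH", 256, len(spec)) + b"".join(struct.pack("!HH", t, l) for t, l in spec)
    def rec(nbytes, pkts, proto, src, sport, dst, dport):  # field order and sizes follow spec
        return struct.pack("!IIBBH4sHH4sHB", nbytes, pkts, proto, 0, sport, IPv4Address(src).packed,
                           1, dport, IPv4Address(dst).packed, 2, 0)
    recs = rec(900000, 600, 6, "10.1.1.5", 51000, "192.0.2.10", 443) + rec(12000, 40, 17, "10.1.1.7", 5353, "10.1.1.255", 5353)
    recs += b"\x00" * (-len(recs) % 4)  # pad the data flowset to a 4-byte boundary as exporters do
    header = struct.pack("!HHIIII", 9, 3, 1000, 1700000000, 1, 0)  # version, count, uptime, secs, seq, source id
    return header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(recs)) + recs
```

Feed real exporter datagrams (read from a UDP socket bound to port 2055) to parse_v9 in place of sample_packet() and top_talkers gives the same ranking the router command prints.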
What to look forward to
More information as it comes fresh from my drafts folder 🙂 I still have lots to catch up on, so you will be seeing some more posts in the following days. Enjoy!
About the Author:
Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 13 years of experience, Andres specializes in Unified Communications and Collaboration technologies. He has consulted for several companies in South Florida, and also for financial institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations of Cisco technologies such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT service provider infrastructures.