0% found this document useful (0 votes)

768 views19 pages

Cisco Netflow Configuration

This document provides guidance on configuring Cisco NetFlow on various Cisco platforms: - It recommends setting the active timeout to 1 minute and inactive timeout to 15 minutes. - On Catalyst 6500/7600, NetFlow export must be enabled within the MSFC and PFC and capturing can be done for a specific VLAN. - NetFlow is based on 7 key fields including source/destination IP, port, protocol, ToS, and interface. - Best practices include enabling NetFlow on all layer-3 interfaces for full visibility and using a loopback interface for source.

Uploaded by

fabio almeida

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

768 views19 pages

Cisco Netflow Configuration

Uploaded by

fabio almeida

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 19

Cisco NetFlow

Configuration
Cisco NetFlow Configuration

Best Practice / Highlights

Best Practice / Highlights
• NetFlow configuration varies slightly per hardware model

Cisco IOS NetFlow • Set active timeout to 1 minute: “ip flow-cache timeout active” is the time interval
Configuration Guide NetFlow records are exported for long lived flows (e.g. large FTP transfer). 1 minute is
recommended and configuration is in minutes in IOS and seconds in MLS and NX-OS.
Cisco 6500 & 7600 NetFlow • Catalyst 6500/7600 require enabling NetFlow export within MSFC and PFC.
Configuration Guide
• The following command will capture NetFlow within the same VLAN for Catalyst
6500/7600: ip flow ingress layer2-switched vlan {vlanlist}
Catalyst 4500 NetFlow
Configuration Guide • NetFlow is based on 7 key fields
• Source IP address
Cisco 3850 NetFlow • Destination IP address
Configuration Guide • Source port number
• Destination port number
Cisco 3560 & 3750 • Layer 3 protocol type (ex. TCP, UDP)
NetFlow Configuration Guide • ToS (type of service) byte
• Input logical interface
Cisco Nexus 7000 NetFlow
If one field is different, a new flow is created in the flow cache.
Configuration
• Enabled NetFlow on EVERY layer-3 interface for complete visibility
Cisco Nexus 1000v NetFlow • It is best practice to use a NetFlow “source interface” that would never go down such as a
Configuration loopback interface.
• A “flow record” within Flexible NetFlow (that used in NX-OS) defines the keys that NetFlow
Cisco ASR 9000 NetFlow
Configuration uses to identify packets in the flow as well as other fields of interest that NetFlow gathers
for the flow.

Appendix

2
Cisco NetFlow Configuration

Cisco IOS NetFlow Configuration Guide

Best Practice / Highlights
Netflow Configuration

Cisco IOS NetFlow In configuration mode issue the following to enable NetFlow Export:
Configuration Guide ip flow-export destination <xe_netflow_collector_IP_address> 2055
ip flow-export source <interface> → (e.g. use a Loopback interface)
Cisco 6500 & 7600 NetFlow ip flow-export version 9 → (if version 9 does not take, use version 5)
Configuration Guide ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
Catalyst 4500 NetFlow snmp-server ifindex persist
Configuration Guide
Enable NetFlow on each layer-3 interface you are interested in monitoring traffic for:
Cisco 3850 NetFlow interface <interface>
Configuration Guide ip flow ingress

Cisco 3560 & 3750 Optional:

NetFlow Configuration Guide ip flow-export version 9 origin-as → (to include BGP origin AS)
ip flow-capture mac-addresses → show ip cache verbose flow
Cisco Nexus 7000 NetFlow
ip flow-capture vlan-id
Configuration

Note: If your router is running a version of Cisco IOS prior to releases 12.2(14)S,
Cisco Nexus 1000v NetFlow
12.0(22)S, or 12.2(15)T the ip route-cache flow command is used to enable NetFlow
Configuration
on an interface. If your router is running Cisco IOS release 12.2(14)S, 12.0(22)S,
Cisco ASR 9000 NetFlow 12.2(15)T, or later the ip flow ingress command is used to enable NetFlow on an
Configuration interface.

Appendix
Validate configuration:
show ip cache flow
show ip flow export
show ip flow interface
show ip flow export template

Reference:
http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/12_2sr/nf_12_2sr_book.html

3
Cisco NetFlow Configuration

Cisco 6500 and 7600 Series IOS NetFlow Configuration Guide

Best Practice / Highlights
Native IOS Netflow Configuration:

Cisco IOS NetFlow In configuration mode issue the following to enable NetFlow Export:
Configuration Guide mls nde sender version 5
mls aging long 64
Cisco 6500 & 7600 NetFlow mls aging normal 32
Configuration Guide mls nde interface
mls flow ip interface-full
Catalyst 4500 NetFlow ip flow ingress layer2-switched vlan {vlanlist}
Configuration Guide
ip flow-export destination <xe_netflow_collector_IP_address> 2055
Cisco 3850 NetFlow ip flow-export source <interface> → (e.g. use a Loopback interface)
Configuration Guide ip flow-export version 9 → (if version 9 does not take, use version 5)
ip flow-cache timeout active 1
Cisco 3560 & 3750 ip flow-cache timeout inactive 15
NetFlow Configuration Guide snmp-server ifindex persist

Cisco Nexus 7000 NetFlow

Enable NetFlow on each layer-3 interface you are interested in monitoring traffic for:
Configuration
interface <interface>
ip flow ingress
Cisco Nexus 1000v NetFlow
Configuration
Optional:
Cisco ASR 9000 NetFlow ip flow-capture mac-addresses
Configuration ip flow-capture vlan-id

Appendix
Hybrid / CatOS Netflow Configuration:
set mls nde <xe_address> 2055
set mls nde version 5
set mls agingtime long 64
set mls agingtime 32
set mls flow full
set mls bridged-flow-statistics enable <vlanlist>
set mls nde enable

Validate configuration:
show ip cache flow
show ip flow export
show ip flow export template
show mls nde

Reference:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/nde.html

4
Cisco NetFlow Configuration

Catalyst 4500 Series Switch IOS NetFlow Configuration Guide

Best Practice / Highlights
To use the NetFlow feature, you must have the Supervisor Engine V-10GE (the functionality is
embedded in the supervisor engine), or the NetFlow Services Card (WS-F4531) and either a
Cisco IOS NetFlow
Supervisor Engine IV or a Supervisor Engine V.
Configuration Guide

Verify Daughter Card:

Cisco 6500 & 7600 NetFlow
Switch# show module all
Configuration Guide
.
Catalyst 4500 NetFlow <cut for brevity>
Configuration Guide
Mod Submodule Model Serial No. Hw Status
Cisco 3850 NetFlow 1. Netflow Services Card WS-F4531 JAB062209CG 0.2 Ok
Configuration Guide 2. Netflow Services Card WS-F4531 JAB062209CG 0.2 Ok

Cisco 3560 & 3750

NetFlow Configuration Guide Netflow Configuration
In configuration mode on the 4500 issue the following to enable NetFlow Export:
Cisco Nexus 7000 NetFlow ip flow ingress
Configuration ip flow ingress infer-fields
ip flow-export destination <xe_netflow_collector_IP_address> 2055
Cisco Nexus 1000v NetFlow ip flow-export source <interface> → (e.g. use a Loopback interface)
Configuration ip flow-export version 5
ip flow-cache timeout active 1
Cisco ASR 9000 NetFlow ip flow-cache timeout inactive 15
Configuration snmp-server ifindex persist

Appendix
Validate configuration:
show ip cache flow
show ip flow export
show ip flow interface

Reference:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25ew/configuration/guide/nfswitch.html

5
Cisco NetFlow Configuration

Cisco 3850 NetFlow Configuration

Best Practice / Highlights
Your software release may not support all the features documented in this module.
For the latest caveats and feature information, see Cisco Bug Search Tool and the
Cisco IOS NetFlow
release notes for your platform and software release.
Configuration Guide

1. Create a Flow Record (specify the fields to export)

Cisco 6500 & 7600 NetFlow
A flow record defines the information that NetFlow gathers, such as packets in the flow and
Configuration Guide
the types of counters gathered per flow. You specify a series of “match” and “collect”
Catalyst 4500 NetFlow commands that tell the router which fields to include in the outgoing NetFlow PDU.
Configuration Guide
The “match” fields are the “key” fields. They are used to determine the uniqueness of the
Cisco 3850 NetFlow flow. The “collect” fields are just extra info that to include to provide more detail to the
Configuration Guide collector for reporting and analysis.

Cisco 3560 & 3750 The fields marked with required below, are fields required for StealthWatch to accept and
NetFlow Configuration Guide build a flow record.

Cisco Nexus 7000 NetFlow sw3850(config)# flow record LANCOPE1

Configuration sw3850(config-flow-record)# description NetFlow record format to send to StealthWatch
sw3850(config-flow-record)# match datalink mac source address input
Cisco Nexus 1000v NetFlow
Configuration sw3850(config-flow-record)# match datalink mac destination address input
sw3850(config-flow-record)# match datalink vlan input key field
Cisco ASR 9000 NetFlow sw3850(config-flow-record)# match ipv4 ttl key field; provides pathing info
Configuration
sw3850(config-flow-record)# match ipv4 tos required; key field

sw3850(config-flow-record)# match ipv4 protocol required; key field

Appendix
sw3850(config-flow-record)# match ipv4 source address required; key field

sw3850(config-flow-record)# match ipv4 destination address required; key field

sw3850(config-flow-record)# match transport source-port required; key field

sw3850(config-flow-record)# match transport destination-port required; key field

sw3850(config-flow-record)# match interface input required; key field

sw3850(config-flow-record)# collect interface output required; used for computing bps rates

sw3850(config-flow-record)# collect counter bytes long required; used for bps calculation

sw3850(config-flow-record)# collect counter packets long required; used for pps calculation

sw3850(config-flow-record)# collect timestamp absolute first required; for calculating duration

sw3850(config-flow-record)# collect timestamp absolute last required; for duration

6
Cisco NetFlow Configuration

Cisco 3850 NetFlow Configuration

Best Practice / Highlights
2. Create a Flow Exporter (specify where/how NetFlow is to be sent)
sw3850(config)#flow exporter NETFLOW_TO_STEALTHWATCH
Cisco IOS NetFlow
sw3850(config-flow-exporter)#description Export NetFlow to StealthWatch
Configuration Guide
sw3850(config-flow-exporter)#destination <fc_collector_IP_address>
sw3850(config-flow-exporter)#source <interface> → (e.g. use a Loopback)
Cisco 6500 & 7600 NetFlow
sw3850(config-flow-exporter)#transport udp 2055
Configuration Guide

Catalyst 4500 NetFlow

Configuration Guide 3. Create a Flow Monitor (tie the Flow Record to the Flow Exporter)
sw3850(config)#flow monitor IPv4_NETFLOW
Cisco 3850 NetFlow sw3850(config-flow-monitor)#record LANCOPE1
Configuration Guide sw3850(config-flow-monitor)#exporter NETFLOW_TO_STEALTHWATCH
sw3850(config-flow-monitor)#cache timeout active 60
Cisco 3560 & 3750
NetFlow Configuration Guide
4. Assign Flow Monitor to selected interfaces
Cisco Nexus 7000 NetFlow Repeat this step on every interface you are interested in monitoring traffic for.
Configuration sw3850(config)#interface <interface> → (e.g. VLAN1 or g2/1)
sw3850(config-if)#ip flow monitor IPv4_NETFLOW input
Cisco Nexus 1000v NetFlow
Configuration
Validate configuration:
Cisco ASR 9000 NetFlow
Configuration show flow record LANCOPE1
show flow monitor IPv4_NETFLOW statistics
show flow monitor IPv4_NETFLOW cache
Appendix
Reference:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/flexible_netflow/command_
reference/b_fnf_32se_3850_cr_chapter_010.html

7
Cisco NetFlow Configuration

Cisco 3560X & 3750X NetFlow Configuration

Flexible NetFlow is supported on Catalyst 3560-X and 3750-X (Cat3k-X) Series

Cisco 6500 & 7600 NetFlow
Switches on the 10GE Service Module. Previously unsupported on the platform,
Configuration Guide
the service module can enable hardware-supported, line-rate NetFlow on all traffic
Catalyst 4500 NetFlow that traverses the module.
Configuration Guide
1. Create a Flow Record (specify the fields to export)
Cisco 3850 NetFlow A flow record defines the information that NetFlow gathers, such as packets in the flow and
Configuration Guide the types of counters gathered per flow. You specify a series of “match” and “collect”
commands that tell the router which fields to include in the outgoing NetFlow PDU.
Cisco 3560 & 3750 The “match” fields are the “key” fields. They are used to determine the uniqueness of the
NetFlow Configuration Guide flow. The “collect” fields are just extra info that to include to provide more detail to the
collector for reporting and analysis.
Cisco Nexus 7000 NetFlow
Configuration The fields marked with required below, are fields required for StealthWatch to accept and
build a flow record.
Cisco Nexus 1000v NetFlow
Configuration sw3X50(config)# flow record LANCOPE1
sw3X50(config-flow-record)# description NetFlow record format to send to StealthWatch
Cisco ASR 9000 NetFlow
sw3X50(config-flow-record)# match datalink mac source address input
Configuration
sw3X50(config-flow-record)# match datalink mac destination address input
sw3X50(config-flow-record)# match ipv4 ttl key field; provides pathing info
Appendix
sw3X50(config-flow-record)# match ipv4 tos required; key field

sw3X50(config-flow-record)# match ipv4 protocol required; key field

sw3X50(config-flow-record)# match ipv4 source address required; key field

sw3X50(config-flow-record)# match ipv4 destination address required; key field

sw3X50(config-flow-record)# match transport source-port required; key field

sw3X50(config-flow-record)# match transport destination-port required; key field

sw3X50(config-flow-record)# collect interface input snmp required; key field

sw3X50(config-flow-record)# collect interface output snmp required

sw3X50(config-flow-record)# collect counter bytes required; used for bps calculation

sw3X50(config-flow-record)# collect counter packets required; used for pps calculation

sw3X50(config-flow-record)# collect timestamp sys-uptime firstrequired; for duration

sw3X50(config-flow-record)# collect timestamp sys-uptime last required; for duration

8
Cisco NetFlow Configuration

Cisco 3560X & 3750X NetFlow Configuration

Best Practice / Highlights
2. Create a Flow Exporter (specify where/how NetFlow is to be sent)
sw3x50(config)#flow exporter NETFLOW_TO_STEALTHWATCH
Cisco IOS NetFlow
sw3x50(config-flow-exporter)#description Export NetFlow to StealthWatch
Configuration Guide
sw3x50(config-flow-exporter)#destination <fc_collector_IP_address>
sw3x50(config-flow-exporter)#source <interface> → (e.g. use a Loopback)
Cisco 6500 & 7600 NetFlow
sw3x50(config-flow-exporter)#transport udp 2055
Configuration Guide

Catalyst 4500 NetFlow

Configuration Guide 3. Create a Flow Monitor (tie the Flow Record to the Flow Exporter)
sw3x50(config)#flow monitor IPv4_NETFLOW
Cisco 3850 NetFlow sw3x50(config-flow-monitor)#record LANCOPE1
Configuration Guide sw3x50(config-flow-monitor)#exporter NETFLOW_TO_STEALTHWATCH
sw3x50(config-flow-monitor)#cache timeout active 60
Cisco 3560 & 3750
NetFlow Configuration Guide
4. Assign Flow Monitor to selected interfaces
Cisco Nexus 7000 NetFlow Repeat this step on every interface you are interested in monitoring traffic for.
Configuration sw3x50(config)#interface <interface> → (e.g. VLAN1 or g2/1)
sw3x50(config-if)#ip flow monitor IPv4_NETFLOW input
Cisco Nexus 1000v NetFlow
Configuration
Validate configuration:
Cisco ASR 9000 NetFlow
Configuration show flow record LANCOPE1
show flow monitor IPv4_NETFLOW statistics
show flow monitor IPv4_NETFLOW cache
Appendix
Reference:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps10745/white_paper_c11-
691508_ps10744_Products_White_Paper.html

9
Cisco NetFlow Configuration

Cisco Nexus 7000 NetFlow Configuration-using netflow-original

Best Practice / Highlights
The Cisco Nexus 7000 switch runs Cisco NX-OS operating system. Configuring Netflow is
a little different than in traditional IOS devices. Follow the below 5 steps to enable Netflow
Cisco IOS NetFlow
monitoring.
Configuration Guide

1. Enable Netflow Feature and set timeouts

Cisco 6500 & 7600 NetFlow
switch(config)#feature netflow
Configuration Guide
switch(config)#flow timeout active 60
Catalyst 4500 NetFlow switch(config)#flow timeout inactive 15
Configuration Guide

Cisco 3850 NetFlow 2. Create a Flow Record (specify the fields to export)
Configuration Guide We will use the Nexus predefined record of “netflow-original” for this
configuration.
Cisco 3560 & 3750 See Creating a Flow Record section of appendix for creating a custom flow record.
NetFlow Configuration Guide

Cisco Nexus 7000 NetFlow 3. Create a Flow Exporter (specify where/how NetFlow is to be sent)
Configuration switch(config)#flow exporter netflow_to_stealthwatch
switch(config-flow-exporter)#description Export NetFlow to StealthWatch
Cisco Nexus 1000v NetFlow switch(config-flow-exporter)#destination <xe_collector_IP_address>
Configuration switch(config-flow-exporter)#source <interface> → (e.g. use a Loopback)
switch(config-flow-exporter)#transport udp 2055
Cisco ASR 9000 NetFlow
switch(config-flow-exporter)#version 9
Configuration

Appendix 4. Create a Flow Monitor (tie the Flow Record to the Flow Exporter)
switch(config)#flow monitor standard_v9netflow
switch(config-flow-monitor)#record netflow-original
switch(config-flow-monitor)#exporter netflow_to_stealthwatch

5. Assign Flow Monitor to selected interfaces

Repeat this step on every interface you are interested in monitoring traffic for.
switch(config)#interface <interface> → (e.g. VLAN1 or g2/1)
switch(config-if)#ip flow monitor standard_v9netflow input

Validate configuration:
show flow record netflow-original
show flow monitor standard_v9netflow statistics
show flow monitor standard_v9netflow cache

Reference:
http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_0/nx-os/system_management/configuration/guide/
sm_netflow.html
10
Cisco NetFlow Configuration

Cisco Nexus 1000v NetFlow Configuration - using netflow-original

Best Practice / Highlights
The Cisco Nexus 1000v switch is a virtual switch that runs Cisco NX-OS. Configuring Netflow
is a little different than in traditional IOS devices. Follow the below 4 steps to enable Netflow
Cisco IOS NetFlow
monitoring.
Configuration Guide

1. Create a Flow Record (specify the fields to export)

Cisco 6500 & 7600 NetFlow
We will use the Nexus predefined record of “netflow-original” for this
Configuration Guide
configuration.
Catalyst 4500 NetFlow See Creating a Flow Record section of appendix for creating a custom flow
Configuration Guide record.

Cisco 3850 NetFlow

Configuration Guide 2. Create a Flow Exporter (specify where/how NetFlow is to be sent)
n1000v(config)#flow exporter netflow_to_stealthwatch
Cisco 3560 & 3750 n1000v(config-flow-exporter)#description Export NetFlow to StealthWatch
NetFlow Configuration Guide n1000v(config-flow-exporter)#destination <xe_collector_IP_address>
n1000v(config-flow-exporter)#source mgmt 0
Cisco Nexus 7000 NetFlow n1000v(config-flow-exporter)#transport udp 2055
Configuration n1000v(config-flow-exporter)#version 9

Cisco Nexus 1000v NetFlow

Configuration 3. Create a Flow Monitor (tie the Flow Record to the Flow Exporter)
n1000v(config)#flow monitor standard_v9netflow
Cisco ASR 9000 NetFlow
n1000v(config-flow-monitor)#record netflow-original
Configuration
n1000v(config-flow-monitor)#exporter netflow_to_stealthwatch
n1000v(config-flow-monitor)#timeout active 60
Appendix n1000v(config-flow-monitor)#timeout inactive 15

4. Assign Flow Monitor to selected interfaces

Repeat this step on every interface you are interested in monitoring traffic for.
n1000v(config)#interface <interface> → (e.g. VLAN1 or g2/1)
n1000v(config-if)#ip flow monitor standard_v9netflow input

Validate configuration:
show flow record netflow-original
show flow monitor standard_v9netflow statistics
show flow monitor standard_v9netflow cache

Reference:
http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0/system_management/configuration/guide/
system_9flow.html

11
Cisco NetFlow Configuration

Cisco ASR 1000 NetFlow Configuration

Flexible NetFlow is supported on Catalyst 3560-X and 3750-X (Cat3k-X) Series

Cisco 6500 & 7600 NetFlow
Switches on the 10GE Service Module. Previously unsupported on the platform,
Configuration Guide
the service module can enable hardware-supported, line-rate NetFlow on all traffic
Catalyst 4500 NetFlow that traverses the module.
Configuration Guide
1. Create a Flow Record (specify the fields to export)
Cisco 3850 NetFlow A flow record defines the information that NetFlow gathers, such as packets in the flow and
Configuration Guide the types of counters gathered per flow. You specify a series of “match” and “collect”
commands that tell the router which fields to include in the outgoing NetFlow PDU.
Cisco 3560 & 3750 The “match” fields are the “key” fields. They are used to determine the uniqueness of the
NetFlow Configuration Guide flow. The “collect” fields are just extra info that to include to provide more detail to the
collector for reporting and analysis.
Cisco Nexus 7000 NetFlow
Configuration The fields marked with required below, are fields required for StealthWatch to accept and
build a flow record.
Cisco Nexus 1000v NetFlow
Configuration asr1k(config)# flow record LANCOPE1
asr1k(config-flow-record)#match ipv4 protocol required; key field
Cisco ASR 9000 NetFlow
asr1k(config-flow-record)#match ipv4 source address required; key field
Configuration
asr1k(config-flow-record)#match ipv4 destination address required; key field

asr1k(config-flow-record)#match transport source-port required; key field

Appendix
asr1k(config-flow-record)#match transport destination-port required; key field

asr1k(config-flow-record)#match interface input required; key field

asr1k(config-flow-record)#match ipv4 tos required; key field

asr1k(config-flow-record)#collect interface output required; used for computing bps rates

asr1k(config-flow-record)#collect counter bytes required; used for bps calculation

asr1k(config-flow-record)#collect counter packets required; used for pps calculation

asr1k(config-flow-record)#collect timestamp sys-uptime firstrequired; for calculating duration

asr1k(config-flow-record)#collect timestamp sys-uptime last required; for calculating duration
asr1k(config-flow-record)#collect flow sampler optional; used to obtain sampling rate

asr1k(config-flow-record)#collect routing next-hop address optional; used for

ipv4 closest interface determination

asr1k(config-flow-record)#collect ipv4 dscp optional; used to generate QoS reports

asr1k(config-flow-record)#collect ipv4 ttl minimum optional; provides pathing info

asr1k(config-flow-record)#collect ipv4 ttl maximum optional; provides pathing info

asr1k(config-flow-record)#collect transport tcp flags optional; security anaysis

asr1k(config-flow-record)#collect routing destination as optional; enable if you use BGP

12
Cisco NetFlow Configuration

Cisco ASR 1000 NetFlow Configuration

Best Practice / Highlights
6. Create a Flow Exporter (specify where/how NetFlow is to be sent)
asr1k(config)#flow exporter NETFLOW_TO_STEALTHWATCH
Cisco IOS NetFlow
asr1k(config-flow-exporter)#description Export NetFlow to StealthWatch
Configuration Guide
asr1k(config-flow-exporter)#destination <fc_collector_IP_address>
asr1k(config-flow-exporter)#source <interface> → (e.g. use a Loopback)
Cisco 6500 & 7600 NetFlow
asr1k(config-flow-exporter)#transport udp 2055
Configuration Guide
asr1k(config-flow-exporter)#version 9
Catalyst 4500 NetFlow
Configuration Guide
7. Create a Flow Monitor (tie the Flow Record to the Flow Exporter)
Cisco 3850 NetFlow asr1k(config)#flow monitor IPv4_NETFLOW
Configuration Guide asr1k(config-flow-monitor)#record LANCOPE1
asr1k(config-flow-monitor)#exporter NETFLOW_TO_STEALTHWATCH
Cisco 3560 & 3750 asr1k(config-flow-monitor)#cache timeout active 60
NetFlow Configuration Guide asr1k(config-flow-monitor)#cache timeout inactive 15

Cisco Nexus 7000 NetFlow

Configuration 8. Assign Flow Monitor to selected interfaces
Repeat this step on every interface you are interested in monitoring traffic for.
Cisco Nexus 1000v NetFlow asr1k(config)#interface <interface> → (e.g. VLAN1 or g2/1)
Configuration asr1k(config-if)#ip flow monitor IPv4_NETFLOW input

Cisco ASR 9000 NetFlow

Configuration If the ASR is being used for NAT and you would like to log the NAT
translations within StealthWatch, run the following command:
Appendix
ip nat log translations flow-export v9 udp destination X.X.X.X YYYY

Where X.X.X.X is the FlowCollector IP and YYYY is the configured NetFlow

Export port.

Validate configuration:
show flow record LANCOPE1
show flow monitor IPv4_NETFLOW statistics
show flow monitor IPv4_NETFLOW cache

Reference:
http://www.cisco.com/en/US/docs/ios-xml/ios/fnetflow/configuration/xe-3s/asr1000/cfg-de-fnflow-exprts-xe.html
http://www.cisco.com/en/US/docs/ios-xml/ios/fnetflow/configuration/xe-3s/cfg-avc-xe.html

13
Cisco NetFlow Configuration

Cisco ASR 9000 NetFlow Configuration

Best Practice / Highlights
Consider the following restrictions when configuring NetFlow in Cisco IOS XR
software: You must configure a source interface. If you do not configure a source
Cisco IOS NetFlow
interface, the exporter will remain in a disabled state. Cisco IOS XR software
Configuration Guide
supports export format Version 9 only. You must configure a valid record map
name for every flow monitor map. Please refer to the below reference link for
Cisco 6500 & 7600 NetFlow
detailed steps. The ASR9000 can sample flow export, Lancope recommends
Configuration Guide
export 1:1 where possible for 100% visibility and accounting. This will be specific
Catalyst 4500 NetFlow to the environment being deployed in.
Configuration Guide
1. Configuring an Exporter Map
Cisco 3850 NetFlow router(config)# flow exporter-map FLOW_TO_SW
Configuration Guide router(config- FLOW_TO_SW)# destination <xe_collector_IP_address>
router(config- FLOW_TO_SW)# source <interface> → (e.g. use a Loopback)
Cisco 3560 & 3750 router(config- FLOW_TO_SW)# transport udp 2055
NetFlow Configuration Guide router(config- FLOW_TO_SW)# version v9

Cisco Nexus 7000 NetFlow

Configuration 2. Configuring a Monitor Map
router(config)# flow monitor-map IPv4_NETFLOW
Cisco Nexus 1000v NetFlow router(config- IPv4_NETFLOW)# record ipv4
Configuration router(config- IPv4_NETFLOW)# cache timeout active 60
router(config- IPv4_NETFLOW)# cache timeout inactive 15
Cisco ASR 9000 NetFlow
router(config- IPv4_NETFLOW)# exporter FLOW_TO_SW
Configuration

Appendix 3. Applying a Monitor Map to an Interface

router(config)# interface <interface> → (e.g. gigabitEthernet 0/0/0/0)
router(config-if)# flow ipv4 monitor IPv4_NETFLOW ingress

Validate configuration:
show flow exporter-map FLOW_TO_SW
show flow monitor-map IPv4_NETFLOW

Reference:
http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r3.9.1/netflow/configuration/guide/nfc391flow.html

14
Cisco NetFlow Configuration

IPv6 NetFlow Export

Best Practice / Highlights
Review the below reference links for detailed understanding of IPv6 NetFlow
export.
Cisco IOS NetFlow
Configuration Guide
In configuration mode issue the following to enable NetFlow Export:
ipv6 flow-export destination <xe_netflow_collector_IP_address> 2055
Cisco 6500 & 7600 NetFlow
ip flow-export source <interface> → (e.g. use a Loopback interface)
Configuration Guide
ipv6 flow-export version 9
Catalyst 4500 NetFlow ipv6 flow-cache timeout active 1
Configuration Guide ipv6 flow-cache timeout inactive 15
snmp-server ifindex persist
Cisco 3850 NetFlow
Configuration Guide Enable NetFlow on each layer-3 interface you are interested in monitoring traffic for:
interface <interface>
Cisco 3560 & 3750 ipv6 flow ingress
NetFlow Configuration Guide
Optional:
Cisco Nexus 7000 NetFlow ipv6 flow-export version 9 origin-as → (to include BGP origin AS)
Configuration

Cisco Nexus 1000v NetFlow Validate configuration:

Configuration
show ip cache flow
Cisco ASR 9000 NetFlow
Configuration Reference:
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-netflow.html
http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/nfv9_ipv6.html
Appendix

15
Cisco NetFlow Configuration

Best Practice / Highlights

Appendix: Creating a Flow Record & Various Show Commands
Creating a Flow Record
Cisco IOS NetFlow A flow record defines the information that NetFlow gathers, such as packets in the flow and
Configuration Guide the types of counters gathered per flow. If you would like to build a custom flow record outside
of the predefined “netflow-original”, you would specify a series of “match” and “collect”
Cisco 6500 & 7600 NetFlow commands that tell the router which fields to include in the outgoing NetFlow PDU.
Configuration Guide
The “match” fields are the “key” fields. They are used to determine the uniqueness of the flow.
Catalyst 4500 NetFlow The “collect” fields are just extra info that we include to provide more detail to the collector for
Configuration Guide reporting and analysis.

Cisco 3850 NetFlow You don’t want to modify the “match” fields much. The seven match entries shown below
Configuration Guide should always be included in your FnF config. The “collect” fields however can vary quite a bit
depending on how much info you want to send to the collector. The configuration listed below is
Cisco 3560 & 3750 recommended for all StealthWatch installations.
NetFlow Configuration Guide
The fields marked with required below, are fields required for StealthWatch to accept and build
Cisco Nexus 7000 NetFlow
a flow record.
Configuration
switch(config)#flow record LANCOPE1
Cisco Nexus 1000v NetFlow switch(config-flow-record)#match ipv4 protocol required; key field
Configuration switch(config-flow-record)#match ipv4 source address required; key field

switch(config-flow-record)#match ipv4 destination address required; key field

Cisco ASR 9000 NetFlow
switch(config-flow-record)#match transport source-port required; key field
Configuration
switch(config-flow-record)#match transport destination-port required; key field

switch(config-flow-record)#match interface input required; key field

Appendix
switch(config-flow-record)#match ipv4 tos required; key field

switch(config-flow-record)#collect interface output required; used for computing bps rates

switch(config-flow-record)#collect counter bytes required; used for bps calculation

switch(config-flow-record)#collect counter packets required; used for pps calculation

switch(config-flow-record)#collect timestamp sys-uptime firstrequired; for calculating duration

switch(config-flow-record)#collect timestamp sys-uptime last required; for calculating duration
switch(config-flow-record)#collect routing next-hop address optional; used for closest interface
ipv4 determination

switch(config-flow-record)#collect ipv4 dscp optional; used to generate QoS

reports
switch(config-flow-record)#collect ipv4 ttl minimum optional; provides pathing info

switch(config-flow-record)#collect ipv4 ttl maximum optional; provides pathing info

switch(config-flow-record)#collect transport tcp flags optional; security anaysis

switch(config-flow-record)#collect routing destination as optional; enable if you use BGP

Once the “Flow Record” has been created you would tie it to a “Flow Monitor”

Appendix show mls netflow ip

8806 P
75% (4)
8806 P
115 pages
Cisco CCIE 400-101 Study Guide
No ratings yet
Cisco CCIE 400-101 Study Guide
304 pages
ISE-Architecture Fundamentals-Security
No ratings yet
ISE-Architecture Fundamentals-Security
63 pages
BRKEWN - Cisco - Live - Understanding RF Fundamentals-2017
No ratings yet
BRKEWN - Cisco - Live - Understanding RF Fundamentals-2017
170 pages
CCNP Routing and Switching ROUTE 300-101 Official Cert Guide
100% (3)
CCNP Routing and Switching ROUTE 300-101 Official Cert Guide
189 pages
Cisco Catalyst 9800-CL Wireless Controller For Cloud Deployment Guide
No ratings yet
Cisco Catalyst 9800-CL Wireless Controller For Cloud Deployment Guide
80 pages
Advanced Concepts of DMVPN BRKSEC-4054
No ratings yet
Advanced Concepts of DMVPN BRKSEC-4054
120 pages
Cisco SD-Access Workbook
No ratings yet
Cisco SD-Access Workbook
29 pages
Brkewn 2670
No ratings yet
Brkewn 2670
180 pages
Brksec 3690
No ratings yet
Brksec 3690
134 pages
Basic Electronics
0% (1)
Basic Electronics
2 pages
IOS Commands: Privileged Mode
75% (4)
IOS Commands: Privileged Mode
14 pages
Top Data Structure Interview Questions and Answers Are Below
No ratings yet
Top Data Structure Interview Questions and Answers Are Below
17 pages
Cisco Catalyst QoS Simplified Presentation
No ratings yet
Cisco Catalyst QoS Simplified Presentation
58 pages
3PAR Remote
No ratings yet
3PAR Remote
119 pages
BRKCRS 2802
No ratings yet
BRKCRS 2802
114 pages
Ccie en Part 01 Switch
No ratings yet
Ccie en Part 01 Switch
64 pages
BRKCOM-2003 UCS Networking - Deep Dive (2014 Milan)
No ratings yet
BRKCOM-2003 UCS Networking - Deep Dive (2014 Milan)
95 pages
A5 byCCIEMAN2016 - Nonvrf
100% (1)
A5 byCCIEMAN2016 - Nonvrf
60 pages
Wireless Site Survey
No ratings yet
Wireless Site Survey
36 pages
(Networking Technology) Sam Halabi - Hyperconverged Infrastructure Data Centers - Demystifying HCI-Cisco Press (2019)
No ratings yet
(Networking Technology) Sam Halabi - Hyperconverged Infrastructure Data Centers - Demystifying HCI-Cisco Press (2019)
733 pages
WAN Technologies PDF
No ratings yet
WAN Technologies PDF
132 pages
ISIS Routing Lab Workbook: RHC Technologies
No ratings yet
ISIS Routing Lab Workbook: RHC Technologies
24 pages
Cisco ASA Firewall Configuration
No ratings yet
Cisco ASA Firewall Configuration
18 pages
300-420 ENSLD Designing Cisco Enterprise
No ratings yet
300-420 ENSLD Designing Cisco Enterprise
3 pages
Arduino CNC Shield Instructions
100% (1)
Arduino CNC Shield Instructions
7 pages
Xeon D 1500 Thermal Guide
No ratings yet
Xeon D 1500 Thermal Guide
82 pages
Datacenter Ethernet PDF
No ratings yet
Datacenter Ethernet PDF
44 pages
Zhone Dslam
No ratings yet
Zhone Dslam
410 pages
Prep For CCIE SP Lab Exam v3-0 Part - 3 of 7 PDF
No ratings yet
Prep For CCIE SP Lab Exam v3-0 Part - 3 of 7 PDF
39 pages
Spanning Tree
100% (2)
Spanning Tree
1 page
(CCNA) Cisco Commands Cheat Sheet #3
No ratings yet
(CCNA) Cisco Commands Cheat Sheet #3
8 pages
BRKSEC 3699 Reference
No ratings yet
BRKSEC 3699 Reference
411 pages
LG GIS Networking Network Data Admin L2
No ratings yet
LG GIS Networking Network Data Admin L2
4 pages
Dell EMC Networking
No ratings yet
Dell EMC Networking
72 pages
Tecccie 8002
No ratings yet
Tecccie 8002
294 pages
Innovations in Ethernet Encryption (802.1ae - Macsec) For Securing High Speed (1-100ge) Wan Deployments
No ratings yet
Innovations in Ethernet Encryption (802.1ae - Macsec) For Securing High Speed (1-100ge) Wan Deployments
22 pages
CCIE Voice Written Exam Study Guide - CCBootcamp
No ratings yet
CCIE Voice Written Exam Study Guide - CCBootcamp
40 pages
11.1 38-11 Cisco DNA Center
No ratings yet
11.1 38-11 Cisco DNA Center
30 pages
CCIE Wireless v3 Preparation Tips
No ratings yet
CCIE Wireless v3 Preparation Tips
7 pages
ECS Overview and Architecture
No ratings yet
ECS Overview and Architecture
59 pages
SW Ch01
No ratings yet
SW Ch01
33 pages
Cisco Security PDF
No ratings yet
Cisco Security PDF
678 pages
Changing Trends in Computer Architecture
No ratings yet
Changing Trends in Computer Architecture
13 pages
Kubernetes Vs Docker - A Step by Step Guide To Learn and Master Well
No ratings yet
Kubernetes Vs Docker - A Step by Step Guide To Learn and Master Well
247 pages
Cisco Wireless Solution Overview
No ratings yet
Cisco Wireless Solution Overview
4 pages
MQC MLS QOS Conversion Tool: Interface Speed
No ratings yet
MQC MLS QOS Conversion Tool: Interface Speed
13 pages
Designing Data Centers With The Nexus 7000: Ben Basler Technical Marketing Engineer January 2009, v2.1
No ratings yet
Designing Data Centers With The Nexus 7000: Ben Basler Technical Marketing Engineer January 2009, v2.1
55 pages
20C507B Introduction To VXLAN
No ratings yet
20C507B Introduction To VXLAN
59 pages
Nexus 9000 Vs Catalyst 65000
No ratings yet
Nexus 9000 Vs Catalyst 65000
2 pages
Key Attributes STP Example Topology: STP (Spanning Tree Protocol) - Cheat Sheet - Part
No ratings yet
Key Attributes STP Example Topology: STP (Spanning Tree Protocol) - Cheat Sheet - Part
1 page
3 Steps To Tuning A Cisco WLAN Controller From Default Settings
No ratings yet
3 Steps To Tuning A Cisco WLAN Controller From Default Settings
19 pages
Experiment No. - 1
No ratings yet
Experiment No. - 1
14 pages
B Cisco Nexus 7000 Series NX-OS Fundamentals Configuration Guide Release 6.x
No ratings yet
B Cisco Nexus 7000 Series NX-OS Fundamentals Configuration Guide Release 6.x
144 pages
Network Design and Models: The Bryant Advantage CCNP SWITCH Study Guide
No ratings yet
Network Design and Models: The Bryant Advantage CCNP SWITCH Study Guide
11 pages
Huawei FusionServer Pro V5 Rack Server Data Sheet PDF
No ratings yet
Huawei FusionServer Pro V5 Rack Server Data Sheet PDF
20 pages
QoS Practice Labs - English
No ratings yet
QoS Practice Labs - English
65 pages
CCNP Questions and Answers
No ratings yet
CCNP Questions and Answers
15 pages
Manual Testcase
No ratings yet
Manual Testcase
69 pages
Introduction To Software Testing Life Cycle
No ratings yet
Introduction To Software Testing Life Cycle
11 pages
Beckhoff Embedded PC
No ratings yet
Beckhoff Embedded PC
78 pages
t95z Plus
No ratings yet
t95z Plus
2 pages
Terminals of Ecu: 1. Radio Receiver Assy
No ratings yet
Terminals of Ecu: 1. Radio Receiver Assy
1 page
Cos1511 Jan-Feb 2024 Exam
No ratings yet
Cos1511 Jan-Feb 2024 Exam
11 pages
Monitoring Online Tests Through Data Visualization 1
No ratings yet
Monitoring Online Tests Through Data Visualization 1
74 pages
WP Roc809 Modbus Tcpiprev2
No ratings yet
WP Roc809 Modbus Tcpiprev2
11 pages
System Programming
No ratings yet
System Programming
82 pages
Data Sheet 6AV2123-2MB03-0AX0: General Information
No ratings yet
Data Sheet 6AV2123-2MB03-0AX0: General Information
9 pages
AD7616
No ratings yet
AD7616
50 pages
Quickstart DataSynapse Gridserver5 0
No ratings yet
Quickstart DataSynapse Gridserver5 0
17 pages
NX1P2 CPU Unit: Built-In I/O and Option Board User's Manual
No ratings yet
NX1P2 CPU Unit: Built-In I/O and Option Board User's Manual
230 pages
Logcat From Poco
No ratings yet
Logcat From Poco
59 pages
Java Terminal Exam
No ratings yet
Java Terminal Exam
55 pages
Cyberres A Micro Focus Line of Business Presentation
No ratings yet
Cyberres A Micro Focus Line of Business Presentation
9 pages
IoT Based Smart Plug
No ratings yet
IoT Based Smart Plug
22 pages
JDSU JD724C Celladvisor Jd720c Series Cable and Antenna Analyzers Data Sheets en
No ratings yet
JDSU JD724C Celladvisor Jd720c Series Cable and Antenna Analyzers Data Sheets en
13 pages
Waveform Design and DoA-DoD Estimation of OFDM-LFM Signal Based On SDFNT For MIMO Radar
No ratings yet
Waveform Design and DoA-DoD Estimation of OFDM-LFM Signal Based On SDFNT For MIMO Radar
11 pages
Performance Evaluation of 6t Sram Cell Using 90 NM Technology IJERTV10IS0900272
No ratings yet
Performance Evaluation of 6t Sram Cell Using 90 NM Technology IJERTV10IS0900272
6 pages
OBIEE Installation Guide
No ratings yet
OBIEE Installation Guide
17 pages
Logic Gate (AND, OR, XOR, NOT, Nand, Nor, and Xnor)
No ratings yet
Logic Gate (AND, OR, XOR, NOT, Nand, Nor, and Xnor)
8 pages
Alcatel-Lucent Network Routing Specialist II (NRS II) Self-Study Guide: Preparing for the NRS II Certification Exams
From Everand
Alcatel-Lucent Network Routing Specialist II (NRS II) Self-Study Guide: Preparing for the NRS II Certification Exams
Glenn Warnock
No ratings yet
Designing and Implementing Linux Firewalls and QoS using netfilter, iproute2, NAT and l7-filter
From Everand
Designing and Implementing Linux Firewalls and QoS using netfilter, iproute2, NAT and l7-filter
Lucian Gheorghe
No ratings yet
Versatile Routing and Services with BGP: Understanding and Implementing BGP in SR-OS
From Everand
Versatile Routing and Services with BGP: Understanding and Implementing BGP in SR-OS
Alcatel-Lucent
No ratings yet
Alcatel-Lucent Service Routing Architect (SRA) Self-Study Guide: Preparing for the BGP, VPRN and Multicast Exams
From Everand
Alcatel-Lucent Service Routing Architect (SRA) Self-Study Guide: Preparing for the BGP, VPRN and Multicast Exams
Glenn Warnock
No ratings yet
SolarWinds Server & Application Monitor : Deployment and Administration
From Everand
SolarWinds Server & Application Monitor : Deployment and Administration
Justin M. Brant
No ratings yet
Cisco Unified Communications Manager 8: Expert Administration Cookbook
From Everand
Cisco Unified Communications Manager 8: Expert Administration Cookbook
Ezell
No ratings yet
Next-Generation switching OS configuration and management: Troubleshooting NX-OS in Enterprise Environments
From Everand
Next-Generation switching OS configuration and management: Troubleshooting NX-OS in Enterprise Environments
Mamta Devi
No ratings yet
REMOTE ACCESS VPN- SSL VPN: A deep dive into SSL VPN from basic
From Everand
REMOTE ACCESS VPN- SSL VPN: A deep dive into SSL VPN from basic
MAMTA DEVI
5/5 (1)
In Depth Guide to IS-IS Routing: Learn Intermediate System to Intermediate System Routing from scratch
From Everand
In Depth Guide to IS-IS Routing: Learn Intermediate System to Intermediate System Routing from scratch
Mamta Devi
No ratings yet
WAN TECHNOLOGY FRAME-RELAY: An Expert's Handbook of Navigating Frame Relay Networks
From Everand
WAN TECHNOLOGY FRAME-RELAY: An Expert's Handbook of Navigating Frame Relay Networks
Mamta Devi
No ratings yet