Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Configure NetFlow for Cisco Routers and Switches Running IOS

Overview

NetFlow configuration varies slightly per hardware model.

  • Classic NetFlow identifies a flow by 7 key fields:

  1. Source IP address

  2. Destination IP address

  3. Source port number

  4. Destination port number

  5. IP protocol (e.g. TCP, UDP)

  6. ToS (type of service) byte

  7. Input logical interface

  • If any one of these fields differs, the packet belongs to a different flow and a new entry is created in the flow cache.

  • Enable NetFlow on EVERY Layer-3 interface whose traffic should be visible; traffic that never crosses a monitored interface is never reported.

  • It is best practice to export from a “source-interface” that never goes down, such as a loopback interface, so the exporter address the collector sees stays constant when a physical link flaps.

  • A “flow record” in Flexible NetFlow (the model used by IOS, IOS-XE and NX-OS) defines the key fields NetFlow uses to identify the packets belonging to a flow (“match” statements) as well as the other fields of interest it gathers for the flow (“collect” statements).

Prerequisite

There are 4 basic steps you need to follow:

  1. Create a flow record

  2. Create a flow exporter

  3. Create a flow monitor

  4. Apply the flow monitor to interfaces

Configuration Steps

1. Log in to your router and enter global configuration mode by typing “configure terminal” (“config t”).

 

2. Now create the flow record (use any name; this guide uses NTARecord, and the same name must be referenced from the flow monitor in step 5):

  • #flow record NTARecord

3. Now define the match (key) and collect (non-key) statements for the fields to include in the flow record:

#match ipv4 source address

#match ipv4 destination address

#match ipv4 protocol

#match transport source-port

#match transport destination-port

#match ipv4 tos (to collect the type of service byte)

#match interface input (to collect ingress interface data )

#collect interface output (to collect egress interface data)

#collect counter bytes

#collect counter packets

#collect timestamp sys-uptime first

 

#collect timestamp sys-uptime last

#collect application name (requires NBAR2; omit this line on images that reject it)

#collect routing source as (to collect AS information)

#collect routing destination as

4. Now create the flow exporter, which defines where the records are sent and how (use any name; this guide uses NTAExporter, and the same name must be referenced from the flow monitor in step 5):

#flow exporter NTAExporter

#destination CCE_IP_Address

#source GigabitEthernet0/1 (a loopback interface is preferred; see Overview)

#transport udp 2055 (the UDP port the CCE collector listens on for NetFlow; 2055 is the conventional NetFlow port and also the default used by SolarWinds NetFlow Traffic Analyzer)

#export-protocol netflow-v9

#template data timeout 60 (resend the NetFlow v9 template every 60 seconds; a collector cannot decode data records until it has received the template, so this also bounds the gap after a collector restart)

#option application-table timeout 60

#option application-attributes timeout 300

5. Now create the flow monitor, which binds the record to the exporter and sets the cache timeouts:

#flow monitor NTAMonitor

#record NTARecord

#exporter NTAExporter

 

#cache timeout active 60

#cache timeout inactive 15

#exit

6. Apply the flow monitor in both directions to every Layer-3 interface you want visibility on (repeat for each interface):

#interface GigabitEthernet0/1

#ip flow monitor NTAMonitor input

#ip flow monitor NTAMonitor output

#exit

#wr mem (to save configuration)
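The steps above assembled into one paste-able Flexible NetFlow configuration, followed by the router-side show commands a practitioner runs before looking at the collector. This is an added example, not configuration from the original Seceon article; the interface names GigabitEthernet0/0 and GigabitEthernet0/1, the Loopback0 address 10.255.255.1 and the collector address 198.51.100.10 are assumptions to be replaced with your own values. It goes slightly beyond the steps above by sourcing the export from a loopback, as the Overview recommends, and by applying the monitor to two interfaces.

```cisco
! Added example (not from the original Seceon page). Assumed values:
! Loopback0 10.255.255.1, collector 198.51.100.10, interfaces Gi0/0 and Gi0/1.
! "collect application name" and the "option application-*" lines need NBAR2
! and are rejected by some IOS images; remove them if the parser complains.
configure terminal
!
! Step 1: flow record. The seven classic key fields are "match" statements;
! everything else of interest is a non-key "collect" field.
flow record NTARecord
 description Key and non-key fields exported to Seceon CCE
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match ipv4 tos
 match interface input
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect routing source as
 collect routing destination as
 collect application name
 exit
!
! Step 2: flow exporter. Sourcing from a loopback keeps the exporter address
! stable, so the collector always sees the same SOURCE DEVICE IP.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
 exit
flow exporter NTAExporter
 description Export to Seceon CCE
 destination 198.51.100.10
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
 option application-table timeout 60
 option application-attributes timeout 300
 exit
!
! Step 3: flow monitor. Active 60 s keeps long-lived flows visible to the
! collector while they are still running; inactive 15 s flushes finished
! flows quickly.
flow monitor NTAMonitor
 description Seceon CCE NetFlow monitor
 record NTARecord
 exporter NTAExporter
 cache timeout active 60
 cache timeout inactive 15
 exit
!
! Step 4: apply the monitor in both directions on every Layer-3 interface
! whose traffic should be visible (two interfaces assumed here).
interface GigabitEthernet0/0
 ip flow monitor NTAMonitor input
 ip flow monitor NTAMonitor output
 exit
interface GigabitEthernet0/1
 ip flow monitor NTAMonitor input
 ip flow monitor NTAMonitor output
 exit
end
write memory
!
! Router-side verification (read-only), run from privileged EXEC:
! - is the monitor bound to the interface in both directions?
show flow interface GigabitEthernet0/1
! - are flows being tracked at all?
show flow monitor NTAMonitor cache
! - are datagrams leaving the exporter without errors?
show flow exporter NTAExporter statistics
! - does the record contain the intended match/collect fields?
show flow record NTARecord
```

If “show flow monitor NTAMonitor cache” shows entries but the exporter statistics stay at zero, the problem is on the router (exporter source interface down or destination unreachable); if the exporter counters rise but the CCE shows nothing, capture on the CCE side as described in the verification section below.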

VERIFICATION OF CONFIGURATION

Verification can be done either from the CCE server or from the UI.

Using UI

STEP 1: Log in to the UI >> SYSTEM

STEP 2: >> LOGS AND FLOWS COLLECTION STATUS

STEP 3: >> Under SOURCE DEVICE IP, the router's exporter source IP address should appear.

Using CCE SERVER

Run “sudo tcpdump -i any -nn udp port 2055 and host <router exporter IP>” on the CCE server to check whether NetFlow datagrams are arriving from the router. The port filter must match the “transport udp 2055” setting in the flow exporter (514 is the syslog port, not NetFlow), and the host filter must use the address of the exporter source interface, not the router's management address if they differ. Seeing datagrams only proves the router can reach the CCE; the collector also needs the NetFlow v9 template before it can decode data records, which the “template data timeout 60” setting resends every 60 seconds.

 

 

Seceon Inc. All rights reserved. https://www.seceon.com