Configure NetFlow - Cisco NetFlow commands explained

This area will help fast track you in planning, setting up and managing NetFlow in your environment. NetFlow is an embedded instrumentation within Cisco IOS Software to characterize network operation.

Network specialists of various levels within an organization need to be able to report on traffic traversing sites, key links and data centers without deploying probes. They use CySight, powered by unique NetFlow Auditor methods of scalable collection, retention and Predictive AI Baselining, to capture and analyze every NetFlow record with aggregation options and small-footprint real-time and long-term storage. From Telco to SME you will recognize the superior reliability and performance of the CySight NetFlow Auditing solutions, as well as the management benefits offered.


Configuration support for some flow export vendors. If you do not find your device here, please ask us at support@cysight.ai

Netflow, sFlow and IPFIX configurations for some common flow export vendors

Explanations of the original NetFlow commands are given below; alternatively, refer to the original Cisco documentation.

Configure interfaces first

For all interfaces (int s0/0/0:0 or int g0/0) add:
ip route-cache flow


Configure all of the interfaces from which you require analysis.

Note when using CEF: when CEF is enabled, by default all flows are sent to the flow collector. Some IOS versions require that you set ip route-cache flow or ip flow ingress as a global command.

When setting up "ip route-cache flow" on each interface, some thought is needed when collecting from multiple devices if you wish to avoid duplicated and unnecessary flows. CySight also provides the means to run exclusive and inclusive queries to avoid this after the data has been collected, but a bit of initial consideration may simplify queries after any commercial deployment. You may not have that choice if all the flows of all interfaces are exported to you by default.

Note if unable to see interface information: use "ip route-cache flow infer-fields" or "ip flow ingress infer-fields" when using CEF with a daughter card, e.g. on the 4500/6500.

Ensure that you have your SNMP community string and passwords available; you will need them later to set up auto-discovery of interface names by the CySight software. Until the SNMP passwords are enabled, CySight will continue to collect but will record only the SNMP interface index number. If you do not intend to use SNMP discovery, you can set the interface names manually in CySight Configuration. In this case you must ensure "snmp-server ifindex persist" is used.

The DigiToll NetFlow collection engine will automatically discover the device(s) on receipt of the NetFlow. Please use port 2055 initially, as this is the preset CySight port. You can change the port later, but retaining it initially will facilitate automatic discovery and an easy installation. CySight Enterprise and Telco versions require a separate port to be set up for each device. This is advantageous in large environments where router and switch data need to be considered as a single device, e.g. a Cisco 6509 where the router and switch modules each report flows individually but the device is seen as a unit.

Click Configuration > Devices > Device, highlight a device in the grid, then click "Modify" to set up your device. Add the SNMP read-only community string and password. After making your change, click "Confirm" to save.

Alternatives to using ip route-cache flow are:
ip flow ingress
ip flow egress


We recommend that you use "ip flow ingress" on each interface, or "ip flow ingress infer-fields" as a global command when CEF is used, in particular if a daughter card is used, as has been seen on the Cisco 4500 series.

Cisco IOS releases other than 12.3T, 12.3(11)T or later do not support "ip flow ingress", so that will probably dictate your choice between "ip route-cache flow" and "ip flow ingress" when collecting from legacy routers or switches.

Egress may seem attractive, as it can simplify your configuration in more complex environments.

However, the Cisco documentation clearly shows the reasons why we believe you should avoid using egress accounting:

“…
Memory Impact
During times of heavy traffic, the additional flows can fill up the global flow hash table. If you need to increase the size of the global flow hash table, increase the memory of the router.

Performance Impact
Egress NetFlow accounting might adversely affect network performance because of the additional accounting-related computation that occurs in the traffic-forwarding path of the router.
…”
Ref: https://www.cisco.com/univercd/cc/td/do ... b_bega.htm

Timing parameters that cause flow export
ip flow-cache timeout active 1 ; active timeout in minutes

This is needed for CySight to have real-time down to the minute views.

When using CySight as a stand-alone collector for long-term collection in billing-only environments, for example, you can leave this at the default. This is because the shortest period for long-term record collection and analysis is one hour.

ip flow-cache timeout inactive 15 ; inactive timeout in seconds

The purpose of this timeout parameter is to ensure that flows that have finished are periodically exported.

To avoid buffer overruns in large environments, it is advisable to set this so that flows are exported at least every 15 seconds. Larger timeouts, even 30 seconds, will in many environments result in traffic graphs that seem jittery. Reducing the timeout to 15 seconds should help to smooth out the graph; this can increase the number of flows, which will not have any effect on CySight. If the NetFlow buffers are full they will flush and be sent to the collector anyway. When using the CySight long-term stand-alone process in billing-only environments, you can set a larger timeout as long as the data is forced out before the hour is up. The risk in doing that, however, is loss of data if the device were to go down before the NetFlow buffers are flushed.

Note: some non-Cisco devices that produce NetFlow but do not have a flow inactive timeout have been shown to produce incorrect statistics. Cases have been seen where non-standard devices do not export a conversation until it has ended.
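The effect of the active and inactive timeouts described above, as an added example that is not CySight's or Cisco's code: a toy flow cache that exports an entry when its active timer (from the first packet) or inactive timer (from the last packet) fires, run over one constructed 5-minute transfer so you can see why a 1-minute active timeout is needed for per-minute graphs. The IOS defaults of 30 minutes and 15 seconds are used as the fallback values.

```python
from dataclasses import dataclass

@dataclass
class FlowEntry:
    first: float        # time of the first packet in this cache entry
    last: float         # time of the most recent packet
    packets: int = 0
    octets: int = 0

class FlowCache:
    """Toy flow cache with IOS-style active and inactive timeouts."""
    def __init__(self, active_min: int = 30, inactive_sec: int = 15):
        self.active = active_min * 60      # IOS default is 30 minutes
        self.inactive = inactive_sec       # IOS default is 15 seconds
        self.entries: dict[tuple, FlowEntry] = {}
        self.exported: list[tuple] = []    # (key, first, last, packets, octets)

    def _expire(self, now: float) -> None:
        # Export entries whose active or inactive timer has fired by `now`.
        for key, e in list(self.entries.items()):
            if now - e.first >= self.active or now - e.last >= self.inactive:
                self.exported.append((key, e.first, e.last, e.packets, e.octets))
                del self.entries[key]

    def packet(self, now: float, key: tuple, octets: int) -> None:
        """Account one packet; if the active timer fired, the old entry is
        exported and a fresh one started, splitting a long transfer."""
        self._expire(now)
        e = self.entries.get(key)
        if e is None:
            e = self.entries[key] = FlowEntry(first=now, last=now)
        e.last = now
        e.packets += 1
        e.octets += octets

    def tick(self, now: float) -> None:
        """Periodic cache sweep with no traffic."""
        self._expire(now)

def records_for_transfer(active_min: int, inactive_sec: int,
                         duration_sec: int = 300, pps: int = 10) -> list[tuple]:
    """Run one constant-rate transfer (constructed 5-tuple) through a cache
    with the given timeouts, idle it out, and return the exported records."""
    cache = FlowCache(active_min, inactive_sec)
    key = ("192.0.2.10", "198.51.100.20", 6, 51515, 443)
    for i in range(duration_sec * pps):
        cache.packet(i / pps, key, 1500)
    cache.tick(duration_sec + inactive_sec)     # idle long enough to flush
    return cache.exported
```

With active_min=1 the 5-minute transfer is exported as five records of 600 packets, one per minute; with the 30-minute default it is exported as a single record only after the transfer has gone idle.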

ip flow-export source Loopback0 ; physical interface independent

'ip flow-export source Loopback0' forces the router or switch to use the internal Loopback0 address as the reference IP address of the device. This is important to ensure the same IP address is always used when exporting flows. It is also useful from a security perspective: if data from another NetFlow source arrives, it can be identified as coming from a different source. Some environments also want to avoid the potential injection of "dummy" flows into the collectors.

Setting NetFlow versions and collectors
ip flow-export version [5/7/9]

DigiToll CySight collectors will automatically recognize the NetFlow version sent. Do not configure version 9 aggregation caches; export only the main cache. Full support for all aggregation caches is coming soon.

Note on Cisco bugs: be aware that on some platforms the IOS has had bugs, so you may see unexpected results, or interface or ToS fields not providing data.

Check the data and use DigiToll analysis to assist you when tracking down these issues. Sometimes, as in the case of the "ip flow ingress infer-fields" command, you may find that the problem is the result of something else, such as CEF.

If you find something unusual, please report it and our support team will assist you quickly.

ip flow-export version [5/7/9] [peer-as | origin-as]

We recommend not setting peer-as or origin-as initially, as adding these options can increase flows substantially.

So, in summary, start with:

ip flow-export version [5/7/9]

If you are an ISP, Telco or large enterprise with multiple edge BGP points, then setting peer-as will assist you in seeing the path of the traffic. This will help you with least-cost routing and SLA analysis.

Peer-as provides the AS numbers of the BGP networks you are directly connected to.

ip flow-export version [5/7/9] peer-as


Data centers, small enterprise, branch offices and data. The

ip flow-export version [5/7/9] origin-as

Start export
ip flow-export destination [CySight IP] 2055 ;

The IP address to send exports to, and the UDP port number.
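Collector-side checks for the export just configured, as an added example that is not CySight's collector code: it parses the NetFlow v5 header of a datagram received on the per-device port (2055 here), accepts only the Loopback0 source address registered for that port (the identification point made under "ip flow-export source"), and tracks flow_sequence per exporter so lost or injected datagrams show up as gaps. The exporter address 192.0.2.1, the rogue source 203.0.113.9 and the datagrams are constructed.

```python
import struct

# NetFlow v5 header: version, count, sysuptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes)
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_FIELDS = ("version", "count", "sysuptime", "unix_secs", "unix_nsecs",
             "flow_sequence", "engine_type", "engine_id", "sampling")
V5_RECORD_LEN = 48

def parse_v5_header(datagram: bytes) -> dict:
    """Return the v5 header fields; raise ValueError on a malformed datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    hdr = dict(zip(V5_FIELDS, V5_HEADER.unpack_from(datagram)))
    if hdr["version"] != 5:
        raise ValueError(f"unsupported NetFlow version {hdr['version']}")
    if len(datagram) != V5_HEADER.size + hdr["count"] * V5_RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    return hdr

class ExporterTracker:
    """Per-port allowlist of exporter source addresses plus flow_sequence
    tracking (v5 flow_sequence counts flows, so next = sequence + count)."""
    def __init__(self, expected: dict[int, str]):
        self.expected = expected           # UDP port -> exporter Loopback0 address
        self.next_seq: dict[str, int] = {}

    def check(self, src_ip: str, port: int, datagram: bytes) -> str:
        """Classify one datagram: 'ok', 'gap:<n>' (n flows never received),
        'reset' (sequence went backwards, e.g. exporter reload) or 'reject:...'."""
        if self.expected.get(port) != src_ip:
            return f"reject:unexpected source {src_ip} on port {port}"
        try:
            hdr = parse_v5_header(datagram)
        except ValueError as err:
            return f"reject:{err}"
        expected = self.next_seq.get(src_ip)
        seq = hdr["flow_sequence"]
        self.next_seq[src_ip] = (seq + hdr["count"]) & 0xFFFFFFFF
        if expected is None or seq == expected:
            return "ok"
        return "reset" if seq < expected else f"gap:{seq - expected}"

def make_v5(seq: int, count: int) -> bytes:
    """Constructed v5 datagram with `count` zero-filled 48-byte records."""
    header = V5_HEADER.pack(5, count, 1000, 1700000000, 0, seq, 0, 0, 0)
    return header + bytes(V5_RECORD_LEN * count)
```

A datagram from an unregistered source is rejected before its header is even parsed, and a sequence jump reports exactly how many flows were never received.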


Diagnosis
Check the above by looking at the output from "sh ip flow export" and "sh ip cache verbose flow"
sh ip flow export
sh ip cache verbose flow

snmp-server ifindex
It is useful to enable "snmp-server ifindex persist". It enables ifIndex persistence (interface names) globally, ensuring that the ifIndex values persist across device reboots.