Configure NetFlow - Cisco commands Quick Start Summary

This area will help fast track you in planning, setting up and managing NetFlow in your environment. NetFlow is instrumentation embedded in Cisco IOS Software that characterizes network operation.

Network specialists of various levels within an organization need to be able to report on traffic traversing sites, key links and data centers without deploying probes. They use CySight, powered by unique NetFlow Auditor methods of scalable collection, retention and Predictive AI Baselining, to capture and analyze every NetFlow record with aggregation options and small-footprint real-time and long-term storage. From Telco to SME you will recognize the superior reliability and performance of the CySight NetFlow Auditing solutions, as well as the management benefits offered.

This quick start will help you with the commands, but we strongly advise you to read the NetFlow commands for CySight explained to understand why the options below were chosen.

Also see the Cisco documentation for the small variances in installation: Cisco NetFlow Installation Instructions

General NetFlow commands:

Enable on each interface (except when using CEF with a NetFlow Daughter Card):
ip route-cache flow

General Commands

ip cef
ip flow-export source Loopback0
ip flow-export version [5/7/9]
ip flow-cache timeout inactive 15
ip flow-cache timeout active 1
snmp-server ifindex persist
ip flow-export destination [CySight IP] 2055

Note: Loopback0 can be changed to another interface such as fastethernet0/0, but it is good practice to choose an interface that will consistently have the same IP address, because the collector identifies the exporting device by the source address of the export packets.

Note: If AS information is required, then ip flow-export needs to include either peer-as or origin-as. Be aware that origin-as will dramatically increase the size of the long-term collection.
ip flow-export version [5/7/9] [peer-as | origin-as]

Additional Options

ip flow ingress infer-fields

If the source IP address and destination IP address are not seen in IP Flow, the usual causes are:
* The packets are blocked by an ACL.
* The packets are being process switched.
* Multicast traffic.
* Packets destined for the router itself.
* Tunnels (IPIP, GRE, IPSEC, L2TP) and WCCP.
* A static route to null0.
* DstIf is NULL because the traffic was dropped by CAR.

In order to avoid this issue, use the ip flow ingress infer-fields command to enable NetFlow with inferred input/output interfaces and source/destination information.

If the flows on the subinterfaces need to be checked, there are two options:

1. Configure ip route-cache flow on the main interface. This sends the flows from all the subinterfaces.
2. Configure ip flow ingress on the subinterfaces. In this case the main interface has no NetFlow configuration, and flows are sent from each subinterface where the ip flow ingress command is enabled.

When running NetFlow on Cisco 7600 switches in native mode, use:

mls nde sender version 5
mls flow ip interface-full
mls aging long 64
ip flow-export source Loopback0
ip flow-export version [5/7/9]
ip flow-export destination [DigiToll IP| CySight IP] 2055
snmp-server ifindex persist

Software Platform Configuration

The following is an example of a basic router configuration for NetFlow. NetFlow basic functionality is very easy to configure. NetFlow is configured on a per-interface basis: when NetFlow is configured on an interface, IP packet flow information is captured into the NetFlow cache. The NetFlow cache can also be configured to export its data to a collection server if one is deployed.

1. Configure the interface to capture flows into the NetFlow cache. CEF is enabled first, then NetFlow flow capture is configured on the interface:
Router(config)# ip cef
Router(config)# interface ethernet 1/0
Router(config-if)# ip flow ingress
Router(config-if)# ip route-cache flow

Note: Either the ip flow ingress or the ip route-cache flow command can be used, depending on the Cisco IOS Software version. ip flow ingress is available in Cisco IOS Software Release 12.2(15)T or above.

2. This step is required if you are exporting the NetFlow cache to a reporting server. The version (format) of the NetFlow export packet is chosen, followed by the destination IP address of the export server.

2055 is the default UDP port the CySight server uses to receive the UDP export from the Cisco device. You can set up multiple port numbers; this is required when using the CySight Enterprise or Telco versions.

Router(config)# ip flow-export version [1|5|7|9]
Router(config)# ip flow-export destination [DigiToll|CySight IP] 2055
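To show what the collector actually receives on UDP 2055 once the export above is enabled, here is an added example (not code from the original page or from CySight) that decodes a NetFlow version 5 datagram. It uses the published v5 layout (24-byte header, 48-byte records), exposes the input/output SNMP ifIndex values that snmp-server ifindex persist keeps stable, the src_as/dst_as fields filled by peer-as or origin-as, and the output ifIndex 0 seen for dropped or router-destined traffic; because export is plain UDP with no authentication, it also rejects datagrams whose record count does not match their length. The sample datagram and its addresses are constructed for the example.

```python
"""Decode a NetFlow v5 export datagram as received by a collector on UDP port 2055."""
import struct
from ipaddress import IPv4Address

HDR = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte v5 flow record


def parse_v5(datagram: bytes) -> dict:
    """Return {'header': {...}, 'flows': [...]}; raise ValueError on a malformed datagram."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, _secs, _nsecs,
     flow_seq, _engine_type, engine_id, sampling) = HDR.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    # v5 carries 1..30 records; a count/length mismatch means a truncated or forged
    # datagram, which a collector should drop and log rather than partially accept.
    if not 1 <= count <= 30 or len(datagram) != HDR.size + count * REC.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, tos, src_as, dst_as,
         _src_mask, _dst_mask, _pad2) = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "nexthop": str(IPv4Address(nexthop)),
            "input_ifindex": in_if, "output_ifindex": out_if,   # SNMP ifIndex values
            "packets": pkts, "octets": octets, "duration_ms": last - first,
            "sport": sport, "dport": dport, "proto": proto, "tcp_flags": flags, "tos": tos,
            "src_as": src_as, "dst_as": dst_as,                  # from peer-as / origin-as
            "output_is_null": out_if == 0,   # dropped, null0 or router-destined traffic
        })
    # low 14 bits of the sampling field hold the interval, top 2 bits the mode
    return {"header": {"sequence": flow_seq, "count": count, "engine_id": engine_id,
                       "sampling_interval": sampling & 0x3FFF}, "flows": flows}


def build_sample_datagram() -> bytes:
    """Constructed sample: one forwarded HTTPS flow and one flow dropped to ifIndex 0."""
    ip = lambda s: IPv4Address(s).packed
    hdr = HDR.pack(5, 2, 123456, 1700000000, 0, 1000, 0, 0, 0)
    web = REC.pack(ip("10.1.1.25"), ip("192.0.2.80"), ip("10.1.1.1"), 3, 4,
                   12, 6400, 120000, 123000, 51514, 443, 0, 0x18, 6, 0, 65000, 64496, 24, 24, 0)
    dropped = REC.pack(ip("10.1.1.25"), ip("198.51.100.9"), ip("0.0.0.0"), 3, 0,
                       1, 60, 121000, 121000, 40000, 23, 0, 0x02, 6, 0, 65000, 0, 24, 0, 0)
    return hdr + web + dropped
```

A real collector would wrap parse_v5 in a UDP socket bound to port 2055 and accept datagrams only from the configured export source address (Loopback0 above).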