NetFlow is a widely used and very useful feature for network administrators. It is a must-have for any network because it gives an immense amount of detail about the network traffic and its users. NetFlow differs from basic bandwidth monitoring in that it reports utilization per IP address and per application, not just per interface. So you would know how a certain user spends his/her time in the office (Facebook traffic or SQL traffic) 🙂 Certainly an excellent tool for managers during performance appraisals 😀 !! The same per-host, per-application visibility is what makes flow data valuable to a security team: it is the cheapest way to spot a host talking to an unexpected destination, an unusual port, or an unusual volume.
Let's see how we can configure it and get a working setup.
NetFlow has two components: the network device you want to monitor (the exporter, here a router) and the collector, which receives the data sent by the router and turns it into graphical and tabular overviews of the collected flows.
NetFlow exports are almost always carried over UDP. The protocol tolerates the loss of an occasional export packet, so it does not need a reliable transport; IPFIX additionally defines SCTP and TCP, but the Cisco IOS XE flow exporter is configured with "transport udp". You can choose the destination port yourself; 9996 and 9995 are the most commonly used UDP ports (2055 is another common choice, and 4739 is the registered IPFIX port). Two caveats a practitioner should keep in mind: the export is neither authenticated nor encrypted, so the collector should accept flows only from the router's known source address and ideally over a management network, and everything you export (who talked to whom, when, and how much) is readable by anyone who can sniff the path between router and collector.
To configure Flexible NetFlow (FNF) you need three things: a flow record, a flow exporter and a flow monitor. The final step is to apply the monitor to an interface to start the monitoring.
The flow record specifies the list of fields you want to capture about a flow and send to the collector. "match" fields define what makes one flow distinct from another (the key); "collect" fields are additional data gathered for each flow.
The flow exporter specifies the transport protocol and port, the export format (NetFlow v9 is the default; v5 or IPFIX can be selected with "export-protocol") and the destination IP address of the collector.
The flow monitor is the parent entity that ties a record and an exporter together. Once it is configured, we apply the monitor to an interface to start the flow monitoring.
Following is the configuration on an ISR4451 router. Note that "match application name" relies on NBAR2 application recognition on the router; without it that field is not populated.
ISR4451#show run flow record REC
Current configuration:
!
flow record REC
 match ipv4 destination address
 match ipv4 source address
 match application name
 match interface input
 match interface output
 match ipv4 protocol
 match ipv4 tos
 match transport source-port
 match transport destination-port
 collect transport tcp flags
 collect counter bytes long
 collect counter packets long
!
ISR4451#show run flow exporter EXP
Current configuration:
!
flow exporter EXP
 destination x.x.x.x        <-- collector IP address
 transport udp 9996
 template data timeout 60
!
ISR4451#show run flow monitor MON
Current configuration:
!
flow monitor MON
 exporter EXP
 cache timeout active 60
 record REC
!
ISR4451#show running-config interface gi 0/0/0
Building configuration...

Current configuration : 193 bytes
!
interface GigabitEthernet0/0/0
 ip address Y.Y.Y.Y 255.255.255.0
 ip flow monitor MON input
 ip flow monitor MON output
Once the configuration is in place you can use the following commands on the Cisco router to verify that flow collection is enabled and that the router has started exporting: "show flow monitor MON cache" lists the flows currently held in the cache, and "show flow exporter EXP statistics" shows how many datagrams and bytes have been sent to the collector.
Check the statistics under the EXP exporter. We see that some data has already been sent out of the router to the collector. If the datagram counter stays at zero, check that traffic is actually crossing the interface the monitor is applied to and that the cache is populating before suspecting the export path.
So here we have verified whether the router has started sending data out or not. Now we need to check how it looks on the collector. You can use any collector that is available for free for evaluation or training purposes. I have used the ManageEngine OpManager NetFlow collector, and following are the details that we see on it once the device is added to collect flows.
Below you can see the top conversations. Application- and protocol-level information is shown in this chart, so you can easily identify the applications that need to be policed or should be given more bandwidth according to their criticality. The same view is also where unexpected conversations (an internal host sending large volumes to an unknown external address, or talking on a port nothing should be using) stand out.
So we see how neatly it shows the stats.
Now let's see what kind of packet exchange occurs between the router and the collector to deliver the flow statistics.
I have taken a packet capture on the router to see what data flows between the router and the collector. Use the "cflow" Wireshark display filter to see these packets. Basically two kinds of packets are sent from the exporter to the collector. The first is the template FlowSet, which describes the layout of the flow records; in simple terms it is the list of column names and column widths for a table. The second is the data FlowSet, which carries the actual flow records that fill in that template. The collector cannot decode a data FlowSet until it has received the matching template, which is why the exporter re-sends templates periodically ("template data timeout 60" above) and why a collector started mid-stream may show nothing until the next template refresh.
See below.
Flow data:
The flow data packet shown contains the records for two flows, Flow 1 and Flow 2.
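To make the template/data split above concrete, here is an added example (not part of the original post, and not the collector's own code) of a small NetFlow v9 parser in Python. It decodes the 20-byte header, learns templates from FlowSet 0, and decodes data FlowSets only once the matching template is known, skipping data that arrives before its template. The sample packets are constructed in the script, not captured: they mimic a template matching the REC record above followed by a data packet carrying two flows, and the field type numbers are the standard NetFlow v9/IPFIX ones (the application id is element 95; the 32-bit application id values used here are arbitrary). A small "top conversations" aggregation at the end shows the kind of table the collector screenshot summarises.

```python
import struct
import ipaddress
from collections import defaultdict

# Field type numbers from RFC 3954 / the IPFIX information element registry.
# Names mirror the fields of the "flow record REC" in the router config.
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 5: "src_tos", 6: "tcp_flags",
    7: "l4_src_port", 8: "ipv4_src_addr", 10: "input_snmp", 11: "l4_dst_port",
    12: "ipv4_dst_addr", 14: "output_snmp", 95: "application_id",
}
IPV4_FIELDS = {8, 12}


def decode_field(ftype, raw):
    if ftype in IPV4_FIELDS:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates):
    """Parse one NetFlow v9 export datagram and return a list of flow dicts.
    `templates` maps (source_id, template_id) -> [(field_type, length), ...]
    and must persist across calls: data FlowSets are only decodable after the
    template FlowSet that describes them has been seen."""
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    records = []
    offset = 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed FlowSet length")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:                      # template FlowSet: learn record layouts
            pos = 0
            while pos + 4 <= len(body):
                template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = []
                for _ in range(field_count):
                    fields.append(struct.unpack("!HH", body[pos:pos + 4]))
                    pos += 4
                templates[(source_id, template_id)] = fields
        elif flowset_id > 255:                   # data FlowSet: id is the template id
            fields = templates.get((source_id, flowset_id))
            if fields is not None:               # otherwise skip until the template refresh
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while pos + rec_len <= len(body):
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        # flowset_id 1 (options template) and 2..255 are ignored here
        offset += length
    return records


def top_conversations(records, n=5):
    """Sum bytes per (src, dst, protocol, dst port), largest first."""
    totals = defaultdict(int)
    for r in records:
        key = (r.get("ipv4_src_addr"), r.get("ipv4_dst_addr"), r.get("protocol"), r.get("l4_dst_port"))
        totals[key] += r.get("in_bytes", 0)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def build_sample_packets():
    """Constructed (not captured) template and data packets for template id 256."""
    template_fields = [(8, 4), (12, 4), (95, 4), (10, 2), (14, 2), (4, 1), (5, 1),
                       (7, 2), (11, 2), (6, 1), (1, 8), (2, 8)]      # 39-byte record
    tmpl_body = struct.pack("!HH", 256, len(template_fields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in template_fields)
    header = lambda count, seq: struct.pack("!HHIIII", 9, count, 123456, 1700000000, seq, 0)
    template_pkt = header(1, 1) + struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body

    def flow(src, dst, app, proto, sport, dport, flags, nbytes, npkts):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!IHHBBHHBQQ", app, 1, 2, proto, 0, sport, dport, flags, nbytes, npkts))

    flows = (flow("10.0.0.5", "198.51.100.7", 0x0D000050, 6, 51234, 443, 0x18, 734000, 620)
             + flow("10.0.0.9", "10.0.1.20", 0x0D000001, 6, 40001, 1433, 0x18, 45000, 60))
    flows += b"\x00" * ((-len(flows)) % 4)      # pad data FlowSet to a 4-byte boundary
    data_pkt = header(2, 2) + struct.pack("!HH", 256, 4 + len(flows)) + flows
    return template_pkt, data_pkt


def demo():
    templates = {}
    template_pkt, data_pkt = build_sample_packets()
    early = parse_v9(data_pkt, templates)        # template not yet seen: nothing decoded
    parse_v9(template_pkt, templates)
    records = parse_v9(data_pkt, templates)
    return early, records, top_conversations(records)


if __name__ == "__main__":
    early, records, top = demo()
    print("records before template:", len(early))
    for r in records:
        print(r)
    print("top conversations:", top)
```

Feeding the data packet before the template yields no records, which is exactly the "collector shows nothing for a minute after starting" behaviour that the exporter's template refresh interval resolves. A real collector also keys templates on the exporter's source address, and should reject datagrams from addresses it does not expect, since nothing in the protocol authenticates the sender.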
This completes a working FNF implementation. Thanks for visiting my blog. Leave your comments and suggestions in the comment section.
Stay tuned for more.