09-10-2015 05:17 PM - edited 03-01-2019 08:01 AM
Hello,
I am trying to do a Proof of Concept using a Prime Infrastructure Gen 1 appliance running 2.2. On the appliance side we are ready. What I am trying to nail down is the router config.
My routers are all ISR 2's running 15.4.1(T) and above. I have installed the datak9 license and rebooted. I installed the latest NBAR2 protocol pack and have verified that the pack installed correctly.
Now I would like to export Flexible NetFlow to the Prime appliance. I have found docs that explain the config for SolarWinds and another collector whose name I can't remember right now.
What I can't find in a clear way is the config for a 3900 to send NetFlow to Prime Infrastructure.
Any help much appreciated,
P.
09-23-2015 12:19 AM
NetFlow configuration on the router should not be dependent on the collector. At the most, you might have to change the port on which flows are exported to match the one that your NetFlow collector is listening to. Other than that, most common Flexible NetFlow config should work for Prime too.
R,
Don Jacob
*** Pls rate all useful responses ***
09-24-2015 10:43 AM
Thanks Don. I meant to update this. Here is what I did on the router side:
IOS Version must be 15.4.(1)T and higher. Once that requirement is met:
router01(config)#license boot module XXXX technology-package datak9
router01(config)#ip nbar protocol-pack flash:name_of_file

4. Verify installation of Protocol Pack:
router01#sh ip nbar protocol-pack active
router01#sh ip nbar protocol-pack loaded

flow record Record-FNF
 description Flexible NetFlow with NBAR Flow Record
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 match application name
 collect routing source as
 collect routing destination as
 collect routing next-hop address ipv4
 collect ipv4 dscp
 collect ipv4 id
 collect ipv4 source prefix
 collect ipv4 source mask
 collect ipv4 destination mask
 collect transport tcp flag
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

flow exporter Prime_Infrastructure
 description Export IPFIX to Prime
 destination 10.64.64.240
 source GigabitEthernetxxxx
 output-features
 transport udp 9991
 export-protocol ipfix
 option interface-table
 option application-table
 option application-attributes

flow exporter Riverbed_Profiler
 description Export IPFIX to Riverbed Profiler
 destination 10.64.93.79
 source GigabitEthernetxxxx
 output-features
 transport udp 9995
 export-protocol ipfix
 option interface-table
 option application-table
 option application-attributes

Router01#show flow exporter option application table
Router01#show flow exporter flow exporter name

Router01(config)#flow monitor Monitor-FNF
 description FNF/NBAR Application Traffic Analysis
 record Record-FNF
 exporter Riverbed_Profiler
 exporter Prime_Infrastructure
 cache timeout active 60

Router01#sh flow monitor

Router01(config)# interface gig 0/1
 ip flow monitor Monitor-FNF input (this command rebooted a router running IOS 15.4.1. There is a known bug. The workaround is to issue the command via console or telnet BUT NOT SSH!)
 ip flow monitor Monitor-FNF output

Router01# show flow interface

Router(config)#ip nbar custom Crashplan tcp 4282
Router(config)#ip nbar custom Riverbed_Inpath tcp 7800

On the local router you can obtain lots of traffic information from the local NetFlow cache.
Router01#show flow monitor Monitor-FNF cache ?
Examples: These have slight variations depending on the version of IOS.
show flow monitor Monitor-FNF cache filter application name Crashplan
show flow monitor Monitor-FNF cache aggregate ipv4 source address sort highest counter bytes top 10
show flow monitor Monitor-FNF cache aggregate ipv4 dest address sort highest counter bytes top 10
show flow monitor Monitor-FNF cache filter ipv4 destination address regexp 10.64.69.* transport destination-port 80
show flow monitor Monitor-FNF cache aggregate ipv4 destination address ipv4 source address sort highest counter bytes top 10
show flow monitor Monitor-FNF cache aggregate ipv4 destination address ipv4 source address | i 10.1.48.*
show flow monitor Monitor-FNF cache aggregate application name sort highest counter bytes top 10
More Info:
Like I said, this is just the router side. The collector side is a whole other ball of wax.
Hope this helps somebody someday!
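
An added example, not part of the posts above: a small Python check for the collector side that confirms a received datagram really is IPFIX (as set by `export-protocol ipfix`) and lists the fields each template announces, so they can be compared with Record-FNF. The function names and the `SAMPLE` bytes are constructed for illustration, including the enterprise element ID in the last field.

```python
import struct

# IANA IPFIX element IDs for some fields that Record-FNF matches/collects.
IE_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
            7: "sourceTransportPort", 8: "sourceIPv4Address", 95: "applicationId",
            11: "destinationTransportPort", 12: "destinationIPv4Address"}

def parse_templates(body):
    """Decode the template records of one template set (set ID 2)."""
    out, pos = {}, 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        pos += 4
        if tid < 256:                       # zero padding at the end of the set
            break
        fields = []
        for _ in range(count):
            ie, flen = struct.unpack_from("!HH", body, pos)
            name = IE_NAMES.get(ie, f"ie{ie}")
            if ie & 0x8000:                 # enterprise bit: a 4-byte PEN follows
                name = "pen%d:%d" % (struct.unpack_from("!I", body, pos + 4)[0], ie & 0x7FFF)
            pos += 8 if ie & 0x8000 else 4
            fields.append((name, flen))
        out[tid] = fields
    return out

def parse_ipfix(msg):
    """Validate one datagram as IPFIX; return (header, templates)."""
    if len(msg) < 16:
        raise ValueError("shorter than the 16-byte IPFIX header")
    version, length, export_time, seq, domain = struct.unpack_from("!HHIII", msg)
    if version != 10:
        raise ValueError(f"version {version} is not IPFIX (NetFlow v9 sends 9)")
    if length != len(msg):
        raise ValueError("header length does not match datagram size")
    templates, off = {}, 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("set length runs past the message")
        if set_id == 2:                     # template set; data sets are skipped
            templates.update(parse_templates(msg[off + 4:off + set_len]))
        off += set_len
    return {"export_time": export_time, "sequence": seq, "domain": domain}, templates

# Constructed sample: header, one template set, template 256 with 8 fields.
SAMPLE = bytes.fromhex("000a003c 56000000 00000000 00000100 0002002c 01000008 "
    "00080004 000c0004 00070002 000b0002 00040001 005f0004 00010004 80010002 00000009")
```

Pass it the payload of each datagram received on the exporter's UDP port (9991 for Prime_Infrastructure in the config above); a truncated template raises `struct.error`.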