Thanks Don. I meant to update

Pete89 · ‎09-10-2015

Hello,

I am trying to do a Proof of Concept using a Prime Infrastructure Gen 1 appliance running 2.2. On the appliance side we are ready. What I am trying to nail down is the router config.

My routers are all ISR 2's running 15.4.1(T) and above. I have installed the data9k license and rebooted. I installed the latest NBAR2 protocol pack and have verified that the pack installed correctly.

Now I would like to export Flexible Netflow to the Prime Appliance. I have found docs that explain the config for SolarWinds and another collector I cant remember the name right now.

What I cant find in a clear way is the config for a 3900 to send netflow to Prime Infrastructure.

Any help much appreciated,

P.

Don Jacob · ‎09-23-2015

NetFlow configuration on the router should not be dependent on the collector. At the most, you might have to change the port on which flows are exported to match the one that your NetFlow collector is listening to. Other than that, most common Flexible NetFlow config should work for Prime too.

R,
Don Jacob

*** Pls rate all useful responses ***

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.

Pete89 · ‎09-24-2015

Thanks Don. I meant to update this. Here is what I did on the router side:

IOS Version must be 15.4.(1)T and higher. Once that requirement is met:

Install 90 day eval Data/AppX License:

router01(config)#license boot module XXXX technology-package datak9

Reboot Router

Download from Cisco and then copy Protocol Pack to Local flash. Protocol packs are dependent on the version of IOS. They should match. Then run:

router01(config)#ip nbar protocol-pack flash:name_of_file

4.Verify installation of Protocol Pack:

router01#sh ip nbar protocol-pack active
router01#sh ip nbar protocol-pack loaded

Create Flow Record for Netflow Collectors:

flow record Record-FNF
description Flexible NetFlow with NBAR Flow Record
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
match application name
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 id
collect ipv4 source prefix
collect ipv4 source mask
collect ipv4 destination mask
collect transport tcp flag
collect interface output
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last

Create Exporter for Prime and Riverbed NetProfiler:

flow exporter Prime_Infrastructure
description Export IPFIX to Prime
destination 10.64.64.240
source GigabitEthernetxxxx
output-features
transport udp 9991
export-protocol ipfix
option interface-table
option application-table
option application-attributes

flow exporter Riverbed_Profiler
description Export IPFIX to Riverbed Profiler
destination 10.64.93.79
source GigabitEthernetxxxx
output-features
transport udp 9995
export-protocol ipfix
option interface-table
option application-table
option application-attributes

Verify Netflow Exporter

Router01#show flow exporter option application table
Router01#show flow exporter flow exporter name

Create Flow Monitor

Router01(config)#flow monitor Monitor-FNF
description FNF/NBAR Application Traffic Analysis
record Record-FNF
exporter Riverbed_Profiler
exporter Prime_Infrastructure
cache timeout active 60

Verify Flow Monitor Config:

Router01#sh flow monitor

Apply Flow Monitor to Interface:

Router01(config)# interface gig 0/1

ip flow monitor Monitor-FNF input (this command rebooted a router running IOS 15.4.1. There is a known bug. The workaround is to issue the command via console or telnet BUT NOT SSH! )

ip flow monitor Monitor-FNF output

Verify the Interface is configured for Netflow Monitoring. Note: Cisco recommends applying flow monitor to WAN and LAN interfaces.

Router01# show flow interface

Add customs applications :

Router(config)#ip nbar custom Crashplan tcp 4282
Router(config)#ip nbar custom Riverbed_Inpath tcp 7800

On the local router you can obtain lots of traffic information from the local cache of Netflow.

Router01#show flow monitor Monitor-FNF cache ?

Examples: These have slight variations depending on the version of IOS.

show flow monitor Monitor-FNF cache filter application name Crashplan
show flow monitor Monitor-FNF cache aggregate ipv4 source address sort highest counter bytes top 10
show flow monitor Monitor-FNF cache aggregate ipv4 dest address sort highest counter bytes top 10
show flow monitor Monitor-FNF cache filter ipv4 destination address regexp 10.64.69.* transport destination-port 80

show flow monitor Monitor-FNF cache aggregate ipv4 destination address ipv4 source address sort highest counter bytes top 10
show flow monitor Monitor-FNF cache aggregate ipv4 destination address ipv4 source address | i 10.1.48.*
show flow monitor Monitor-FNF cache aggregate application name sort highest counter bytes top 10

More Info:

http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Dec2013/CVD-ApplicationMonitoringUsingNetFlowDesignGuide-DEC13.pdf

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/configuration/xe-3s/qos-nbar-xe-3s-book/nbar2-custm-protocl.html

http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-2/user/guide/pi_ug/config-avc.html#pgfId-1074562

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fnetflow/configuration/15-mt/fnf-15-mt-book/cgf-topn.html

Like I said. This is just the router side. The collector side is a whole other ball of wax

Hope this helps somebody someday!

Netflow Exporter Config on ISR2 Router