cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11509
Views
5
Helpful
17
Replies

How to configure netflow on 6807

shijomon scaria
Level 1
Level 1

Dear All,

 

Please help me to configure netflow on my new 6807XL VSS, running 15.1(2)SY - IPSERVICESK9.

I have tried to configure it according to the documentations available but getting warning messages while applying to an interface and not getting any flows received at the collector side.

Have created flow record, exporter and monitor. Tried with version 5 and manageengine netflow analyzer.

Is there any working example available ?

Thanks in advance.

Shijo.

17 Replies 17

There's no unique way to implement netflow monitoring. Anyway this is the working configuration for monitoring bandwidth usage that we use in our company along with PRTG as collector:

!

ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination <A.B.C.D> <port>

!

interface FastEthernet0/0
 ip address <a.b.c.d> <255.255.255.0>
 ip flow egress
 duplex auto
 speed auto

 

 

Dear Houten,

Thanks for the reply.

But I believe the given configuration steps are belongs to the 'original netflow' configuration, but this has been replaced by Flexible Netflow (FNF) in newer IOS versions.

Regards,

Shijo.

 

You're right, it works for version 12.4, but it's not depreciated yet and you can use it for newer IOS.

can you share your current configuration?

Heres a working flex netflow  of one of my devices

check its exporting with

xxxxxxxxxxxxxxxxxxxx#show flow exporter statistics
Flow Exporter NetQos:
  Packet send statistics (last cleared 40w1d ago):
    Successfully sent:         56805572              (70235337725 bytes)
    No destination address:    24                    (30196 bytes)

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

flow record FLOW-RECORD
 description record to monitor network traffic
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match interface output
 collect routing source as
 collect routing destination as
 collect routing next-hop address ipv4
 collect transport tcp flags
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
!
flow exporter NetQos
 description export Netflow traffic to HQ
 destination x.x.x.x
 source Vlan1222
 template data timeout 300
 option interface-table timeout 1000
 option exporter-stats timeout 1000
!
!
flow monitor xilinx_nq
 description Used for ipv4 traffic analysis (Mapped To FLOW-RECORD)
 record FLOW-RECORD
 exporter NetQos
 statistics packet protocol

interface Vlan159
 ip address x.x.x.x 255.255.255.0
 ip flow monitor xilinx_nq input
 ip flow monitor xilinx_nq output

Thank you for adding this config.

Looking at your config, I think the only question I have about it is:

flow exporter NetQos
 description export Netflow traffic to HQ
 destination x.x.x.x
 source Vlan1222 (What is this VLan? Why is it a source if you're actually sourcing your monitoring from "interface vlan159"?)
 template data timeout 300
 option interface-table timeout 1000
 option exporter-stats timeout 1000

I also had some questions on a previous comment up above.  The config I commented on above is a bit different from yours.  Might you be able to comment on those questions, as well?

Thank you for your help!

Hi

your sourcing it from vlan 222( thats my choice its our MGMT vlan )not vlan 159 , your collecting stats from vlan 159

every ip interface you want to collect from in flex netflow must have the monitor statements applied  , like in netflow 5 just slightly diff syntax

we source every protocol we use from MGMT interfaces through our FWs for security , you don't have too  

flow exporter NFexporter ----> name of exporter (can the same exporter be used for multiple interfaces, or does each interface require it's own exporter to be created?)

The exporter is only for the destination application where your sending the flows , so I have multiple collectors , NetQos , Live action etc . I have a specific exporter for each application

reading above if you use my netflow any ip interface you want to see flows from you apply what I have under the vlan 159 as the example , that should be on every IP based interface youw nat flows from , you cn colclect layer 2 as well but I don't have that included in that example , the monitor collects , the exporter send the data to the flow collector , the flow record is what you want recorded what stats if you get me

Thank you, everyone, for your help.

I've got this working, though I have a few bugs to work out.  In an effort to make the minor changes I need, I've tried changing the config of the record. "% Flow Record: Flow Record is in use. Remove from all clients before editing."

Based on that, I decided to simply create a new record with the modifications I need, figuring I would then remove the current record from the monitor and put in the new record.  Uhhhm, yeah... not so much.

When I try to remove the current record, I get the same "error".  I only have this applied to 10, or so, VLan interfaces and one port... But is there an easier way to make the change without having to remove the monitor from each port individually, then re-add it?

Thanks, again!

Yes its a pain in the neck trying to change these when in use , I do it all on notepad and copy back in , its a limitation there's no quick fix way really , glad you got sorted anyway

I had our QRadar guy check out the feed.  He's now getting everything!  Thank you for the help.

Is there a way to globally apply the monitor?  Or maybe ply to all active VLan interfaces in one deft swoop?

yes there one way to do it to all vlans , no global command available

(config)#int range vlan 1 - 20
(config-if-range)#

That's pretty amusing... I didn't want to just up and try that! ~ was a bit nervous.

Thank... AGAIN!

Dear Shijomon,

 

You managed to configure NetFlow?

 

I have the same question on the same appliance

Hi,

 

Not yet, what about for you ??

 

Shijo.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco