Re: How to export _> flow.sampling_interval ?

ty.chan007 · ‎05-29-2018

I am using Cisco ASR 1K .

I am trying to find how to export "flow.sampling_interval" value to collector in ELK.

please help.

Georg Pauwen · ‎05-30-2018

Hello,

on the ASR, I think you need to configure Netflow version 8, which has the sample interval field in the header.

--> ip flow-export version 8

The corresponding field in your elastiflow config would be:

"[netflow][sampling_interval]" => "[flow][sampling_interval]"

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/xe-3s/asr1000/nf-xe-3s-asr1000-book/cfg-nflow-data-expt-xe.html#GUID-3D1F5B64-E9E5-4433-98AE-BDBF5B259BF5

https://github.com/robcowart/elastiflow/blob/master/logstash/elastiflow/conf.d/20_filter_20_netflow.logstash.conf

ty.chan007 · ‎05-30-2018

There is no option to select version 8.

Available options are:
ipfix IPFIX (Version 10)
netflow-v5 NetFlow Version 5
netflow-v9 NetFlow Version 9

any suggestion ?

Georg Pauwen · ‎05-30-2018

Hello,

you have to configure an aggregation cache. Th examples below are an excerpt from the document linked...

configure terminal
!
ip flow-aggregation cache as
export destination 10.42.42.2 9991
export destination 10.42.41.1 9991
export version 8
enabled
!
interface Fastethernet0/0/0
ip flow ingress

configure terminal
!
ip flow-aggregation cache source-prefix
mask source minimum 30
enabled
!
interface Fastethernet0/0/0
ip flow ingress
!
end

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/xe-3s/asr1000/nf-xe-3s-asr1000-book.pdf

ty.chan007 · ‎05-30-2018

-##the version that I am using does not support those config anymore. I
have to use flow monitor command. So there is no option to netflow version
beside ipfix, v9 or v5.