Cisco NetFlow v9

NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network traffic. By analyzing flow data, a picture of network traffic flow and volume can be built. This can be useful for many reasons, such as network planning, traffic engineering, and detecting anomalies.

Here are some recommendations for setting up NetFlow on Cisco ASR routers:

Use the latest NetFlow version: NetFlow version 9, or IPFIX (considered to be NetFlow v10), offers flexible and extensible means to record network performance data, which is a significant enhancement over earlier versions.

Select Active Timeout Carefully: The active timeout setting determines how long the router keeps a still-active flow in its flow table before exporting the flow data. The lower the active timeout, the quicker you’ll see the data in your monitoring tool, but it also means your router will be doing more work and sending more data.

Be Mindful of Resources: NetFlow can use a significant amount of CPU and memory on your router, especially when you’re monitoring high-volume links. Ensure you have enough resources available.

Filter NetFlow Records: If you’re interested in specific types of traffic, or if resources are a concern, consider filtering the NetFlow records that the router exports.

Once NetFlow is configured on the Cisco ASR router, you can use a tool like SolarWinds Orion to analyze the NetFlow data. Here’s a basic example of how this might work:

1. Install and Configure SolarWinds Orion: Install SolarWinds Orion on a server that can communicate with your ASR router.

2. Add the Cisco ASR Router: Use the “Add Node” wizard to add your Cisco ASR router to SolarWinds Orion. You will need to provide the IP address of the router and SNMP credentials.

3. Enable NetFlow Traffic Analyzer: Within the SolarWinds Orion interface, navigate to the NetFlow settings and select “Enable NetFlow Traffic Analyzer” for your ASR router.

4. View NetFlow Data: Once the NetFlow Traffic Analyzer has been enabled, you can view the NetFlow data being collected. This data can be used to analyze the total traffic passing through the router, the types of traffic, the top talkers, etc.

Remember, it’s important to consider the security of your network when setting this up. Make sure all devices are updated with the latest security patches and any unnecessary services are turned off.

Here is a basic example of how you might configure NetFlow export on a Cisco ASR router. This example is simplified and assumes the router has already been configured with an IP address, interface, and routing:

```
! Enable NetFlow on the interface
interface GigabitEthernet0/1
  ip flow ingress
  ip flow egress
  exit

! Define the flow record
flow record myrecord
  match ipv4 source address
  match ipv4 destination address
  match transport source-port
  match transport destination-port
  collect counter bytes long
  collect counter packets long
  collect timestamp sys-uptime first
  collect timestamp sys-uptime last
  exit

! Define the flow exporter
! (IOS treats "!" as a comment only at the start of a line, so comments sit on their own lines)
flow exporter myexporter
  ! Replace 192.0.2.1 with your SolarWinds Orion IP
  destination 192.0.2.1
  ! Replace with the source interface
  source GigabitEthernet0/1
  ! NetFlow traditionally uses UDP/2055, but this can be changed
  transport udp 2055
  exit

! Define the flow monitor
flow monitor mymonitor
  exporter myexporter
  record myrecord
  ! This sets the active timeout to 60 seconds
  cache timeout active 60
  exit

! Apply the flow monitor to the interface
interface GigabitEthernet0/1
  ip flow monitor mymonitor input
  ip flow monitor mymonitor output
  exit
```

This example sets up a NetFlow v9 export using a custom record, which includes the source and destination IP addresses and ports, along with packet and byte counters. The data is exported to a SolarWinds Orion server (replace “192.0.2.1” with the actual IP of your server) over UDP on port 2055.

Be sure to replace the placeholders with your actual network details. Note also that exact configurations may vary depending on the specific requirements of your network and the version of IOS running on your router.

Let’s break down the NetFlow configuration commands used in the example:

1. `interface GigabitEthernet0/1`: This enters the interface configuration mode for the Gigabit Ethernet interface 0/1. You should replace this with the interface on your router that you want to enable NetFlow on.

2. `ip flow ingress` and `ip flow egress`: These commands enable NetFlow data capture on incoming and outgoing traffic, respectively, for the specified interface.

3. `flow record myrecord`: This command creates a flow record named “myrecord”. This flow record defines what information will be collected about each flow.

4. `match ipv4 source address` and `match ipv4 destination address`: These commands instruct the router to record the source and destination IP addresses for each flow.

5. `match transport source-port` and `match transport destination-port`: These commands instruct the router to record the source and destination ports for each flow.

6. `collect counter bytes long` and `collect counter packets long`: These commands tell the router to collect the total number of bytes and packets for each flow.

7. `collect timestamp sys-uptime first` and `collect timestamp sys-uptime last`: These commands capture the system uptime when the first and the last packets of each flow were processed.

8. `flow exporter myexporter`: This command creates a flow exporter named “myexporter”. The flow exporter defines where and how the flow records will be exported.

9. `destination 192.0.2.1`: This command sets the IP address of the destination where the NetFlow data will be sent. In this case, it should be the IP address of your SolarWinds Orion server.

10. `source GigabitEthernet0/1`: This command specifies the interface from which NetFlow exports will originate. Replace this with the actual interface that has connectivity to the SolarWinds Orion server.

11. `transport udp 2055`: This command defines the transport protocol (UDP) and port (2055, the port traditionally used for NetFlow) that will be used to send the NetFlow data.

12. `flow monitor mymonitor`: This command creates a flow monitor named “mymonitor”. The flow monitor applies the flow record and flow exporter to an interface.

13. `exporter myexporter` and `record myrecord`: These commands associate the previously defined exporter and record with the flow monitor.

14. `cache timeout active 60`: This command sets the active timeout for the flow cache to 60 seconds, meaning that flows that are still active are exported every 60 seconds.

15. `ip flow monitor mymonitor input` and `ip flow monitor mymonitor output`: These commands apply the flow monitor to both incoming and outgoing traffic on the interface.
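
What the collector on UDP/2055 has to do with the record defined above, as an added example (not code from the original page, Cisco or SolarWinds): a minimal NetFlow v9 decoder that learns the template first and only then decodes data records, checking every length because the export arrives as plain UDP. The field type IDs are from RFC 3954; the 8-byte width of the `long` counters, template ID 256 and the sample addresses are assumptions, and the packet is constructed.

```python
import ipaddress
import struct

# RFC 3954 field type IDs for the fields named in the page's "myrecord".
FIELDS = {1: "bytes", 2: "packets", 7: "src_port", 8: "src_addr",
          11: "dst_port", 12: "dst_addr", 21: "last_ms", 22: "first_ms"}

def parse_v9(packet, templates):
    """Decode one v9 packet; `templates` (id -> field list) is updated in place."""
    if len(packet) < 20 or struct.unpack("!H", packet[:2])[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    flows, off = [], 20                      # skip the 20-byte packet header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length")  # never trust lengths from the wire
        body, pos = packet[off + 4:off + fs_len], 0
        if fs_id == 0:                       # template FlowSet
            while pos + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[pos:pos + 4])
                if tid < 256 or pos + 4 + 4 * n > len(body):
                    break                    # padding or truncated template
                templates[tid] = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i])
                                  for i in range(n)]
                pos += 4 + 4 * n
        elif fs_id in templates:             # data FlowSet; unknown templates are skipped
            tmpl = templates[fs_id]
            rec_len = sum(flen for _, flen in tmpl)
            while rec_len and pos + rec_len <= len(body):
                rec = {}
                for ftype, flen in tmpl:
                    raw, pos = body[pos:pos + flen], pos + flen
                    name = FIELDS.get(ftype, f"type_{ftype}")
                    rec[name] = (str(ipaddress.IPv4Address(raw)) if ftype in (8, 12)
                                 else int.from_bytes(raw, "big"))
                flows.append(rec)
        off += fs_len
    return flows

def sample_packet():
    """Constructed packet: template 256 for "myrecord" plus two data records."""
    tmpl = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 8), (2, 8), (22, 4), (21, 4)]
    tset = struct.pack("!HH", 256, len(tmpl)) + b"".join(struct.pack("!HH", *f) for f in tmpl)
    recs = [("198.51.100.7", "203.0.113.9", 51514, 443, 48000, 40, 1000, 61000),
            ("198.51.100.8", "203.0.113.9", 40000, 53, 120, 1, 5000, 5000)]
    dset = b"".join(ipaddress.IPv4Address(s).packed + ipaddress.IPv4Address(d).packed
                    + struct.pack("!HHQQII", *rest) for s, d, *rest in recs)
    return (struct.pack("!HHIIII", 9, 3, 61000, 1700000000, 1, 0)
            + struct.pack("!HH", 0, 4 + len(tset)) + tset
            + struct.pack("!HH", 256, 4 + len(dset)) + dset)
```

A data FlowSet that arrives before its template yields no flows, which is why a collector shows nothing for a new exporter until the router resends the template.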