Netflow

Scenario
Netflow configuration is comprised of 3 or 4 parts depending on the OS:

  1. The flow record (IOS) or record statement (XR)- what is recorded
  2. The flow exporter (IOS) or flow exporter-map (XR) – where to export the recorded information
  3. The flow monitor (IOS) or flow monitor-map (XR) – binds the recorder and exporter together
  4. (XR only) The sampler-map – specifies a sample ratio of flows to monitor rather than everything.

In this example IOS-XE will be configured to record the source and destination IP address. The non-key fields of the first MPLS label, the network delay and the ipv4 protocol will also be gathered.

For IOS-XR there is no flow record structure like in IOS-XE. It is simply a record statement under the flow monitor-map that captures data in a raw record format. If this record is excluded a set of default fields will be used. Caching is also an option within the flow monitor-map. Among other options, this IOS-XR example here will record ipv4 details, use a sample rate if 1 out of 100 and cache 10,000 entries.

Both IOS-XE and IOS-XR will export to 10.1.1.1 using Netflow version 9. Netflow will be enabled on interface Gi1 for IOS-XE and Gi0/0/0/1 for IOS-XR in both inbound and outbound directions.

IOS Config

flow record RECORD
 match ipv4 source address
 match ipv4 destination address
 collect mpls label 1 details
 collect network delay sum
 collect ipv4 protocol
!
flow exporter EXPORTER
 description Netflow_v9 Exporter
 destination 10.1.1.1
 export-protocol netflow-v9
!
flow monitor FLOW-MONITOR
 record RECORD
 exporter EXPORTER
!
interface GigabitEthernet 1
 ip flow monitor FLOW-MONITOR input
 ip flow monitor FLOW-MONITOR output
!
!
! Verification commands:
!  show flow record RECORD
!  show flow monitor
!  show flow exporter
!  show flow monitor FLOW-MONITOR cache format table
!  show flow monitor FLOW-MONITOR cache sort highest ipv4 source address top 10

XR Config

flow exporter EXPORTER
 version v9
  options sampler-table timeout 60
  template timeout 60
  template data timeout 60
  template options timeout 60
 !
 transport udp 1234
 source loopback0
 destination 10.1.1.1
!
flow monitor-map FLOW-MONITOR
 record ipv4
 exporter EXPORTER
 cache timeout active 60
 cache timeout inactive 15
 cache entries 10000
!
sampler-map SAMPLER
 random 1 out-of 100
!
interface GigabitEthernert0/0/0/1
 flow ipv4 monitor FLOW-MONITOR sampler SAMPLER ingress
 flow ipv4 monitor FLOW-MONITOR sampler SAMPLER egress
!
! Verification commands:
!  show flow monitor-map FLOW-MONITOR
!  show flow exporter-map EXPORTER

Back to top

Follow netquirks on WordPress.com