Flexible NetFlow
The ISR43xx/44xx routers run IOS-XE, which only supports Flexible NetFlow (FNF).
Original NetFlow and Flexible NetFlow
- High-capacity flow recognition, including scalability and aggregation of flow information.
- Enhanced flow infrastructure for security monitoring and DDoS detection and identification.
- New information from packets to adapt flow information to a particular service or operation in the network. The flow information available will be customizable by Flexible NetFlow users.
- Extensive use of Cisco’s flexible and extensible NetFlow Version 9 export format.
- A comprehensive IP accounting feature that can be used to replace many accounting features, such as IP accounting, Border Gateway Protocol (BGP) Policy Accounting, and persistent caches.
Original NetFlow allows you to understand the activities in the network and thus to optimize network design and reduce operational costs. Flexible NetFlow allows you to understand network behavior with more efficiency, with specific flow information tailored for various services used in the network. The following are some example applications for a Flexible NetFlow feature:
- Flexible NetFlow enhances Cisco NetFlow as a security monitoring tool. For instance, new flow keys can be defined for packet length or MAC address, allowing users to search for a specific type of attack in the network.
- Flexible NetFlow allows you to quickly identify how much application traffic is being sent between hosts by specifically tracking TCP or UDP applications by the class of service (CoS) in the packets.
- The accounting of traffic entering a Multiprotocol Label Switching (MPLS) or IP core network and its destination for each next hop per class of service. This capability allows the building of an edge-to-edge traffic matrix.
Configure NetFlow on 9300 and collect on PRTG
Below are two recommended flow records for use in the NetFlow configuration.
flow record PRTG-input
 description IPv4 NetFlow
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match interface input
 match ipv4 tos
 match flow direction
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last
!
flow record PRTG-output
 description IPv4 NetFlow
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match interface output
 match ipv4 tos
 match flow direction
 collect interface input
 collect counter bytes long
 collect counter packets long
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last
The next step creates the exporter. The exporter defines how we export the flows to the collector.
flow exporter PRTG-EXPORT
 description Export to PRTG
 destination IP_Address_of_PRTG_host
 source [name of interface that you will be exporting flows to collector through]
 transport udp 2055
 template data timeout 60
You must specify a source interface. If you do not configure a source interface, the exporter remains disabled.
In the next step, we will create flow monitors. A flow monitor ties a flow record to the exporter. There will be one flow monitor for each direction.
flow monitor PRTG_MON_INPUT
 description IPv4 PRTG ingress exports
 exporter PRTG-EXPORT
 record PRTG-input
 cache timeout active 60
!
flow monitor PRTG_MON_OUTPUT
 description IPv4 FNF egress exports
 exporter PRTG-EXPORT
 record PRTG-output
 cache timeout active 60
The last step is to add the flow monitors to the interfaces that you are looking for traffic visibility on.
interface GigabitEthernet1/0/1
 ip flow monitor PRTG_MON_INPUT input
 ip flow monitor PRTG_MON_OUTPUT output
Note that the input record (the one that matches interface input) must be applied in the input direction on the interface, and the output record in the output direction. Attaching a record in the wrong direction fails with the error message: Flow Monitor: Failed to add monitor to interface: Unsupported key field "interface output" for ip traffic in Input direction
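The exporter above sends NetFlow v9 to the collector on UDP 2055, and the collector can only decode data flowsets once it has received the matching template (resent every 60 seconds per the template data timeout). The following is an added example, not code from the page, Cisco or PRTG: a minimal NetFlow v9 decoder in Python, with a constructed sample datagram carrying the fields of the PRTG-input record (timestamps omitted), so you can see what the collector receives and why data arriving before its template is dropped rather than mis-decoded. Field type IDs follow RFC 3954; the IP addresses, interface indexes and counters in the sample are made up.

```python
import struct
from ipaddress import IPv4Address

# RFC 3954 field type IDs for the fields the PRTG-input record exports (timestamps omitted).
V9_FIELDS = {8: "ipv4_src", 12: "ipv4_dst", 7: "src_port", 11: "dst_port", 4: "protocol",
             10: "if_input", 14: "if_output", 5: "tos", 61: "direction",
             1: "bytes", 2: "packets", 6: "tcp_flags"}

def parse_v9(packet, templates):
    """Decode one NetFlow v9 datagram into a list of dicts. `templates` is a dict keyed by
    (source_id, template_id) that persists across calls, because templates arrive only
    every 'template data timeout' seconds and data records before that cannot be decoded."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, length = struct.unpack("!HH", packet[off:off + 4])
        if length < 4:
            raise ValueError("malformed flowset length")
        body, pos = packet[off + 4:off + length], 0
        if fs_id == 0:  # template flowset: one or more (template_id, field_count, fields...)
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                fields = [struct.unpack("!HH", body[pos + 4 + 4*i:pos + 8 + 4*i]) for i in range(nfields)]
                templates[(source_id, tid)] = fields
                pos += 4 + 4 * nfields
        elif fs_id >= 256 and (source_id, fs_id) in templates:  # data flowset with a known template
            fields = templates[(source_id, fs_id)]
            rec_len = sum(flen for _, flen in fields)
            while pos + rec_len <= len(body):  # trailing padding shorter than a record is ignored
                rec = {}
                for ftype, flen in fields:
                    raw, pos = body[pos:pos + flen], pos + flen
                    name = V9_FIELDS.get(ftype, f"field_{ftype}")
                    rec[name] = str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                records.append(rec)
        off += length
    return records

def build_sample():
    """Constructed datagram: template 256 plus one data record (10.0.0.5:51234 -> 192.0.2.10:443, TCP)."""
    tmpl = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (10, 4), (5, 1), (61, 1), (14, 4), (1, 8), (2, 8), (6, 1)]
    tbody = struct.pack("!HH", 256, len(tmpl)) + b"".join(struct.pack("!HH", *f) for f in tmpl)
    rec = (IPv4Address("10.0.0.5").packed + IPv4Address("192.0.2.10").packed
           + struct.pack("!HHBIBBIQQB", 51234, 443, 6, 1, 0, 0, 2, 1500, 12, 0x18))  # 40 bytes, 4-aligned
    header = struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 1, 0)
    return header + struct.pack("!HH", 0, 4 + len(tbody)) + tbody + struct.pack("!HH", 256, 4 + len(rec)) + rec
```

Feeding real exports to `parse_v9` from a UDP socket bound to port 2055 would let you confirm that the 64-bit counters ("counter bytes long") and the direction field arrive as the records above define them.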