NetFlow Configuration – ASA, Router and Switch
NetFlow configuration on a Cisco ASA firewall or router via the CLI is an easy task, not much different from configuring NetFlow on any other Cisco router, switch or firewall.
Just follow the steps below in this article to achieve your goal. The only difference is that you need to set up a service policy and access rules that allow the export, and define which events are going to be exported and where to export them (syslog server address and port details).
Netflow Configuration for ASA-
(config)# access-list netflow-export extended permit ip any any
(config)# flow-export destination inside 172.16.10.100 9996
(config)# flow-export template timeout-rate 1
(config)# flow-export delay flow-create 60
(config)# class-map netflow-export-class
(config-cmap)# match access-list netflow-export
(config)# policy-map global_policy
(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type all destination 172.16.10.100
So let’s get started here step by Step…!!!
Step-1
Access the ASA Firewall CLI (SSH or Console)
Enter privileged mode by typing enable and entering your enable password.
Step-2
First of all you need to create an ACL in order to capture all the IP traffic you are interested in.
ASA(config)# access-list netflow_export_acl extended permit ip any any
Next – set up the flow export syslog server IP address along with the port, the template timeout rate and the flow-create delay.
ASA(config)# flow-export destination [interface-name] [IP address] [port]
ASA(config)# flow-export delay flow-create 15
ASA(config)# flow-export template timeout-rate 1
Next – create a class-map for the flow that matches the ACL.
(config)# class-map netflow_export_class
(config-cmap)# match access-list netflow_export_acl
Next –
Now that you are done with the class-map, you can either add netflow_export_class to the default global policy-map or create a new export policy-map.
Add to the default global policy-map – note: check your ASA firewall's global policy-map, as it may have a different name (i.e. global-policy or global_policy).
Also specify the event log types that we will export and where to send them (destination syslog server IP).
Apply the service policy-map to whatever global policy we have.
ASA(config)# policy-map global_policy
ASA(config-pmap)# class netflow_export_class
ASA(config-pmap-c)# flow-export event-type all destination [IP address]
Step-3
You can get information about what the ASA is doing in terms of the flow output by using the following commands:
ASA# show flow-export counters
ASA# show service-policy global flow ip host [source IP] host [dest IP]
ASA# show access-list netflow_export_acl
Netflow Configuration for Cisco Router-
Router(config)# ip flow-export version 9
Router(config)# ip flow-cache timeout active 5
Router(config)# ip flow-cache timeout inactive 10
Router(config)# ip flow-export source <interface>
Router(config)# ip flow-export destination 172.16.10.100 9991
Netflow Output Validation Commands –
Router# show ip cache flow
Router# show ip flow export
Router# show ip flow interface
Router# show ip flow export template
Note –
If version 9 is not supported, use version 5.
ip flow-export source <interface> → (e.g. use a Loopback interface)
Enable NetFlow on each layer-3 interface you are interested in monitoring traffic for:
Router(config)# interface <interface>
Router(config-if)# ip flow ingress
✍🏽 Note -: If your router is running a version of Cisco IOS prior to releases 12.2(14)S, 12.0(22)S, or 12.2(15)T, the ip route-cache flow command is used to enable NetFlow on an interface. If your router is running Cisco IOS release 12.2(14)S, 12.0(22)S, 12.2(15)T, or later, the ip flow ingress command is used to enable NetFlow on an interface.
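Once the ASA or router above is exporting version 9 flows to the collector port (9996, 9991 and 2055 in the examples here), the collector has to learn the exporter's template before it can decode any data records. The following Python parser is an added example, not code from the original article or from Cisco: it decodes a v9 datagram that is constructed inline (template id 256 and two flow records, not a real capture), keeps learned templates across packets, and skips data it has no template for rather than mis-decoding it.

```python
import socket
import struct
# NetFlow v9 field type numbers (Cisco/IANA) used by the constructed template below
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port", 8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}

def decode_field(ftype, raw):
    # IPv4 address fields are rendered dotted; everything else as a big-endian integer
    return socket.inet_ntoa(raw) if ftype in (8, 12) and len(raw) == 4 else int.from_bytes(raw, "big")

def parse_v9(packet, templates):
    """Parse one v9 export datagram into flow dicts. `templates` (template id -> [(type, len)])
    is updated in place: data can only be decoded once its template has arrived, possibly earlier."""
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records, offset = [], 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4:
            raise ValueError("malformed flowset length")  # would otherwise loop forever
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:  # template flowset: one or more template definitions
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                templates[tid] = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i]) for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data flowset with a known template
            rec_len = sum(flen for _, flen in templates[fs_id])
            pos = 0
            while pos + rec_len <= len(body):  # leftover bytes are 4-byte padding
                rec, p = {"source_id": source_id}, pos
                for ftype, flen in templates[fs_id]:
                    rec[FIELD_NAMES.get(ftype, f"type_{ftype}")] = decode_field(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
                pos += rec_len
        offset += fs_len
    return records

def flow_record(src, dst, sport, dport, proto, nbytes, npkts):
    # One 21-byte record in the field order of the constructed template
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HHBII", sport, dport, proto, nbytes, npkts)

def build_sample_packet():
    # Constructed datagram (not a real capture): template 256 plus two flow records, as sent to UDP 2055
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    data = flow_record("10.1.1.5", "172.16.10.100", 51234, 443, 6, 4200, 12) + flow_record("10.1.1.7", "8.8.8.8", 40000, 53, 17, 120, 1)
    data += b"\x00" * (-len(data) % 4)
    header = struct.pack("!HHIIII", 9, 3, 100000, 1700000000, 1, 0)
    return header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
```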
Netflow Configuration for Cisco 6500 and 7600 IOS Switch
Go to configuration mode execute the following to enable NetFlow Export –
mls nde sender version 5
mls aging long 64
mls aging normal 32
mls nde interface
mls flow ip interface-full
ip flow ingress layer2-switched vlan {vlanlist}
ip flow-export destination <xe_netflow_collector_IP_address> 2055
ip flow-export source <interface> — (use a Loopback interface)
ip flow-export version 9 — (if version 9 is not supported, use version 5)
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
snmp-server ifindex persist
Enable NetFlow on each layer-3 interface you are interested in monitoring traffic for:
interface <interface>
ip flow ingress
Validate configuration:
show ip cache flow
show ip flow export
show ip flow export template
show mls nde
Netflow Configuration for Cisco ASR 9000
Follow these steps when configuring NetFlow in Cisco IOS XR software:
1. Configure the Source Interface.
2. Cisco IOS XR software supports export format Version 9 only.
3. Configure a Valid Record Map name for each flow monitor.
✍🏽 Note -: You need to configure the source interface, otherwise the exporter will remain in a disabled state. Please refer to the reference link below for detailed ASR9000 NetFlow configuration steps.
Configuring an Exporter Map
Router(config)# flow exporter-map netflow-export-1
Router(config-FLOW_TO_SW)# destination <xe_collector_IP_address>
Router(config-FLOW_TO_SW)# source <interface> → (e.g. use a Loopback)
Router(config-FLOW_TO_SW)# transport udp 2055
Router(config-FLOW_TO_SW)# version v9
Configuring a Monitor Map
Router(config)# flow monitor-map IPv4_netflow-export-1
Router(config-IPv4_NETFLOW)# record ipv4
Router(config-IPv4_NETFLOW)# cache timeout active 60
Router(config-IPv4_NETFLOW)# cache timeout inactive 15
Router(config-IPv4_NETFLOW)# exporter netflow-export-1
Applying a Monitor Map to an Interface
Router(config)# interface <interface> → (e.g. gigabitEthernet 0/0/0/0)
Router(config-if)# flow ipv4 monitor IPv4_netflow-export-1 ingress
Validate configuration
show flow exporter-map netflow-export-1
show flow monitor-map IPv4_netflow-export-1
Netflow Configuration for Cisco Nexus 7000 Switch
NetFlow configuration for the Cisco Nexus 7000 series switch is a bit different than on traditional IOS devices. Follow the steps given below to enable NetFlow monitoring.
Enable Netflow Feature and set timeouts
NX7-switch(config)# feature netflow
NX7-switch(config)# flow timeout active 60
NX7-switch(config)# flow timeout inactive 15
✍🏽 Note -: In this example, we are using the Nexus predefined record “netflow-original” for this configuration.
Step to Create a Flow Exporter (specify where/how NetFlow is to be sent)
NX7-switch(config)# flow exporter netflow_to_monitor
NX7-switch(config-flow-exporter)# description Export NetFlow to monitor
NX7-switch(config-flow-exporter)# destination <xe_collector_IP_address>
NX7-switch(config-flow-exporter)# source <interface> → (e.g. use a Loopback)
NX7-switch(config-flow-exporter)# transport udp 2055
NX7-switch(config-flow-exporter)# version 9
Create a Flow Monitor (tie the Flow Record to the Flow Exporter)
NX7-switch(config)# flow monitor standard_v9netflow
NX7-switch(config-flow-monitor)# record netflow-original
NX7-switch(config-flow-monitor)# exporter netflow_to_monitor
Assign Flow Monitor to selected interfaces
Note -: Repeat this step on every interface you are interested in monitoring traffic for.
NX7-switch(config)# interface <interface> → (e.g. VLAN1 or g2/1)
NX7-switch(config-if)# ip flow monitor standard_v9netflow input
Validate configuration:
show flow record netflow-original
show flow monitor standard_v9netflow statistics
show flow monitor standard_v9netflow cache