NetFlow IOS Configuration Using CLI – ASA, Router, Switches and Nexus

NetFlow Configuration – ASA, Router and Switch

NetFlow configuration on a Cisco ASA firewall or router via the CLI is an easy task, and not much different from configuring NetFlow on any other Cisco router, switch or firewall.

Just follow the steps below to achieve your goal. The only difference on the ASA is that you need to set up a service policy and an access rule that selects the traffic to export, and define which events are exported and where they go (the collector's IP address and UDP port).


NetFlow Configuration for ASA

(config)# access-list netflow-export extended permit ip any any
(config)# flow-export destination inside 172.16.10.100 9996
(config)# flow-export template timeout-rate 1
(config)# flow-export delay flow-create 60
(config)# class-map netflow-export-class
(config-cmap)# match access-list netflow-export
(config)# policy-map global_policy
(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type all destination 172.16.10.100

So let's get started, step by step.

Step-1

Access the ASA Firewall CLI (SSH or Console)

Enter privileged mode by typing enable and entering your enable password.

Step-2

First of all you need to create an ACL in order to capture all the IP traffic you are interested in.

ASA(config)# access-list netflow_export_acl extended permit ip any any

Next, set up the flow export destination (collector IP address and UDP port) along with the flow-create delay and template timeout-rate parameters.

ASA(config)# flow-export destination [interface-name] [IP address] [port]
ASA(config)# flow-export delay flow-create 15
ASA(config)# flow-export template timeout-rate 1

Next, create a class-map that matches the ACL.

(config)# class-map netflow_export_class
(config-cmap)# match access-list netflow_export_acl

Next, with the class-map done, you can either add netflow_export_class to the default global policy-map or create a new export policy-map.

Add it to the default global policy-map. Note: check the name of your ASA firewall's global policy-map, as it may differ (e.g. global-policy or global_policy).

Then specify the event types that will be exported and where to send them (the destination collector IP), and apply this in whatever global policy-map you have:

ASA(config)# policy-map global_policy
ASA(config-pmap)# class netflow_export_class
ASA(config-pmap-c)# flow-export event-type all destination [IP address]

Step-3

You can check what the ASA is doing in terms of flow export with the following commands:

ASA# show flow-export counters
ASA# show service-policy global flow ip host [source IP] host [dest IP]
ASA# show access-list netflow_export_acl

NetFlow Configuration for Cisco Router

Router(config)# ip flow-export version 9
Router(config)# ip flow-cache timeout active 5
Router(config)# ip flow-cache timeout inactive 10
Router(config)# ip flow-export source <interface>
Router(config)# ip flow-export destination 172.16.10.100 9991

NetFlow Output Validation Commands

Router# show ip cache flow
Router# show ip flow export
Router# show ip flow interface
Router# show ip flow export template

Note:

If the IOS release does not support version 9, use version 5.

ip flow-export source <interface> → (e.g. use a Loopback interface)

Enable NetFlow on each layer-3 interface you are interested in monitoring traffic for:

Router(config)# interface <interface>
Router(config-if)# ip flow ingress

✍🏽 Note: If your router is running a Cisco IOS release prior to 12.2(14)S, 12.0(22)S or 12.2(15)T, the ip route-cache flow command is used to enable NetFlow on an interface. If it is running Cisco IOS release 12.2(14)S, 12.0(22)S, 12.2(15)T or later, the ip flow ingress command is used.
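Version 9 export, as configured on the router above, is template-based: the collector cannot decode a data flowset until it has received the template that describes it, which is why the ASA section resends templates with flow-export template timeout-rate. The following Python decoder is an added example, not code from the original article or from Cisco; the sample datagram, its field set and the addresses in it are constructed for the example.

```python
import socket
import struct

# NetFlow v9 field types used in the constructed sample (numbering per RFC 3954)
FIELD_NAMES = {8: "src_ip", 12: "dst_ip", 7: "src_port", 11: "dst_port",
               4: "proto", 1: "bytes", 2: "pkts"}

def parse_v9(packet, templates=None):
    """Parse one v9 datagram -> (header, records). templates maps template id to
    [(field_type, length), ...] and is updated in place across packets."""
    templates = {} if templates is None else templates
    version, count, uptime, secs, seq, src_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not NetFlow v9: version %d" % version)
    header = {"count": count, "sysuptime": uptime, "unix_secs": secs, "sequence": seq, "source_id": src_id}
    records, off = [], 20
    while off + 4 <= len(packet):  # walk the flowsets that follow the 20-byte header
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length %d" % fs_len)
        body, off = packet[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:  # template flowset: one or more (template id, field count, fields...)
            p = 0
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                templates[tid] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(n)]
                p += 4 + 4 * n
        elif fs_id >= 256 and fs_id in templates:  # data flowset; unknown/options ids are skipped
            fields = templates[fs_id]
            rec_len = sum(length for _, length in fields)
            p = 0
            while p + rec_len <= len(body):  # leftover bytes shorter than a record are padding
                rec = {}
                for ftype, flen in fields:
                    raw, p = body[p:p + flen], p + flen
                    name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                    rec[name] = socket.inet_ntoa(raw) if ftype in (8, 12) and flen == 4 else int.from_bytes(raw, "big")
                records.append(rec)
    return header, records

def build_sample():
    """Constructed datagram: template 256 followed by two data records (not a real capture)."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    def flow(src, dst, sport, dport, proto, nbytes, pkts):
        return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HHBII", sport, dport, proto, nbytes, pkts)
    data = flow("10.1.1.5", "172.16.10.100", 51515, 443, 6, 12345, 17) + flow("10.1.1.7", "192.0.2.53", 40000, 53, 17, 80, 1)
    return (struct.pack("!HHIIII", 9, 3, 100000, 1700000000, 1, 0)   # version, count, uptime, secs, seq, source id
            + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl            # flowset id 0 = template flowset
            + struct.pack("!HH", 256, 4 + len(data)) + data)         # flowset id 256 = data for template 256
```

Feeding the same datagram with its template flowset stripped out yields no records until a packet carrying template 256 has been seen, which is the behaviour a low template timeout-rate protects against after a collector restart.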


Netflow Configuration for Cisco 6500 and 7600 IOS Switch

In configuration mode, execute the following to enable NetFlow export:

mls nde sender version 5
mls aging long 64
mls aging normal 32
mls nde interface
mls flow ip interface-full
ip flow ingress layer2-switched vlan {vlanlist}
ip flow-export destination <xe_netflow_collector_IP_address> 2055
ip flow-export source <interface>  (use a Loopback interface)
ip flow-export version 9  (if version 9 is not supported, use version 5)
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
snmp-server ifindex persist

Enable NetFlow on each layer-3 interface you are interested in monitoring traffic for:

interface <interface>
ip flow ingress

Validate configuration:

show ip cache flow
show ip flow export
show ip flow export template
show mls nde

Netflow Configuration for Cisco ASR 9000

Follow these steps when configuring NetFlow in Cisco IOS XR software:

1. Configure the source interface.

2. Use export format Version 9; Cisco IOS XR software supports Version 9 only.

3. Configure a valid record map name for each flow monitor.

✍🏽 Note: You need to configure the source interface, otherwise the exporter will remain in a disabled state. Please refer to the reference link below for detailed ASR 9000 NetFlow configuration steps.

Configuring an Exporter Map

Router(config)# flow exporter-map netflow-export-1
Router(config-FLOW_TO_SW)# destination <xe_collector_IP_address>
Router(config-FLOW_TO_SW)# source <interface>  (e.g. use a Loopback)
Router(config-FLOW_TO_SW)# transport udp 2055
Router(config-FLOW_TO_SW)# version v9

Configuring a Monitor Map

Router(config)# flow monitor-map IPv4_netflow-export-1
Router(config-IPv4_NETFLOW)# record ipv4
Router(config-IPv4_NETFLOW)# cache timeout active 60
Router(config-IPv4_NETFLOW)# cache timeout inactive 15
Router(config-IPv4_NETFLOW)# exporter netflow-export-1

Applying a Monitor Map to an Interface

Router(config)# interface <interface>  (e.g. gigabitEthernet 0/0/0/0)
Router(config-if)# flow ipv4 monitor IPv4_netflow-export-1 ingress

Validate configuration:

show flow exporter-map netflow-export-1
show flow monitor-map IPv4_netflow-export-1

Netflow Configuration for Cisco Nexus 7000 Switch

NetFlow configuration on a Cisco Nexus 7000 series switch is a bit different from that on traditional IOS devices. Follow the steps below to enable NetFlow monitoring.

Enable Netflow Feature and set timeouts

NX7-switch(config)# feature netflow
NX7-switch(config)# flow timeout active 60
NX7-switch(config)# flow timeout inactive 15

✍🏽 Note: In this example we are using the Nexus predefined record "netflow-original" for this configuration.

Create a Flow Exporter (specify where and how NetFlow is to be sent)

NX7-switch(config)# flow exporter netflow_to_monitor
NX7-switch(config-flow-exporter)# description Export NetFlow to monitor
NX7-switch(config-flow-exporter)# destination <xe_collector_IP_address>
NX7-switch(config-flow-exporter)# source <interface>  (e.g. use a Loopback)
NX7-switch(config-flow-exporter)# transport udp 2055
NX7-switch(config-flow-exporter)# version 9

Create a Flow Monitor (tie the Flow Record to the Flow Exporter)

NX7-switch(config)# flow monitor standard_v9netflow
NX7-switch(config-flow-monitor)# record netflow-original
NX7-switch(config-flow-monitor)# exporter netflow_to_monitor

Assign Flow Monitor to selected interfaces

Note: Repeat this step on every interface you are interested in monitoring traffic for.

NX7-switch(config)# interface <interface>  (e.g. VLAN1 or g2/1)
NX7-switch(config-if)# ip flow monitor standard_v9netflow input

Validate configuration:

show flow record netflow-original
show flow monitor standard_v9netflow statistics
show flow monitor standard_v9netflow cache

Author: Ronnie Singh
