Flexible NetFlow (FNF) requires the creation of a flow exporter, a flow record and a flow monitor. The flow exporter defines the export aspects of the flow data, such as the export destination, the UDP port for NetFlow export and the export interface. The flow record defines the key and non-key fields to be included in the flows. Both the exporter and the record are then associated with a flow monitor, which in turn has to be associated with every L3 interface of the monitored router. Doing this exports NetFlow data from the device to the IP address specified.
First, let us create the flow exporter.
FLOW EXPORTER:
cisco_281(config)#flow exporter FNFnbarEXP – Name of the flow exporter
cisco_281(config-flow-exporter)#destination 192.168.116.80 – IP Address of the NetFlow Analyzer server
cisco_281(config-flow-exporter)#source fastEthernet 0/0 – Can be any interface like Loopback
cisco_281(config-flow-exporter)#transport udp 9996 – UDP port for exporting NetFlow packets
cisco_281(config-flow-exporter)#export-protocol netflow-v9
Now, create a flow record, including the statement that enables the inclusion of NBAR data with the NetFlow data.
FLOW RECORD:
cisco_281(config)#flow record FNFnbarREC
cisco_281(config-flow-record)#match ipv4 source address
cisco_281(config-flow-record)#match ipv4 destination address
cisco_281(config-flow-record)#match transport source-port
cisco_281(config-flow-record)#match transport destination-port
cisco_281(config-flow-record)#match interface input
cisco_281(config-flow-record)#match ipv4 protocol
cisco_281(config-flow-record)#match ipv4 tos
cisco_281(config-flow-record)#match ipv4 dscp
cisco_281(config-flow-record)#match application name – This statement allows the inclusion of NBAR data in NetFlow records.
cisco_281(config-flow-record)#collect routing source as
cisco_281(config-flow-record)#collect routing destination as
cisco_281(config-flow-record)#collect routing next-hop address ipv4
cisco_281(config-flow-record)#collect transport tcp flags
cisco_281(config-flow-record)#collect counter bytes
cisco_281(config-flow-record)#collect counter packets
cisco_281(config-flow-record)#collect timestamp sys-uptime first
cisco_281(config-flow-record)#collect timestamp sys-uptime last
cisco_281(config-flow-record)#collect interface output
cisco_281(config-flow-record)#collect flow direction
cisco_281(config-flow-record)#collect ipv4 id
cisco_281(config-flow-record)#collect ipv4 source mask
cisco_281(config-flow-record)#collect ipv4 destination mask
The flow record and exporter now have to be associated with a flow monitor.
FLOW MONITOR:
cisco_281(config)#flow monitor FNFnbarMON
cisco_281(config-flow-monitor)#exporter FNFnbarEXP
cisco_281(config-flow-monitor)#record FNFnbarREC
cisco_281(config-flow-monitor)#cache timeout active 1
cisco_281(config-flow-monitor)#cache timeout inactive 15
The flow monitor then has to be associated with each and every L3 interface of the router. The ‘input’ keyword sets the flow collection for ingress traffic.
ASSOCIATING TO INTERFACE:
cisco_281(config)#int FastEthernet 0/0
cisco_281(config-if)#ip flow monitor FNFnbarMON input
cisco_281(config)#int FastEthernet 0/1
cisco_281(config-if)#ip flow monitor FNFnbarMON input
Once the configuration is done and saved, flows will be exported to the server where NetFlow Analyzer is installed. NetFlow Analyzer is based on automatic discovery and so the NetFlow exporting devices are automatically discovered and reports are generated within seconds of receiving the flows.
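What a collector does with the NetFlow v9 export configured above, as an added example that is not part of the original post and is not NetFlow Analyzer's code: v9 sends the record layout as a template, and data flowsets can only be decoded once that template has been seen. The template ID 260, the addresses and the application ID value are constructed sample data; the field numbers are the standard v9 ones for a subset of the fields in the flow record.

```python
import ipaddress
import struct

# NetFlow v9 field types (RFC 3954); 95 is applicationId in the IANA IPFIX registry.
FIELDS = {1: "bytes", 2: "packets", 4: "protocol", 6: "tcp_flags", 7: "src_port",
          8: "src_addr", 11: "dst_port", 12: "dst_addr", 95: "application_id"}

def parse_v9(packet, templates):
    """Decode one export packet; `templates` must persist between packets."""
    version, *_, source_id = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    flows, offset = [], 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed flowset length")
        body, pos = packet[offset + 4:offset + length], 0
        while flowset_id == 0 and pos + 4 <= len(body):  # template flowset
            tid, count = struct.unpack_from("!HH", body, pos)
            templates[source_id, tid] = [
                struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(count)]
            pos += 4 + 4 * count
        if flowset_id >= 256 and (source_id, flowset_id) in templates:
            flows += decode(body, templates[source_id, flowset_id])
        offset += length  # data for an unknown template is skipped, not guessed
    return flows

def decode(body, template):
    size, records = sum(length for _, length in template), []
    for start in range(0, len(body) - size + 1, size) if size else ():
        record, pos = {}, start
        for ftype, length in template:
            raw, pos = body[pos:pos + length], pos + length
            is_ip = ftype in (8, 12) and length == 4
            record[FIELDS.get(ftype, f"field_{ftype}")] = (
                str(ipaddress.IPv4Address(raw)) if is_ip else int.from_bytes(raw, "big"))
        records.append(record)
    return records

def sample_packets():
    """Constructed sample: a template packet, then a data packet with one flow."""
    layout = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (95, 4), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 260, len(layout)) + b"".join(struct.pack("!HH", *f) for f in layout)
    rec = bytes([10, 0, 0, 5, 192, 0, 2, 10]) + struct.pack(
        "!HHBBIII", 51514, 443, 6, 0x1B, (13 << 24) | 453, 8200, 12) + b"\x00\x00"
    def pkt(seq, fid, body):  # 20-byte header, then a single flowset
        return struct.pack("!HHIIIIHH", 9, 1, 1000, 0, seq, 1, fid, len(body) + 4) + body
    return pkt(0, 0, tmpl), pkt(1, 260, rec)
```

A data packet that arrives before its template decodes to nothing, which is why a collector can show no flows for a short while after the exporter is first configured.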
Let's now see what the NBAR reports look like.
Traditional NBAR, based on SNMP polling, allowed only the capture of the application name and its usage in the network. This did not have the capability to include the hosts involved with the application traffic.
Use NetFlow Analyzer to get NBAR reporting the way you would like to have it.
Regards,
Don Thomas Jacob
Is this article still relevant config for 2019?
I think there is a mistake with the cache timeout values in the flow record,
as these are in ‘seconds’ for flexible netflow.
(which means your config above is set for every 1 second)
I believe it should be ’60’ (ie: 60 seconds)
timeout active seconds: Specifies the active flow timeout in seconds. Range: 1 to 604800 (7 days). Default: 1800.
Can both FNF and original Netflow be enabled on the same interfaces? I set up my router per this article and my FNF NBAR page is showing me no stats. I did leave my original Netflow configurations in place though.
Hi Ryan,
Please disable all original NetFlow commands and use only FNF commands on your router. This should get FNF export working. If you still face issues, please send an email to netflowanalyzer-support ‘at’ manageengine ‘dot’ com and our TAC team can assist in the setup.
Regards,
Don Thomas Jacob
Hello. Does Netflow Analyzer 7 Professional support NFN?
Hi Andres,
Yes, NetFlow Analyzer 7 supports Flexible NetFlow if you export the same fields as NetFlow version 5. If you need support for new fields like IPv6, Multicast traffic, Medianet, etc., you need the latest NetFlow Analyzer version.
Regards,
Don Thomas