NetFlow works by inspecting the packets that traverse a router interface to identify the actual traffic. On links with high packet volumes and packet rates, this analysis makes the router use more CPU and memory. Sampling is the solution when flow analytics has to be done on such a device.
With sampling, instead of every packet, only 1 out of N packets (where N is the sampling rate) is captured and sent to NetFlow Analyzer for traffic analytics. Based on the information in that one packet, the traffic pattern for the rest of the packets is constructed.
Sampling considerably decreases the CPU utilization needed to account for NetFlow packets, because the majority of the packets are switched faster without going through additional NetFlow processing.
This blog explains how to configure sample-based Flexible NetFlow export on Cisco routers. All Cisco routers with the latest IOS support Flexible NetFlow export with the sampling option.
To configure sample-based traditional NetFlow export on a router, refer to this link; for core switches, refer to this link.
Flexible NetFlow configuration
Flexible NetFlow configuration is somewhat different from traditional NetFlow export, as it needs multiple entities:
- Flow Exporter
- Defining sampler
- Flow Record
- Flow Monitor
- Attaching the monitor to interface
Refer to this link for the steps to configure Flexible NetFlow without sampling on a Cisco router.
Flow exporter configuration
The flow exporter defines the export source and the destination that receives the NetFlow packets.
flow exporter ManageEngine
destination
transport udp 9996
template data timeout 60
option sampler-table
Configuring sampling:
sampler NFASample
mode 1 out-of 100
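To see what the 1 out-of 100 rate does to the figures a collector reports, the following Python simulation (an added example, not part of the original blog or of NetFlow Analyzer) samples a constructed packet stream and scales the counts back up by N. The flow names, packet sizes and the keep-every-Nth-packet selection rule are assumptions made for the illustration.

```python
import random
from collections import Counter

N = 100  # sampling rate from the sampler above: 1 out-of 100

def build_stream(seed=7):
    """Constructed traffic: one (flow_name, packet_bytes) tuple per packet."""
    packets = ([("bulk-transfer", 1400)] * 50_000
               + [("web", 600)] * 5_000
               + [("low-volume-host", 80)] * 20)
    random.Random(seed).shuffle(packets)  # interleave the flows on the link
    return packets

def sample(packets, n=N):
    """Assumed selection rule: keep every n-th packet, skip the rest."""
    return packets[n - 1::n]

def estimate(sampled, n=N):
    """Scale each sampled packet by n to rebuild per-flow (packets, bytes)."""
    est = {}
    for flow, size in sampled:
        pkts, byts = est.get(flow, (0, 0))
        est[flow] = (pkts + n, byts + size * n)
    return est

def compare(packets, n=N):
    """Return {flow: (true_packets, estimated_packets, relative_error)}."""
    truth = Counter(flow for flow, _ in packets)
    est = estimate(sample(packets, n), n)
    result = {}
    for flow, true_pkts in truth.items():
        est_pkts = est.get(flow, (0, 0))[0]
        result[flow] = (true_pkts, est_pkts, abs(est_pkts - true_pkts) / true_pkts)
    return result

if __name__ == "__main__":
    stream = build_stream()
    print(f"packets on the wire: {len(stream)}, packets examined: {len(sample(stream))}")
    for flow, (true_pkts, est_pkts, err) in compare(stream).items():
        print(f"{flow:16s} true={true_pkts:6d} estimated={est_pkts:6d} error={err:.1%}")
```

A flow with fewer than N packets can only be reported as 0 or as a multiple of N, so sampled export is better suited to volume trending than to accounting for every small conversation.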
Flow record configuration
Flow record configuration defines the fields exported via the NetFlow protocol. Flexible NetFlow pre-defined flow records are based on the original NetFlow ingress or egress caches. Cisco provides a unique keyword to identify each pre-defined record, and these records can be associated with a Flexible NetFlow flow record configuration. The Flexible NetFlow "netflow-original" and "netflow ipv4 original-input" are predefined records, and these two records can be used interchangeably to export the basic key fields and time stamp fields.
The latest Cisco IOS also allows us to define a user-defined flow record with a unique name.
Flow monitor configuration
The flow monitor defines the exporter and the record that has to be sent to the analyzing software.
flow monitor ManageEngine
record netflow-original
! or: record netflow ipv4 original-input
exporter ManageEngine
cache timeout active 60
cache timeout inactive 15
Associating the monitor to an interface for NetFlow accounting
The flow monitor has to be attached to every physical or logical interface to capture the traffic and export NetFlow packets.
interface FastEthernet0/0
ip flow monitor ManageEngine sampler NFASample input
Hope this blog helps those who want to configure sample-based Flexible NetFlow export on their Cisco routers.
This is Flexible NetFlow; by default it will take NetFlow Version 9. You can also specify NetFlow V9.
Which ip flow version should I specify in the router config?