Enabling NetFlow on Cisco Routers

Activating NetFlow Globally on your Existing Routers

You need to enter the following global commands:

  • (config)#ip flow-export source <interface>
  • (config)#ip flow-export version 5 peer-as
  • (config)#ip flow-export destination <ip address> <port number>

Then activate NetFlow on each interface. Use the commands below to enable NetFlow on each physical interface you want to collect flows from; this will normally be an Ethernet or WAN interface. VLAN and tunnel interfaces do not need to be configured separately, as their traffic is included through the physical interface it traverses. You may also need to set the speed of the interface in kilobits per second with the bandwidth command, so that utilization is reported against the real circuit rate. This is especially important for Frame Relay or ATM virtual circuits, where the physical interface speed does not reflect the circuit speed.

  • Command to type: interface <interface>
  • Command to type: ip route-cache flow
  • Command to type: bandwidth <kilobits per second>

Below is a more in-depth overview of some of the commands that can be involved.


Set <interface> to the interface whose IP address should be the source of the NetFlow exports, for example FastEthernet0/0 or, preferably, a loopback interface. Fixing the source interface is recommended because if the router is restarted and the interface numbering changes, or if a backup connection becomes active, the exports will still appear to come from the same address. This matters because Scrutinizer identifies the router by that address, and we don't want to lose its historical data.

Using a loopback address also allows real interfaces to go down: as long as there is still a route back to Scrutinizer, the NetFlow packets will get there. If you don't use this command, the source address follows whichever interface the export leaves from, and the following can occur: if the source is WAN interface 1 and it goes down, but there is a route back via WAN interface 2, the NetFlow may not get sent to Scrutinizer even though the network connection is active and traffic is being passed.
  • Command to type: ip flow-export source <interface>
Use the command below to specify the IP address (e.g. 10.1.1.5) of your Scrutinizer host and the "Listener Port" specified in the Configuration under the Settings tab. Scrutinizer listens on UDP port 2055 by default.
  • Command to type: ip flow-export destination <IP ADDRESS> 2055
The source interface sets the source IP address of the NetFlow exports sent by the router. Scrutinizer may also send SNMP requests to the router using this address, so it must be reachable from the Scrutinizer host. A loopback interface is the recommended source; if you experience problems with it (for example, the loopback address is not routable from Scrutinizer), you can set the source interface to an Ethernet or WAN interface instead.
  • Command to type: ip flow-export source loopback 0
Use the command below to set the export version. Version 5 is the traditional fixed-format export and is supported by practically every IOS router; newer IOS releases also offer the template-based version 9, but version 5 is what this procedure uses.
  • Command to type: ip flow-export version 5
The command below breaks up long-lived flows into 5-minute segments. You can choose any number of minutes between 1 and 60. If you leave the default of 30 minutes, a long-lived flow's traffic is only reported when it is exported, up to 30 minutes at a time, so you will get spikes in your utilization reports.
  • Command to type: ip flow-cache timeout active 5
The command below ensures that flows that have finished are exported in a timely manner. The default is 15 seconds; you can choose any value between 10 and 600. Note however that if you choose a value that is longer than 250 seconds Scrutinizer may report traffic levels that appear low.
  • Command to type: ip flow-cache timeout inactive 15
Use the command below to display the current NetFlow export configuration. Issue this in privileged EXEC mode (not configuration mode).
  • Command to type: show ip flow export
Issue these commands in privileged EXEC mode to summarise the active flows and to give an indication of how much NetFlow data is being transmitted by the router.
  • Command to type: show ip cache flow
  • Command to type: show ip cache verbose flow
The command below enables Cisco Express Forwarding, which is required for NetFlow in most recent IOS releases; issue it before the interface commands above. Note also that on newer IOS releases the interface command ip route-cache flow is accepted but rewritten in the running configuration as ip flow ingress, which is the equivalent command on those releases.
  • Command to type: ip cef
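The following is a complete configuration that puts the steps from the procedure at the top of this page and the command explanations above together. It is an added example, not configuration from the original page or from Scrutinizer's own documentation; the IP addresses, interface names and bandwidth figures are assumptions and should be replaced with your own.

```cisco
! Added example configuration, not from the original page.
! Addresses, interface names and bandwidth values are assumed; substitute your own.
!
! Cisco Express Forwarding is a prerequisite for NetFlow on recent IOS releases.
ip cef
!
! A loopback as the export source keeps the source address stable if a WAN
! interface fails over or interface numbering changes after a reload.
! The loopback address must be reachable from the Scrutinizer host.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
ip flow-export source Loopback0
ip flow-export version 5 peer-as
! Scrutinizer collector (assumed address) on its default UDP listener port.
ip flow-export destination 10.1.1.5 2055
!
! Cut long-lived flows into 5-minute segments and export finished flows
! after 15 seconds of inactivity, so utilization reports do not spike.
ip flow-cache timeout active 5
ip flow-cache timeout inactive 15
!
! Enable flow accounting on the physical interfaces carrying the traffic
! of interest. bandwidth is in kilobits per second.
interface FastEthernet0/0
 description LAN (assumed)
 ip address 192.168.1.1 255.255.255.0
 bandwidth 100000
 ip route-cache flow
!
! On a Frame Relay or ATM circuit, set bandwidth to the circuit's CIR/PCR
! rather than the physical interface speed; 1544 kbit/s is an assumed T1.
interface Serial0/0
 description WAN (assumed)
 ip address 203.0.113.2 255.255.255.252
 bandwidth 1544
 ip route-cache flow
!
end
```

After applying it, leave configuration mode and confirm the export settings with show ip flow export, then watch show ip cache flow to check that flows are being created on the enabled interfaces and exported to the collector. On newer IOS releases the running configuration will show ip flow ingress on the interfaces in place of ip route-cache flow; that is expected.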