Netflow (IOS-XE)
On CSR1, configure Netflow for IPv4 using the following guidelines:
Match on the default 7 fields, and also gather information about payload length and the TTL value
Sample 1 in 50 packets
Export netflow data to a collector at 1.1.1.1 over netflow v9
Send the template every 60 seconds
Active flows should timeout after 600 seconds, and inactive flows should timeout after 20 seconds
Apply this to traffic ingressing and egressing Gi2.12
Answer
Explanation
Netflow is used to capture statistics about traffic ingressing/egressing an interface, without performing a full packet capture or SPAN session. Netflow can be used to bill based on usage, plan network capacity, and aid in security analysis.
In Netflow, a summary of the traffic is sent to a collector instead of the actual packets. For example, the packet headers, the size of the packet, etc. are reported to the collector.
Netflow is composed of four components:
Flow records, which define key and nonkey fields
Key fields (match) define the flow
Nonkey fields (collect) define information to gather about each flow
Flow exporters define the exporting of flow records
Flow monitors tie together the record and exporter, and are applied to an interface
Samplers ease the burden on the router by only collecting netflow data on a percentage of the traffic passing through it
By default, a flow is categorized based on seven keys:
Src/Dst IP
Src/Dst port
IP protocol
ToS byte
Input interface
For this reason, we define these as match fields (key fields) in our flow record. The collect fields are fields whose values are gathered for each flow, but which do not define the flow.
For example, the payload length is gathered for every packet in the flow and exported as the total bytes captured for the flow. This is a “collect” field, so it does not define the flow.
Note that you do not have to use your own record. You can instead use the basic flow record by using:
Next you define an exporter. Here you can define the VRF, export-protocol (usually v9 or IPFIX), source interface, and DSCP value.
In netflow v9 and IPFIX, a flexible format is used, in which a template record describes the layout of the data records. Flow records are “lightweight,” because they simply contain the data itself with a reference to the previously sent template record. This means that a collector cannot use the data until it sees the template record. We can control how often the router exports the template records using the following command:
The exporter and record are tied together using a flow monitor. This is where you can also define the cache timeout values. The active timeout value is how long to wait until finally timing out an active flow and exporting the data. The inactive timeout value is how long to wait after a flow is inactive before exporting the data.
This is tied to an interface, along with an optional sampler.
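Putting the four components together for the task at the top of the page, as an added example configuration (it is not the page's own answer key and should be checked against your platform's CLI). The exporter source interface GigabitEthernet1 and the UDP port 9995 are assumptions, since the task does not specify them.

```cisco
! Flow record: the seven default key fields plus the two requested collect fields
flow record NETFLOW-RECORD
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match ipv4 tos
 match transport source-port
 match transport destination-port
 match interface input
 collect ipv4 length payload
 collect ipv4 ttl
 collect counter bytes
 collect counter packets
!
! Sampler: 1 in 50 packets (random selection)
sampler NETFLOW-SAMPLER
 mode random 1 out-of 50
!
! Exporter: v9 to 1.1.1.1, template re-sent every 60 seconds
! (source interface and UDP port are assumptions)
flow exporter NETFLOW-EXPORTER
 destination 1.1.1.1
 source GigabitEthernet1
 transport udp 9995
 export-protocol netflow-v9
 template data timeout 60
!
! Monitor: ties record and exporter together and sets the cache timeouts
flow monitor NETFLOW-MONITOR
 record NETFLOW-RECORD
 exporter NETFLOW-EXPORTER
 cache timeout active 600
 cache timeout inactive 20
!
! Apply to Gi2.12 in both directions, with the sampler
interface GigabitEthernet2.12
 ip flow monitor NETFLOW-MONITOR sampler NETFLOW-SAMPLER input
 ip flow monitor NETFLOW-MONITOR sampler NETFLOW-SAMPLER output
!
! Verification (exec mode): confirm flows are being cached and exported
! show flow monitor NETFLOW-MONITOR cache
! show flow exporter NETFLOW-EXPORTER statistics
! show sampler NETFLOW-SAMPLER
```

The exporter statistics output is the quickest check that the collector is actually receiving both template and data records; if it shows data records but the collector decodes nothing, the template timeout is the first thing to revisit.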
Note that for IPv6, you would need a separate monitor that matches on ipv6 fields and you would apply this to the interface as follows: