Configuring NetFlow Export on an IOS Device

Follow the steps below to configure NetFlow export on a Cisco IOS device.

Refer the Cisco Version Matrix for information on Cisco platforms and IOS versions supporting NetFlow

Enabling NetFlow Export

Enter global configuration mode on the router or MSFC, and issue the following commands for each interface on which you want to enable NetFlow:

interface {interface} {interface_number}

ip route-cache flow

bandwidth <kbps>

exit

In some recent IOS releases Cisco Express Forwarding has to be enabled. Issue the command ip cef in global configuration mode on the router or MSFC for this.

This enables NetFlow on the specified interface alone. Remember that on a Cisco IOS device, NetFlow is enabled on a per-interface basis. The bandwidth command is optional, and is used to set the speed of the interface in kilobits per second. Interface speed or link speed value is used to later calculate percentage utilization values in traffic graphs.

Exporting NetFlow Data

Issue the following commands to export NetFlow data to the server on which NetFlow Analyzer is running:

Command	Purpose
`ip flow-export destination {hostname\|ip_address} 9996`	Exports the NetFlow cache entries to the specified IP address. Use the IP address of the NetFlow Analyzer server and the configured NetFlow listener port. The default port is 9996.
`ip flow-export source {interface} {interface_number}`	Sets the source IP address of the NetFlow exports sent by the device to the specified IP address. NetFlow Analyzer will make SNMP requests of the device on this address.
`ip flow-export version 5 [peer-as \| origin-as]`	Sets the NetFlow export version to version 5. NetFlow Analyzer supports only version 5, version 7 and version 9. If your router uses BGP you can specify that either the origin or peer AS is included in exports - it is not possible to include both.
`ip flow-cache timeout active 1`	Breaks up long-lived flows into 1-minute fragments. You can choose any number of minutes between 1 and 60. If you leave it at the default of 30 minutes your traffic reports will have spikes. It is important to set this value to 1 minute in order to generate alerts and view troubleshooting data.
`ip flow-cache timeout inactive 15`	Ensures that flows that have finished are periodically exported. The default value is 15 seconds. You can choose any number of seconds between 10 and 600. However, if you choose a value greater than 250 seconds, NetFlow Analyzer may report traffic levels that are too low.
`snmp-server ifindex persist`	Enables ifIndex persistence (interface names) globally. This ensures that the ifIndex values are persisted during device reboots.

For more information on BGP reporting in NetFlow Analyzer, look up the section on Configuring NetFlow for BGP

Verifying Device Configuration

Issue the following commands in normal (not configuration) mode to verify whether NetFlow export has been configured correctly:

Command	Purpose
`show ip flow export`	Shows the current NetFlow configuration
`show ip cache flow`	These commands summarize the active flows and give an indication of how much NetFlow data the device is exporting
`show ip cache verbose flow`

A Sample Device Configuration

The following is a set of commands issued on a router to enable NetFlow version 5 on the FastEthernet 0/1 interface and export to the machine 192.168.9.101 on port 9996.

router#enable

      Password:*****

      router#configure terminal

      router-2621(config)#interface FastEthernet 0/1

        router-2621(config-if)#ip route-cache flow

        router-2621(config-if)#exit 

      router-2621(config)#ip flow-export destination 192.168.9.101 9996

      router-2621(config)#ip flow-export source FastEthernet 0/1

      router-2621(config)#ip flow-export version 5

      router-2621(config)#ip flow-cache timeout active 1

      router-2621(config)#ip flow-cache timeout inactive 15

      router-2621(config)#snmp-server ifindex persist

      router-2621(config)#^Z

      router#write

      router#show ip flow export

      router#show ip cache flow

*repeat these commands to enable NetFlow for each interface

Please note that NetFlow data export has to be enabled on all interfaces of a router in order to see accurate IN and OUT traffic. Suppose you have a router with interface A and B. Since NetFlow, by default, is done on an ingress basis, when you enable NetFlow data export on interface A, it will only export the IN traffic for interface A and OUT traffic for interface B. The OUT traffic for interface A will be contributed by the NetFlow data exported from interface B.

Even if you are interested in managing only interface A, please enable NetFlow data export on A and B. You may subsequently unmanage interface B from the License Management link.

Turning off NetFlow

Issue the following commands in global configuration mode to stop exporting NetFlow data:

Command	Purpose
`no ip flow-export destination {hostname\|ip_address} {port_number}`	This will stop exporting NetFlow cache entries to the specified destination IP address on the specified port number
`interface {interface} {interface_number}`	This will disable NetFlow export on the specified interface. Repeat the commands for each interface on which you need to disable NetFlow.
`no ip route-cache flow`
`exit`

For further information on configuring your IOS device for NetFlow data export, refer Cisco's NetFlow commands documentation