A lot more Network Security Monitoring (NSM) products these days (Freeware and Open-source Applications & Commercial Applications) are capable of receiving NetFlow from routing and switching devices. Configuring the export of these flow records are not the most straightforward task as the steps differ between device models. This article will explain the basics behind configuring NetFlow on various Cisco devices:
Perform the steps in this required task to configure Netflow and Netflow Data Export:
1) In global configuration
– ip flow-export source |interface|
– ip flow-export version |number|
– ip flow-cache timeout active 1
– ip flow-export destination |ip| |port|
Where:
|interface| – is the interface you want your NetFlow export to originate from
|number| – is the NetFlow version you wish to export (i.e. 5)
|ip| – is the destination IP of your QFlow collector
|port| – is the port you wish to export NetFlow on
2) In the interface configuration mode of each major interface (not sub-interface) you must run the following command:
– ip route-cache flow
Perform the following steps if using Cisco 4000/4500 switches
1) Commands for enabling NetFlow:
– ip flow-export destination |ip| |port|
– ip flow-export version |number|
– ip flow-export source |interface|
– ip flow-cache timeout active 1
– ip route-cache flow infer-fields
Where:
|interface| – is the interface you want your NetFlow export to originate from
|number| – is the NetFlow version you wish to export (i.e. 5)
|ip| – is the destination IP of your QFlow collector
|port| – is the port you wish to export NetFlow on
Note – You will not enter the ip route-cache flow command on each interface. Also the 4000 and 4500 series switches require a Supervisor IV with a Netflow Services daughter card (WS-F4531) and IOS version 12.1(19)EW or above to support NetFlow.
Perform the following steps if using Catalyst 6500 Switches
On Catalyst 6500 switches, there are two fundamentally different operating systems or modes that can be used: Native and Hybrid. Regardless of mode, in order to run NetFlow the switch must comply with the below table as far as Supervisor Engine and operating system level.
A Catalyst 6500 in Native mode provides the best NetFlow data because it correlates the switch port information to the VLAN information. For sizing purposes, this means that the customer only needs to count the VLANs on the switch toward the total interface count.
A Catalyst 6500 in Hybrid mode provides NetFlow data but does not correlate the switch port information to the VLAN information. For sizing purposes, this means that the customer must count both the VLANs and the individual switch ports toward the total interface count. Either Native or Hybrid mode will work with NetFlow, but the number of interfaces monitored is drastically increased in Hybrid mode.
1) To configure a SupII (Native) with an 12.1(13)E3 IOS version:
– mls nde sender version |number|
– mls flow ip interface-full
– mls nde interface
2) To configure a SupII (Hybrid) with a 7.6.1 CatOS and 12.1(13)E3 IOS version (on the CatOS side):
– set mls flow full
– set mls nde |ip| |port|
– set mls nde version |number|
– set mls nde enable
Where:
|number| – is the NetFlow version you wish to export (i.e. 5)
|ip| – is the destination IP of your QFlow collector
|port| – is the port you wish to export NetFlow on
Note – The above commands are in addition to the required NetFlow commands ‘ip flow-export’ and ‘ip route-cache flow’. SupII in Hybrid commands are CatOS side.
Perform the following steps if using Cisco 7600 switches in native mode
1) If running in native mode make sure the following commands are set:
– mls nde sender version |number|
– mls flow ip interface-full
– mls aging long 64
– ip flow-export source |interface|
– ip flow-export version |number|
– ip flow-export destination |ip| |port|
– snmp-server ifindex persist
Where:
|interface| – is the interface you want your NetFlow export to originate from
|number| – is the NetFlow version you wish to export (i.e. 5)
|ip| – is the destination IP of your QFlow collector
|port| – is the port you wish to export NetFlow on
2) For each interface:
– ip route-cache flow
Problems with flexwan feature card modules for 6500 and 7600 routers
If you have a 6500 or 7600 Cisco series router running in hybrid mode with flexwan feature cards the interface reporting may not be accurate. It is likely that will discover that not all interfaces on your Cisco 6500 or 7600 router are reporting data to QRadar. It is also possible that the interfaces that do show data in Network Surveillance do not appear to be accurate.
In conversations with Cisco TAC, NetFlow is being sent correctly from the router, however the NetFlow datagrams contain inaccurate IFIndex values. This causes problems with data reporting.
Comments are closed.
It may seems a little bit hard to try but once you follow the steps correctly you’ll be fine. Remember to enable NetFlow you must first configure the router for IP.