**Update 05/27/2020: The featured image was updated to show a Netflow collector instead of a server.**

Netflow is a network protocol that provides visibility into network traffic and the ability to monitor the flow of data traversing the network. Traditional Netflow and Flexible Netflow are features that were added to Cisco routers. Flexible Netflow is an extension of Traditional Netflow: it provides the same insight into network traffic, and in addition it can monitor a wider range of packet information. This flexibility and the additional, more specific data are useful for troubleshooting network problems.

Before getting into the steps for each type of Netflow, let's set up the router to use NAT overload.

Router>enable
Router#configure terminal
Router(config)#interface fastethernet 0/1
Router(config-if)#ip address dhcp
Router(config-if)#ip nat outside
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 192.168.113.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#ip name-server 8.8.8.8
Router(config)#access-list 10 permit 192.168.113.0 0.0.0.255
Router(config)#ip nat inside source list 10 interface fastethernet 0/1 overload

Traditional Netflow

Step 1: Define the IP address of the Netflow collector and the UDP port to be used. In this example, we will use UDP 2055.

Router(config)#ip flow-export destination 192.168.113.5 2055

Step 2: Specify the version of Netflow the export will use. For this example use version 9.

Router(config)#ip flow-export version 9

Step 3: Enable Netflow on the interface that you wish to monitor the ingress and egress Netflow traffic.

Router(config)#interface fastethernet 0/0
Router(config-if)#ip flow ingress
Router(config-if)#ip flow egress

Flexible Netflow

Step 1: Configure a flow record.

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#flow record Netflow-Record
Router(config-flow-record)#match ipv4 tos
Router(config-flow-record)#match ipv4 protocol
Router(config-flow-record)#match ipv4 source address
Router(config-flow-record)#match ipv4 destination address
Router(config-flow-record)#match transport source-port
Router(config-flow-record)#match transport destination-port
Router(config-flow-record)#match interface input
Router(config-flow-record)#collect interface output
Router(config-flow-record)#collect counter bytes
Router(config-flow-record)#collect counter packets
Router(config-flow-record)#exit

Step 2: Configure a flow exporter.

Router(config)#flow exporter Netflow-Exporter
Router(config-flow-exporter)#destination 192.168.113.5
Router(config-flow-exporter)#source fa0/0
Router(config-flow-exporter)#transport udp 2055
Router(config-flow-exporter)#exit

Step 3: Configure a flow monitor.

Router(config)#flow monitor Netflow-Monitor
Router(config-flow-monitor)#exporter Netflow-Exporter
Router(config-flow-monitor)#record Netflow-Record
Router(config-flow-monitor)#cache timeout active 60
Router(config-flow-monitor)#exit

Step 4: Apply the flow monitor to an interface.

Router(config)#interface fa0/0
Router(config-if)#ip flow monitor Netflow-Monitor input
Router(config-if)#ip flow monitor Netflow-Monitor output
Router(config-if)#exit

Verify the NetFlow flow monitor statistics to confirm that the router is collecting flows from the interface the monitor was applied to.

To test, generate network traffic by browsing and/or pinging websites.

Verify the Netflow Collector is receiving the data. I used Solarwinds Real-Time Netflow Analyzer. It is free as long as you register a Solarwinds account. There are many open source programs as well that collect Netflow flows.
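To see what the collector actually receives on UDP 2055, the following added example (not part of the original post, and not Solarwinds code) decodes a NetFlow version 9 export datagram: it learns the template first, then uses it to decode the data records. The function names, the sample host 192.168.113.20 and the sample packet are constructed for illustration; the field type numbers come from RFC 3954.

```python
import ipaddress
import struct

# NetFlow v9 field type IDs (RFC 3954); only the ones this example names.
FIELDS = {1: "bytes", 2: "packets", 4: "protocol", 7: "src_port",
          8: "src_addr", 11: "dst_port", 12: "dst_addr"}

def parse_v9(packet, templates):
    """Decode one v9 datagram; `templates` must persist between datagrams."""
    if len(packet) < 20 or packet[:2] != b"\x00\x09":
        raise ValueError("not a NetFlow v9 datagram")
    source_id = struct.unpack_from("!I", packet, 16)[0]
    flows, offset = [], 20                           # fixed 20-byte header
    while offset + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, offset)
        if set_len < 4 or offset + set_len > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[offset + 4:offset + set_len]
        offset, pos = offset + set_len, 0
        while set_id == 0 and pos + 4 <= len(body):  # template flowset
            tid, n = struct.unpack_from("!HH", body, pos)
            if tid < 256 or pos + 4 + 4 * n > len(body):
                break                                # padding or truncated
            templates[(source_id, tid)] = [
                struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(n)]
            pos += 4 + 4 * n
        # Data flowsets (id >= 256) are skipped until their template is known.
        tmpl = templates.get((source_id, set_id), []) if set_id >= 256 else []
        rec_len = sum(length for _, length in tmpl)
        for start in (range(0, len(body) - rec_len + 1, rec_len) if rec_len else ()):
            rec, p = {}, start
            for ftype, length in tmpl:
                raw, p = body[p:p + length], p + length
                rec[FIELDS.get(ftype, f"field_{ftype}")] = (
                    str(ipaddress.IPv4Address(raw)) if ftype in (8, 12)
                    else int.from_bytes(raw, "big"))
            flows.append(rec)
    return flows

def sample_packet():
    """Constructed datagram: template 256 followed by one data record."""
    tmpl = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tset = struct.pack("!HH", 256, len(tmpl)) + b"".join(struct.pack("!HH", *f) for f in tmpl)
    dset = (ipaddress.IPv4Address("192.168.113.20").packed
            + ipaddress.IPv4Address("8.8.8.8").packed
            + struct.pack("!HHBII", 51000, 53, 17, 120, 2) + b"\x00" * 3)  # 3 pad bytes
    return (struct.pack("!HHIIII", 9, 2, 1000, 1590537600, 1, 0)
            + struct.pack("!HH", 0, 4 + len(tset)) + tset
            + struct.pack("!HH", 256, 4 + len(dset)) + dset)
```

On the collector host, pass each datagram received on UDP 2055 to `parse_v9` with the same `templates` dictionary. An empty result right after enabling export usually means the router has not yet sent the template, not that export is broken.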
