How to configure a Cisco ISR router to send Netflow v9 or IPFIX data to VOSS Insights arbitrator
-------------------------------------------------------------------------------------------------

Abstract
...............

This document provides the procedure to configure a Cisco ISR router to send Netflow data to VOSS Insights arbitrator using v9 or IPFIX format.

Assumptions
..................

This document assumes that the following configuration will be applied on a Cisco ISR router with two interfaces:

* GigabitEthernet0/0/0
* GigabitEthernet0/0/1

For the purposes of this guide, the following software specifications are assumed:

::

    isr4300-3977#show version
    Cisco IOS XE Software, Version 03.16.04b.S - Extended Support Release
    Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S4b, RELEASE SOFTWARE (fc1)

VOSS Insights Team recommends that Netflow is configured and enabled in the "ingress" direction for all interfaces on a Netflow source device.

Configuration
.....................

The following sample configuration can be used as a template for Netflow v9 & IPFIX:

ENABLE SNMP INDEX PERSISTENCE

::

    isr4300-3977#configure terminal
    Enter configuration commands, one per line. End with **CTRL-Z**.

::

    isr4300-3977(config)#snmp-server ifindex persist
    isr4300-3977(config)#

ENABLE NBAR ON ROUTER INTERFACES

::

    isr4300-3977>enable
    isr4300-3977#configure terminal
    isr4300-3977(config)#interface GigabitEthernet0/0/0
    isr4300-3977(config-if)#ip nbar protocol-discovery
    isr4300-3977(config-if)#exit
    isr4300-3977(config)#interface GigabitEthernet0/0/1
    isr4300-3977(config-if)#ip nbar protocol-discovery
    isr4300-3977(config-if)#exit
    isr4300-3977(config)#exit
    isr4300-3977#copy run start

NETFLOW CONFIGURATION

::

    isr4300-3977#configure terminal
    isr4300-3977(config)#flow record netflow-record
    isr4300-3977(config-flow-record)#match flow direction
    isr4300-3977(config-flow-record)#match ipv4 protocol
    isr4300-3977(config-flow-record)#match ipv4 source address
    isr4300-3977(config-flow-record)#match ipv4 destination address
    isr4300-3977(config-flow-record)#match transport source-port
    isr4300-3977(config-flow-record)#match transport destination-port
    isr4300-3977(config-flow-record)#match ipv4 tos
    isr4300-3977(config-flow-record)#match interface input
    isr4300-3977(config-flow-record)#match application name
    isr4300-3977(config-flow-record)#collect interface output
    isr4300-3977(config-flow-record)#collect routing source as
    isr4300-3977(config-flow-record)#collect routing destination as
    isr4300-3977(config-flow-record)#collect routing next-hop address ipv4
    isr4300-3977(config-flow-record)#collect ipv4 source mask
    isr4300-3977(config-flow-record)#collect ipv4 destination mask
    isr4300-3977(config-flow-record)#collect transport tcp flags
    isr4300-3977(config-flow-record)#collect counter bytes long
    isr4300-3977(config-flow-record)#collect counter packets long
    isr4300-3977(config-flow-record)#collect timestamp sys-uptime first
    isr4300-3977(config-flow-record)#collect timestamp sys-uptime last

::

    isr4300-3977(config-flow-record)#flow exporter netflow-exporter
    isr4300-3977(config-flow-exporter)#description ---To Netflow Dashboard---
    isr4300-3977(config-flow-exporter)#destination [VOSS Insights arbitrator IP Address]
    isr4300-3977(config-flow-exporter)#source GigabitEthernet0/0/0

.. note::

   The source command determines the interface from which the Netflow packets will be sent to the VOSS Insights arbitrator server. Make sure that IP routing works properly between the source address and the VOSS Insights arbitrator server.

::

    isr4300-3977(config-flow-exporter)#transport udp {2055|4739}
    isr4300-3977(config-flow-exporter)#export-protocol {netflow-v9|ipfix}
    isr4300-3977(config-flow-exporter)#template data timeout 60
    isr4300-3977(config-flow-exporter)#option application-table timeout 60
    isr4300-3977(config-flow-exporter)#flow monitor netflow-monitor
    isr4300-3977(config-flow-monitor)#exporter netflow-exporter
    isr4300-3977(config-flow-monitor)#cache timeout active 1
    isr4300-3977(config-flow-monitor)#cache timeout inactive 15
    isr4300-3977(config-flow-monitor)#record netflow-record
    isr4300-3977(config-flow-monitor)#exit
    isr4300-3977(config)#interface GigabitEthernet0/0/0
    isr4300-3977(config-if)#ip flow monitor netflow-monitor input
    isr4300-3977(config-if)#exit
    isr4300-3977(config)#interface GigabitEthernet0/0/1
    isr4300-3977(config-if)#ip flow monitor netflow-monitor input
    isr4300-3977(config-if)#exit
    isr4300-3977(config)#exit
    isr4300-3977#copy run start
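
To check that the exporter configured above emits the export protocol and flow-record fields you expect, the following added example (not part of the VOSS procedure or of any VOSS or Cisco tooling) parses the template sets of a NetFlow v9 or IPFIX datagram. The names ``parse_templates``, ``FIELDS`` and ``SAMPLE_V9`` are chosen for this example, and the sample datagram is constructed.

```python
import struct

# Field type numbers are shared by NetFlow v9 and IPFIX (IANA element IDs).
FIELDS = {1: "bytes", 2: "packets", 4: "protocol", 5: "tos", 6: "tcp-flags",
          7: "src-port", 8: "src-addr", 10: "input-if", 11: "dst-port",
          12: "dst-addr", 14: "output-if", 61: "direction", 95: "application"}

def parse_templates(pkt):
    """Return (export protocol, {template id: [field names]}) for one datagram."""
    version = struct.unpack_from("!H", pkt)[0]
    if version not in (9, 10):
        raise ValueError("not NetFlow v9 or IPFIX: version %d" % version)
    # v9: 20-byte header, template flowset id 0. IPFIX: 16-byte header, set id 2.
    proto, pos, tmpl_set = ("netflow-v9", 20, 0) if version == 9 else ("ipfix", 16, 2)
    templates = {}
    while pos + 4 <= len(pkt):
        set_id, set_len = struct.unpack_from("!HH", pkt, pos)
        if set_len < 4 or pos + set_len > len(pkt):
            raise ValueError("bad set length %d at offset %d" % (set_len, pos))
        if set_id == tmpl_set:
            rec, end = pos + 4, pos + set_len
            while rec + 4 <= end:
                tid, count = struct.unpack_from("!HH", pkt, rec)
                if tid < 256:          # trailing padding, not a template record
                    break
                rec, names = rec + 4, []
                for _ in range(count):
                    if rec + 4 > end:
                        raise ValueError("truncated template %d" % tid)
                    ftype = struct.unpack_from("!H", pkt, rec)[0]
                    rec += 4           # field type + field length
                    if version == 10 and ftype & 0x8000:
                        rec += 4       # IPFIX enterprise element: skip the PEN
                        names.append("enterprise-%d" % (ftype & 0x7FFF))
                    else:
                        names.append(FIELDS.get(ftype, "type-%d" % ftype))
                templates[tid] = names
        pos += set_len                 # data and options sets are skipped
    return proto, templates

# Constructed sample: NetFlow v9 header plus one template (id 256, 3 fields).
SAMPLE_V9 = (struct.pack("!HHIIII", 9, 1, 1000, 0, 1, 0)
             + struct.pack("!HHHH", 0, 20, 256, 3)
             + struct.pack("!6H", 8, 4, 12, 4, 4, 1))

if __name__ == "__main__":
    print(parse_templates(SAMPLE_V9))
```

On a test host, pass each UDP payload received on the configured transport port to ``parse_templates``; data sets are skipped, so nothing is reported until the exporter sends a template.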