How to configure a Cisco ISR router to send Netflow v9 or IPFIX data to VOSS Insights arbitrator

Abstract

This document provides the procedure to configure a Cisco ISR router to send Netflow data to VOSS Insights arbitrator using v9 or IPFIX format.

Assumptions

This document assumes that the following configuration will be applied on a Cisco ISR router with two interfaces:

  • GigabitEthernet0/0/0

  • GigabitEthernet0/0/1

For the purposes of this guide, the following software specifications are assumed:

isr4300-3977#show version
Cisco IOS XE Software, Version 03.16.04b.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S4b, RELEASE SOFTWARE (fc1)

The VOSS Insights team recommends that Netflow be configured and enabled in the “ingress” direction on all interfaces of a Netflow source device.

Configuration

The following sample configuration can be used as a template for Netflow v9 & IPFIX:

ENABLE SNMP INDEX PERSISTENCE

isr4300-3977#configure terminal

Enter configuration commands, one per line. End with CTRL-Z.

isr4300-3977(config)#snmp-server ifindex persist
isr4300-3977(config)#

ENABLE NBAR ON ROUTER INTERFACES

isr4300-3977>enable
isr4300-3977#configure terminal
isr4300-3977(config)#interface GigabitEthernet0/0/0
isr4300-3977(config-if)#ip nbar protocol-discovery
isr4300-3977(config-if)#exit
isr4300-3977(config)#interface GigabitEthernet0/0/1
isr4300-3977(config-if)#ip nbar protocol-discovery
isr4300-3977(config-if)#exit
isr4300-3977(config)#exit
isr4300-3977#copy run start

NETFLOW CONFIGURATION

isr4300-3977#configure terminal
isr4300-3977(config)#flow record netflow-record
isr4300-3977(config-flow-record)#match flow direction
isr4300-3977(config-flow-record)#match ipv4 protocol
isr4300-3977(config-flow-record)#match ipv4 source address
isr4300-3977(config-flow-record)#match ipv4 destination address
isr4300-3977(config-flow-record)#match transport source-port
isr4300-3977(config-flow-record)#match transport destination-port
isr4300-3977(config-flow-record)#match ipv4 tos
isr4300-3977(config-flow-record)#match interface input
isr4300-3977(config-flow-record)#match application name
isr4300-3977(config-flow-record)#collect interface output
isr4300-3977(config-flow-record)#collect routing source as
isr4300-3977(config-flow-record)#collect routing destination as
isr4300-3977(config-flow-record)#collect routing next-hop address ipv4
isr4300-3977(config-flow-record)#collect ipv4 source mask
isr4300-3977(config-flow-record)#collect ipv4 destination mask
isr4300-3977(config-flow-record)#collect transport tcp flags
isr4300-3977(config-flow-record)#collect counter bytes long
isr4300-3977(config-flow-record)#collect counter packets long
isr4300-3977(config-flow-record)#collect timestamp sys-uptime first
isr4300-3977(config-flow-record)#collect timestamp sys-uptime last
isr4300-3977(config-flow-record)#flow exporter netflow-exporter
isr4300-3977(config-flow-exporter)#description ---To Netflow Dashboard---
isr4300-3977(config-flow-exporter)#destination [VOSS Insights arbitrator IP Address]
isr4300-3977(config-flow-exporter)#source GigabitEthernet0/0/0

Note

The source command determines the interface from which Netflow packets are sent to the VOSS Insights arbitrator server.

Please make sure that IP routing works properly between the source address and VOSS Insights arbitrator server.

isr4300-3977(config-flow-exporter)#transport udp {2055|4739}
isr4300-3977(config-flow-exporter)#export-protocol {netflow-v9|ipfix}
isr4300-3977(config-flow-exporter)#template data timeout 60
isr4300-3977(config-flow-exporter)#option application-table timeout 60

isr4300-3977(config-flow-exporter)#flow monitor netflow-monitor
isr4300-3977(config-flow-monitor)#exporter netflow-exporter
isr4300-3977(config-flow-monitor)#cache timeout active 1
isr4300-3977(config-flow-monitor)#cache timeout inactive 15
isr4300-3977(config-flow-monitor)#record netflow-record
isr4300-3977(config-flow-monitor)#exit

isr4300-3977(config)#interface GigabitEthernet0/0/0
isr4300-3977(config-if)#ip flow monitor netflow-monitor input
isr4300-3977(config-if)#exit

isr4300-3977(config)#interface GigabitEthernet0/0/1
isr4300-3977(config-if)#ip flow monitor netflow-monitor input
isr4300-3977(config-if)#exit

isr4300-3977(config)#exit

isr4300-3977#copy run start
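
The following is an added example, not part of the original VOSS procedure: a small Python audit that reads a saved running-config and checks that the chain built above (flow record and exporter referenced by the monitor, monitor applied in the input direction, NBAR enabled) is complete on every interface. The sample config, the address 192.0.2.10 and the function names parse_stanzas and audit are constructed for illustration.

```python
# Constructed running-config excerpt (not from a real device). Gi0/0/1 lacks
# the ingress monitor on purpose so the audit has something to report.
SAMPLE = """\
flow record netflow-record
 match ipv4 source address
flow exporter netflow-exporter
 destination 192.0.2.10
 transport udp 2055
 export-protocol netflow-v9
flow monitor netflow-monitor
 exporter netflow-exporter
 record netflow-record
interface GigabitEthernet0/0/0
 ip nbar protocol-discovery
 ip flow monitor netflow-monitor input
interface GigabitEthernet0/0/1
 ip nbar protocol-discovery
"""

def parse_stanzas(config):
    """Map each top-level config line to the indented lines beneath it."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):  # skip blanks and '!' separators
            continue
        if line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        else:
            current = line.strip()
            stanzas[current] = []
    return stanzas

def audit(config, interfaces):
    """Return findings; an empty list means every check passed."""
    s, findings = parse_stanzas(config), []
    for key, body in s.items():
        if key.startswith("flow monitor "):
            for kind in ("exporter", "record"):
                refs = [l.split()[1] for l in body if l.startswith(kind + " ")]
                if not refs or any(f"flow {kind} {r}" not in s for r in refs):
                    findings.append(f"{key}: {kind} missing or undefined")
    for ifname in interfaces:
        body = s.get(f"interface {ifname}", [])
        mons = [l.split()[3] for l in body
                if l.startswith("ip flow monitor ") and l.endswith(" input")]
        if not any(f"flow monitor {m}" in s for m in mons):
            findings.append(f"{ifname}: no ingress flow monitor")
        if "ip nbar protocol-discovery" not in body:
            findings.append(f"{ifname}: NBAR protocol discovery not enabled")
    return findings
```

Run audit() against the text of a saved running-config with the list of interfaces that should export flows; an interface with no findings has both the ingress monitor and NBAR protocol discovery in place.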