CCNP Security 300-206 (SENSS) – Implement NetFlow IOS-XE with NBAR Discovery

There are plenty of well-documented NetFlow configuration examples out there, but I wanted to give my own config a crack and share it. I’m also adding one more piece that is very useful for keeping your network in check: NBAR protocol discovery on the same interfaces.

Which Direction for NetFlow?

I have read somewhere (I refuse to look for the document again, but I think it was on Lancope’s website) that NetFlow works better if applied in only one direction. I’m sure many people have their own opinions and reasons for applying it in both directions on the same interface, but after a lot of thinking, one direction made sense to me. The reasoning holds up: with a monitor applied in the input direction on every interface, each transit flow is recorded once, on the interface it enters, and the collect interface output field in the record still tells you where it left. Applying both an input and an output monitor on the same interface records every packet twice and roughly doubles what you export to the collector.

The “Flow” when configuring NetFlow

Create the Flow Record (In, and optionally Out) - the fields to key on and the counters to collect
Create the Flow Exporter - where the records go (collector address, UDP port, export version)
Create the Flow Monitor (In, and optionally Out) - ties a record to an exporter and sets the cache timeouts
Apply the Flow Monitor to your interface (input for the In monitor, output for the Out monitor)

This is what I use when configuring NetFlow

The Configuration


flow record Netflow-In
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes
collect counter packets
collect interface output

!!!!!!!!!!!!!!!!!
!ADD IF NECESSARY - Just remove the ! at the beginning
!!!!!!!!!!!!!!!!!
!flow record Netflow-Out
!match flow direction
!match interface output
!match ipv4 destination address
!match ipv4 protocol
!match ipv4 source address
!match ipv4 tos
!match transport destination-port
!match transport source-port
!collect counter bytes
!collect counter packets
!collect interface input

!Flow Exporter - xx.xx.xx.xx is the collector; the source interface must be reachable from it
flow exporter Netflow-to-server
source GigabitEthernetx/x
destination xx.xx.xx.xx
transport udp 2055
export-protocol netflow-v9


!Flow Monitor - the exporter name must match the one defined above
flow monitor Netflow-Monitor-In
exporter Netflow-to-server
cache timeout inactive 10
cache timeout active 60
record Netflow-In

!!!!!!!!!!!!!!!!!
!ADD IF NECESSARY - Just remove the ! at the beginning
!!!!!!!!!!!!!!!!!
!flow monitor Netflow-Monitor-Out
! exporter Netflow-to-server
! cache timeout inactive 10
! cache timeout active 60
! record Netflow-Out

!!!!!!!!!!!!!!!!!
!INTERFACES - ADDING THE NETFLOW COMMAND AND NBAR
!!!!!!!!!!!!!!!!!

interface GigabitEthernetx/x
ip flow monitor Netflow-Monitor-In input
ip nbar protocol-discovery ipv4

interface GigabitEthernetx/x
ip flow monitor Netflow-Monitor-In input
ip nbar protocol-discovery ipv4



!!!!!!!!!!!!!!!!!

Command to Check the Top Talkers
do show flow monitor Netflow-Monitor-In cache sort highest counter bytes top 20

The do prefix is only needed when you run it from configuration mode; from privileged EXEC, drop it. This sorts the monitor’s cache by the bytes counter, so the flows at the top are the ones consuming the most bandwidth right now. For the NBAR side, show ip nbar protocol-discovery on the same interface lists the applications NBAR has classified and their byte and packet counts, which is how you put names to the ports you see in the NetFlow cache.
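To see what the exporter above actually sends to the collector on UDP 2055, here is an added example (not part of the original post) that decodes a NetFlow v9 datagram and reproduces the top-talkers ordering of the show command. The template uses the RFC 3954 field IDs for exactly the fields the Netflow-In record matches and collects (direction, input interface, addresses, protocol, ToS, ports, byte and packet counters, output interface). The packet, the template ID 256, the addresses and the counters are constructed for the example; a real collector would read the same bytes from the socket.

```python
import struct
import ipaddress
from collections import defaultdict

# NetFlow v9 field type IDs (RFC 3954) for the fields the Netflow-In record
# matches and collects. Lengths are the usual IOS-XE export sizes.
FIELD_NAMES = {
    1: "bytes",         # IN_BYTES        (collect counter bytes)
    2: "packets",       # IN_PKTS         (collect counter packets)
    4: "protocol",      # PROTOCOL        (match ipv4 protocol)
    5: "tos",           # SRC_TOS         (match ipv4 tos)
    7: "src_port",      # L4_SRC_PORT     (match transport source-port)
    8: "src_addr",      # IPV4_SRC_ADDR   (match ipv4 source address)
    10: "input_snmp",   # INPUT_SNMP      (match interface input, as ifIndex)
    11: "dst_port",     # L4_DST_PORT     (match transport destination-port)
    12: "dst_addr",     # IPV4_DST_ADDR   (match ipv4 destination address)
    14: "output_snmp",  # OUTPUT_SNMP     (collect interface output, as ifIndex)
    61: "direction",    # DIRECTION       (match flow direction: 0 ingress, 1 egress)
}
TEMPLATE_ID = 256  # constructed; exporters pick any id >= 256
TEMPLATE_FIELDS = [(61, 1), (10, 2), (12, 4), (4, 1), (8, 4), (5, 1),
                   (11, 2), (7, 2), (1, 4), (2, 4), (14, 2)]


def decode_field(ftype, raw):
    """IPv4 address fields become dotted quads; everything else is a big-endian int."""
    if ftype in (8, 12):
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(packet):
    """Decode one NetFlow v9 export datagram into a list of record dicts.

    Templates are learned from flowset id 0; data flowsets (id >= 256) are decoded
    with the template of the same id. Data that arrives before its template is
    skipped, as a real collector must do: without the template the layout is unknown.
    Options templates (flowset id 1) are ignored here.
    """
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version={version})")
    templates = {}
    records = []
    offset = 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4:
            raise ValueError("malformed flowset length")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = []
                for _ in range(nfields):
                    fields.append(struct.unpack("!HH", body[pos:pos + 4]))
                    pos += 4
                templates[tid] = fields
        elif flowset_id >= 256 and flowset_id in templates:
            fields = templates[flowset_id]
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while pos + rec_len <= len(body):  # trailing bytes shorter than a record are padding
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        offset += length
    return records


def top_talkers(records, n=20):
    """Bytes per (src, dst) pair, highest first, like
    'show flow monitor ... cache sort highest counter bytes top N'."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["src_addr"], r["dst_addr"])] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def build_sample_packet():
    """Constructed datagram: header, the template, and four data records (made-up values)."""
    flows = [
        # direction, in_if, dst, proto, src, tos, dport, sport, bytes, pkts, out_if
        (0, 1, "10.0.0.5",    6,  "192.168.1.10", 0, 443, 51000, 1_500_000, 1200, 2),
        (0, 1, "10.0.0.9",    17, "192.168.1.11", 0, 53,  40000, 3_200,     40,   2),
        (0, 1, "10.0.0.5",    6,  "192.168.1.10", 0, 443, 51001, 700_000,   600,  2),
        (0, 1, "203.0.113.7", 6,  "192.168.1.12", 0, 22,  52222, 420_000,   900,  2),
    ]
    tmpl_body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    tmpl_body += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
    template_flowset = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body

    data_body = b"".join(
        struct.pack("!BH4sB4sBHHIIH", d, i, ipaddress.IPv4Address(dst).packed, p,
                    ipaddress.IPv4Address(src).packed, tos, dp, sp, by, pk, o)
        for d, i, dst, p, src, tos, dp, sp, by, pk, o in flows)
    data_body += b"\x00" * ((-len(data_body)) % 4)  # flowsets are padded to 4-byte boundaries
    data_flowset = struct.pack("!HH", TEMPLATE_ID, 4 + len(data_body)) + data_body

    # header: version 9, record count (template + data), sysUptime, unix secs, sequence, source id
    header = struct.pack("!HHIIII", 9, 1 + len(flows), 123456, 1700000000, 1, 0)
    return header + template_flowset + data_flowset


def sample_top_talkers(n=3):
    return top_talkers(parse_v9(build_sample_packet()), n)


if __name__ == "__main__":
    for (src, dst), total in sample_top_talkers():
        print(f"{src:>15} -> {dst:<15} {total:>10} bytes")
```

The two 192.168.1.10 flows to 10.0.0.5:443 collapse into one line at the top, which is the kind of aggregation a collector does on top of the per-flow cache the router shows you. Note that the exporter sends templates only periodically, so a collector started mid-stream sees data flowsets it cannot decode until the next template refresh; parse_v9 skips those rather than guessing the layout.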


What to look forward to?

More information as it comes fresh from my drafts folder 🙂 –> I still have lots to catch up on so you will be seeing some more posts in the following days – Enjoy!

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 13 years of experience, Andres is specialized in the Unified Communications and Collaboration technologies. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations including Cisco technologies; such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures.

You can follow Andres using Twitter, LinkedIn or Facebook
