microNOC

A couple of follow ups on Netflow from yesterday.

Configuring netflow on a Cisco router.

I was asked about setting up netflow exports on a Cisco router.

I have to be honest, setting up netflow can vary wildly, depending on what you want to do, but here is a very, very simple example. In this case, the router traffic that I want to keep track of is entering the router through Interface Ethernet 0/0, and I want the netflow data to go to a collector on the server at 172.17.60.29, port 9990.

Once you are in config mode, here is what you would need to enter:

ip flow-export version 5
ip flow-export destination 172.17.60.29 9990

int e0/0
ip flow ingress

See, very simple. That is from a Cisco 3845 router, and off the top of my head I can’t remember the IOS version, but it is still pretty simple and straightforward. Hasn’t changed in years as far as I can tell.

Netflow Collectors

Next, I did get a question or two about collectors and viewing the netflow data. So here goes:

Netflow collectors are applications or services running on a computer that take the information passed to them from the routers exporting the data, and store it in some sort of database or file system.
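A sketch of what a collector does with each export packet, added here as an example (it is not code from the original post or from any of the collectors named below): it parses NetFlow version 5 datagrams, the format selected by `ip flow-export version 5`, and drops anything malformed or sent by a host that is not an allow-listed router, since v5 export is plain UDP with no authentication. The `collect` helper, its `exporters` allow-list and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte v5 flow record


def parse_v5(datagram):
    """Return flow dicts from one NetFlow v5 datagram; ValueError if malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("short header")
    version, count, *_ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unsupported version {version}")
    body = datagram[HEADER.size:]
    # v5 carries 1..30 records and the length must match the claimed count.
    if not 1 <= count <= 30 or len(body) != count * RECORD.size:
        raise ValueError("record count and datagram length disagree")
    flows = []
    for (src, dst, _hop, in_if, _out_if, pkts, octets, _first, _last, sport,
         dport, _flags, proto, *_rest) in RECORD.iter_unpack(body):
        flows.append({
            "src": str(ipaddress.IPv4Address(src)), "sport": sport,
            "dst": str(ipaddress.IPv4Address(dst)), "dport": dport,
            "proto": proto, "packets": pkts, "bytes": octets, "in_if": in_if,
        })
    return flows


def collect(bind_addr, port, exporters):
    """Yield flows arriving on UDP bind_addr:port from allow-listed routers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (peer, _) = sock.recvfrom(2048)
            if peer not in exporters:   # v5 is plain UDP with no authentication
                continue
            try:
                flows = parse_v5(data)
            except ValueError:
                continue                # malformed or non-v5 datagram: drop it
            yield from flows


# Constructed sample: one datagram with a single TCP flow to port 80.
SAMPLE = HEADER.pack(5, 1, 0, 0, 0, 0, 0, 0, 0) + RECORD.pack(
    socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"), bytes(4),
    1, 2, 10, 5200, 0, 0, 49152, 80, 0x18, 6, 0, 0, 0, 24, 24)
```

`parse_v5(SAMPLE)` returns the single constructed flow; on the collector from the example above, `collect("172.17.60.29", 9990, {...})` would be given the exporting router's address in the allow-list.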

There are several collectors on the market, both commercial and free, including one that was left in the comments yesterday, Scrutinizer (which I haven’t used before but will give a try soon), that offers both paid and free options. Some of the open-source (i.e. free) ones include NEye and flowd. There are many others on the market. I know that there are a couple out there for the Windows platform too; just Google for them.

Now, not all of the collectors include the ability to view the data, as they are simply collectors. This is especially true in the Unix world, where the concept of having a separate, reusable piece of code for each function that you might need was born. This makes for great flexibility in viewing the data, so it’s not a bad thing at all.

Netflow viewers or report tools also vary greatly. Some are predominantly text / table reporting tools, like the Flow Viewer app (watch for info on this to come soon as I start discussing the CactiEZ project), which generates text-based reports on traffic that has been collected. And some are very visual, which is great for impressing management, and can actually be very useful for a quick-glance approach to finding issues.

Here is a sample graph created by FlowScan (an opensource package):

As you can see, it shows you at a glance how much traffic there is on the router interface that you are exporting from, and it separates out the different amounts of traffic by applications or protocols. Granted, this is a very old map (take note of the Napster traffic), but it gives you a good idea of the kinds of data and details that you can pick out by using a graphic based tool to report on your Netflow data.

I hope that gives you a better idea of what you can expect from Netflow. If you’d like to get Netflow up and running, with pretty pictures and good solid information, we’ll plug our sister company, Voodoo Networks, as they have many years of experience with large networks and getting simple tools in place to monitor them.

Hope everyone stays up and running.

Updated:
Nathan pointed out that I left out the ip flow-export version 5 line from the sample Cisco configuration. Thanks Nathan!


2 Responses to “Netflow followup - Cisco configuration and Collectors.”

  1. Nathan

    The configs haven’t changed much at all, but Cisco has released a couple different versions for NetFlow. So now we have to also specify the version of NetFlow you want to export too.

    ip flow-export version 5

    (will export v5 records, which seems to be the universal format)

    Cisco can’t make it too easy on us… (rolls eyes)

  2. admin

    Thanks - I’ve updated the post and added that line back in.
