How to configure NetFlow on a Cisco device for Netmon

Warning: Configuration of the Cisco device is your responsibility, and you can potentially damage your device, so please make backups of your router before making any changes. Commands can vary between Cisco firmware versions.

Why NetFlow?

The traditional way is to mirror all traffic in its entirety on your switch for analysis. This requires an interface capable of speeds equivalent to the traffic you wish to monitor. NetFlow (and similar protocols) instead summarizes traffic and breaks it down for analysis, so much less data is required.

In this blog I will set up NetFlow on a Cisco 2901 and configure it to export NetFlow in a very basic way (no security) to provide Netmon a remote view of a network at another location – on the other side of an internet connection.

These are the commands that will be used:

 snmp-server community public RO

ip flow-cache timeout active 1

ip flow-export source Vlan1

ip flow-export version 5

ip flow-export destination 10.10.1.50 9996

ip flow ingress

ip flow egress

How to configure NetFlow

Let me show you where to put them. First elevate your privileges to configure the router.

 Cisco2901(config)#

 # snmp-server community public RO

This enables the SNMP community string ‘public’ with read-only (RO) access. If you have already done this you can skip this step.

 # ip flow-cache timeout active 1

This sets the active flow timeout to 1 minute, which breaks up the NetFlow traffic into 1-minute blocks.

 # ip flow-export source Vlan1

The source interface, Vlan1, must have the IP address under which the device is configured in Netmon. In my case this IP address is 10.66.0.2, and the device in Netmon is configured as 10.66.0.2.

 # ip flow-export version 5

NetFlow version 5 is the most common version of NetFlow, used by many router manufacturers.

 # ip flow-export destination 10.10.1.50 9996

10.10.1.50 is the private IP address of http://demo.netmon.ca, and 9996 is the default port Netmon uses for NetFlow traffic.

User ID: demo
Password: demo742

 Next I have to decide which interface I wish to monitor. I could choose multiple. In my case I have Vlan 111 as a collector MPLS interface which represents all traffic for this network.

 # interface Vlan111

 Cisco2901(config-if)#

 # ip flow ingress

 # ip flow egress

 Cisco2901(config-if)#

*Hold Control + Z*

 Cisco2901# write mem
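
What the router now sends to UDP port 9996, as an added example that is not part of the original post and is not Netmon's code: a Python parser for one NetFlow version 5 export datagram that also checks the sender against the export source address 10.66.0.2. The function names and the sample flows are assumptions of this example, and the sample datagram is constructed.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBB2x")  # 48-byte NetFlow v5 flow record
EXPORTER = "10.66.0.2"  # Vlan1 address from the post (ip flow-export source Vlan1)
MAX_RECORDS = 30        # a v5 datagram carries 1 to 30 records


def parse_v5(datagram, sender, expected=EXPORTER):
    """Validate one export datagram and return its sequence number and flows."""
    # v5 has no authentication: the UDP source address is the only origin check
    # a collector can make, so also restrict UDP 9996 at the firewall.
    if sender != expected:
        raise ValueError(f"datagram from unexpected exporter {sender}")
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _, export_secs, _, sequence, _, _, _ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"record count {count} out of range")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match record count")
    flows = []
    for i in range(count):
        (src, dst, _hop, _in, _out, pkts, octets, _first, _last, sport, dport,
         _flags, proto, *_rest) = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "sport": sport, "dport": dport, "proto": proto,
                      "packets": pkts, "octets": octets})
    return {"sequence": sequence, "export_secs": export_secs, "flows": flows}


def sample_datagram():
    """Constructed test input: one v5 datagram carrying two flows."""
    ip = socket.inet_aton
    header = HEADER.pack(5, 2, 360000, 1700000000, 0, 42, 0, 0, 0)
    web = RECORD.pack(ip("192.0.2.10"), ip("198.51.100.7"), ip("0.0.0.0"),
                      1, 2, 12, 9000, 1000, 59000, 51514, 443, 0x1B, 6, 0, 0, 0, 24, 24)
    dns = RECORD.pack(ip("192.0.2.11"), ip("198.51.100.53"), ip("0.0.0.0"),
                      1, 2, 1, 76, 2000, 2000, 40000, 53, 0, 17, 0, 0, 0, 24, 24)
    return header + web + dns


if __name__ == "__main__":
    for flow in parse_v5(sample_datagram(), EXPORTER)["flows"]:
        print(flow)
```

A datagram from any address other than the configured export source, with a version other than 5, or with a length that does not match its record count is rejected with ValueError.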

Everything is done on the Cisco router. We move on to Netmon. Navigate to the ‘Devices’ tab of Netmon and click on “New Device”.

[Screenshot: Add/remove NetFlow device for Cisco on Netmon]

Enter the IP address of the interface we chose as the source, which was Vlan 1, and the read-only SNMP community string I configured as ‘public’.

[Screenshot: Cisco device dashboard, Netmon 6.0]

 Click on the Network tab.

On the right side, find the interface you are looking to view.

[Screenshot: NetFlow device dashboard, Netmon 6.0]

If you click on the interface here you will see a new window.

[Screenshot: Add/edit interface, device dashboard, Netmon 6.0]

You can name this interface whatever you like. I select all 3 boxes.

[Screenshot: NetFlow data graph, dashboard, Netmon 6.0]

You now know how to configure NetFlow on a Cisco device for Netmon. In a few minutes a graph on the front page will start populating. As it fills in you will see the breakdown of remote traffic summarized by NetFlow.

[Screenshot: Configure NetFlow on a Cisco device, data graph]

If we take a look at the impact of NetFlow on the internet connection, we see that it averages around 400 kbps. A common 5 Mbit/1 Mbit DSL connection can handle this traffic. With the traditional method of simply mirroring traffic this would not be possible, as seen in the previous graph where traffic is spiking up to 60.23 Mbps.