43. Appendix 2 – Configuring Flow Export

The information provided here regarding router configurations is for informational purposes only. Please refer to the appropriate router user guides for more detailed and up-to-date information.

43.1. Flow Export on older IOS Devices

In the configuration mode on the router or MSFC, issue the following to start NetFlow Export.

First, enable Cisco Express Forwarding:

router(config)# ip cef
router(config)# ip cef distributed

Turn on flow accounting for each input interface with the interface command:

interface
ip route-cache flow

For example:

interface FastEthernet0
ip route-cache flow
interface Serial2/1
ip route-cache flow

NetFlow must be enabled on every interface through which the traffic you are interested in will flow. Now verify that the router (or switch) is generating flow statistics with the command ‘show ip cache flow’. Note that on routers with distributed switching (GSRs, 75XXs) the RP CLI only shows flows that made it up to the RP. To see flows on the individual line cards, use the ‘attach’ or ‘if-con’ command and issue ‘sh ip ca fl’ on each LC.

Enable the exports of these flows with the global commands:

router(config)# ip flow-export version 5
router(config)# ip flow-export destination <ip_address> 2000
router(config)# ip flow-export source FastEthernet0

Use the IP address of the server running Flow Sensor and the configured listening port; UDP port 2000 is used here only as an example. The ‘ip flow-export source’ command sets the source IP address of the exports sent by the device.

If your router runs BGP, you can have the peer or origin AS numbers included in the exports with the command:

router(config)# ip flow-export version 5 [peer-as | origin-as]

The following commands break up flows into shorter segments: 1 minute for active traffic and 30 seconds for inactive traffic. Flow Sensor ignores flows older than 5 minutes, so it’s very important to export them sooner.

router(config)# ip flow-cache timeout active 1
router(config)# ip flow-cache timeout inactive 30

In enable mode, the following commands show the current NetFlow configuration and state:

router# show ip flow export
router# show ip cache flow
router# show ip cache verbose flow
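A receiver-side check on what the configuration above exports, added here as an example and not part of the original guide: it parses a NetFlow v5 datagram (the format selected by ‘ip flow-export version 5’), scales the counters by the sampling interval carried in the header, and lists records older than the 5-minute limit that Flow Sensor applies, which is exactly what the short active timeout is meant to prevent. The datagram is constructed inline, and flow age is taken as export SysUptime minus the record's First timestamp (an assumption).

```python
import struct
from ipaddress import IPv4Address

HDR = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record
MAX_AGE_MS = 5 * 60 * 1000                        # Flow Sensor ignores flows older than this

def parse_v5(datagram):
    """Return (header dict, list of record dicts) for one NetFlow v5 datagram."""
    if len(datagram) < HDR.size:
        raise ValueError("short header")
    version, count, uptime, secs, nsecs, seq, etype, eid, samp = HDR.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    if len(datagram) != HDR.size + count * REC.size:
        raise ValueError("record count does not match datagram length")
    interval = samp & 0x3FFF                      # low 14 bits; 0 or 1 means unsampled
    scale = interval if interval > 1 else 1
    hdr = {"sysuptime_ms": uptime, "unix_secs": secs, "sequence": seq, "sampling": interval}
    recs = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        recs.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "packets": f[5] * scale, "bytes": f[6] * scale,   # scaled by sampling interval
            "first_ms": f[7], "last_ms": f[8],
            "sport": f[9], "dport": f[10], "proto": f[13],
            "age_ms": uptime - f[7],              # assumption: age = export time - first packet
        })
    return hdr, recs

def stale_flows(datagram):
    """Records past the 5-minute limit: a sign the exporter's active timeout is too long."""
    _, recs = parse_v5(datagram)
    return [r for r in recs if r["age_ms"] > MAX_AGE_MS]

def build_v5(uptime_ms, flows, sampling=0):
    """Constructed test datagram (not captured from a device) so the parser runs offline."""
    hdr = HDR.pack(5, len(flows), uptime_ms, 1700000000, 0, 1, 0, 0, sampling)
    body = b"".join(REC.pack(IPv4Address(s).packed, IPv4Address(d).packed, b"\0" * 4, 1, 2,
                             pk, by, first, last, sp, dp, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
                    for s, d, pk, by, first, last, sp, dp in flows)
    return hdr + body

# Constructed sample: 1-in-128 sampling, one fresh flow (20 s old) and one 400 s old.
SAMPLE = build_v5(900_000, [
    ("192.0.2.10", "198.51.100.5", 10, 1500, 880_000, 899_000, 40000, 80),
    ("192.0.2.11", "198.51.100.5", 500, 75000, 500_000, 899_500, 40001, 443),
], sampling=128)
```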

43.2. Flow Export on CatOS Device

In privileged mode on the Supervisor Engine enable Netflow Data Export:

switch> (enable) set mls nde <ip_address> 2000

Use the IP address of the server running Flow Sensor and the configured listening port. UDP port 2000 is used only as an example.

switch> (enable) set mls nde version 5

The following command is required to set the flow mask to full flows:

switch> (enable) set mls flow full

The following commands break up flows into shorter segments: ~1 minute for active flows and ~30 seconds for inactive flows. Flow Sensor ignores flows older than 5 minutes, so it’s very important to export them sooner.

switch> (enable) set mls agingtime long 8
switch> (enable) set mls agingtime 4

If you want to account for all traffic within the specified VLANs rather than only inter-VLAN traffic, use CatOS 7.2 or higher and issue the following command:

switch> (enable) set mls bridged-flow-statistics enable

Enable Netflow Data Export:

switch> (enable) set mls nde enable

To see current NetFlow configuration and state issue the following commands:

switch> (enable) show mls nde
switch> (enable) show mls debug

43.3. Flow Export on Native IOS Device

To configure Netflow Data Export (NDE), use the same commands as for the IOS device. In enable mode on the Supervisor Engine, issue the following to set the NetFlow export version to 5:

switch(config)# mls nde sender version 5

The following commands break up flows into shorter segments: ~1 minute for active flows and ~30 seconds for inactive flows. Flow Sensor ignores flows older than 5 minutes, so it’s very important to export them sooner.

switch(config)# mls aging long 8
switch(config)# mls aging normal 4

On the Supervisor Engine 1 issue the following to put full flows into the NetFlow exports:

switch(config)# mls flow ip full

If you have a Supervisor Engine 2 or 720 running IOS version 12.1.13(E) or higher, issue the following commands instead:

switch(config)# mls flow ip interface-full
switch(config)# mls nde interface

43.4. Flow Export on 4000 Series Switch

Configure the switch the same as an IOS device, but instead of the command ‘ip route-cache flow’ use the command ‘ip route-cache flow infer-fields’. This series requires a Supervisor IV with a NetFlow Services daughter card to support Netflow Data Export.

43.5. Flow Export on IOS XE

Traditional NetFlow is being replaced by Flexible NetFlow on newer IOS versions. A sample configuration for IOS XE:

conf t
flow exporter WGFlowSensor
 destination <ip_address>
 source gi0/0/1
 transport udp 9991
 export-protocol netflow-v5
flow monitor WGFlowSensor
 record netflow ipv4 original-input
 exporter WGFlowSensor
 ! active timeout is given in seconds
 cache timeout active 120
 exit
int gi0/0/2
 ip flow monitor WGFlowSensor input
 exit
exit
wr mem

43.6. Flow Export on IOS XR

A sample configuration for IOS XR:

flow exporter-map wanguard
 version v9
  options interface-table timeout 300
  options vrf-table timeout 300
  options sampler-table timeout 300
 !
 transport udp <port>
 source Loopback8648
 destination <ip_address>
!
flow monitor-map IPV4-FMM
 record ipv4
 exporter wanguard
 cache entries 16384
 cache timeout active 60
 cache timeout inactive 30
!
flow monitor-map IPV6-FMM
 record ipv6
 exporter wanguard
 cache entries 16384
 cache timeout active 60
 cache timeout inactive 30
!
sampler-map 1-of-128
 random 1 out-of 128

interface TenGigE0/0/2/1
 description Upstream Interface
 ...
 flow ipv4 monitor IPV4-FMM sampler 1-of-128 ingress
 flow ipv4 monitor IPV4-FMM sampler 1-of-128 egress
 flow ipv6 monitor IPV6-FMM sampler 1-of-128 ingress
 flow ipv6 monitor IPV6-FMM sampler 1-of-128 egress
!

43.7. Flow Export on IOS-XE Everest

flow record v4r2
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow sampler
 collect routing next-hop address ipv4
 collect ipv4 source mask
 collect ipv4 destination mask
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect routing source as 4-octet
 collect routing destination as 4-octet
!
flow exporter external1
 description "exported to external"
 destination x.x.x.x
 source Loopback0
 transport udp 2000
!
flow monitor v4r2
 exporter external1
 cache timeout active 120
 record v4r2
!
sampler external1
 mode random 1 out-of 1000
!
interface GigabitEthernet0/0/0
 ip flow monitor v4r2 sampler external1 input

43.8. Flow Export on Juniper

interfaces {
    ge-0/1/0 {
        unit 0 {
            family inet {
                filter {
                    input all;
                    output all;
                }
                address 192.168.1.1/24;
            }
        }
    }
}
firewall {
    filter all {
        term all {
            then {
                sample;
                accept;
            }
        }
    }
}
forwarding-options {
    sampling {
        input {
            family inet {
                rate 100;
            }
        }
        output {
            cflowd 192.168.1.100 {
                port 2000;
                version 5;
            }
        }
    }
}

43.9. Flow Export on Juniper MX

Sample configuration for an inactive-timeout/active-timeout of 10 seconds. For these routers, it’s very important to set the Flow Timeout(s) parameter from the Flow Sensor configuration.

set services flow-monitoring version9 template AS65535-v4 flow-active-timeout 10
set services flow-monitoring version9 template AS65535-v4 flow-inactive-timeout 10
set services flow-monitoring version9 template AS65535-v4 ipv4-template
set services flow-monitoring version9 template AS65535-v6 flow-active-timeout 10
set services flow-monitoring version9 template AS65535-v6 flow-inactive-timeout 10
set services flow-monitoring version9 template AS65535-v6 ipv6-template

set forwarding-options sampling instance AS65535-sample input rate 512
set forwarding-options sampling instance AS65535-sample input run-length 0
set forwarding-options sampling instance AS65535-sample input max-packets-per-second 5000
set forwarding-options sampling instance AS65535-sample family inet output flow-server 192.0.2.1 port 9196
set forwarding-options sampling instance AS65535-sample family inet output flow-server 192.0.2.1 autonomous-system-type origin
set forwarding-options sampling instance AS65535-sample family inet output flow-server 192.0.2.1 no-local-dump
set forwarding-options sampling instance AS65535-sample family inet output flow-server 192.0.2.1 version9 template AS65535-v4
set forwarding-options sampling instance AS65535-sample family inet output inline-jflow source-address 192.0.2.99
set forwarding-options sampling instance AS65535-sample family inet6 output flow-server 192.0.2.1 port 9196
set forwarding-options sampling instance AS65535-sample family inet6 output flow-server 192.0.2.1 autonomous-system-type origin
set forwarding-options sampling instance AS65535-sample family inet6 output flow-server 192.0.2.1 no-local-dump
set forwarding-options sampling instance AS65535-sample family inet6 output flow-server 192.0.2.1 version9 template AS65535-v6
set forwarding-options sampling instance AS65535-sample family inet6 output inline-jflow source-address 192.0.2.99

set interfaces xe-0/1/0 unit 0 family inet sampling input
set interfaces xe-0/1/0 unit 0 family inet sampling output
set interfaces xe-0/1/0 unit 0 family inet6 sampling input
set interfaces xe-0/1/0 unit 0 family inet6 sampling output

A frequent issue with Juniper MX running Junos is the size of the flow table, which you can verify with the following command:

root> show services accounting status inline-jflow fpc-slot 0

If the IPv4 and IPv6 flow tables are very small (for example 1024 entries for IPv4 and 512 for IPv6), there is a high risk of overflowing them. When there is no space left in the table, the flow is dropped and the error count is incremented. This can happen quite frequently, especially during DDoS attacks from randomized sources. You can check the number of active flows with:

root> show services accounting flow inline-jflow fpc-slot 0

If the max IPv4/IPv6 flow count was reached, the number of flows that were not created can be seen with:

root> show services accounting errors inline-jflow fpc-slot 0

When there are flow creation errors, the amount of data displayed by Flow Sensor will not match the actual data. There are two solutions:

43.9.1. Manual Flow Tables Sizing

You can manually configure the size of both the IPv4 and IPv6 flow tables in units of 256K entries. Starting with Junos OS Release 16.1R1 and 15.1F2, the software allocates 1K entries for IPv4 flow tables by default. To allocate eleven 256K IPv4 and four 256K IPv6 flow tables, enter the commands:

root# set chassis fpc 0 inline-services flow-table-size ipv4-flow-table-size 11
root# set chassis fpc 0 inline-services flow-table-size ipv6-flow-table-size 4

Before Junos OS Release 16.1R1 and 15.1F2, any changes in the configured size of the flow table initiate an automatic reboot of the FPC. Therefore, it is highly recommended that you run this command in a maintenance window.

43.9.2. Flex Flow Tables Sizing

The MX series supports a flex-flow-sizing option that does not require manual sizing between IPv4 and IPv6 tables. To test this feature, delete the previous configuration and reset the counters:

root> clear services accounting statistics inline-jflow fpc-slot 0

Now configure flexible size allocation of the flow tables for all protocol families:

root# set chassis fpc 0 inline-services flex-flow-sizing

Check with:

root> show services accounting status inline-jflow fpc-slot 0

43.10. Flow Export on Huawei

Sample configuration for a sampling value of 400.

ip netstream as-mode 32
ip netstream timeout active 1
ip netstream timeout inactive 15
ip netstream export version 9
ip netstream export index-switch 32
ip netstream export template timeout-rate 1
ip netstream sampler fix-packets 400 inbound
ip netstream sampler fix-packets 400 outbound
ip netstream export source xxxxxxxx
ip netstream export host xxxxxxx 5436
ip netstream export template option sampler
ip netstream export template option timeout-rate 1

43.11. Flow Export on Mikrotik

If you prefer to configure the Mikrotik through Winbox, click on IP -> Traffic Flow.

[Figure: Traffic Flow Settings window (MTFS.png)]

In the Traffic Flow Settings window shown above, select the Enable checkbox, configure which interface(s) will export flows, set the Cache Entries to at least 1M (increase the value if your router’s memory allows), and set Active Flow Timeout to be 1 minute or even less in order to have traffic visibility in a timely manner. Inactive Flow Timeout value can remain at 15 seconds.

The next step is to configure the Targets, which are the server(s) that will receive the flow data. Click on the Targets option and then on Add.

[Figure: Traffic Flow Target window (MTFT.png)]

Set the Flow Sensor’s server as the Dst. Address, and continue configuring the Flow Sensor with the same port as defined here.