IOS NetFlow configuration for Cisco routers

Using the example below, you will be able to configure a router to export NetFlow to Cisco Stealthwatch.

NetFlow was developed by Cisco and provides the ability to collect information about IP network traffic.


R1(config)#
R1(config)#ip flow-export ?
  destination      Specify the Destination IP address
  source           Specify the interface for source address
  version          Specify the version number
!
R1(config)#ip flow-export destination 192.168.49.56 2055
R1(config)#ip flow-export source loopback 0
R1(config)#ip flow-export version 9
!
!
R1(config)#ip flow-cache timeout ?
  active    Specify the active flow timeout
  inactive  Specify the inactive flow timeout
!
R1(config)#ip flow-cache timeout active 1
R1(config)#ip flow-cache timeout inactive 15
!
!
R1(config)#ip flow-capture ?
  mac-addresses    Capture src and dst MAC addresses
  vlan-id          Capture the VLAN id
!
R1(config)#ip flow-capture mac-addresses  !!Optional
R1(config)#ip flow-capture vlan-id  !!Optional
!
!
!!Enable Netflow on each L3 interface you want to monitor
R1(config)#int e0/0
R1(config-if)#ip flow ? 
  ingress  Enable inbound NetFlow 
R1(config-if)#ip flow ingress
!
!
R1(config)#do show run | s snmp
mmi snmp-timeout 180
snmp-server community cisco RO
snmp-server ifindex persist
snmp-server host 192.168.49.56 version 2c cisco !!FlowCollector IP

Configure SNMP for your exporters using the SMC Java Client

Verification

R1#show run | s ip flow
ip flow-cache timeout active 1
 ip flow ingress
ip flow-capture vlan-id
ip flow-capture mac-addresses
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 192.168.49.56 2055
!
!
R1#show ip int brief 
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                192.168.49.200  YES NVRAM  up                    up      
Ethernet0/1                172.16.1.1      YES manual up                    up      
Ethernet0/2                unassigned      YES NVRAM  administratively down down    
Ethernet0/3                unassigned      YES NVRAM  administratively down down    
Loopback0                  172.16.100.1    YES manual up                    up      
!
!
R1#show ip cache flow 
IP packet size distribution (12307 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .250 .002 .746 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  2 active, 4094 inactive, 91 added
  4165 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
  6 active, 1018 inactive, 135 added, 51 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
UDP-other           45      0.0         2    74      0.0       0.4      15.4
ICMP                44      0.0       277    90      2.3      71.0       5.9
Total:              89      0.0       138    89      2.3      35.3      10.7
          
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         192.168.49.1    Et0/1         172.16.1.6      01 0000 0800     9 
Et0/0         192.168.49.1    Null          224.0.0.251     11 14E9 14E9     1 
!
!
R1#show ip flow export 
Flow export v9 is enabled for main cache
  Export source and destination details : 
  VRF ID : Default
    Source(1)       172.16.100.1 (Loopback0)
    Destination(1)  192.168.49.56 (2055) 
  Version 9 flow records
  76 flows exported in 32 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
!
!
R1#show ip flow interface 
Ethernet0/0
  ip flow ingress
!
!
R1#show ip flow export template 
   Template Options Flag = 0
   Total number of Templates added = 2
   Total active Templates = 2
   Flow Templates active = 2
   Flow Templates added = 2
   Option Templates active = 0
   Option  Templates added = 0
   Template ager polls = 2549
   Option Template ager polls = 0
Main cache version 9 export is enabled
 Template export information
   Template timeout = 30
   Template refresh rate = 20
 Option export information
   Option timeout = 30
   Option refresh rate = 20
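
The template counters above matter because a NetFlow v9 collector cannot decode a data flowset until it has received the matching template from the exporter. The Python below is an added example, not code from the original post or from Cisco or Stealthwatch: it walks a v9 datagram as laid out in RFC 3954, and the template ID 256, the field selection and the sample datagrams are constructed to mirror the ICMP flow shown in the cache output.

```python
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUpTime, unix_secs, sequence, source_id

def parse_v9(datagram, templates):
    """Return (sequence, decoded records, data flowset IDs with no cached template)."""
    version, _count, _uptime, _secs, seq, _source_id = HEADER.unpack_from(datagram)
    if version != 9:
        raise ValueError(f"not NetFlow v9: version={version}")
    records, missing, off = [], [], HEADER.size
    while off + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
        if fs_len < 4 or off + fs_len > len(datagram):
            raise ValueError("flowset length runs past the datagram")
        body = datagram[off + 4:off + fs_len]
        if fs_id == 0:                                # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                if tid < 256 or pos + 4 + 4 * n > len(body):
                    break                             # padding or truncated record
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                                  for i in range(n)]  # (field type, length) pairs
                pos += 4 + 4 * n
        elif fs_id >= 256:                            # data flowset, ID = template ID
            fields = templates.get(fs_id, [])
            size = sum(length for _, length in fields)
            if size == 0:
                missing.append(fs_id)                 # cannot decode without template
            else:
                for start in range(0, len(body) - size + 1, size):
                    rec, p = {}, start
                    for ftype, length in fields:
                        rec[ftype] = body[p:p + length]
                        p += length
                    records.append(rec)
        off += fs_len
    return seq, records, missing

def flowset(fs_id, body):
    body += b"\0" * (-len(body) % 4)                  # pad to a 32-bit boundary
    return struct.pack("!HH", fs_id, len(body) + 4) + body

def sample_datagrams():
    """Constructed sample: template 256 (8=src, 12=dst, 4=proto, 2=pkts), one data record."""
    tmpl = struct.pack("!10H", 256, 4, 8, 4, 12, 4, 4, 1, 2, 4)
    data = bytes([192, 168, 49, 1, 172, 16, 1, 6, 1]) + struct.pack("!I", 9)
    return (HEADER.pack(9, 1, 1000, 0, 1, 0) + flowset(0, tmpl),
            HEADER.pack(9, 1, 2000, 0, 2, 0) + flowset(256, data))
```

On a lab collector, feed it datagrams received on the UDP port set in `ip flow-export destination` (2055 above), keeping one `templates` dict per exporter address and source ID.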

After a few minutes you will start seeing flows in your Stealthwatch Management Console (SMC).
