Network performance vendor Plixer International believes that Cisco's Flexible NetFlow (FNF) is the future of NetFlow technology. Continuing its role as "NetFlow's technology evangelist," Plixer developed the following tutorial on how to set up standard fields in FNF for inclusion in my ever-growing collection of Cisco How-To Tutorials.
However, please keep in mind that Plixer is keenly aware I lack any kind of "technical aptitude" whatsoever, and that's why Plixer made a few LEGO Block comparisons along the way in order to help me achieve a better understanding of FNF:
Here are the 4 steps of an FNF configuration:
- Create an FNF 'record' and define the fields you want exported.
- Create an 'exporter' which tells the router where to send the Netflow 'record'.
- Create a 'monitor' which tells the router which 'records' to send from which 'exporter'.
- Apply the 'monitor' to the interfaces you want flows collected from.
Before getting into the 4 steps of an easy FNF configuration with LEGO blocks, let's make sure you understand traditional NetFlow, which really begins with NetFlow v5 (as of 2009 the most common NetFlow version available on routers from many vendors, but restricted to IPv4 flows) for network traffic analysis.
Since Flexible NetFlow doesn't have a simple default record that emulates backward compatibility, you first need to understand what you are already getting out of "standard NetFlow."
Let's now inspect the standard NetFlow v5 packet structure so we can build an equivalent record. Below is a chart of the fields from a Cisco guide describing NetFlow v5's "fixed" packet format. "Fixed" just means that these records always have to be formed this way:
Think of all the different fields above as a box of LEGOs that Flexible Netflow can choose from, but FNF isn’t limited to the above.
Imagine that each LEGO has its own data that can be added to the record.
Let's take a bucket of NetFlow LEGOs and put together a Flexible NetFlow 'record' that contains the same fields shown above in the NetFlow v5 table. When creating a record, you name it, then define which fields it must include.
The record really creates a specialised flow cache on the router. Instead of a single flow cache, a user can have multiple caches, each exporting to a different system (i.e. more than 2 NetFlow collectors). A security appliance and a trending tool might have different data requirements!
1) Create an FNF ‘Record’
Below is the setup for an FNF record, Plixer's comments are italicised and highlighted in yellow:
Notice above that some of the fields in the record are prefixed with 'match' while others are prefixed with 'collect'. Match tells the router that the flow MUST contain this field (these are the "key fields"). If the data you are matching on is not in the flow, the flow won't be cached and exported. Collect tells the router to include this data in the record if it is available (these are the "non-key fields"). Not all fields that can be used with 'match' can be used with 'collect', and vice versa. Type 'match ?' on the CLI to learn more.
Now we have all of the fields stacked up into a single ‘record’ that looks something like this:
Now that you've created a NetFlow record, you can use this as a base configuration. Remember, you're not limited to the fields that are in NetFlow v5. You can create new and exciting records that contain new LEGO blocks such as MAC addresses and other helpful network information.
Now you're starting to see why FNF ROCKS!
The list of Flexible Netflow configuration options can be found on Cisco’s website.
2) Create an ‘Exporter’
So far you've only built the data export format. Now you have to define where the flows go and, later, on what interfaces they are collected. This is a bit more complicated than you're used to because you have many more options and you're no longer limited to just 2 exporters. In this section you're going to create the exporter that you'll be using. An exporter tells the router where to send the NetFlow (i.e. to the NetFlow analyser):
You might be thinking that this is certainly a lot of work to get a simple NetFlow record, but keep in mind that you can save database space and CPU utilisation on your NetFlow collector if you remove information you don’t need. Additionally, this keeps the server receiving the flows at an optimal operating performance level.
3) Create a ‘Monitor’
You'll need a way to tell the router what record to send to what collector(s). This gives you the flexibility to mix and match your record and exporter configurations. The ‘Monitor’ is what you apply to your interfaces:
The above is starting to tie our LEGO parts together, but following the directions is very important here: these steps have to be done in order, or else you'll have to take parts of the configuration apart and start over.
Basically these CLI commands say:
- This monitor called "standard-monitor" will use
- A flow record called ‘standard’ and the NetFlow is being sent to
- An exporter called "export-to-scrutinizer" and
- The records will be summarized and exported every 60 seconds
4) Apply the ‘Monitor’
Up to this point, the router's NetFlow engine is doing nothing. All you've done is build a framework to export standard NetFlow. Now you need to tell the router which interfaces you want your configuration on. Your monitor needs to be applied on every interface you want data from. Here are the configuration commands from Plixer's Cisco 2811; it only has 2 interfaces, so this is easy:
The above completes the FNF engine, and she's now firing on all cylinders (i.e. all the interfaces the monitor has been applied to). Remember, in most cases it's best to apply the monitor to all interfaces.
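The four steps above assembled into one IOS configuration, as an added example rather than Plixer's own screenshots; it reuses the page's names 'standard', 'export-to-scrutinizer' and 'standard-monitor', and assumes a collector at the placeholder address 192.0.2.10 on UDP 2055 and a 2811 with two onboard FastEthernet ports.

```cisco
! Step 1: the record. 'match' lines are key fields, 'collect' lines are
! non-key fields. Together they reproduce the NetFlow v5 field set.
flow record standard
 description NetFlow v5 equivalent fields
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match ipv4 tos
 match transport source-port
 match transport destination-port
 match interface input
 collect routing source as
 collect routing destination as
 collect routing next-hop address ipv4
 collect ipv4 source mask
 collect ipv4 destination mask
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! Step 2: the exporter. 192.0.2.10 is a documentation placeholder; use the
! collector's real address. FNF exports in NetFlow v9 format, not v5, so the
! field layout is carried in templates re-sent every 60 seconds. Flows travel
! as plain UDP, so keep the collector on a trusted management network.
flow exporter export-to-scrutinizer
 description Send flows to the collector
 destination 192.0.2.10
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
!
! Step 3: the monitor ties the record to the exporter. Both must already
! exist, which is why the steps are done in this order. Long-lived flows are
! exported every 60 seconds (active timeout), idle ones after 15 seconds.
flow monitor standard-monitor
 description Standard v5 equivalent monitor
 record standard
 exporter export-to-scrutinizer
 cache timeout active 60
 cache timeout inactive 15
!
! Step 4: apply the monitor on every interface. 'input' on all interfaces sees
! each flow once; 'output' is also available for egress accounting.
interface FastEthernet0/0
 ip flow monitor standard-monitor input
interface FastEthernet0/1
 ip flow monitor standard-monitor input
```

Verify with 'show flow monitor standard-monitor cache' and 'show flow exporter export-to-scrutinizer statistics' that flows are being cached and exported before troubleshooting the collector side.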
Your Flexible NetFlow export is now essentially the same as what you were getting with standard v5 export. Remember, you have many more options that can be added as you discover new reporting requirements and new features in collection software.
Hopefully, this tutorial has helped you set up your router to export FNF, or at least encouraged you to learn more about Flexible NetFlow's capabilities.
Call Plixer's office if you have any questions. This new NetFlow protocol can be applied in both the ingress and the egress direction. Get comfortable with FNF, as it is showing up in NBAR, the ASA security platform and other Cisco technologies.