NetFlow provides detailed information about the sources and destinations of traffic flows on a network. Intermapper Flows acts as a NetFlow collector: it receives the exported flow information and displays it in an attractive user interface.

Cisco has written a white paper that lists the Cisco equipment that supports NetFlow.

The Cisco Netflow Configuration Guide gives a detailed description of configuring Cisco gear. The section on NetFlow (URLs below) gives details on configuring NetFlow:

Quick Guide to Configuring NetFlow

As a quick guide, the following commands will generally configure a Cisco router or switch to send NetFlow "flow records" to Intermapper Flows. In this example, we configure:

  • NetFlow destination: the IP address/host name and the port of Intermapper Flows that will receive the flow records.
  • NetFlow source: the IP address of the exporter itself, specified by the interface to be used. Flow records will appear to come from this source address; Intermapper Flows will show this as the address of the exporter.
  • NetFlow version: generally version 5 or 9. Version 7 is only for older Catalyst switches; version 1 is considered obsolete.
  • NetFlow timeouts: the router/switch will accumulate active and inactive flow information for the timeouts indicated, then forward the flow records to the specified destination.
  • Interfaces: You must apply the ip route-cache flow command to every interface whose flow information you want reported. The example shows Ethernet0 and Ethernet1 (eth0 & eth1).
  %  telnet 192.168.1.1 <== telnet to the router/switch
  Trying 192.168.1.1...
  Connected to 192.168.1.1.
  Escape character is '^]'.
  User Access Verification
  Password: Kerberos: No default realm defined for Kerberos! <== Type router password here
  cisco2514>  enable 
  
  Password: <== Type router password again
  cisco2514# configure terminal 
  
  Enter configuration commands, one per line. End with CNTL/Z.
  cisco2514(config)# ip flow-export destination IP/host port  <== e.g., 192.168.1.5 2055 or nf.example.com 2055
  cisco2514(config)# ip flow-export source interface <== e.g., Ethernet0 will be the "source"
  cisco2514(config)# ip flow-export version # <== e.g., 1, 5, 7, or 9
  cisco2514(config)# ip flow-cache timeout active 1  <== Active flows time out in 1 minute
  cisco2514(config)# ip flow-cache timeout inactive 15 <== Inactive flows time out in 15 seconds
  cisco2514(config)# int eth0 
  cisco2514(config-if)# ip route-cache flow 
  cisco2514(config-if)# exit 
  cisco2514(config)# int eth1 
  cisco2514(config-if)# ip route-cache flow 
  cisco2514(config-if)# exit 
  cisco2514(config)# ^Z <== Type Control-Z here
  cisco2514# write 
  Building configuration...
  [OK]
  cisco2514# exit 
  Connection closed by foreign host.
  %

Checking NetFlow Configuration

You can use the following commands to check the NetFlow configuration. The show ip flow export command shows that NetFlow version 5 records are being sent from the source address of Ethernet0 to 192.168.1.45 on port 2055.

  cisco2514# show ip flow export
  Flow export is enabled
  Exporting flows to 192.168.1.45 (2055)
  Exporting using source interface Ethernet0
  Version 5 flow records
  Cache for as aggregation:
  Exporting flows to 192.168.1.45 (2055)
  18911421 flows exported in 676473 udp datagrams
  0 flows failed due to lack of export packet
  357386 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
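
To confirm on the collector side that the exported datagrams are what the router claims, the following added example (not Intermapper or Cisco code) validates and decodes a NetFlow version 5 datagram and uses the header's flow sequence number to count lost records. NetFlow v5 over UDP is unauthenticated, so the example only accepts datagrams from the configured exporter source address. The function names and the exporter address 192.168.1.1 are assumptions for illustration.

```python
import ipaddress
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record


def parse_v5(datagram, peer, exporters, expected_seq=None):
    """Validate and decode one NetFlow v5 datagram received from `peer`.

    Returns (flows, lost, next_seq); `lost` counts flow records missing
    since the previous datagram, taken from the header's flow_sequence.
    """
    if peer not in exporters:
        raise ValueError(f"datagram from unexpected source {peer}")
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated header")
    version, count, _, _, _, seq, _, _, _ = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"expected version 5, got {version}")
    if not 1 <= count <= 30:  # a v5 datagram carries 1 to 30 records
        raise ValueError(f"bad record count {count}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length does not match record count")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(r[0])),
            "dst": str(ipaddress.IPv4Address(r[1])),
            "packets": r[5], "bytes": r[6],
            "src_port": r[9], "dst_port": r[10], "proto": r[13],
        })
    lost = 0 if expected_seq is None else (seq - expected_seq) % 2**32
    return flows, lost, (seq + count) % 2**32


def sample_datagram(seq):
    """Constructed sample: one ICMP flow, addresses taken from the page's output."""
    src = ipaddress.IPv4Address("192.168.1.45").packed
    dst = ipaddress.IPv4Address("10.10.1.25").packed
    header = V5_HEADER.pack(5, 1, 0, 0, 0, seq, 0, 0, 0)
    record = V5_RECORD.pack(src, dst, bytes(4), 1, 2, 1, 84, 0, 0,
                            0, 0x0800, 0, 0, 1, 0, 0, 0, 0, 0, 0)
    return header + record
```

A non-zero `lost` value on the collector, while the router reports no export failures, points to datagrams dropped on the path between the two.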
	

The show ip cache flow command shows information about the flows themselves, including the distribution of the packet sizes, number of flows seen, lost flow packets, and other statistics.

  cisco2514# show ip cache flow
  IP packet size distribution (55479535 total packets):
     1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
     .000 .882 .017 .023 .000 .001 .000 .001 .007 .011 .000 .000 .000 .000 .000
      512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
     .000 .000 .003 .000 .051 .000 .000 .000 .000 .000 .000
  IP Flow Switching Cache, 278544 bytes
  189 active, 3907 inactive, 18842664 added
  428276059 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 15 seconds
  last clearing of statistics never
  Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
  --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
  TCP-Telnet          23      0.0       108    40      0.0      26.0      12.3
  TCP-FTP            770      0.0        12    63      0.0       0.1       6.1
  TCP-WWW          40186      0.0        12   937      0.2       9.7      15.4
  TCP-SMTP          2197      0.0         4   210      0.0       9.8      14.6
  TCP-other         3939      0.0       956  1026      1.6       6.8       9.1
  UDP-DNS           9151      0.0         1   100      0.0       2.4      15.4
  UDP-NTP            380      0.0         1    76      0.0       1.3      15.5
  UDP-TFTP         17768      0.0         1    70      0.0       2.2      15.5
  UDP-other      1663272      0.7         2   177      1.6       2.2      15.4
  ICMP          17104789      7.5         2    48     20.8       5.3      15.5
  Total:        18842475      8.2         2   131     24.3       5.0      15.4
  SrcIf    SrcIPaddress    DstIf    DstIPaddress    Pr SrcP DstP  Pkts
  Et0      192.168.1.23    Null     192.168.1.255   11 F1CB 00A1     2
  Et0      192.168.1.45    Et1      10.10.1.25      01 0000 0800     1
  Et0      192.168.1.45    Null     10.10.1.21      01 0000 0800     2
  Et0      192.168.1.45    Et1      10.10.1.23      01 0000 0800     2
  ... etc...
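
The Pr, SrcP and DstP columns in the flow rows are printed in hexadecimal, which makes them easy to misread. The following added example (not from Intermapper or Cisco; the function names are hypothetical) decodes the rows shown above and groups them by source, protocol and service, so a host contacting many destinations on the same service stands out.

```python
import ipaddress
from collections import defaultdict

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Flow rows copied from the `show ip cache flow` output above.
SAMPLE_ROWS = """\
Et0 192.168.1.23 Null 192.168.1.255 11 F1CB 00A1 2
Et0 192.168.1.45 Et1 10.10.1.25 01 0000 0800 1
Et0 192.168.1.45 Null 10.10.1.21 01 0000 0800 2
Et0 192.168.1.45 Et1 10.10.1.23 01 0000 0800 2
"""


def decode_row(line):
    """Decode one flow row; raises ValueError if the line is not a flow row."""
    src_if, src_ip, dst_if, dst_ip, pr, srcp, dstp, pkts = line.split()
    ipaddress.ip_address(src_ip)  # rejects header and statistics lines
    ipaddress.ip_address(dst_ip)
    proto = int(pr, 16)
    if proto == 1:
        # For ICMP the DstP column carries type * 256 + code.
        icmp_type, icmp_code = divmod(int(dstp, 16), 256)
        service = f"type {icmp_type} code {icmp_code}"
    else:
        service = f"port {int(dstp, 16)}"
    return {
        "src_if": src_if, "src": src_ip, "dst_if": dst_if, "dst": dst_ip,
        "proto": PROTOCOLS.get(proto, str(proto)),
        "src_port": int(srcp, 16), "service": service, "packets": int(pkts),
    }


def fan_out(text):
    """Map (source, protocol, service) to the set of destinations it reached."""
    targets = defaultdict(set)
    for line in text.splitlines():
        try:
            row = decode_row(line)
        except ValueError:
            continue  # header, blank, statistics or "... etc..." line
        targets[(row["src"], row["proto"], row["service"])].add(row["dst"])
    return dict(targets)
```

On the sample rows this shows 192.168.1.45 sending ICMP echo requests (type 8) to three 10.10.1.x hosts, and 192.168.1.23 sending UDP to port 161 on the subnet broadcast address.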
        


Last Modified On: February 22, 2019