How to set up Cisco's Flexible NetFlow (FNF) with LEGO Blocks

Learn the 4 steps of an FNF configuration.

Network performance vendor Plixer International believes that Cisco's Flexible NetFlow (FNF) is the future of NetFlow technology. Continuing its role as "NetFlow's technology evangelist," Plixer developed the following tutorial on how to set up standard fields in FNF for inclusion in my ever-growing collection of Cisco How-To Tutorials. However, please keep in mind that Plixer is keenly aware I lack any kind of "technical aptitude" whatsoever, and that's why Plixer made a few LEGO Block comparisons along the way to help me achieve a better understanding of FNF.

Here are the 4 steps of an FNF configuration:

1) Create an FNF ‘Record’
2) Create an ‘Exporter’
3) Create a ‘Monitor’
4) Apply the ‘Monitor’

Before getting into the 4 steps of an easy FNF configuration with LEGO blocks, let's make sure you comprehend traditional NetFlow for network traffic analysis, which really begins with NetFlow v5 (as of 2009 the most common NetFlow version available on many routers from different vendors, but restricted to IPv4 flows).

Since Flexible NetFlow doesn’t have a simple default record that emulates backward compatibility, you need to understand what you're already getting out of "standard NetFlow." So the first thing to do is inspect the standard NetFlow v5 packet structure, so that you can understand it and build a new record from it. Below is a chart of the fields from a Cisco Guide that contains information about NetFlow v5's "fixed" packet format. "Fixed" just means that these records always have to be formed this way:

Think of all the different fields above as a box of LEGOs that Flexible NetFlow can choose from, but FNF isn’t limited to the above. Imagine that each LEGO has its own data that can be added to the record. Let’s take a bucket of NetFlow LEGOs and put together a Flexible NetFlow ‘record’ that contains the same thing as shown above in the NetFlow v5 table.

When creating a record, you need to name it, then define what fields need to be included. The record is really just creating a specialized flow cache on the router instead of a single flow cache, so a user can have multiple caches exporting to different systems (i.e. more than 2 NetFlow collectors). A security appliance and a trending tool might have different data requirements!

1) Create an FNF ‘Record’

Below is the setup for an FNF record, Plixer's comments are italicized and highlighted in yellow:

Notice above that some of the fields in the record are prefixed with ‘match’ while some are prefixed with ‘collect’. Match just tells the router that the flow MUST contain this field (AKA "key fields"). If the data you are matching on is not in the flow, it won’t be cached and exported. Collect tells the router to include this data in the record if it is available (AKA "non-key fields"). Not all fields that can be used in ‘match’ can be used with ‘collect’ and vice-versa. Type in "match ?" on the CLI to learn more.

Now we have all of the fields stacked up into a single ‘record’ that looks something like this:

Now that you've created a NetFlow record, you can use this as a base configuration. Remember, you're not limited to the fields that are in NetFlow v5. You can create new and exciting records that can contain new LEGO blocks like MAC addresses and other helpful network information. Now you're starting to see why FNF ROCKS! The list of Flexible NetFlow configuration options can be found on Cisco’s web site.

2) Create an ‘Exporter’

So far you've only built the data export format. Now you have to define where it goes and on what interfaces. First you'll need to define where you want the flows to go. Of course, it is a bit more complicated than you're used to, because you've got many more options and you're not limited to just 2 exporters. In this section you're going to create the exporter that you'll be using. An Exporter tells the router where to send the NetFlow (i.e. NetFlow Analyzer):

You might be thinking that this is certainly a lot of work to get a simple NetFlow record, but keep in mind that you can save database space and CPU utilization on your NetFlow collector if you remove information you don’t need. Additionally, this keeps the server receiving the flows at an optimal operating performance level.

3) Create a ‘Monitor’

You'll need a way to tell the router what record to send to what collector(s). This gives you the flexibility to mix and match your record and exporter configurations. The ‘Monitor’ is what you apply to your interfaces:


The above is starting to tie our LEGO parts together, but following the directions is very important here as these steps have to be done in order, or else, you'll have to take parts of the configuration apart and start over. Basically these CLI commands say:

This monitor called "standard-monitor" will use
A flow record called ‘standard’ and the NetFlow is being sent to
An exporter called "export-to-scrutinizer" and
The records will be summarized and exported every 60 seconds

4) Apply the ‘Monitor’

Up to this point, the router’s NetFlow engine is doing nothing. All you've done is build a framework to export standard NetFlow. Now you'll need to tell the router what interfaces you want your configuration on. Your monitor needs to be applied on all the interfaces you want data from. Here are the configuration commands from Plixer's Cisco 2811, it only has 2 interfaces, so this is easy:

The above completes the FNF engine, and she's now firing on all cylinders (i.e. the interfaces the monitor has been applied to). Remember, in most cases it’s best to apply the monitor to all interfaces.

Your Flexible NetFlow export is essentially the same as what you were getting with standard v5 export. Remember, you have many more options that can be added as you discover new reporting requirements and new features in collection software. This new NetFlow protocol can be used on ingress and egress configuration. Get comfortable with FNF as it is showing up in NBAR, the ASA security platform and other Cisco technologies.

Hopefully, this tutorial has helped you set up your router to export FNF, or at least encouraged you to learn more about Flexible NetFlow’s capabilities. Call Plixer's office if you have any questions.
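The four steps above put together as one configuration, added here as an example rather than taken from Plixer's original listings. It uses the names the walkthrough gives (record "standard", exporter "export-to-scrutinizer", monitor "standard-monitor", 60-second export) and mirrors the NetFlow v5 field set. The collector address 192.0.2.10, UDP port 2055, the source interface and the FastEthernet0/0 and FastEthernet0/1 interface names are assumptions.

```cisco
! Step 1: record. 'match' = key fields that define a flow,
! 'collect' = non-key fields added when available (NetFlow v5 equivalents).
flow record standard
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect routing source as
 collect routing destination as
 collect routing next-hop address ipv4
 collect ipv4 source mask
 collect ipv4 destination mask
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! Step 2: exporter. Where the flows are sent.
! 192.0.2.10 and UDP 2055 are placeholder collector values (assumed).
flow exporter export-to-scrutinizer
 destination 192.0.2.10
 source FastEthernet0/0
 transport udp 2055
 template data timeout 60
!
! Step 3: monitor. Ties the record to the exporter;
! long-lived flows are summarized and exported every 60 seconds.
flow monitor standard-monitor
 record standard
 exporter export-to-scrutinizer
 cache timeout active 60
!
! Step 4: apply the monitor to each interface you want data from
! (interface names assumed for a two-port router).
interface FastEthernet0/0
 ip flow monitor standard-monitor input
!
interface FastEthernet0/1
 ip flow monitor standard-monitor input
```

Once applied, "show flow monitor standard-monitor cache" lists the flows being cached and "show flow exporter export-to-scrutinizer statistics" confirms that export packets are leaving for the collector.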

What's your take, how helpful do you find this FNF tutorial?


Copyright © 2010 IDG Communications, Inc.