Cool IOS Feature: Random NetFlow

Think all NetFlow configs are the same? Not a chance!

Does anyone out there remember the show "The Fall Guy" with Lee Majors and one of my big-time young punk kid crushes, Heather Thomas? The theme song was as popular as the actual show (especially the later seasons, which sucked worse than a "Think Outside the Box" workshop). Looking at Cisco Cat switches and routers, to me the true "unknown stuntman" of networking is NetFlow. NetFlow seems like a feature that only large networks and pre-sales SEs use. NetFlow is a large topic and an amazing traffic mining tool. A lot of that comes down to the massive amount of information that NetFlow provides. NetFlow will analyze traffic flows all across a network. I have used that data to track down bots, viruses, network intrusions, misconfigured QoS, etc. In short, NetFlow is one of the single best reasons to purchase a Cisco switch. It is so awesome that it is being used as the base for the IETF standards-based IPFIX.

That's not how I always thought. I was a big, big, big fan of HP's EASE/XRMON, especially with HP Traffic Probe. Now, XRMON is often somewhat incorrectly referred to as sFlow. Without getting into a real pissin' match here between the two, the issue to me with BOTH is that they are taxing to the CPU. If you're interested, we did a video segment on the differences between the two on TechWiseTV. Personally, I think it's hard to beat NetFlow v9. It's more accurate, has a bunch of 3rd-party collectors and, yes, it runs in hardware. But you have to be all Cisco (or some Enterasys), not counting the IPFIX stuff.

So there are a ton of differences between the two; however, one major difference is the configuration options I have with NetFlow. For example, sometimes NetFlow gives me too much info and I just want to grab a sample of data for planning and traffic engineering. I can easily config this with the random NetFlow feature (Cisco calls it Random Sampled NetFlow).

Before we console in and start pluggin' away, make sure you have a few things done first:

- You gotta have CEF or dCEF enabled.
- Know your flow. NetFlow versions 5 or 9 work if you need to export the data to look at it off device. Smokin' feature if you are using something like SolarWinds NetFlow Traffic Analyzer. With other versions you can view the data on the device.
- You can not have NetFlow enabled on an interface you want to run random NetFlow on. A device will always give full NetFlow precedence over random NetFlow.
- Unlike full NetFlow, enabling random NetFlow on an interface does not enable it on its subinterfaces.

After all that stuff is checked out and ready to go, let's go ahead and config this up. This awesome feature is configured in two phases: the map phase and the interface phase.

Phase One: The Map Phase; tellin' NetFlow just how random to be.

This command sets up the custom name of the map in global config (conf t) mode:

TWTV2800(config)# flow-sampler-map TWTV

This command sets up the actual sampling rate, 1 out of every N packets, where N is 1-65535:

TWTV2800(config-sampler)# mode random one-out-of 200

Save it:

TWTV2800(config-sampler)# do wr me

Now on to the interface!

Phase Two: Put the sampler map on the interface to drive the behavior.

Go to the interface you want to enable this map for:

TWTV2800(config)# int eth 0/1

Apply the map:

TWTV2800(config-if)# flow-sampler TWTV

Save it:

TWTV2800(config-if)# do wr me

Check your handiwork to make sure:

TWTV2800# sho flow-sampler TWTV

There is also a debug command, debug flow-sampler, in case you run into any problems.

I use this command all the time when I am at a customer site just wanting to grab a sampling of frames in a production environment. This is real attractive to folks because random NetFlow puts a much smaller tug on the CPU, uses a smaller cache so the memory impact is reduced, AND you also cut back on the data export per interface big time. One caveat: at 1-out-of-200, a flow that only ever sends a handful of packets (a port scan probe, a low-rate bot beacon) will usually never hit the sampler at all, and the counters you do get are estimates that have to be scaled up by the sampling interval, so use it for planning and traffic engineering, not as your only intrusion record. Random NetFlow is another tool to keep in your toolbox. Hey, sing it with me! "'cause I'm the unknown feature that made Cisco such a star!!"
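Here is the whole thing front to back, as an added example that is not from the original post: it pulls the two phases together with the CEF prerequisite, NetFlow v9 export to a collector (which the post mentions but never configures), and the commands to verify it is actually sampling and exporting. The hostname, Loopback0, the 192.0.2.0/24 documentation addresses, the collector port 2055 and the one-minute active timeout are assumptions for illustration, not from the original.

```cisco
! Added example, not from the original post: Random Sampled NetFlow
! end to end, with v9 export and verification. Hostname, Loopback0,
! 192.0.2.x addresses, collector port and timeout are assumed.
!
! Prerequisite: CEF must be on (dCEF on distributed platforms).
ip cef
!
! Assumed loopback used as the export source so the collector sees a
! stable exporter address.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Export the sampled flows off-box with NetFlow v9 (v9 carries the
! sampler interval, so the collector can scale the counts back up).
! Collector 192.0.2.10 on UDP 2055 is an assumption.
ip flow-export version 9
ip flow-export source Loopback0
ip flow-export destination 192.0.2.10 2055
! Push long-lived flows to the collector every minute instead of
! waiting for the default 30-minute active timeout.
ip flow-cache timeout active 1
!
! Phase One: the sampler map. Sample 1 of every 200 packets at random.
flow-sampler-map TWTV
 mode random one-out-of 200
!
! Phase Two: bind the map to the interface. Do NOT also configure
! "ip route-cache flow" or "ip flow ingress" here; full NetFlow on
! the interface takes precedence and the sampler is ignored.
interface Ethernet0/1
 flow-sampler TWTV
!
end
!
! Verification, from privileged EXEC:
!   show flow-sampler TWTV    -> mode random, interval 200, packets sampled
!   show ip flow export       -> collector, version, datagrams sent/failed
!   show ip cache flow        -> the sampled flow cache itself
!   debug flow-sampler        -> only if the sampled counter is not moving
```

If "show flow-sampler TWTV" shows the packets-sampled counter sitting at zero, the usual culprits are the two items from the checklist above: CEF is off, or full NetFlow is still enabled on that interface and is winning.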
Jimmy Ray Purser

Trivia File Transfer Protocol

Nikola Tesla signed his name G.I. for Great Inventor. He could have signed A.K. for Amazing Kid. By the time he was five years old he had invented a waterwheel and read the entire 100-volume set of the Complete Voltaire. Not to be outdone, by the time I was five I could eat half a jar of paste and 7 of the 24 colors in a box of Crayons.

Copyright © 2009 IDG Communications, Inc.