How-to configure Cisco Flexible NetFlow for NBAR exports

Cisco has been committed to NBAR and NetFlow unification since 2003.

Plixer International President and CEO - Michael Patterson took time out this week to assemble the following "How-to" tutorial on configuring Cisco Flexible NetFlow for NBAR exports: "Cisco released in October 2009 an amazing new feature that ties together Cisco's NetFlow technology with NBAR (Network Based Application Recognition).

NBAR performs deep inspections of flows in order to identify the actual applications being used. "For example, H.323, Telnet, RTP, Exchange and Skype are now all identified and exported in NetFlow. Traditionally, only the source and destination port have been exported (e.g. TCP port 80) in NetFlow v5 and v9. Flexible NetFlow improves on NetFlow v9 to make NBAR exports possible, but you've got to upgrade the IOS (view Cisco's software upgrade procedure) on a router to version 15. "NBAR integration with NetFlow has been done with Cisco's Flexible NetFlow (FNF) technology, not traditional NetFlow, and because the configurations are a bit more involved, I've documented the commands below." NBAR NetFlow Commands "Type in the following NBAR NetFlow commands, but keep in mind that on Cisco routers, you've got to be in config mode:"

Command Note of Explanation
flow record nbar Creating a record, I’m naming it "nbar-mon."
description NBAR flow monitor Defining characteristics. The description as "NBAR flow monitor," (BTW: Cisco should export this).

The "match" statements below are key fields. Non key fields below don’t have to be matched.

Command Note of Explanation
match ipv4 tos Look for ToS fields.
match ipv4 protocol Etc. etc., make sure all of these "match" items are in the flows.
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match application name This exports the NBAR application IDs.

Below tells the monitor what you want exported from the flows that "match" the above. For additional configuration options see this document.

Command Note of Explanation
collect routing destination as
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 id The following are the NetFlow fields I like exported. Some are absolutely necessary for NBAR.
collect ipv4 source prefix
collect ipv4 source mask
collect ipv4 destination mask
collect transport tcp source-port
collect transport tcp destination-port
collect transport tcp flags
collect transport udp source-port
collect transport udp destination-port
collect interface output
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect datalink mac source address input Configures collection of Source MAC Addresses (output can be used to show the MAC address as it leaves the router, input shows the MAC as it enters the router).
collect datalink mac destination address input Configures collection of Source MAC Addresses.
collect flow direction Exports the direction of the flow.
collect flow sampler Exports the sampler ID. This can be used in conjunction with the "sampler-table" option template.

Again, the above is just saying: I want flows with this information. Now we need to create a flow exporter.

Command Note of Explanation
flow exporter export-to-andrew Creating a new exporter "export-to-andrew."
description flexible NF v9 Description for exporter "flexible NF v9."
destination Destination of the exports -> hopefully Scrutinizer.
source FastEthernet0/1 Source the export will leave on. Similar to traditional NetFlow.
transport udp 2055 Export port. Similar to traditional netflow.
template data timeout 60 How often the v9 template is exported in seconds.

We can apply the above to multiple flow monitors, very cool! Also, we could have multiple flow monitors with the same flow record and different exporters or multiple exporters in a single flow monitor. The following 3 templates are optional, but the first one is necessary for NBAR mapping.

Command Note of Explanation
option application-table NBAR table that lists the NBAR ID with the name of the application. This is necessary for the collector to identify NBAR applications by name.

Next are option templates (optional), however, I think they're cool.

Command Note of Explanation
option interface-table An export of the interface instances, names and descriptions (i.e. just like via SNMP).
option exporter-stats Information on what it's exporting (e.g. exported 500 flows in the last 60 seconds, etc.).

Time to tie the information above to an interface on the router.

Command Note of Explanation
flow monitor andrew-mon "Andrew-mon" is the monitor to apply to an interface.
cache active timeout 60 This summarizes long lived TCP connections every 60 seconds (1 minute).
description app traffic analysis Description of "andrew-mon" is "app traffic analysis."
record nbar-mon Map record "nbar-mon" to be used by this flow monitor "andrew-mon"
exporter export-to-andrew Map "andrew-mon" to the flow exporter "export-to-andrew." This is who gets the flows. IMPORTANT: You can specify unlimited "flow exporters" (i.e. send to multiple NetFlow collectors). Traditional NetFlow is limited to two destinations.

Time to map the some interfaces to the flow monitor "andrew-mon."

Command Note of Explanation
interface fa0/0 This is the interface I want to collect on.
ip flow monitor andrew-mon input Map the flow monitor "andrew-mon" to this interface and "input" means ingress flows.
interface fa0/1 This is the interface I want to collect on.
ip flow monitor andrew-mon input Map the flow monitor "andrew-mon" to this interface and "input" means ingress flows input or output can be configured. My Scrutinizer software supports both. Repeat the above for every interface. For egress flows use the word "output" in lieu of "input" at the end. NOTE: Only 4 flow monitors can be assigned per interface.

NOTE: "The maximum number of monitors an interface will allow is 4. So apparently, you can create as many exporters as you want, you just can’t use more than 4 on an interface." Now for Reporting "Most NetFlow reporting tools on the market do not have reporting support for NetFlow NBAR, however, a few have been very quick to implement it. Be sure to ask your vendor. "Make sure you can drill in on the NBAR application to see the actual flows. Some vendors only list the total bytes per application and you can’t drill in. "Setting thresholds for types of traffic or flow volumes are also important features. Make sure you know what you are buying. Some vendors skimp on features to rush the market." Way to go Cisco! "Cisco has been committed to NBAR and NetFlow unification since 2003. "What do you think? "Are you ready to upgrade the IOS (view Cisco's software upgrade procedure) on your router to version 15 in order to take advantage of NBAR via Flexible NetFlow?" View more Cisco How-To Tutorials.

BradReese.Com Cisco Refurbished - Enables affordable Cisco networks globally by assuring customer satisfaction with guaranteed one year warranties on both Cisco Repair as well as Refurbished Cisco. Contact: Brad Reese

  1. Cisco leads Avaya in Q3CY09 telephony system shipments
  2. Cisco CEO John Chambers is selectively hiring on certain projects
  3. Cisco shareholders insist on having a say on executive compensation
  4. Cisco raised a big stink over losing a longtime customer's $3.5M network upgrade deal to HP
  5. Verbal and visual mashup of HP's reasons for buying 3Com
  6. My theory on when to buy Cisco stock and when to sell
  7. Father of SIP bolts Cisco for Skype
  8. Cisco UC customers appear S.O.L. when in comes to deploying Windows 7
  9. Impressing Skype's buyout investors, Mike Volpi bragged he could get Cisco's top stars to jump ship
  10. John Chambers: Is America's best leader an investor's nightmare?
  11. Growth of the China CCIE count goes negative by -9
  12. Will the Cisco ASR 9000 kill the Juniper MX960?
  13. America's Best Leaders 2009: John Chambers led one of the biggest comebacks of modern times
  14. What are key Cisco NetFlow limitations?
  15. Cisco ISR G2 model comparison and module support
  16. Will Tandberg be tied solely to Cisco's call management platform?
  17. Woman accused of stealing $23M from Cisco bragged about her success on
  18. Outside of rah-rah talks from John Chambers, is Cisco wireless a disconnect?
  19. Cute adorable Cisco has become the target of data center switch vendor Arista Networks
  20. View Brad Reese on Cisco Story Archives
Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2009 IDG Communications, Inc.