This document explains how to configure network devices such as switches and firewalls to send NetFlow or sFlow statistics to a monitoring server like blësk. Please note that the exact commands shown here may vary with your device model and firmware version.
To check that the required NetFlow hardware is present, issue the show module command, as follows:
show module all
Mod  Submodule               Model             Serial No.   Hw   Status
----+-----------------------+-----------------+------------+----+---------
1    Netflow Services Card   WS-F4531          JAB062209CG  0.2  Ok
Note: If the NetFlow module is available, you should see something like the above.
The following sequence of IOS commands can be used as a model for configuring NetFlow.
router#enable
Password:*****
router#configure terminal
router-2621(config)#interface FastEthernet 0/1
router-2621(config-if)#ip route-cache flow
router-2621(config-if)#exit
router-2621(config)#ip flow-export destination x.x.x.x 6343
router-2621(config)#ip flow-export source FastEthernet 0/1
router-2621(config)#ip flow-export version 5
router-2621(config)#ip flow-cache timeout active 1
router-2621(config)#ip flow-cache timeout inactive 15
router-2621(config)#snmp-server ifindex persist
router-2621(config)#^Z
router#write
Note: In the above example, the ip flow-export destination « x.x.x.x » is the IP address of the blësk monitoring server. The « 6343 » in the IP flow-export destination command example corresponds to the Local Collector UDP Port number configured for the NetFlow plugin. The flow export source interface will vary, depending on the interface providing the source traffic.
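Once the exporter is configured, the useful check on the collector side is whether well-formed version 5 datagrams actually arrive on UDP port 6343. The following Python is an added example, not code from blësk or Cisco: it parses the documented NetFlow v5 wire format (24-byte header followed by 48-byte records, at most 30 records per datagram) and rejects anything that is not a version 5 export of the expected length. The sample datagram is constructed inline for the demonstration; in practice you would feed it the payload of a packet captured on the collector.

```python
import struct
from dataclasses import dataclass
from typing import List

# NetFlow v5 wire layout, network byte order (documented export format used
# by "ip flow-export version 5"): 24-byte header + N x 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")            # version, count, uptime, secs, nsecs, seq, eng_type, eng_id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS_PER_DATAGRAM = 30                      # v5 exporters never pack more than 30 records


@dataclass
class V5Record:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int
    input_ifindex: int
    output_ifindex: int


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_v5(datagram: bytes) -> List[V5Record]:
    """Parse one NetFlow v5 export datagram; raise ValueError if it is malformed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, _secs, _nsecs, _seq,
     _engine_type, _engine_id, _sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow version 5, got {version}")
    if not 1 <= count <= MAX_RECORDS_PER_DATAGRAM:
        raise ValueError(f"record count {count} out of range")
    expected_len = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected_len:
        raise ValueError(f"length {len(datagram)} != {expected_len} for {count} records")
    records = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, inp, out, dpkts, doctets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        records.append(V5Record(_ip(src), _ip(dst), sport, dport, proto,
                                dpkts, doctets, flags, inp, out))
    return records


def is_valid_v5(datagram: bytes) -> bool:
    """Boolean wrapper for quick acceptance tests on captured payloads."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def build_v5_sample() -> bytes:
    """Constructed example datagram (not a real capture): two flows in one export."""
    header = V5_HEADER.pack(5, 2, 123456, 1700000000, 0, 42, 0, 0, 0)

    def record(src, dst, sport, dport, proto, pkts, octets, flags):
        to_bytes = lambda a: bytes(int(x) for x in a.split("."))
        return V5_RECORD.pack(to_bytes(src), to_bytes(dst), b"\0\0\0\0",
                              1, 2, pkts, octets, 100, 200,
                              sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)

    return (header
            + record("192.0.2.10", "198.51.100.5", 51234, 443, 6, 12, 4096, 0x1B)
            + record("192.0.2.20", "198.51.100.9", 40000, 53, 17, 1, 72, 0))


if __name__ == "__main__":
    for r in parse_v5(build_v5_sample()):
        print(f"{r.src}:{r.src_port} -> {r.dst}:{r.dst_port} proto={r.proto} "
              f"pkts={r.packets} bytes={r.octets} in={r.input_ifindex} out={r.output_ifindex}")
```

The strict length check matters in practice: a datagram whose length does not match its record count is the usual symptom of a template or version mismatch between exporter and collector (for instance a device sending version 9 to a collector expecting version 5), which shows up as silently empty graphs rather than an error.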
Some time ago, Cisco implemented NetFlow version 9 on its popular ASA 5500 security and firewall appliances. This implementation is quite different from the NetFlow provided by other Cisco devices: it is called "NetFlow Security Event Logging" (NSEL) and was originally introduced on the Cisco ASA 5580. With the latest firmware (ASA 8.2.x or later), it has been extended to the other Cisco ASA models.
The data to be exported is defined by a Service policy that brings flow data to the analyzer server. The following code works fine if your ASA still uses the default global policy.
policy-map global_policy
class class-default
flow-export event-type all destination 1.2.3.4 6343
Note: In the above example, the destination « 1.2.3.4 » is the IP address of the blësk monitoring server. The « 6343 » corresponds to the Local Collector UDP Port number configured on blësk.
If you are using the ASDM GUI, go to Configuration > Firewall > Service Policy Rules, click Add, select "Use class-default as the traffic class", click Next, open the NetFlow tab, click Add and check the collector(s) you want to use, then click Finish and Apply.
Please keep the following facts in mind:
NetFlow can be configured in Dashboard on the Network-wide > Configure > General page. NetFlow configuration settings are found under the Reporting header, with the following options:
The following configuration enables sFlow monitoring of all interfaces on a Brocade FGS switch (24 ports), sampling packets at 1-in-10, polling counters every 20 seconds and sending the sFlow to an analyzer (10.0.0.5) on UDP port 6343 (the default sFlow port):
fgs(config)# int e 0/1/1 to 0/1/24
fgs(config-mif-0/1/1-0/1/24)# sflow forwarding
fgs(config-mif-0/1/1-0/1/24)# exit
fgs(config)# sflow destination 10.0.0.5 6343
fgs(config)# sflow sample 10
fgs(config)# sflow polling-interval 20
fgs(config)# sflow enable
The commands below only work on the 3500/5400/8200/6200 HP products.
1. Configure a destination:
hp (config)# sflow 2 destination x.x.x.x 6343
Note: The above commands will send sFlow to the destination IP « x.x.x.x » which is the one used by blësk.
2. Enable sample rate and polling interval:
hp (config)# sflow 2 sampling all 10
hp (config)# sflow 2 polling all 20
Choose the sampling rate and polling interval according to the accuracy you need from the received samples. Use the « all » parameter in the sampling and polling commands to enable sFlow on all interfaces.
1. Configure a destination:
dell (config)# sflow 1 destination x.x.x.x
dell (config)# sflow 1 destination owner <owner_name> timeout 4294967295
Note: The above commands will send sFlow to the destination IP « x.x.x.x » which is the one used by blësk.
2. Enable sample rate and polling interval:
dell (config)# sflow 1 sampling ethernet 1/g1-1/g32 1024
dell (config)# sflow 1 polling ethernet 1/g1-1/g32 20
Note: The above configures the sampling packets at 1-in-1024, and polling counters every 20 seconds.
1. The following commands configure a Force10 switch (10.0.0.245), sampling packets at 1-in-512, polling counters every 30 seconds and sending the sFlow to an analyzer (10.0.0.50) over UDP using the default sFlow port (6343):
config> sflow collector 10.0.0.50 agent-addr 10.0.0.245
config> sflow sample-rate 512
config> sflow polling 30
config> sflow enable
2. Then for each interface:
interface> sflow enable
3. You can also use the following command to list the configuration settings:
show sflow
All Palo Alto Networks firewalls support NetFlow (Version 9) except the PA-4000 Series and PA-7000 Series firewalls. The firewalls support only unidirectional NetFlow, not bidirectional. The firewalls perform NetFlow processing on all IP packets on the interfaces and do not support sampled NetFlow. You can export NetFlow records for Layer 3, Layer 2, virtual wire, tap, VLAN, loopback, and tunnel interfaces.
To use a NetFlow collector for analyzing the network traffic on firewall interfaces, perform the following steps to configure NetFlow record exports.
Step 1 – Create a NetFlow server profile.
The profile defines which NetFlow collectors will receive the exported records and specifies export parameters.
1 – Select Device > Server Profiles > NetFlow and click Add.
2 – Enter a Name for the profile.
3 – Specify the rate at which the firewall refreshes NetFlow Templates in Minutes (default is 30) and Packets (exported records—default is 20). The firewall refreshes the templates after either threshold is passed.
4 – For the Active Timeout, specify the frequency in minutes at which the firewall exports records (default is 5).
5 – Select the PAN-OS Field Types check box if you want the firewall to export App-ID and User-ID fields.
6 – For each NetFlow collector (up to two per profile) that will receive the records, click Add and enter an identifying server Name, the hostname or IP address (NetFlow Server), and the Port; enter 6343 for blësk (the default is 2055).
7 – Click OK to save the profile.
Step 2 – Assign the NetFlow server profile to the interfaces that carry the traffic you want to analyze.
In this example, you assign the profile to an existing Ethernet interface.
1 – Select Network > Interfaces > Ethernet and click an interface name to edit it.
2 – In the NetFlow Profile drop-down, select the NetFlow server profile and click OK.
3 – Click Commit.
Recent FortiOS releases add sFlow support to Fortinet's FortiGate® appliances. The following commands configure a FortiGate to sample packets at 1-in-10, poll counters every 20 seconds, and send sFlow to an analyzer (10.0.0.35) over UDP using the default sFlow port (6343):
config system sflow
set collector-ip 10.0.0.35
set collector-port 6343
end
Then for each interface:
config sys interface
edit interfacename
set sflow-sampler enable
set sample-rate 10
set sample-direction both
set polling-interval 20
next
end
Configure sFlow monitoring on all interfaces on the switch for full visibility. Packet sampling is implemented in hardware so all the interfaces can be monitored with very little overhead.
The polling interval defines how often sFlow byte and packet counter data for a port are sent to the sFlow collector(s). If multiple ports are enabled for sFlow, the switch device staggers transmission of the counter data to smooth performance.
For example, if sFlow is enabled on two ports and the polling interval is 20 seconds, the switch device sends counter data every ten seconds. The counter data for one of the ports are sent after ten seconds, and counter data for the other port are sent after an additional ten seconds. Ten seconds later, new counter data for the first port are sent. Similarly, if sFlow is enabled on five ports and the polling interval is 20 seconds, the device sends counter data every four seconds.
The default polling interval is 20 seconds. You can change the interval to any value of 1 second or more. The interval value applies to all interfaces on which sFlow is enabled. If you set the polling interval to 0, counter data sampling is disabled.
The sampling rate is the average ratio of the number of packets incoming on an sFlow-enabled port to the number of flow samples taken from those packets.
You can change the default (global) sampling rate. You also can change the rate on an individual port, overriding the default sampling rate of 512. With a sampling rate of 512, on average, one in every 512 packets forwarded on an interface is sampled.
The sampling rate is a fraction of the form 1/N, meaning that, on average, one out of every N packets will be sampled. The sflow sample command at the global level or port level specifies N, the denominator of the fraction.
Thus a higher number for the denominator means a lower sampling rate since fewer packets are sampled. Likewise, a lower number for the denominator means a higher sampling rate because more packets are sampled. For example, if you change the denominator from 512 to 128, the sampling rate increases because four times as many packets will be sampled.
The software rounds the value you enter to the next higher odd power of 2. This value becomes the actual default sampling rate and is one of the following:
• 2
• 8
• 32
• 128
• 512
• 2048
• 8192
• 32768
• 131072
• 524288
• 2097152
• 8388608
• 33554432
• 134217728
• 536870912
• 2147483648
For example, if the configured sampling rate is 1000, then the actual rate is 2048 and 1 in 2048 packets are sampled by the hardware.
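The two rules above (counter transmission staggered across sFlow-enabled ports, and the configured sampling denominator rounded up to an odd power of 2) are easy to get wrong when sizing a collector, so here is an added Python example that models them; it is not code from the switch vendor or from blësk. It assumes the rounding rule as the text states it: the smallest odd power of 2 that is greater than or equal to the configured value, which leaves the listed values (2, 8, 32, ..., 2147483648) unchanged and maps 1000 to 2048. The packet rate used in the usage example is a constructed figure.

```python
from typing import Optional

POLLING_DEFAULT_SECONDS = 20
SAMPLE_RATE_DEFAULT = 512

# The hardware sampling denominators listed in the text: 2^1, 2^3, ..., 2^31.
HARDWARE_SAMPLE_RATES = [1 << k for k in range(1, 32, 2)]


def effective_sample_rate(configured: int) -> int:
    """Denominator the hardware actually uses for a configured 'sflow sample N'.

    Assumed rule (as described in the text): round up to the smallest odd power
    of 2 that is >= the configured value. Uses integer bit arithmetic rather
    than log2() so exact powers of two are handled without floating-point error.
    """
    if configured < 1:
        raise ValueError("sampling denominator must be at least 1")
    exponent = (configured - 1).bit_length()      # ceil(log2(configured))
    if exponent % 2 == 0:                         # even power of 2 -> next odd one
        exponent += 1
    rate = 1 << exponent
    if rate not in HARDWARE_SAMPLE_RATES:
        raise ValueError(f"{configured} rounds to {rate}, beyond the supported range")
    return rate


def counter_send_interval(polling_interval: int, sflow_ports: int) -> Optional[float]:
    """Seconds between successive counter-sample transmissions from the switch.

    The switch staggers the per-port counter data evenly across the polling
    interval; a polling interval of 0 disables counter sampling (returns None).
    """
    if polling_interval < 0 or sflow_ports < 1:
        raise ValueError("polling interval must be >= 0 and at least one port must be enabled")
    if polling_interval == 0:
        return None
    return polling_interval / sflow_ports


def expected_flow_samples_per_second(packets_per_second: float, configured_rate: int) -> float:
    """Average flow samples per second the collector should see from one port.

    Useful for sizing: the 1-in-N rate is an average, and N is the rounded
    hardware value, not the value typed at the CLI.
    """
    return packets_per_second / effective_sample_rate(configured_rate)


if __name__ == "__main__":
    # Constructed figures: a 24-port switch, all ports sFlow-enabled, 50,000 pps on one port.
    print("sflow sample 1000 ->", effective_sample_rate(1000))                 # 2048
    print("counter interval (20 s, 24 ports) ->", counter_send_interval(20, 24))
    print("flow samples/s at 50 kpps with 'sflow sample 1000' ->",
          round(expected_flow_samples_per_second(50_000, 1000), 2))
```

The practical point for a monitoring deployment: if you type `sflow sample 1000` expecting roughly one sample per thousand packets, the switch is really sampling 1 in 2048, so any bandwidth estimate the collector scales up from the samples must use the rounded value.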