Does my switch/router support Cisco Netflow?
If you’ve come here you already know what Cisco Netflow is and you are probably looking for the best way to collect Netflow stats for an unsupported layer 3 switch or router. Well you’ve come to the right place.
First off, check the list of Cisco switches and routers that DO support netflow here:
As you can see, basically only the top end routers and switches support Netflow as it’s very resource intensive.
What if my switch/router doesn’t support Netflow?
If you don’t have access to one of those expensive switches or routers, do not despair: you can mirror one of the ports on your Cisco device and send that traffic to a Netflow translator, which converts the traffic on the wire into Netflow packets for collection.
Free Netflow Exporter
After evaluating a bunch of similar products I found this free Netflow exporter by FlowTraq that is very easy to use.
Hop over to their download page, spend 2 seconds to sign up and obtain the link to their download page. On their download page you will see that they have the binaries for many flavors of operating systems.
How to configure
1. If you happen to have a 64 bit Linux box like I did, get the Linux binary. It should be a single file named “flowexport_linux_x86_64.bin”.
2. Ensure you have a Linux box with two network interfaces. They should really be gigabit interfaces. You will be dedicating one of them to capturing the network traffic. If you are running a CentOS box like me, set up your interface with the defaults:
DEVICE=eth0
HWADDR=68:05:CA:03:5E:AA
NM_CONTROLLED=yes
ONBOOT=no
BOOTPROTO=dhcp
TYPE=Ethernet
IPV6INIT=no
USERCTL=no
3. Don’t forget to bring up the interface by issuing an “ifup ethx”.
4. Copy over the binary to anywhere in your Linux system and move on to next step.
5. Now that your Linux box is ready, you can set up your Cisco switch or router with the port mirror command to send the traffic of interest to your Linux box. In case you’re confused, this is the traffic you wish to collect information on. In my case, I wanted to capture all traffic entering and leaving a port going towards my NAS.
On your destination port make sure all configurations are defaulted:
Router(config)#default interface GigabitEthernet2/0/25
Also give a description like SPAN PORT or something.
6. Next, set your monitor session source and destination ports. The below example should be pretty self explanatory.
monitor session 1 source interface Gi2/0/24
monitor session 1 destination interface Gi2/0/25
7. Now that the Cisco switch is set up, head back to your Linux box. You should be able to confirm that you are receiving traffic. Just do an “ifconfig -a” to list your port and you should see the RX/TX packet counters increasing. If you don’t, go back to the previous steps and check that you have the right ports configured.
8. Provided you already have a Netflow collector set up, run the command below:
flowexport [OPTIONS]... -i iface -nf9 collectorip
I used eth0 as my capturing interface and the IP address of my Netflow collector:
./flowexport_linux_x86_64.bin -i eth0 -nf9 10.1.0.139
9. That’s it! This process should run in the background.
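The counter check from step 7 can be scripted so it is repeatable before and after starting the exporter. This is an added example, not part of the original post or of FlowTraq's software; the function names and the SYSFS_NET override are assumptions made for illustration, and it reads the standard Linux counters under /sys/class/net instead of parsing ifconfig output.

```shell
#!/bin/sh
# Added helper (hypothetical names, not from the original post): verify that
# the interface cabled to the SPAN destination port is up and that its RX
# packet counter is moving. SYSFS_NET may be overridden for testing.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# rx_verdict BEFORE AFTER: classify two samples of rx_packets.
rx_verdict() {
    if [ "$2" -gt "$1" ]; then
        echo "receiving $(( $2 - $1 )) packets"
    else
        echo "no-traffic"
    fi
}

# check_span IFACE [SECONDS]
# Exit status: 0 mirrored traffic seen, 1 counter did not move,
#              2 interface missing, 3 interface is down.
check_span() {
    iface="$1"; wait_s="${2:-5}"
    dir="$SYSFS_NET/$iface"
    [ -r "$dir/statistics/rx_packets" ] || {
        echo "$iface: no such interface"; return 2; }
    state=$(cat "$dir/operstate")
    [ "$state" = "down" ] && {
        echo "$iface: link is down (see step 3: ifup $iface)"; return 3; }
    before=$(cat "$dir/statistics/rx_packets")
    sleep "$wait_s"
    after=$(cat "$dir/statistics/rx_packets")
    verdict=$(rx_verdict "$before" "$after")
    echo "$iface: $verdict in ${wait_s}s"
    # A static counter usually means the monitor session ports are wrong.
    [ "$verdict" != "no-traffic" ]
}

# Run a check only when an interface name is given, e.g.: sh check_span.sh eth0 5
if [ -n "${1:-}" ]; then check_span "$@"; fi
```

A non-zero exit status of 1 points back at the monitor session in step 6, while 3 means the capture interface was never brought up.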
If you are interested in the man page for the flowexport binary you may visit here
Bonus: This great little software supports a packet capture file (PCAP) as input if you are not interested in real time Netflow stats.