Cisco IPv6 flow export with “Flexible Netflow”

Sometime between IOS 12.4 and 15.x, the IPv6 flow export configuration changed. It used to be quite simple:

Pre-flexible-netflow configuration:


Voilà: IPv4 and IPv6 flows exported to your favorite collector (mine being the wonderful and always useful NFDUMP/NFSEN).

Somebody at Cisco obviously found this too easy, so it is now required to re-engineer this functionality into “Flexible Netflow”. It does allow you, via the creation of a flow record, to customize your own export format, which is beyond this simple blog post and likely my current understanding as well ;).

For my purposes, I simply want to export IPv6 flows to my collector for business as usual. This is done by defining a flow exporter and a flow monitor in the global configuration, attaching the exporter to the monitor, and applying the monitor to the interface, somewhat as before:

Flexible-netflow configuration:


Presto. The original-output keyword in the flow monitor's record statement selects the predefined (legacy?) record, so no flow record with user-defined fields has to be written.
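As an added example (not the post's own configuration), here is a minimal Flexible Netflow setup of the kind the steps above describe: an exporter, a monitor using the predefined original-output record, and the monitor applied to an interface. The collector address 192.0.2.10, UDP port 9995, Loopback0 as the export source and GigabitEthernet0/0 as the monitored interface are assumed placeholder values, as is the output direction on the interface.

```cisco
! Added example, not the post's own configuration. Assumed values:
! collector 192.0.2.10 (placeholder), UDP 9995, source Loopback0,
! monitored interface GigabitEthernet0/0.
!
! 1. The exporter: where and how the flow records are sent.
flow exporter FNF-EXPORT
 description Export to nfcapd/NFSEN collector
 destination 192.0.2.10
 source Loopback0
 transport udp 9995
 export-protocol netflow-v9
 template data timeout 60
!
! 2. The monitor: which record format to use and which exporter feeds it.
!    "record netflow ipv6 original-output" is the predefined record the post
!    refers to, so no user-defined "flow record" block is needed.
flow monitor FNF-IPV6
 description IPv6 flows, legacy-style record
 exporter FNF-EXPORT
 cache timeout active 60
 cache timeout inactive 15
 record netflow ipv6 original-output
!
! 3. Apply the monitor to the interface. The direction is an assumption:
!    original-output pairs with "output"; for the ingress equivalent use
!    "record netflow ipv6 original-input" with "ipv6 flow monitor ... input".
interface GigabitEthernet0/0
 ipv6 flow monitor FNF-IPV6 output
!
```

On the router, `show flow exporter statistics` shows whether data and template packets are leaving, and `show flow monitor FNF-IPV6 cache` shows what the cache currently holds. On the collector side, nfcapd can only decode NetFlow v9 data records once it has received the matching template, so a freshly started collector may show nothing until the template timeout (60 seconds here) elapses. The export is plain UDP with no authentication, so it should travel over a management path that is filtered to the collector. Finally, apply a monitor on only one device and one direction per traffic path: the same monitor on two routers in the path, or in both directions on the same router, makes NFSEN count the same transfer twice.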

And as a side note, if you haven’t played with NFDUMP/NFSEN, you really should give it a try; it's a very useful tool for traffic analysis, DDoS investigation and post-mortems.


2 thoughts on “Cisco IPv6 flow export with “Flexible Netflow””

  1. Thank you for your very helpful article.
    After an IOS upgrade, I am struggling to set up things to work correctly, but I am having troubles. IPv6 FNF exporting using the configuration you describe above does NOT produce the expected results in nfsen (which I am also using). Packets and traffic are hugely magnified. If you can help, you can find more details here:
    https://supportforums.cisco.com/discussion/12519461/3825-issues-after-ios-upgrade-cpu-netflow
    I would appreciate your help!
    Thanks,
    Nick

  2. Well, I just tested what you said. Initially I thought there was flow duplication; however, it turns out my data seems OK.

    I tested on an isolated network a download of a 696MB file (Centos ISO):

    wget http://[2001:41d0:1:c0c9::1]/ftp.centos.org/7.1.1503/isos/x86_64/CentOS-7-x86_64-Minimal-1503-01.iso
    --2015-06-02 12:20:11--  http://[2001:41d0:1:c0c9::1]/ftp.centos.org/7.1.1503/isos/x86_64/CentOS-7-x86_64-Minimal-1503-01.iso
    Connecting to 2001:41d0:1:c0c9::1:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 666894336 (636M) [application/x-iso9660-image]
    Saving to: “CentOS-7-x86_64-Minimal-1503-01.iso”
    
    100%[==========================================================>] 666,894,336 9.07M/s   in 78s
    
    2015-06-02 12:21:29 (8.18 MB/s) - “CentOS-7-x86_64-Minimal-1503-01.iso” saved [666894336/666894336]
    

    and when I use NFDUMP to list the flows:

    Top 10 IP Addr ordered by bytes:
    Date first seen          Duration Proto           IP Addr    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
    2015-06-02 12:20:11.469   230.199 any    2605:2a..ffd::10       50(100.0)    1.2 M(100.0)    1.4 G(100.0)     5054   49.3 M  1219
    2015-06-02 12:20:11.469    78.117 any    2001:41..c0c9::1        3( 6.0)    1.2 M(100.0)    1.4 G(100.0)    14894  145.3 M  1219
    

    It would appear that there was 1.4G of data from 2001:41d0:1:c0c9::1

    and if I isolate it:

    Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
    2015-06-02 12:20:11.602    77.984 TCP   2605:2a..ffd::10.40734 -> 2001:41..c0c9::1.80      228606   16.6 M     1
    2015-06-02 12:20:11.666    77.920 TCP   2001:41..c0c9::1.80    -> 2605:2a..ffd::10.40734   467453  701.2 M     1
    2015-06-02 12:20:11.469    77.920 TCP   2001:41..c0c9::1.80    -> 2605:2a..ffd::10.40734   467453  701.2 M     1
    Summary: total flows: 3, total bytes: 1.4 G, total packets: 1.2 M, avg bps: 145.3 M, avg pps: 14894, avg bpp: 1219
    

    A-ha, there are 2 flows of 700M each. If I use an extended format to see what interfaces were used to record the flows ( fmt:%ts %td %pr %sap %in -> %dap %pkt %byt %fl %out ), then I see that I have 1 flow recorded by 2 different routers/interfaces:

        Date first seen          Duration Proto                             Src IP Addr:Port    Input                                Dst IP Addr:Port   Packets    Bytes Flows Output
    fmt:2015-06-02 12:20:11.602    77.984 TCP                   2605:2a00:ffff:fffd::10.40734      14 ->                     2001:41d0:1:c0c9::1.80      228606   16.6 M     1    232
    fmt:2015-06-02 12:20:11.666    77.920 TCP                       2001:41d0:1:c0c9::1.80        232 ->                 2605:2a00:ffff:fffd::10.40734   467453  701.2 M     1     14
    fmt:2015-06-02 12:20:11.469    77.920 TCP                       2001:41d0:1:c0c9::1.80         14 ->                 2605:2a00:ffff:fffd::10.40734   467453  701.2 M     1     41
    Summary: total flows: 3, total bytes: 1.4 G, total packets: 1.2 M, avg bps: 145.3 M, avg pps: 14894, avg bpp: 1219
    
    

    So each different flow source recorded the flow, each showing the total. Interface 14 on router1 and Interface 232 on router2 exported that flow to NFSEN.

    Is it possible your amplification is caused by traffic going through multiple flow sources?
