Configure netflow export
Netflow is a feature that provides the ability to collect IP network traffic as it enters or exits an interface. There're several version of netflow protocols available. The most commonly used version is version 5, which is supported by all mbox product family (CMG/HSG/HSA).
There're two key components involved in using netflow for analyzing IP traffic:
- netflow exporter. This is basically the gateway (CMG/HSG/HSA) that passes IP traffic. It aggregates packets into flows and exports flow records to external collector for human readable analysis. Because enabling netflow can have significant performance impact (higher CPU utilization), so sampling rate is necessary. By default our mbox uses sampling rate of 10, eg. 1 out of 10 packets is processed. Therefore, you will not get every packet details, but the result will provide you a good understanding of the overall traffic pattern and general application usage etc.
- netflow collector. This is typically a GUI application that collects netflow exports from exporters, and displays the flow data in graphical format for analysis and reporting. There're many opensource and commercial netflow collector software available in the market, and they all should be able to support exports from mbox gateways.
When configuring netflow on interfaces, please take note of followings
- CMG/HSG support multiple instances of netflow exports, eg. you can enable netflow on multiple interfaces and export them to different collectors. But in most cases, you would just run one instance and export to one collector.
- HSA only supports netflow on one interface (can be any interface), exporting to one collector only.
- If you enable netflow on WAN interface, and if there's PAT/NAT on that interface, you would only see source being the NATed IP address because NAT/PAT process takes precedence over netflow. So if you want to see the original source/destination IP address, it's recommended to configure netflow on LAN interface.
- netflow uses UDP protocol with a port number that's usually defined by the collector (collector will listen on that port to receive exports). So if there's any firewall in front of collector, please make sure firewall permits UDP/collectorport. And mbox must use the same collectorport to send flow exports to the collector.
Example on CMG/HSG:
mbox> enablembox#mbox# configurembox(config-if)# interface eth1mbox(config-if)# enablembox(config-if)# ip flow-export 184.108.40.206 9995
Example on HSA:
mbox> enablembox#mbox# configurembox(config-if)# interface br-lanmbox(config-if)# ip flow-export 220.127.116.11 9995
- 18.104.22.168 is the external collector IP address
- 9995 is the collectorport
- Use "show ip netflow details" to see the detail captured flows
- Use "show ip netflow stats" to see summary stats and export status
- Use "tcpdump interface eth0 port collectorport" to verify that your box is sending flows to your collector IP