Chapter 3 Flow Collection for SteelCentral : Base Requirements

Base Requirements
You must meet the following requirements to set up your router:
  • Set the active time-out setting for flows to 60 seconds.
      ◦ Cisco IOS software shows this time-out value in either minutes or seconds.
      ◦ Riverbed recommends that you do not adjust the inactive time-out setting from its default of 15 seconds. If you must change it, keep the inactive time-out below 60 seconds.
  • Configure devices that support NetFlow v5, v7, or v9 with no aggregation. Riverbed recommends that you use v9 with no sampling if possible.
  • Configure devices that support sFlow v2, v4, or v5 with the lowest possible sampling rate. Riverbed recommends that you use v5.
  • Configure devices to export flow to the NetExpress management interface or to the Flow Gateway management or auxiliary interface (but not both).
  • Synchronize devices with an NTP source. Riverbed recommends that you synchronize devices with the same NTP source used by the NetProfiler. For proper operation and reporting, the time stamps on the network equipment and on the NetExpress or Flow Gateway must be synchronized.
  • When you use NetFlow v5, make sure to add the ip route-cache flow command (or the equivalent for your platform) on all active interfaces and VLANs, not only the ones you regularly use. Because NetFlow v5 is typically ingress only, egress can be calculated only by aggregating the ingress of the other interfaces.
  • If NetFlow v9 is available, you can selectively control which interfaces to use and specify both ingress and egress. Additionally, with NetFlow v9 you can configure time to live (TTL) export using the CLI, which enables ordered-path reporting in the NetProfiler. To enable TTL export, enter one of the following commands:
      ◦ If using standard NetFlow configuration, the command syntax from global configuration mode is ip flow-capture ttl.
      ◦ If using flexible NetFlow configuration, the command syntax within the flow record template is match ipv4 ttl maximum.
  • Because flow data by default does not indicate which end of a flow is the client and which is the server, Riverbed recommends that you enable the flow initiator indicator in NetFlow v9. Use the collect connection initiator command on Cisco routers and switches running a version of Cisco IOS software that supports it.
  • Riverbed recommends that you configure SNMP access to any devices sending flow to the NetProfiler. Standard flow export identifies interfaces only by their SNMP ifindex values. With SNMP enabled on these devices, the NetExpress or Flow Gateway can look up the actual names, descriptions, speeds, and other information about the interfaces. For more information about SNMP integration, see SNMP Integration for Flow Sources.
  • Additional requirements and considerations for Cisco equipment:
      ◦ If you use NetFlow on a Cisco 4500 switch, the Supervisor Engine IV or V must be equipped with a NetFlow Services daughter card and the required software versions.
      ◦ If you use NetFlow on a Cisco 6500 switch equipped with both Multilayer Switch Feature Card (MSFC) and Supervisor 1 (SUP1) modules, you must enable NetFlow at both the router level and the switch level. The route-once-switch-many concept applies to this hardware configuration: a new flow is first routed by the MSFC module before it is placed in the MLS cache and switched. The NetProfiler must receive NetFlow data from both modules to avoid missing any data. A similar concept applies to a chassis with SUP2 or 720 modules.
      ◦ If you use NetFlow with the Cisco Nexus 7000 series and you are running NX-OS v4, you must have a minimum version of NX-OS v4.2(8). If you are running NX-OS v5, you must have a minimum version of NX-OS v5.2(1). Earlier NX-OS releases report incorrect packets-per-second and bits-per-second statistics.
      ◦ If you are using a Cisco Nexus 5000 series, you cannot export NetFlow from the device. The Cisco Nexus 5000 is a Layer-2 switch and does not contain the information required to support NetFlow.
      ◦ NetFlow export from the Cisco Adaptive Security Appliance (ASA) does not include standard NetFlow records. Cisco ASA exports NetFlow Secure Event Logging (NSEL) in a NetFlow wrapper. NSEL is event driven, exporting bytes only for the first and last packet in the flow. Early versions of Cisco ASA had no concept of an active timer, so you did not get regular updates. NSEL v10 introduced the ability to send updates on NSEL records. NSEL records combined with NetProfiler v10.7 or later enable you to send flow data from a Cisco ASA to a NetProfiler and use the information available in the NSEL data. In addition to the usual information (source and destination IP, protocol, source and destination port, ingress and egress ifindex values), NetProfiler uses the following fields:
          – ICMP type
          – ICMP code
          – High-level event code
          – Milliseconds since the UNIX Epoch that the event occurred
          – Milliseconds since the UNIX Epoch that the flow was created
          – Delta number of bytes from source to destination
          – Delta number of bytes from destination to source
        Compared with standard NetFlow v5, the following fields are missing from NSEL:
          – Packets in flow
          – Total number of Layer-3 bytes in packets in the flow
          – SysUptime at the start of the flow
          – SysUptime at the time the last packet of the flow was received
          – Cumulative TCP flags
          – IP Type of Service
      ◦ Some Cisco devices support NetFlow export for Layer-2 switched traffic in addition to Layer-3 traffic. Generally, Layer-2 switched NetFlow is available for the forwarding ASICs PFC3B, PFC3BXL, or PFC3C. To verify whether your hardware or software supports Layer-2 NetFlow, see the Cisco documentation. If it does, use the following command to enable NetFlow export for Layer-2 switched traffic:

            Router(config)# ip flow export layer2-switched vlan <vlan-list>
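The following Cisco IOS Flexible NetFlow configuration is an added example, not part of the Riverbed guide, that applies the general requirements above on one router: NetFlow v9 without sampling, 60-second active and 15-second inactive time-outs, TTL and connection-initiator export, a shared NTP source, and read-only SNMP for interface lookups. The collector address 192.0.2.10, the NTP server 192.0.2.20, UDP port 2055, the interface names, and the community string are assumptions; substitute your own values.

```cisco
! Added example, not from the Riverbed guide; addresses, interface
! names, UDP port and community string are placeholders.
! Same NTP source as the NetProfiler (assumed address).
ntp server 192.0.2.20

! Read-only SNMP, restricted to the collector, so the NetExpress or
! Flow Gateway can resolve ifindex values to names and speeds.
access-list 10 permit host 192.0.2.10
snmp-server community REPLACE-ME RO 10

! Flow record: 5-tuple key plus TTL (ordered-path reporting) and
! connection initiator (client/server), using the commands cited above.
flow record NETPROFILER-REC
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match ipv4 ttl maximum
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect transport tcp flags
 collect connection initiator

! Exporter: NetFlow v9, no sampling, sent to the collector's management
! interface only (assumed address and port).
flow exporter NETPROFILER-EXP
 destination 192.0.2.10
 source GigabitEthernet0/0
 transport udp 2055
 export-protocol netflow-v9

! Monitor: 60 s active time-out; inactive left at the 15 s default.
flow monitor NETPROFILER-MON
 exporter NETPROFILER-EXP
 record NETPROFILER-REC
 cache timeout active 60
 cache timeout inactive 15

! Apply ingress and egress on every interface carrying traffic, so
! egress need not be reconstructed from other interfaces' ingress.
interface GigabitEthernet0/1
 ip flow monitor NETPROFILER-MON input
 ip flow monitor NETPROFILER-MON output
```

After applying it, show flow monitor NETPROFILER-MON statistics and show flow exporter NETPROFILER-EXP statistics confirm that flows are being cached and exported before you check the collector side.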