Filter Netflow to only send specifc flows from/to certain subnets

Isaac Smith (Level 1)

We are testing out a new NPM solution for a specific project. Right now we have all our netflow (netflow9) flows pointing to our scrutinizer box. The new NPM box is small and can only handle so many flows per second. We're trying to figure out a way to have it so flows get exported to a secondary collector but only those flows that match 4 specific subnets. I would assume there would be a way to do it via an ACL/Class maps but documentation for this specific thing is hard to decipher.

Any ideas?

Currently this is our netflow setup that is sending all flows to a specific collector:

X.X.X.X is the current main flow collector for all our enterprise - Y.Y.Y.Y is the new flow collector that can only handle so many flows and we only want to filter flow data to only send if traffic matches specific subnets.  We have WAN optimizers inline on half of our offices that can do this easily with a click of a button and specifying the subnets but can't figure out how to do this via a router.

flow record TCP-UDP
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match ipv4 tos
 match flow direction
 match application name
 collect interface output
 collect routing source as
 collect routing destination as
 collect routing next-hop address ipv4
 collect ipv4 dscp
 collect ipv4 id
 collect ipv4 ttl
 collect ipv4 ttl minimum
 collect ipv4 source prefix
 collect transport tcp source-port
 collect transport tcp destination-port
 collect transport tcp sequence-number
 collect transport tcp flags
 collect transport udp source-port
 collect transport udp destination-port
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect timestamp absolute first
 collect timestamp absolute last
 collect timestamp absolute monitoring-interval start
flow exporter COMPANY-Flow
 description FNF-Exporter
 destination X.X.X.X
 source Loopback0
 dscp 16
 transport udp 2055
 template data timeout 60
 option interface-table timeout 60
 option exporter-stats timeout 60
 option vrf-table timeout 60
 option application-table timeout 60
 option application-attributes timeout 60
flow exporter COMPANY-Flow-Profiler
 description FNF-Exporter
 destination Y.Y.Y.Y
 source Loopback0
 dscp 16
 transport udp 2055
 template data timeout 60
 option interface-table timeout 60
 option exporter-stats timeout 60
 option vrf-table timeout 60
 option application-table timeout 60
 option application-attributes timeout 60
flow monitor TCP-UDP
 exporter COMPANY-Flow
 exporter COMPANY-Flow-Profiler
 cache timeout active 60
 cache entries 25000
 statistics packet protocol
 record TCP-UDP
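One way to get the behaviour asked for above without any router-side support is to point the second exporter (COMPANY-Flow-Profiler) at a small relay that sits in front of the new collector and drops every data record whose IPv4 source and destination are both outside the wanted subnets. The following is an added example written for this thread, not part of the original post and not a Cisco feature: it parses NetFlow v9 export packets (RFC 3954), caches the templates the router sends, forwards template flowsets untouched, keeps only matching data records and rewrites the header count and sequence number. The subnets, the template layout and the sample flows in `build_sample_packet` are constructed test input, and the relay assumes the exporter sends templates before the data that uses them (which the `template data timeout 60` above guarantees within a minute).

```python
import ipaddress
import struct

# NetFlow v9 field type ids (RFC 3954, section 8) used below.
IPV4_SRC_ADDR = 8
IPV4_DST_ADDR = 12
IN_BYTES = 1
HEADER_FMT = "!HHIIII"  # version, count, sysUptime, unixSecs, sequence, sourceId
HEADER_LEN = 20


def iter_flowsets(packet):
    """Yield (flowset id, raw flowset incl. header, body) for one v9 packet."""
    off = HEADER_LEN
    while off + 4 <= len(packet):
        fsid, flen = struct.unpack_from("!HH", packet, off)
        if flen < 4:
            break  # malformed length; stop rather than loop forever
        yield fsid, packet[off:off + flen], packet[off + 4:off + flen]
        off += flen


class NetflowV9Filter:
    """Per-exporter template cache plus the subnet filter. Templates are always
    forwarded; data records survive only if their IPv4 source or destination
    falls inside one of the configured subnets (constructed list in the test)."""

    def __init__(self, subnets):
        self.nets = [ipaddress.ip_network(s) for s in subnets]
        self.templates = {}  # template id -> [(field type, field length), ...]
        self.seq = 0         # sequence number of the packets we emit

    def _learn_templates(self, body):
        """Parse a template flowset body (id 0); return number of templates seen."""
        off, n = 0, 0
        while off + 4 <= len(body):
            tid, count = struct.unpack_from("!HH", body, off)
            off += 4
            if tid < 256:  # trailing padding, not a template
                break
            self.templates[tid] = [struct.unpack_from("!HH", body, off + 4 * i)
                                   for i in range(count)]
            off += 4 * count
            n += 1
        return n

    def _records(self, fsid, body):
        """Split a data flowset body into fixed-size records, padding dropped."""
        fields = self.templates[fsid]
        rlen = sum(flen for _, flen in fields)
        if rlen == 0:
            return fields, []
        return fields, [body[i:i + rlen] for i in range(0, len(body) - rlen + 1, rlen)]

    @staticmethod
    def _addresses(fields, rec):
        """Return (src, dst) IPv4 addresses of one record (None where absent)."""
        found, off = {}, 0
        for ftype, flen in fields:
            if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR) and flen == 4:
                found[ftype] = ipaddress.IPv4Address(rec[off:off + 4])
            off += flen
        return found.get(IPV4_SRC_ADDR), found.get(IPV4_DST_ADDR)

    def _matches(self, fields, rec):
        return any(a is not None and a in net
                   for a in self._addresses(fields, rec) for net in self.nets)

    def filter_packet(self, packet):
        """Return the rewritten packet for the second collector, or None when
        nothing in it (no template, no matching record) needs forwarding."""
        version, _count, uptime, secs, _seq, srcid = struct.unpack_from(HEADER_FMT, packet, 0)
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        out, kept = [], 0
        for fsid, raw, body in iter_flowsets(packet):
            if fsid == 0:
                kept += self._learn_templates(body)
                out.append(raw)  # templates are forwarded unchanged
            elif fsid >= 256 and fsid in self.templates:
                fields, recs = self._records(fsid, body)
                keep = [r for r in recs if self._matches(fields, r)]
                if keep:
                    data = b"".join(keep)
                    pad = (-len(data)) % 4  # flowsets stay 4-byte aligned
                    out.append(struct.pack("!HH", fsid, 4 + len(data) + pad) + data + b"\0" * pad)
                    kept += len(keep)
            # Options templates (id 1), options data and data for unknown
            # templates are dropped here; the main collector still receives them.
        if kept == 0:
            return None
        self.seq += 1
        return struct.pack(HEADER_FMT, 9, kept, uptime, secs, self.seq, srcid) + b"".join(out)

    def addresses(self, packet):
        """List (src, dst) strings of every data record, using known templates."""
        pairs = []
        for fsid, _raw, body in iter_flowsets(packet):
            if fsid >= 256 and fsid in self.templates:
                fields, recs = self._records(fsid, body)
                pairs += [tuple(str(a) for a in self._addresses(fields, r)) for r in recs]
        return pairs


def build_sample_packet(flows, with_template=True):
    """Construct a v9 packet (template 256 + one data flowset) from
    (src, dst, bytes) tuples. Constructed test input, not real router output."""
    fields = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (IN_BYTES, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tset = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl if with_template else b""
    data = b"".join(ipaddress.IPv4Address(s).packed + ipaddress.IPv4Address(d).packed
                    + struct.pack("!I", n) for s, d, n in flows)
    dset = struct.pack("!HH", 256, 4 + len(data)) + data
    count = len(flows) + (1 if with_template else 0)
    return struct.pack(HEADER_FMT, 9, count, 1000, 1700000000, 1, 0) + tset + dset
```

In production the relay would sit in a UDP receive loop keyed on the exporter's source address and source ID (each exporter has its own template space), call `filter_packet` on every datagram and send the non-None results on to Y.Y.Y.Y:2055; because whole packets are dropped and the sequence number is regenerated, the second collector sees a continuous sequence and will not report missed exports. The filter deliberately does not touch the existing X.X.X.X export, so the main collector keeps receiving the complete stream, including the options data (interface and application tables) that this relay discards.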

2 Replies

Giuseppe Larosa (Hall of Fame)

Hello Isaac,

Support for multiple collectors (2) was added for some platforms, but selective sending based on the IP subnet of the observed flow to a single collector server is something new to me.

I don't think there is a way to achieve this.

See:

NetFlow Multiple Export Destinations: Benefits

The NetFlow Multiple Export Destinations feature enables configuration of multiple destinations for the NetFlow data. With this feature enabled, two identical streams of NetFlow data are sent to the destination host. Currently, the maximum number of export destinations allowed is two.

The NetFlow Multiple Export Destinations feature improves the chances of receiving complete NetFlow data because it provides redundant streams of data. Because the same export data is sent to more than one NetFlow collector, fewer packets are lost.

http://www.cisco.com/c/en/us/td/docs/ios/netflow/configuration/guide/12_2sr/nf_12_2sr_book/cfg_nflow_data_expt.html#wp1057619

Hope to help

Giuseppe

I had opened a ticket with TAC and they suggested a solution involving matching an ACL but I haven't gotten a chance to test it out. If I ever get around to it I'll update this.
