24.01.2019

FastNetMon Netflow v9 configuration for Cisco ASR 9000

Cisco ASR 9000 series routers have solid Netflow support and can generate Netflow for a large amount of traffic without problems. However, given the port capacity available on these routers, we suggest enabling sampling from the start to avoid overloading the control plane CPU.

We suggest the following configuration for the ASR 9000 series of Cisco routers (IOS XR):

flow exporter-map FASTNETMON-EXPORTER
 version v9
  options interface-table timeout 60
  options sampler-table timeout 60
  template timeout 60
  template data timeout 60
  template options timeout 60
 !
 transport udp 2055
 source Loopback0
 destination 10.0.0.1
!
flow monitor-map SECOND-MAP
 record ipv4
 exporter FASTNETMON-EXPORTER
 cache entries 200000
 cache timeout active 30
 cache timeout inactive 30
!
sampler-map FIRST-SAMPLER
 random 1 out-of 1024

If you prefer IPFIX, replace “v9” with “ipfix” in the exporter map. Also replace “10.0.0.1” with the address of the machine running FastNetMon, and make sure FastNetMon is configured to listen on the same UDP port (2055 here).

Then attach the monitor map (SECOND-MAP above) and the sampler to every interface whose traffic you want to see, in interface configuration mode:

flow ipv4 monitor SECOND-MAP sampler FIRST-SAMPLER ingress

FastNetMon detects the sampling rate announced by routers automatically in almost all cases. You can check the detected sampling rate per router this way:

sudo fcli show netflow_sampling_rates

Detection may produce a wrong value when several samplers with different rates are configured on a router. This is a technical restriction, so please avoid that configuration: FastNetMon can detect the sampling rate reliably only when a single sampler is in use. If you do need several samplers, set them all to the same sampling rate.

You can also check the system counters to confirm that FastNetMon received and decoded sampling announcements from the routers:

sudo fcli show system_counters |grep netflow9 |grep sampling
netflow9_custom_sampling_rate_received           8688 
netflow9_sampling_rate_changes                   1

If you see zero values, check that FastNetMon received Netflow options packets (they carry the meta information about the Netflow exporters, including the sampler table):

sudo fcli show system_counters |grep netflow9 |grep options
netflow9_options_templates_number                844 
netflow9_options_packet_number                   1448

As a fallback, you can configure the sampling rate manually in FastNetMon. The value must match the sampler configured on the router (1024 for the sampler-map above):

sudo fcli set main netflow_sampling_ratio 1024
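To make the detection described above concrete, here is an added example, written for this page and not FastNetMon's own decoder, in Python. It parses the Netflow v9 options template and options data records with which a router announces its sampler table, and applies the single-sampler rule from above: one rate is returned only when every announced sampler agrees, otherwise the caller has to fall back to the manual netflow_sampling_ratio setting. The field numbers 34, 48, 49 and 50 are the standard Netflow v9 sampling fields; the packet layout used for testing is constructed here and is an assumption about what an ASR 9000 sends, not a capture.

```python
import struct

# NetFlow v9 field types that carry sampling information (Cisco NetFlow v9 field registry).
SAMPLING_INTERVAL = 34             # legacy: sample 1 out of N packets
FLOW_SAMPLER_ID = 48               # identifies the sampler-map on the router
FLOW_SAMPLER_MODE = 49             # 1 = deterministic, 2 = random
FLOW_SAMPLER_RANDOM_INTERVAL = 50  # N for "random 1 out-of N"
SCOPE_SYSTEM = 1                   # options scope field type: whole system


def _parse_options_template(body, templates):
    """Read every options template in an options-template flowset (id 1) into `templates`.
    Each entry is a list of (field_type, field_length, is_scope_field)."""
    pos = 0
    while pos + 6 <= len(body):
        template_id, scope_len, option_len = struct.unpack("!HHH", body[pos:pos + 6])
        if template_id == 0:          # zero padding at the end of the flowset
            break
        pos += 6
        fields = []
        for i in range((scope_len + option_len) // 4):
            ftype, flen = struct.unpack("!HH", body[pos:pos + 4])
            fields.append((ftype, flen, i < scope_len // 4))
            pos += 4
        templates[template_id] = fields


def _parse_options_data(body, fields, samplers):
    """Decode fixed-length options data records and store sampler_id -> rate in `samplers`."""
    record_len = sum(flen for _, flen, _ in fields)
    pos = 0
    while record_len and pos + record_len <= len(body):
        values = {}
        for ftype, flen, is_scope in fields:
            if not is_scope:          # scope fields only say what the record applies to
                values[ftype] = int.from_bytes(body[pos:pos + flen], "big")
            pos += flen
        rate = values.get(FLOW_SAMPLER_RANDOM_INTERVAL) or values.get(SAMPLING_INTERVAL)
        if rate:
            samplers[values.get(FLOW_SAMPLER_ID, 0)] = rate


def parse_sampler_announcements(packet):
    """Walk one NetFlow v9 datagram and return {sampler_id: sampling_rate} found in
    options records. Templates must precede the data that uses them, as in a real export."""
    version, = struct.unpack("!H", packet[:2])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    offset, templates, samplers = 20, {}, {}       # 20-byte v9 header
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4:
            raise ValueError("malformed flowset length")
        body = packet[offset + 4:offset + length]
        if flowset_id == 1:
            _parse_options_template(body, templates)
        elif flowset_id >= 256 and flowset_id in templates:
            _parse_options_data(body, templates[flowset_id], samplers)
        # flowset 0 (data templates) and ordinary flow records are not needed here
        offset += length
    return samplers


def effective_sampling_rate(samplers):
    """Rate to apply to all flows from this exporter, or None when nothing was announced
    or several samplers disagree (then netflow_sampling_ratio must be set by hand)."""
    rates = set(samplers.values())
    return rates.pop() if len(rates) == 1 else None


def build_sampler_announcement(samplers, template_id=256):
    """Constructed test datagram (an assumption, not a capture from a real ASR 9000): one
    options template with a System scope and fields 48/49/50, then one data record per sampler."""
    def flowset(fid, body):
        body += b"\x00" * (-len(body) % 4)            # pad to a 4-byte boundary
        return struct.pack("!HH", fid, 4 + len(body)) + body

    scope = [(SCOPE_SYSTEM, 4)]
    options = [(FLOW_SAMPLER_ID, 2), (FLOW_SAMPLER_MODE, 1), (FLOW_SAMPLER_RANDOM_INTERVAL, 4)]
    tmpl = struct.pack("!HHH", template_id, 4 * len(scope), 4 * len(options))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in scope + options)
    data = b"".join(struct.pack("!IHBI", 0, sid, 2, rate) for sid, rate in samplers.items())
    header = struct.pack("!HHIIII", 9, 1 + len(samplers), 0, 0, 0, 0)
    return header + flowset(1, tmpl) + flowset(template_id, data)


if __name__ == "__main__":
    pkt = build_sampler_announcement({1: 1024})           # single sampler, as recommended above
    print(effective_sampling_rate(parse_sampler_announcements(pkt)))
    pkt = build_sampler_announcement({1: 1024, 2: 4096})  # two samplers that disagree
    print(effective_sampling_rate(parse_sampler_announcements(pkt)))
```

The parser deliberately keys rates by sampler id rather than keeping only the last one seen, so the two-sampler case shows up as an ambiguity instead of silently picking whichever record arrived last; that is the situation in which the manual netflow_sampling_ratio setting is needed.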

With the active and inactive timeouts of 30 seconds specified above, a long-lived flow is exported only once per active timeout, so the averaging window in FastNetMon should be longer than that timeout to avoid bursty bandwidth readings. We suggest the following average calculation time values:

sudo fcli set main average_calculation_time 60
sudo fcli set main average_calculation_time_for_subnets 60
sudo fcli commit

If you notice incorrect bandwidth calculation, we suggest looking at the traffic visually for debugging. Please enable export of system counters to InfluxDB:

sudo fcli set main influxdb_export_system_counters enable
sudo fcli commit

After that, check the dashboard “Netflow v9 metrics” in the default dashboard list.

A few times, on routers carrying a significant amount of traffic, we have observed that the router exported only a small fraction of all flows, so FastNetMon saw very little traffic.

This may be caused by an internal rate limit on the number of flows exported per second.

You can raise it in the flow monitor-map with the following engineering command, which is not in the regular documentation:

flow monitor-map SECOND-MAP
 cache timeout rate-limit 4096

Please be careful with this command and increase the value in several stages while watching the control plane CPU. We have tried values up to 32 000 and they worked well.

If you plan to use Netflow with ASN information, you need to enable the following option in the router bgp section so that BGP attributes (including AS numbers) are made available to Netflow:

bgp attribute-download