10.05.2020

FastNetMon VyOS Netflow configuration

You can use FastNetMon Advanced with the VyOS routing platform. It is an open source platform, but you can buy support directly from the developers. This guide provides detailed instructions for the setup. All of these instructions were tested with VyOS 1.2.5 LTS.

As a first step, log in to VyOS over SSH using the default login and password (vyos/vyos), then switch to configuration mode:

conf

Then select the interfaces to enable Netflow export on. We recommend exporting traffic from upstream ports (replace the port names with your own values):

set system flow-accounting interface eth0
set system flow-accounting interface eth1

Next, configure the basic flow tracking settings:

set system flow-accounting buffer-size 64
set system flow-accounting netflow engine-id 5
set system flow-accounting disable-imt
set system flow-accounting netflow max-flows 640000
set system flow-accounting netflow version 5

Next, specify the IP address of the machine with FastNetMon installed:

set system flow-accounting netflow server FastNetMon_IP_address

You also need to specify the local IP address of the VyOS machine that will be used as the source for Netflow export:

set system flow-accounting netflow source-ip IP_Address_of_VyOS_installation

The next step is extremely important for receiving precise traffic information: configure all timeouts:

set system flow-accounting netflow timeout expiry-interval 30
set system flow-accounting netflow timeout flow-generic 30
set system flow-accounting netflow timeout icmp 30
set system flow-accounting netflow timeout max-active-life 30
set system flow-accounting netflow timeout tcp-fin 30
set system flow-accounting netflow timeout tcp-generic 30
set system flow-accounting netflow timeout tcp-rst 30
set system flow-accounting netflow timeout udp 30

Specify the sampling rate. For production setups it is very important to avoid overloading the router:

set system flow-accounting netflow sampling-rate 100

VyOS supports Netflow v5, Netflow v9 and IPFIX, but we recommend using Netflow v5 because it uses much simpler logic to encode the sampling rate. If you need IPv6 support, you may switch to version 9 (do not forget to specify the sampling rate directly in FastNetMon’s configuration):

set system flow-accounting netflow version 9

After that, apply the changes and save them:

commit
save

After that, I recommend checking the full flow accounting configuration:

show system flow-accounting

 buffer-size 64
 disable-imt
 interface eth0
 interface eth1
 netflow {
     engine-id 5
     max-flows 640000
     sampling-rate 100
     server 192.168.1.134 {
     }
     source-ip 192.168.1.213
     timeout {
         expiry-interval 30
         flow-generic 30
         max-active-life 30
         tcp-fin 30
         tcp-generic 30
         tcp-rst 30
         udp 30
     }
     version 5
 }

As a final step, configure the average calculation time in FastNetMon so that it reflects the timeouts configured in the previous steps:

sudo fcli set main average_calculation_time 60
sudo fcli set main average_calculation_time_for_subnets 60
sudo fcli set main average_calculation_time_for_hostgroups 60
sudo fcli commit
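
To confirm on the collector side that received Netflow v5 datagrams carry the engine-id and sampling-rate configured above, the 24-byte v5 header can be decoded directly. The following is an added example, not part of FastNetMon or VyOS; the function names are hypothetical, the sample datagram is constructed, and it assumes the exporter fills in the header's sampling field.

```python
import struct

# NetFlow v5 header: 24 bytes, network byte order.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48  # each v5 flow record is 48 bytes


def parse_v5_header(datagram: bytes) -> dict:
    """Parse and sanity-check the header of one NetFlow v5 datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, _uptime, _secs, _nsecs, sequence,
     _engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field is {version})")
    if not 1 <= count <= 30:
        raise ValueError(f"invalid record count {count}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD_LEN:
        raise ValueError("datagram length does not match the record count")
    return {
        "count": count,
        "sequence": sequence,
        "engine_id": engine_id,
        # Top 2 bits: sampling mode; low 14 bits: sampling interval (1 in N).
        "sampling_mode": sampling >> 14,
        "sampling_rate": sampling & 0x3FFF,
    }


def check_export(datagram: bytes, engine_id: int, sampling_rate: int) -> list:
    """Return the mismatches between a datagram and the router settings."""
    hdr = parse_v5_header(datagram)
    problems = []
    if hdr["engine_id"] != engine_id:
        problems.append(f"engine-id {hdr['engine_id']} != {engine_id}")
    if hdr["sampling_rate"] != sampling_rate:
        problems.append(f"sampling-rate {hdr['sampling_rate']} != {sampling_rate}")
    return problems


def build_sample(engine_id: int, sampling_rate: int, count: int = 2) -> bytes:
    """Constructed test datagram (not a capture): header plus zeroed records."""
    sampling = (0b01 << 14) | sampling_rate
    header = V5_HEADER.pack(5, count, 1000, 1589068800, 0, 42, 0, engine_id, sampling)
    return header + bytes(count * V5_RECORD_LEN)


if __name__ == "__main__":
    print(check_export(build_sample(5, 100), engine_id=5, sampling_rate=100))
```

A datagram whose header does not match the router's engine-id and sampling-rate points to a misconfigured or unexpected exporter, and a wrong sampling rate makes the collector scale traffic volumes incorrectly.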