Netflow local on the router

Enable Netflow to a destination
ip flow-export destination 10.10.1.2 9996
ip flow-export source loopback0
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15

The 9996 is the port that the Netflow application at 10.10.1.2 is listening on.
Under each interface you must also add:
ip route-cache flow

Enable Netflow locally
ip flow-top-talkers
 top 10
 sort-by bytes

You still need to add ip route-cache flow under the interfaces

Viewing Netflow Information
show ip flow top-talkers

RTR-7206VXR#show ip flow top-talkers 
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Se1/0 69.51.51.6 Local 69.51.51.5 2F 0000 0000 2448M
Gi0/2 10.1.240.78 Tu0 10.125.1.5 06 05DC 26D9 708M
Se1/0 69.51.51.6 Local 69.51.51.5 32 E556 29EA 431M
Tu0 10.125.1.5 Gi0/1 10.1.240.78 06 26FD 05DC 362M
Tu0 10.125.1.5 Gi0/1 10.1.240.78 06 26FC 05DC 343M
Tu0 10.125.1.5 Gi0/1 10.1.240.78 06 26ED 05DC 332M
Tu0 10.125.1.5 Gi0/1 10.1.240.78 06 2701 05DC 329M
Tu0 10.125.1.5 Gi0/1 10.1.240.78 06 26FB 05DC 300M
Tu0 10.125.1.5 Gi0/1 10.1.240.78 06 26F9 05DC 294M
Tu0 10.125.1.5 Gi0/1 10.1.240.78 06 26D9 05DC 163M
10 of 10 top talkers shown. 2598 flows processed.

You can see the source and destination IP’s, Ports, and the volume. Note that the ports are in hexadecimal.

Update: I saw someone posted an EEM applet that will do the above but put it in a nice format and translate the hex. I’ll try it out and post the results.

Leave a Reply

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.