Netflow local on the router

Enable Netflow to a destination
ip flow-export destination 9996
ip flow-export source loopback0
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15

The 9996 is the port that the Netflow application at is listening on.
Under each interface you must also add:
ip route-cache flow

Enable Netflow locally
ip flow-top-talkers
 top 10
 sort-by bytes

You still need to add ip route-cache flow under the interfaces

Viewing Netflow Information
show ip flow top-talkers

RTR-7206VXR#show ip flow top-talkers 
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Se1/0 Local 2F 0000 0000 2448M
Gi0/2 Tu0 06 05DC 26D9 708M
Se1/0 Local 32 E556 29EA 431M
Tu0 Gi0/1 06 26FD 05DC 362M
Tu0 Gi0/1 06 26FC 05DC 343M
Tu0 Gi0/1 06 26ED 05DC 332M
Tu0 Gi0/1 06 2701 05DC 329M
Tu0 Gi0/1 06 26FB 05DC 300M
Tu0 Gi0/1 06 26F9 05DC 294M
Tu0 Gi0/1 06 26D9 05DC 163M
10 of 10 top talkers shown. 2598 flows processed.

You can see the source and destination IP’s, Ports, and the volume. Note that the ports are in hexadecimal.

Update: I saw someone posted an EEM applet that will do the above but put it in a nice format and translate the hex. I’ll try it out and post the results.

Leave a Reply