Collect data from Cisco NetFlow
See the changelog of the Cisco NetFlow Listener here.
The Cisco NetFlow Listener is a Pull Listener and therefore should not be used in environments with more than one cluster.
Overview
Onum supports integration with Cisco NetFlow.
Cisco NetFlow is a network protocol developed by Cisco for collecting and analyzing IP network traffic data. It enables network administrators to understand traffic patterns, identify potential issues, and optimize network performance.
Select Cisco NetFlow from the list of Listener types and click Configuration to start.
Cisco NetFlow setup
In order to begin listening for data, you must first:
Enable IP routing
Enable Cisco Express Forwarding (CEF)
See the Cisco NetFlow configuration guide for help with this.
Onum setup
Log in to your Onum tenant and click Listeners > New listener.
Double-click the Cisco NetFlow Listener.
Enter a Name* for the new Listener. Optionally, add a Description and some Tags to identify the Listener.
In the Socket section, enter the following:
Transport protocol* - Currently, Onum only supports the UDP protocol.
Port* - Enter the required IP port number. By default, Cisco NetFlow typically uses UDP port 2055 for exporting flow data.
Configure the Flow parameters:
Protocols to process* - Select the required protocol(s) from the list:
NetflowV5 is the most widely used version.
NetflowV9 is more customizable than v5.
IPFIX is based on the IPFIX standard (IP Flow Information Export).
sFlowv5 is another flow monitoring protocol that is typically used in high-speed networks.
Fields to include* - Select all the fields you wish to include in the output data.
Field selection should match the fields actually present in your data. Selecting non-existing fields will result in null values and may cause unexpected behavior.
Check the table below for proposed safe field sets for each protocol.
Choose your Access control type* to selectively monitor traffic based on specific IPs:
None - allows all IPs.
Whitelist - allows certain IPs through.
Blacklist - blocks certain IPs from being captured or exported.
Enter the IPs you wish to apply the access control to. Click Add element to add as many as required.
Finally, click Create labels. Optionally, you can set labels to be used for internal Onum routing of data. By default, data will be set as Unlabeled. Click Create listener when you're done.
Learn more about labels in this article.
Proposed field sets
Check the following table for recommended safe field sets per protocol (NetflowV5, NetflowV9, IPFIX and sFlowv5). We recommend using these as a baseline to work from rather than selecting all available fields by default.
For NetflowV9 and IPFIX, since both are template-based protocols, the safe field set will always depend on the fields declared in the exporter's template.
As a general rule, only select fields that you have confirmed are present in your exporter's template. Selecting fields not declared in the template will result in those fields decoding as null and may cause unexpected behavior during Listener recovery or restart.
NetflowV5
NetflowV5 has a completely fixed format with no templates, meaning the following fields are always present and safe to use in any standard implementation:
SrcAddr
DstAddr
SrcPort
DstPort
Proto
Bytes
Packets
TimeFlowStart
TimeFlowEnd
InIf
OutIf
IPTos
SequenceNum
SamplingRate
SamplerAddress
TimeReceived
NetflowV9
NetflowV9 is dynamic and depends on the template declared by the exporter. The fields most commonly exported by standard Cisco devices and considered safe as a baseline are:
SrcAddr
DstAddr
SrcPort
DstPort
Proto
Bytes
Packets
TimeFlowStart - flowStartMilliseconds
TimeFlowEnd - flowEndMilliseconds
InIf
OutIf
IPTos
SequenceNum
SamplerAddress
TimeReceived
These groups of fields should not be selected unless explicitly declared in the exporter's template:
MPLS
PPP
encap
IPv6
VLAN
MAC
Fragment
VRF
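One way to confirm which fields an exporter's NetFlow v9 template declares before selecting them in the Listener, as an added example that is not Onum's code. It parses template FlowSets as laid out in RFC 3954; the mapping from field type IDs to Listener field names, the function names and the sample packet are assumptions constructed for this example.

```python
import struct

# NetFlow v9 / IPFIX field type IDs mapped to the Listener field names on
# this page. The ID-to-name pairing is an assumption made for this example.
V9_TYPE_TO_FIELD = {
    1: "Bytes", 2: "Packets", 4: "Proto", 5: "IPTos", 7: "SrcPort",
    8: "SrcAddr", 10: "InIf", 11: "DstPort", 12: "DstAddr", 14: "OutIf",
    21: "TimeFlowEnd", 22: "TimeFlowStart", 152: "TimeFlowStart", 153: "TimeFlowEnd",
}

def template_fields(packet):
    """Return {template_id: set of field type IDs} for a NetFlow v9 packet."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, off = {}, 20  # FlowSets start after the 20-byte header
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, off)
        if set_len < 4 or off + set_len > len(packet):
            raise ValueError("FlowSet length runs outside the packet")
        pos, end = off + 4, off + set_len
        while set_id == 0 and pos + 4 <= end:  # FlowSet ID 0 = templates
            tmpl_id, count = struct.unpack_from("!HH", packet, pos)
            if tmpl_id < 256:  # template IDs start at 256; this is padding
                break
            if pos + 4 + 4 * count > end:
                raise ValueError("template record is truncated")
            pairs = struct.unpack_from(f"!{2 * count}H", packet, pos + 4)
            templates[tmpl_id] = set(pairs[0::2])  # keep types, drop lengths
            pos += 4 + 4 * count
        off += set_len
    return templates

def undeclared(selected, declared_types):
    """Selected template-derived fields that the template does not declare."""
    declared = {V9_TYPE_TO_FIELD.get(t) for t in declared_types}
    known = set(V9_TYPE_TO_FIELD.values())
    # Names outside the map (e.g. TimeReceived) do not come from the template.
    return sorted(f for f in selected if f in known and f not in declared)

def build_sample_packet(fields, template_id=260):
    """Constructed test input: v9 header plus one template FlowSet."""
    record = struct.pack("!HH", template_id, len(fields))
    record += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    header = struct.pack("!HHIIII", 9, 1, 1000, 1700000000, 1, 0)
    return header + struct.pack("!HH", 0, 4 + len(record)) + record

# Constructed template: SrcAddr, DstAddr, SrcPort, DstPort, Proto, Bytes, Packets
SAMPLE = build_sample_packet([(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)])
```

Feed `template_fields` a UDP payload captured from your own exporter, then pass the field names you plan to select to `undeclared`; anything it returns would decode as null with that template.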
IPFIX
Like NetflowV9, IPFIX is template-based. The recommended core safe fields are practically the same:
SrcAddr
DstAddr
SrcPort
DstPort
Proto
Bytes
Packets
TimeFlowStart
TimeFlowEnd
InIf
OutIf
IPTos
SequenceNum
SamplerAddress
TimeReceived
sFlowv5
sFlow is a sampling protocol with a different structure to NetFlow. The most commonly available fields are:
SrcAddr
DstAddr
SrcPort
DstPort
Proto
Bytes
Packets
InIf
OutIf
TimeReceived
SamplingRate
SamplerAddress