This article describes how to set up a device to export NetFlow data to NTA. NetFlow is a feature that facilitates traffic analysis on Cisco IOS-enabled devices, and its work begins at the network device itself. To communicate the traffic data it holds, any NetFlow-enabled device must be configured to send (push, or export) that data to specific collection targets.
Orion NTA collects NetFlow data (by default, on port 2055) only if a network device is specifically configured to send to it. As a NetFlow collector, Orion NTA can receive exported NetFlow version 5 data and NetFlow version 9 data that includes all fields of the NetFlow version 5 template. Once it collects NetFlow traffic data, Orion NTA analyzes device bandwidth usage in terms of the source and destination endpoints of conversations reflected in the traffic.
Verify the following for NTA to correctly process NetFlow data and process relevant traffic statistics:
- Each device must be configured to export NetFlow data to Orion NTA.
- Each device that exports NetFlow data to Orion NTA must be monitored in Orion NPM.
- Traffic from a device that is not monitored in Orion NPM appears only in aggregate as traffic from unmonitored devices. If the device is set up to export data to Orion NTA, but is unmonitored in NPM, the collector may receive the data without being able to meaningfully analyze it.
- The specific interface through which a device exports NetFlow data must be monitored in Orion NPM, and the interface index number for this interface in the Orion database (interface table) must match the index number in the collected flow data.
- Log in to the network device.
- Use the following commands to enable NetFlow on a Cisco device:
ip flow-export source <export interface>
ip flow-export version 5
ip flow-export destination <Orion server IP address> 2055
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
snmp-server ifindex persist
For detailed information see Enabling NetFlow for Cisco IOS.
For information on enabling NetFlow on Cisco ASA devices, consult this SolarWinds Knowledge Base article that provides an example NetFlow Config - Cisco ASA.
Otherwise, consult these examples as relevant to your device:
Foundry sFlow Configuration
Extreme sFlow Configuration
HP sFlow Configuration
If your network device is of a different vendor, consult that vendor’s documentation.
- Verify that your device and its NetFlow exporting interface are being monitored in Orion.
- To verify that a device is exporting data as expected, use a packet capture tool (for example, Wireshark) to search for packets sent from the network device to the Orion server.
To verify that the IP address of the exporting interface on the network device is the one being monitored in Orion:
- Open a CLI and log in to the network device.
- Type show run to see the device’s running configuration.
- Scroll to the lines where the export source interface is defined. For example, we see ip flow-export source Ethernet0/0.
- To discover the IP address for this interface, type show run int Ethernet0/0. You should be able to see that the interface’s IP address is being monitored in the Orion server.
In the Orion Web Console, in the NetFlow module, you should see NetFlow-enabled nodes listed in the NetFlow Sources resource.
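The packet-capture check and the interface index requirement above can be combined. The following is an added example, not SolarWinds code: it parses the UDP payload of a NetFlow version 5 export datagram and reports any interface index in the flow records that is missing from a set of monitored indexes. The sample datagram, the addresses, and the monitored set {1, 2} are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(payload):
    """Parse one NetFlow v5 export datagram (UDP payload) into flow dicts."""
    if len(payload) < HEADER.size:
        raise ValueError("payload shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(payload)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(payload) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram: header count exceeds payload")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(payload, HEADER.size + i * RECORD.size)
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "in_if": f[3], "out_if": f[4], "octets": f[6]})
    return flows

def unmonitored_ifindexes(flows, monitored):
    """Return ifIndex values seen in flows but absent from the monitored set.
    Index 0 is skipped (assumption: it marks flows with no interface)."""
    seen = {f["in_if"] for f in flows} | {f["out_if"] for f in flows}
    return sorted(seen - set(monitored) - {0})

def build_sample():
    """Constructed sample datagram: two flows, ifIndex 1->2 and 3->2."""
    hdr = HEADER.pack(5, 2, 1000, 1700000000, 0, 42, 0, 0, 0)
    def rec(src, dst, in_if, out_if, octets):
        return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                           bytes(4), in_if, out_if, 10, octets, 0, 500,
                           51000, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return (hdr + rec("192.0.2.10", "198.51.100.5", 1, 2, 8400)
                + rec("192.0.2.11", "198.51.100.5", 3, 2, 1200))

if __name__ == "__main__":
    flows = parse_v5(build_sample())
    for f in flows:
        print(f)
    # Hypothetical: ifIndex 1 and 2 are the interfaces monitored in Orion NPM
    print("ifIndex not monitored:", unmonitored_ifindexes(flows, {1, 2}))
```

To use it on real traffic, pass in the UDP payload bytes of a packet captured on port 2055 and the interface index values that Orion lists for the exporting node.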