NetFlow is a protocol for exporting per-flow metadata about IP traffic (endpoints, ports, protocol, byte and packet counts) rather than the packets themselves. NetFlow data is sent from a flow exporter to a flow collector. Services and applications that serve as NetFlow collectors are designed to receive the NetFlow data sent from exporters, aggregate the information, and provide data visualization and exploration tool sets.
Exporting NetFlow data about traffic on an MX or Z1 network can be useful in a variety of scenarios, including the following:
MX and Z1 NetFlow functionality is only available on newer firmware versions. You can verify that the firmware is up to date on the Appliance Status page.
Several versions of NetFlow have been introduced since its inception. All MX models and Z1s export NetFlow version 9.
One of the features introduced in NetFlow version 9 is templates. Rather than using a fixed record layout, the exporter periodically sends a template that defines the fields (and their lengths) contained in subsequent flow records; a collector cannot decode data records until it has received the matching template. Data fields that an MX or Z1 will export via NetFlow are:
The fields exported are based on the NetFlow Version 9 Flow-Record Format. The following image shows an example packet capture of a NetFlow Template:
NetFlow updates for a given flow are sent periodically as data becomes available, at most once every 3 seconds per flow. Where possible, updates for multiple flows are batched into a single export packet to reduce the traffic footprint.
The following image shows example contents of multiple flow updates in a single packet:
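As an added example (not Meraki code), the following Python decoder shows how a collector handles both structures above: it learns the template from a FlowSet with ID 0, then decodes the batched records of the data FlowSet that references it. The field list and the two records are a constructed sample built by `build_sample_packet`, not the MX/Z1 template; the field type numbers are the standard NetFlow v9 ones (RFC 3954).

```python
"""Minimal NetFlow v9 decoder: learn templates, then decode batched data records.
Added example, not Meraki code. SAMPLE_FIELDS is a constructed template."""
import ipaddress
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, sequence, sourceId

# Field type numbers from the NetFlow v9 field definitions (RFC 3954).
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
}
IPV4_FIELDS = {8, 12, 15}

# Constructed sample template (field type, length in bytes); not the MX/Z1 template.
SAMPLE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4), (10, 2), (14, 2)]


def decode_field(ftype, raw):
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_template_flowset(body, source_id, templates):
    """FlowSet ID 0: one or more (template id, field count, fields...) entries."""
    off = 0
    while off + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, off)
        off += 4
        if nfields == 0:          # zero padding at the end of the FlowSet
            break
        fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
        off += 4 * nfields
        templates[(source_id, tid)] = fields   # templates are scoped per exporter source ID


def parse_data_flowset(body, fields):
    rec_len = sum(flen for _, flen in fields)
    records, off = [], 0
    while off + rec_len <= len(body):     # trailing bytes shorter than a record are padding
        rec = {}
        for ftype, flen in fields:
            rec[FIELD_NAMES.get(ftype, "FIELD_%d" % ftype)] = decode_field(ftype, body[off:off + flen])
            off += flen
        records.append(rec)
    return records


def parse_packet(buf, templates):
    """Decode one export packet. `templates` persists across packets because a
    data FlowSet can only be decoded once its template has been seen."""
    version, count, _uptime, _secs, seq, source_id = HEADER.unpack_from(buf)
    if version != 9:
        raise ValueError("not NetFlow v9: version %d" % version)
    result = {"header": {"count": count, "sequence": seq, "source_id": source_id},
              "records": [], "unknown_templates": []}
    off = HEADER.size
    while off + 4 <= len(buf):
        fs_id, length = struct.unpack_from("!HH", buf, off)
        if length < 4 or off + length > len(buf):
            raise ValueError("bad FlowSet length at offset %d" % off)
        body = buf[off + 4:off + length]
        if fs_id == 0:
            parse_template_flowset(body, source_id, templates)
        elif fs_id >= 256:                    # data FlowSet; the ID names its template
            fields = templates.get((source_id, fs_id))
            if fields is None:
                result["unknown_templates"].append(fs_id)   # must wait for the template
            else:
                result["records"].extend(parse_data_flowset(body, fields))
        # FlowSet ID 1 (options template) and 2..255 (reserved) are skipped here
        off += length
    return result


def build_sample_packet(include_template=True):
    """Constructed export packet: a template FlowSet (template 256) followed by a
    data FlowSet with two records (a DNS query, an HTTPS flow) padded to a 4-byte
    boundary. Addresses are from the RFC 5737 documentation ranges."""
    def pack_record(values):
        out = b""
        for ftype, flen in SAMPLE_FIELDS:
            v = values[ftype]
            out += ipaddress.IPv4Address(v).packed if isinstance(v, str) else v.to_bytes(flen, "big")
        return out

    template = struct.pack("!HH", 256, len(SAMPLE_FIELDS)) + b"".join(
        struct.pack("!HH", t, l) for t, l in SAMPLE_FIELDS)
    template_fs = struct.pack("!HH", 0, 4 + len(template)) + template
    records = (pack_record({8: "10.0.1.25", 12: "192.0.2.53", 7: 51234, 11: 53, 4: 17, 1: 74, 2: 1, 10: 1, 14: 2})
               + pack_record({8: "10.0.1.25", 12: "203.0.113.10", 7: 49812, 11: 443, 4: 6, 1: 5120, 2: 12, 10: 1, 14: 2}))
    pad = (-len(records)) % 4
    data_fs = struct.pack("!HH", 256, 4 + len(records) + pad) + records + b"\x00" * pad
    header = HEADER.pack(9, 3, 123456, 1700000000, 41, 0)   # count: 1 template + 2 data records
    return header + (template_fs if include_template else b"") + data_fs


if __name__ == "__main__":
    learned = {}
    for rec in parse_packet(build_sample_packet(), learned)["records"]:
        print(rec)
```

Feeding the data FlowSet without its template (`build_sample_packet(include_template=False)`) into a fresh `templates` dict yields no records and lists template 256 as unknown, which is exactly why a collector started after the exporter shows nothing until the next template refresh arrives.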
NetFlow can be configured in Dashboard on the Network-wide > Configure > General page. NetFlow configuration settings are found under the Reporting header, with the following options:
NetFlow data can be exported to a collector on the LAN of an MX, across a site-to-site VPN connection, or over the public Internet.
NetFlow is carried in plain UDP with no encryption or authentication. If the collector is reached over the public Internet, a man in the middle (or any other on-path observer) can read the exported flow records, which reveal internal addresses and the peers they communicate with. Sending the updates across a site-to-site VPN, or keeping the collector on the LAN, avoids exposing them in transit.
The current Meraki-specific requirements for NetFlow are as follows:
There are a number of server options available for NetFlow collection. Cisco Meraki recommends configuring an "ELK" stack, a combination of Logstash for parsing, Elasticsearch for data storage, and Kibana for visualization.
Refer to your NetFlow collector's documentation for configuration specifics; this article provides an example ELK stack configuration.
In some circumstances, a NetFlow collector may not receive NetFlow updates. To troubleshoot this, the following steps are recommended:
Check the configured NetFlow collector IP and NetFlow collector port configured in Dashboard (Network-wide > Configure > General). Ensure that the IP address and port number entered in Dashboard match the current IPv4 address of the NetFlow collector, and the current UDP port the NetFlow collector is listening on.
If the communication path between an MX/Z1 and the NetFlow collector is not operational, the collector may not receive NetFlow updates. If the NetFlow collector is configured to respond to ICMP messages, a ping test to the NetFlow collector's IP address from the Ping Live Tool (Security appliance / Teleworker gateway > Monitor > Appliance Status) will verify IP connectivity between the MX/Z1 and the NetFlow collector. If the ping test fails, it is recommended to perform the same test with another client device.
If the NetFlow collector is not configured to respond to ICMP messages, but has other services configured (e.g. web or SSH), try to access those services from a client device behind the MX or Z1.
If the MX/Z1 can send traffic to the collector but NetFlow data is still not populating, verify that NetFlow traffic is flowing as expected.
To confirm that the MX or Z1 is sending NetFlow traffic, take a packet capture on the appropriate interface. It is recommended to set the output to "Download .pcap file (for Wireshark)."
In the packet capture, we would expect to see periodic UDP traffic sent to the configured NetFlow collector IP and port.
If the NetFlow collector is reached across a Non-Meraki VPN tunnel, the capture will only show encrypted ESP traffic; it is not possible to decrypt it to view the NetFlow updates directly.
If NetFlow updates are being sent from the MX or Z1 to the correct IP address and port for the NetFlow collector, it is also recommended to perform a packet capture on the NetFlow collector. If the NetFlow collector is not receiving the updates sent from the MX or Z1, any hops between the MX or Z1 and the NetFlow collector should be investigated to ensure that NetFlow updates are not being dropped or routed incorrectly. This could occur if a firewall between the two devices is not configured to permit UDP traffic to the collector's port.
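When a capture on the collector shows the datagrams arriving but the collector application still reports nothing, it helps to take the collector software out of the loop. The listener below is an added example, not part of this article or of any collector product: run it on the collector host with the real collector stopped (only one process can bind the port), and it reports each datagram's source and NetFlow v9 header and counts export packets lost in transit using the per-packet sequence number. The port 2055 default is an assumption; use the port configured in Dashboard.

```python
"""Throw-away UDP listener for the collector host, to separate "NetFlow never
arrives" from "it arrives but the collector rejects it". Added example, not
Meraki code; PORT 2055 is an assumption (use the port set in Dashboard)."""
import socket
import struct
import time

PORT = 2055
HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, sequence, sourceId


def summarize_datagram(data, src_ip):
    """Describe one datagram: source, size and, if long enough, the v9 header."""
    info = {"src": src_ip, "bytes": len(data)}
    if len(data) < HEADER.size:
        info["error"] = "shorter than a NetFlow v9 header"
        return info
    version, count, _uptime, _secs, seq, source_id = HEADER.unpack_from(data)
    info.update(version=version, count=count, sequence=seq, source_id=source_id)
    if version != 9:   # MX/Z1 export version 9; anything else is not from the appliance
        info["error"] = "not NetFlow v9 (version %d)" % version
    return info


def sequence_gaps(summaries):
    """Count export packets lost between consecutive v9 packets from the same
    exporter (src, source_id). The v9 sequence number increments once per export
    packet, so a jump from n to n+k means k-1 packets never arrived."""
    last = {}
    lost = 0
    for s in summaries:
        if s.get("version") != 9:
            continue
        key = (s["src"], s["source_id"])
        if key in last and s["sequence"] > last[key] + 1:
            lost += s["sequence"] - last[key] - 1
        last[key] = s["sequence"]
    return lost


def listen(bind_ip="0.0.0.0", port=PORT, seconds=30.0):
    """Receive datagrams for `seconds`, print each as it arrives, and return the
    summaries so the caller can check for loss afterwards."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    sock.settimeout(1.0)
    seen = []
    deadline = time.monotonic() + seconds
    try:
        while time.monotonic() < deadline:
            try:
                data, (src_ip, _src_port) = sock.recvfrom(65535)
            except socket.timeout:
                continue
            seen.append(summarize_datagram(data, src_ip))
            print(seen[-1])
    finally:
        sock.close()
    return seen


if __name__ == "__main__":
    received = listen()
    print("datagrams: %d, export packets lost in transit: %d"
          % (len(received), sequence_gaps(received)))
```

If the script sees nothing while the MX-side capture shows updates leaving, the problem is on the path (firewall, routing, VPN); if it sees v9 datagrams with no gaps, the collector configuration itself is the next thing to check.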
Please consider the following additional notes when using NetFlow.
In many cases, Wireshark will not be able to natively render the NetFlow payload:
Wireshark only applies its NetFlow (CFLOW) dissector to a few well-known UDP ports by default, so updates sent to another collector port are shown as plain UDP. If Wireshark does not render the payload as NetFlow data, a small configuration change in Wireshark is needed. This can be achieved using the following steps:
Wireshark will now correctly interpret this data as NetFlow data.
SolarWinds NTA ignores NetFlow packets that do not contain either an SNMP ingress or egress interface index. The MX supports export of an SNMP ingress or egress interface index via NetFlow.