CA Network Flow

Analysis - 9.3.3
Set Up the Routers

Date:

25-Oct-2016

CA Network Flow Analysis - 9.3.3

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as
the Documentation) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This
Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or
duplicated, in whole or in part, without the prior written consent of CA.
If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with
that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION AS IS WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.
The manufacturer of this Documentation is CA.
Provided with Restricted Rights. Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.
Copyright 2016 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.

25-Oct-2016

3/6

Table of Contents

Set Up the Routers 4

CA Network Flow Analysis - 9.3.3

Set Up the Routers

Enable NetFlow on each CA Network Flow Analysis router by completing the following steps. You can
configure routers to export any of the following flow protocols:
NetFlow v5, v7, v9, and Random Sampled NetFlow
sFlow version 5
IPFIX, J-Flow, cFlow, and NetStream flow that complies with the standards for NetFlow v5, v7, or
v9
Notes:
Configure flow from each source to be exported to a single Harvester. If flow from one source is
exported to multiple Harvesters, a number of problems result. If this occurs, contact CA Support (
http://www.ca.com/support) for help.
NetFlow provides a broad view of your network packet streams by creating flow records for all
packets. The data from these flow records represents all packets. Sampled NetFlow/IPFIX and
sFlow take samples from your packet streams, producing fewer flow records and lessening the
impact to a collector. The lower your sampling rate, the less precise the data is likely to be.
Cisco documentation notes that "Sampled NetFlow does not allow random sampling and thus can
make statistics inaccurate when traffic arrives in fixed patterns." Therefore, if you choose
NetFlow v9 Sampling, you must use Random Sampled NetFlow. Refer to the Cisco documentation
for your hardware and IOS version for more details.
In order for data from non-sampled flows to appear in reports of 15-minute (historical) data, the
following minimum fields are required:
One of the following:
1 - IN_BYTES
85 - IN_PERMANENT_BYTES
231 - FW_INITIATOR_OCTETS
232 - FW_RESPONDER_OCTETS
4 - PROTOCOL
7 - L4_SRC_PORT
8 - IPV4_SRC_ADDR
10 - INPUT_SNMP
11 - L4_DST_PORT

25-Oct-2016

5/6

CA Network Flow Analysis - 9.3.3

12 - IPV4_DST_ADDR
14 - OUTPUT_SNMP
Follow these steps:
1. Back up the current router configuration.
2. Configure NetFlow export for each interface individually:
a. Set the flow export version.
b. Set the flow source IP address. Cisco recommends that you configure a loopback
source interface. The IP addresses of non-loopbacked interfaces can change.
c. Set the flow destination IP address and set the destination port to 9995. If you are
using a custom value for the harvester listening port, use that value as the destination
port. The port values must match or the Harvester does not receive flow data.
d. Set the flow expiration timeout to 1 minute.
3. Enable flow for each interface.
NetFlow v5 or v5-compatible flow:
Monitoring multiple interfaces on a router: Use either all ingress or all egress. Use the
same option for all of the interfaces. Ingress and egress values may vary slightly due to
routers dropping packets and changing ToS values as traffic travels between
interfaces.
Monitoring a single known interface on a router: Use ingress and egress. This option
results in fewer total flows from the router to the Harvester and puts less load on the
network and the Harvester.
NetFlow v9 or v9-compatible flow:
The Harvester identifies and deduplicates multiple flows on a single router, so you can use
ingress and egress on multiple interfaces. You may find it most efficient to use this option
for two or three interfaces. You have the option to enable ingress and egress across all
interfaces, but this configuration may put an unnecessary burden on the Harvester.
4. Configure SNMP index persistence on each router that supports this feature.

More information:
NetFlow Version 9 Flow-Record Format (http://www.cisco.com/en/US/technologies/tk648
/tk362/technologies_white_paper09186a00800a3db9.html)

25-Oct-2016

6/6