Cisco ASA NetFlow implementation requirements
When implementing ASA NetFlow, this paper should be used only in conjunction with the step-by-step instructions in the SolarWinds KB article Configuring Cisco ASA devices for use with SolarWinds NTA.
For an ASA device to export NetFlow data, the ASA must be configured with specific commands. Some of these are independent CLI commands, meaning they do not depend on other commands for order or precedence.
Before an ASA can be added to NTA, it must first be managed by the SolarWinds Platform. This requires the normal steps for adding a node in the SolarWinds Platform, and the SolarWinds Platform server must be a known SNMP host on the ASA. The following command must be in the ASA configuration before the ASA is added to the SolarWinds Platform.
(config)# snmp-server host {InterfaceName} {OrionServerIPAddress} community {Read-onlyCommunityString}
The independent CLI commands configure only the export of flow templates. These commands are:
(config)# flow-export destination {InterfaceName} {OrionServerIPAddress} 2055
(config)# flow-export template timeout-rate {#Minutes}
(config)# flow-export delay flow-create {#Seconds}
The first command is mandatory and starts the export of flow templates to the collector. To export to multiple collectors, repeat this command once for each collector, using that collector's unique IP address each time. The second and third commands change the template timers from their default values.
The next set of commands implements the flow exports using the Modular Policy Framework from Cisco. Modular Policy Framework is used to implement several security and QoS features and it consists of the following three entities:
- Traffic identification using a class map
- Actions to be taken as described by a policy map
- Application of the policy to an interface using a service policy
Because of the inherent hierarchy in this configuration, the commands are not independent. You cannot create a policy map without an existing class map, and the service policy depends on both the class map and the policy map being in place. Depending on the software version, six or seven individual commands implement the three mappings. These are:
(config)# access-list netflow-export extended permit ip any any
(config)# class-map netflow-export-class
(config-cmap)# match access-list netflow-export
(config)# policy-map {existing global policy map name}
(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type all destination {OrionServerIPAddress}
The last command (flow-export event-type all destination) exports flows to one or more NetFlow collectors. To export to multiple collectors, either repeat this command with a different collector IP address each time, or issue the command once and list every collector's IP address at the end of the command, separated by spaces.
Example 1
(config-pmap-c)# flow-export event-type all destination 10.110.21.5
(config-pmap-c)# flow-export event-type all destination 10.110.21.65
Example 2
(config-pmap-c)# flow-export event-type all destination 10.110.21.5 10.110.21.65
Support for multiple collectors may vary by ASA version.
Version 8.1 exporters require the flow-export enable command, which was deprecated in version 8.2. This command is independent of the other commands and is entered at the (config) prompt.
The last step in the Modular Policy Framework is normally to map the policy to an interface. With ASA NetFlow this is achieved differently: the existing global policy is already mapped to a service policy, so referring to that existing global policy makes the connection. Service policy commands that map the NetFlow policy directly to a particular interface are not supported on ASAs. Because the NetFlow class is added to the global policy map, it inherits the global policy's service policy and is applied to all interfaces automatically.
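As an added example (not part of the original KB), the following Python script checks an ASA running-config for the dependency chain just described: the global flow-export destination, the access list, the class map that matches it, and the class attached to the global policy map with its flow-export action. It assumes the default global policy map name global_policy and a constructed sample config in which the second collector is deliberately missing its global destination line.

```python
import re
# Constructed sample (not a real device); 10.110.21.65 deliberately lacks a global destination
SAMPLE_CONFIG = """\
access-list netflow-export extended permit ip any any
flow-export destination inside 10.110.21.5 2055
class-map netflow-export-class
 match access-list netflow-export
policy-map global_policy
 class netflow-export-class
  flow-export event-type all destination 10.110.21.5 10.110.21.65
service-policy global_policy global
"""

def parse_asa_netflow(text):
    """Collect NetFlow-relevant facts; ASA indents sub-modes one space per level."""
    f = {"global_dest": [], "acl": set(), "cmap_acl": {}, "pmap_class_dest": {}, "global_pmap": None}
    cmap = pmap = cls = None
    for raw in text.splitlines():
        depth, t = len(raw) - len(raw.lstrip(" ")), raw.strip()
        if depth == 0:
            cmap = pmap = cls = None  # back at the (config) prompt
            if m := re.match(r"flow-export destination \S+ (\S+) (\d+)$", t):
                f["global_dest"].append((m[1], int(m[2])))
            elif m := re.match(r"access-list (\S+) extended permit ip any any$", t):
                f["acl"].add(m[1])
            elif m := re.match(r"class-map (\S+)$", t):
                cmap = m[1]
            elif m := re.match(r"policy-map (\S+)$", t):
                pmap = m[1]
            elif m := re.match(r"service-policy (\S+) global$", t):
                f["global_pmap"] = m[1]
        elif depth == 1 and cmap and (m := re.match(r"match access-list (\S+)$", t)):
            f["cmap_acl"][cmap] = m[1]
        elif depth == 1 and pmap and (m := re.match(r"class (\S+)$", t)):
            cls = m[1]
        elif depth == 2 and cls and (m := re.match(r"flow-export event-type all destination (.+)$", t)):
            f["pmap_class_dest"].setdefault((pmap, cls), []).extend(m[1].split())
    return f

def netflow_export_problems(f):
    """Walk the access-list -> class-map -> global policy-map chain; [] means complete."""
    out, dests = [], {ip for ip, _ in f["global_dest"]}
    hooked = [k for k in f["pmap_class_dest"] if k[0] == f["global_pmap"]]
    if not hooked:
        out.append("no class under the global policy-map carries 'flow-export event-type all destination'")
    for pm, cl in hooked:
        if f["cmap_acl"].get(cl) not in f["acl"]:
            out.append(f"class-map {cl} is missing or does not match a defined access-list")
        out += [f"collector {ip} lacks a global flow-export destination" for ip in f["pmap_class_dest"][pm, cl] if ip not in dests]
    return out
```

Feed it the output of show running-config (for example from a scheduled backup) to confirm every collector named in the policy-map action also has a global flow-export destination, since without that line no templates reach it.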
It can be difficult to remember the format of these commands and where hyphens are used. The rule is that two or more words that together name a single entity or a single action are hyphenated. For example, a class map is a single entity, so it is written as class-map in the CLI. Netflow-export-class refers to the class defined by the (config)# class-map netflow-export-class command and so is also a single entity. Flow-export and flow-create each specify a single action and are hyphenated as well.