๐ Integrations
Huawei
origin-as
It is important to note that for ASNs (Autonomous System Numbers) to be exported, the router must have at least one full routing table.
- Example of an approved configuration.
Router (Root/Admin)
slot 0 <0-10>
ip netstream sampler to slot self
ipv6 netstream sampler to slot self
Router (Root/Admin/VS)
ip netstream export version 9 origin-as bgp-nexthop ttl
ip netstream export template sequence-number fixed
ip netstream export index-switch 32
ip netstream as-mode 32
ip netstream timeout active 1
ip netstream timeout inactive 15
ip netstream export template timeout-rate 1
ip netstream export template option timeout-rate 1
ip netstream export template option application-label
ip netstream sampler fix-packets 1024 inbound
ip netstream sampler fix-packets 1024 outbound
ip netstream export source IP_ORIGEM
ip netstream export host IP_DO_RR_FLOW_API 3055
ipv6 netstream export version 9 origin-as bgp-nexthop ttl
ipv6 netstream export template sequence-number fixed
ipv6 netstream export index-switch 32
ipv6 netstream as-mode 32
ipv6 netstream timeout active 1
ipv6 netstream timeout inactive 15
ipv6 netstream export template timeout-rate 1
ipv6 netstream export template option timeout-rate 1
ipv6 netstream sampler fix-packets 1024 inbound
ipv6 netstream sampler fix-packets 1024 outbound
ipv6 netstream export source IP_ORIGEM
ipv6 netstream export host IP_DO_RR_FLOW_API 3055
# Sampling serรก fixo:
undo ip netstream export template option sampler
undo ipv6 netstream export template option sampler
# Adicione as interfaces de upstream.
interface Virtual-Ethernet0/1/101.408
description Operadora_1_IPv4
ip netstream inbound
ip netstream outbound
interface Virtual-Ethernet0/1/101.409
description Operadora_1_IPv6
ipv6 netstream inbound
ipv6 netstream outbound
interface 40GE0/1/49.2114
description Operadora_2_IPv4e6
ip netstream inbound
ip netstream outbound
ipv6 netstream inbound
ipv6 netstream outbound
To view your settings as above, use the command:
display netstream all
If your Huawei router is configured to provide CGNAT services, it is possible to enable log export. However, note that detailed logging of NAT sessions can generate a substantial volume of data.
Configuration example:
nat instance INSTANCE-NAME id 1 simple-configuration
nat log host RR_FLOW_API_IP 3055 source ORIGIN_IP 3055 name RR_FLOW
nat log session enable netstream
It is extremely important that the time/UTC of the flow exporting router is properly configured.
display clock
To adjust the time:
system-view immediately
UTC for your region, for example -3:
clock timezone 1 minus 03:00:00
Set the time manually:
run clock datetime HH:MM:SS YYYY-MM-DD
run clock datetime 12:10:30 2024-04-24
Synchronize with the ntp.br time server (https://ntp.br/)
ntp-service server disable
ntp-service ipv6 server disable
ntp-service server source-interface all disable
ntp-service ipv6 server source-interface all disable
ntp-service unicast-peer 200.160.0.8
ntp-service unicast-server 200.160.0.8
ntp-service unicast-server 200.160.7.186
ntp-service unicast-server 200.189.40.8
ntp-service refclock-master 2
ntp-service sync-interval 180
ntp-service source-interface <public_ip_interface>
Frequently Asked Questions
ORIGIN_IP - Usually the IP of the Loopback interface.
RR_FLOW_API_IP IP address of the RR Flow server that will receive the data.
In both cases, you can configure only IPv4 or IPv6, for example:
ip netstream export source 10.50.50.50
ip netstream export host 172.16.0.100 3055
ipv6 netstream export source 10.50.50.50
ipv6 netstream export host 172.16.0.100 3055
Or
ip netstream export source 2001:db8:ffff:ffff::ffff
ip netstream export host 2001:db8:cafe:d0ce::50 3055
ipv6 netstream export source 2001:db8:ffff:ffff::ffff
ipv6 netstream export host 2001:db8:cafe:d0ce::50 3055
ip netstream inbound | ip netstream outbound Associate with the interfaces configured with IPv4 that will send the flows. Usually only the upstream interfaces.
interface 40GE0/1/49.32
vlan-type dot1q 32
description ISP_IPv4
ip address 10.10.10.6 255.255.255.252
statistic enable
ip netstream inbound
ip netstream outbound
ipv6 netstream inbound | ipv6 netstream outbound Associate with the interfaces configured with IPv6 that will send the flows. Usually only the upstream interfaces.
interface 40GE0/1/49.128
vlan-type dot1q 128
description ISP_IPv6
ipv6 enable
ipv6 address 2001:DB8:1:1:1::2/64
statistic enable
ipv6 netstream inbound
ipv6 netstream outbound
If the interface has both IPv4 and IPv6
interface 40GE0/1/49.3264
vlan-type dot1q 3264
description ISP_IPv6
ip address 10.10.10.6 255.255.255.252
ipv6 enable
ipv6 address 2001:DB8:1:1:1::2/64
statistic enable
ipv6 netstream inbound
ipv6 netstream outbound
Juniper
Contribution by @Maykbn using MX204.
set services flow-monitoring version-ipfix template ipv4 flow-active-timeout 60
set services flow-monitoring version-ipfix template ipv4 flow-inactive-timeout 15
set services flow-monitoring version-ipfix template ipv4 template-refresh-rate seconds 30
set services flow-monitoring version-ipfix template ipv4 option-refresh-rate seconds 30
set services flow-monitoring version-ipfix template ipv4 ipv4-template
set services flow-monitoring version-ipfix template ipv6 flow-active-timeout 60
set services flow-monitoring version-ipfix template ipv6 flow-inactive-timeout 15
set services flow-monitoring version-ipfix template ipv6 template-refresh-rate seconds 30
set services flow-monitoring version-ipfix template ipv6 option-refresh-rate seconds 30
set services flow-monitoring version-ipfix template ipv6 ipv6-template
set services flow-monitoring version-ipfix template ipv6 flow-key flow-direction
set forwarding-options sampling instance netflow input rate 1024
set forwarding-options sampling instance netflow input run-length 0
set forwarding-options sampling instance netflow family inet output flow-active-timeout 60
set forwarding-options sampling instance netflow family inet output flow-server DESTINATION_IP port DESTINATION_PORT
set forwarding-options sampling instance netflow family inet output flow-server DESTINATION_IP autonomous-system-type origin
set forwarding-options sampling instance netflow family inet output flow-server DESTINATION_IP no-local-dump
set forwarding-options sampling instance netflow family inet output flow-server DESTINATION_IP version-ipfix template ipv4
set forwarding-options sampling instance netflow family inet output inline-jflow source-address SOURCE_IP
set forwarding-options sampling instance netflow family inet6 output flow-active-timeout 60
set forwarding-options sampling instance netflow family inet6 output flow-server DESTINATION_IP port DESTINATION_PORT
set forwarding-options sampling instance netflow family inet6 output flow-server DESTINATION_IP autonomous-system-type origin
set forwarding-options sampling instance netflow family inet6 output flow-server DESTINATION_IP no-local-dump
set forwarding-options sampling instance netflow family inet6 output flow-server DESTINATION_IP version-ipfix template ipv6
set forwarding-options sampling instance netflow family inet6 output inline-jflow source-address SOURCE_IP
set chassis fpc 0 sampling-instance netflow
set chassis fpc 0 inline-services flow-table-size ipv4-flow-table-size 10
set chassis fpc 0 inline-services flow-table-size ipv6-flow-table-size 5
# Add the upstream interfaces.
set interfaces ge-0/0/0 unit 0 family inet sampling input
set interfaces ge-0/0/0 unit 0 family inet sampling output
set interfaces ge-0/0/0 unit 0 family inet6 sampling input
set interfaces ge-0/0/0 unit 0 family inet6 sampling output
Contribution by @charles_barreto using MX104/MX80.
set services flow-monitoring version-ipfix template ipv4 flow-active-timeout 60
set services flow-monitoring version-ipfix template ipv4 flow-inactive-timeout 15
set services flow-monitoring version-ipfix template ipv4 template-refresh-rate seconds 30
set services flow-monitoring version-ipfix template ipv4 option-refresh-rate seconds 30
set services flow-monitoring version-ipfix template ipv4 ipv4-template
set services flow-monitoring version-ipfix template ipv6 flow-active-timeout 60
set services flow-monitoring version-ipfix template ipv6 flow-inactive-timeout 15
set services flow-monitoring version-ipfix template ipv6 template-refresh-rate seconds 30
set services flow-monitoring version-ipfix template ipv6 option-refresh-rate seconds 30
set services flow-monitoring version-ipfix template ipv6 ipv6-template
set services flow-monitoring version-ipfix template ipv6 flow-key flow-direction
set forwarding-options sampling instance netflow input rate 1024
set forwarding-options sampling instance netflow input run-length 0
set forwarding-options sampling instance netflow family inet output flow-active-timeout 15
set forwarding-options sampling instance netflow family inet output flow-server DESTINATION_IP port DESTINATION_PORT
set forwarding-options sampling instance netflow family inet output flow-server DESTINATION_IP autonomous-system-type origin
set forwarding-options sampling instance netflow family inet output flow-server DESTINATION_IP no-local-dump
set forwarding-options sampling instance netflow family inet output flow-server DESTINATION_IP version-ipfix template ipv4
set forwarding-options sampling instance netflow family inet output inline-jflow source-address SOURCE_IP
set forwarding-options sampling instance netflow family inet6 output flow-active-timeout 15
set forwarding-options sampling instance netflow family inet6 output flow-server DESTINATION_IP port DESTINATION_PORT
set forwarding-options sampling instance netflow family inet6 output flow-server DESTINATION_IP autonomous-system-type origin
set forwarding-options sampling instance netflow family inet6 output flow-server DESTINATION_IP no-local-dump
set forwarding-options sampling instance netflow family inet6 output flow-server DESTINATION_IP version-ipfix template ipv6
set forwarding-options sampling instance netflow family inet6 output inline-jflow source-address SOURCE_IP
set chassis afeb slot 0 sampling-instance netflow
# Add the upstream interfaces.
set interfaces xe-2/0/1 unit 0 family inet sampling input
set interfaces xe-2/0/1 unit 0 family inet sampling output
set interfaces xe-2/0/1 unit 1 family inet6 sampling input
set interfaces xe-2/0/1 unit 1 family inet6 sampling output
Cisco
Example 1
Contribution by @leofurtadonyc.
!
flow record RR_FLOW_RECORD_V4
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match bgp source-as
match bgp destination-as
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
flow record RR_FLOW_RECORD_V6
match ipv6 source address
match ipv6 destination address
match transport source-port
match transport destination-port
match bgp source-as
match bgp destination-as
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
!
flow exporter RR_FLOW_EXPORTER
destination RR_FLOW_API_IP
source SOURCE_IP
transport udp 3055
template data timeout 60
!
!
flow monitor RR_FLOW_MONITOR_V4
exporter RR_FLOW_EXPORTER
cache timeout active 60
cache timeout inactive 15
record RR_FLOW_RECORD_V4
!
flow monitor RR_FLOW_MONITOR_V6
exporter RR_FLOW_EXPORTER
cache timeout active 60
cache timeout inactive 15
record RR_FLOW_RECORD_V6
!
!
! Apply NetFlow to the upstream interfaces, examples:
!
!
interface GigabitEthernet0/0/0
ip address 10.0.0.1 255.255.255.252
ip flow monitor RR_FLOW_MONITOR_V4 input
ip flow monitor RR_FLOW_MONITOR_V4 output
!
interface GigabitEthernet0/0/1
ipv6 address 2001:DB8:ABCD::1/64
ipv6 flow monitor RR_FLOW_MONITOR_V6 input
ipv6 flow monitor RR_FLOW_MONITOR_V6 output
!
interface GigabitEthernet0/0/2
ip address 10.0.0.1 255.255.255.252
ipv6 address 2001:DB8:ABCD::1/64
ip flow monitor RR_FLOW_MONITOR_V4 input
ip flow monitor RR_FLOW_MONITOR_V4 output
ipv6 flow monitor RR_FLOW_MONITOR_V6 input
ipv6 flow monitor RR_FLOW_MONITOR_V6 output
!
Example 2
!
flow record RR_FLOW_RECORD_V4
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 id
collect ipv4 source prefix
collect ipv4 source mask
collect ipv4 destination mask
collect transport tcp flags
collect interface output
collect flow sampler
collect counter bytes
collect counter packets
collect counter bytes long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
flow record RR_FLOW_RECORD_V6
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 id
collect ipv4 source prefix
collect ipv4 source mask
collect ipv4 destination mask
collect transport tcp flags
collect interface output
collect flow sampler
collect counter bytes
collect counter packets
collect counter bytes long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
!
flow exporter RR_FLOW_EXPORTER
destination RR_FLOW_API_IP
source SOURCE_IP
transport udp 3055
template data timeout 60
!
!
flow monitor RR_FLOW_MONITOR_V4
exporter RR_FLOW_EXPORTER
cache timeout active 60
cache timeout inactive 15
record RR_FLOW_RECORD_V4
!
flow monitor RR_FLOW_MONITOR_V6
exporter RR_FLOW_EXPORTER
cache timeout active 60
cache timeout inactive 15
record RR_FLOW_RECORD_V6
!
!
! Apply NetFlow to the upstream interfaces, examples:
!
!
interface GigabitEthernet0/0/0
ip address 10.0.0.1 255.255.255.252
ip flow monitor RR_FLOW_MONITOR_V4 input
ip flow monitor RR_FLOW_MONITOR_V4 output
!
interface GigabitEthernet0/0/1
ipv6 address 2001:DB8:ABCD::1/64
ipv6 flow monitor RR_FLOW_MONITOR_V6 input
ipv6 flow monitor RR_FLOW_MONITOR_V6 output
!
interface GigabitEthernet0/0/2
ip address 10.0.0.1 255.255.255.252
ipv6 address 2001:DB8:ABCD::1/64
ip flow monitor RR_FLOW_MONITOR_V4 input
ip flow monitor RR_FLOW_MONITOR_V4 output
ipv6 flow monitor RR_FLOW_MONITOR_V6 input
ipv6 flow monitor RR_FLOW_MONITOR_V6 output
!
Nokia
Contribution by Mateus Canto
NetFlow configuration
configure system security source-address application cflowd <SOURCE_IP>
configure cflowd
active-flow-timeout 60
nactive-flow-timeout 15
cache-size 102400
overflow 10
template-retransmit 60
sample-profile 1 create
sample-rate 1024
exit
collector <RR_FLOW_API_IP>:<RR_FLOW_API_PORT> version 9
description "RR_FLOW_API"
router Base
no shutdown
exit
Enable collection on Upstream interfaces.
configure router interface "UPSTREAM_ISP"
cflowd-parameters
sampling unicast type interface direction ingress sample-profile 1
Commands for debugging
show cflowd status
show cflowd collector
show cflowd collector detail
show cflowd interface
Suggestion to adjust the Time (NTP)
configure system time ntp no shutdown
configure system time zone BRT -03
configure system time ntp server 200.160.7.186
configure system time ntp server 201.49.148.135
Manual Time Set
admin set-time 2025/02/13 12:01:00
Linux
No ASN Data Support
The softflowd and fprobe packages do not export ASN data in the flows, which can compromise the full display of information on the dashboards.
To resolve this limitation, it is recommended to use the proxyflow feature, which automatically injects ASN data.
When configuring source_path to integrate your Linux in config.json, set the sampling to value 1:
"sampling": 1
Using softflowd
Installation
Debian and Ubuntu:
apt update
apt install softflowd
Fedora:
dnf install softflowd
CentOS and RHEL:
yum install epel-release
yum install softflowd
Arch Linux:
yay -S softflowd
OpenSUSE:
zypper install softflowd
Configuration and Execution
To start softflowd monitoring the eth0 interface and exporting data to RR Flow API, use the following command:
softflowd -i eth0 -v 9 -t general=15s -t maxlife=60s -n <RR_FLOW_IP>:<RR_FLOW_API_PORT>
Example:
softflowd -i eth0 -v 9 -t general=15s -t maxlife=60s -n 10.20.30.40:3055
Parameters:
-i eth0: Specifies the network interface to be monitored.-v 9: Sets NetFlow version to 9.-t general=15s: Sets the inactivity timeout after which a flow is considered expired.-t maxlife=60s: Sets the maximum lifetime of a flow.-n <RR_FLOW_IP>:<PORT>: Specifies the RR Flow API IP address and port that will receive the data.
Continuous Execution
To ensure that softflowd runs continuously and starts automatically after reboots, create a service in systemd:
- Create the service file:
nano /etc/systemd/system/softflowd.service
- Add the following content:
[Unit]
Description=Softflowd NetFlow Exporter
After=network.target
[Service]
ExecStart=/usr/sbin/softflowd -i eth0 -v 9 -t general=15s -t maxlife=60s -n <RR_FLOW_IP>:<RR_FLOW_API_PORT>
Restart=on-failure
[Install]
WantedBy=multi-user.target
-
Save and exit the editor.
-
Enable and start the service:
systemctl enable softflowd
systemctl start softflowd
Using fprobe
Installation
Debian and Ubuntu:
apt update
apt install fprobe
Fedora:
dnf install fprobe
CentOS and RHEL:
yum install epel-release
yum install fprobe
Arch Linux:
yay -S fprobe
OpenSUSE:
zypper install fprobe
Configuration and Execution
To start fprobe monitoring the eth0 interface and exporting data to RR Flow API, use the following command:
fprobe -i eth0 -f ip -d 15 -e 60 <RR_FLOW_IP>:<RR_FLOW_API_PORT>
Example:
fprobe -i eth0 -f ip -d 15 -e 60 10.20.30.40:3055
Parameters:
-i eth0: Specifies the network interface to be monitored.-f ip: Filters IP packets.-d 15: Sets the inactivity timeout after which a flow is considered expired.-e 60: Sets the maximum lifetime of a flow.
Continuous Execution
To ensure that fprobe runs continuously and starts automatically after reboots, create a service in systemd:
- Create the service file:
bash
nano /etc/systemd/system/fprobe.service
- Add the following content:
[Unit]
Description=fprobe NetFlow Exporter
After=network.target
[Service]
ExecStart=/usr/sbin/fprobe -i eth0 -f ip -d 15 -e 60 <RR_FLOW_IP>:<RR_FLOW_API_PORT>
Restart=on-failure
[Install]
WantedBy=multi-user.target
-
Save and exit the editor.
-
Enable and start the service:
systemctl enable fprobe
systemctl start fprobe
Verification
To check if softflowd or fprobe are running correctly, use:
systemctl status softflowd
or
systemctl status fprobe
References
By implementing these instructions, you ensure that softflowd or fprobe will run continuously and restart automatically after system reboots, as well as provide users with a clear understanding of the parameters used.
RouterOS
Currently, RouterOS does not send ASN data in its flow, which results in missing information on the dashboards. If you want this feature, be sure to request it from the developers in the forum in this topic here
To overcome this limitation, I recommend using the proxyflow feature, which automatically injects ASN data.
Configuration
/ip traffic-flow set \
active-flow-timeout={COLLECTION_INTERVAL_VALUE e.g. 1m}\
inactive-flow-timeout=15 \
cache-entries={128k to 1M is a good value} \
enabled=yes
interfaces={UPSTREAM_INTERFACES}
/ip traffic-flow target add \
dst-address={RR_NFDUMP_API_IP} \
port={RR_NFDUMP_API_PORT} \
src-address={YOUR_ROUTER_SOURCE_IP} \
version={ipfix/9}
Example RouterOS v7
/ip traffic-flow set \
active-flow-timeout=1m \
inactive-flow-timeout=15 \
cache-entries=512k \
enabled=yes \
interfaces=sfp-sfpplus1.406,sfp-sfpplus2.407 \
sampling-interval=10 \
sampling-space=5
/ip traffic-flow target add \
dst-address=172.16.10.17 \
port=3055 \
src-address=10.50.50.6 \
version={ipfix/9}
If you only want to collect CGNAT logs to have a smaller amount of data while saving disk space, enable only nat-events=yes and disable the rest.
/ip traffic-flow ipfix set
nat-events=yes \
bytes=no \
dst-address=no \
dst-address-mask=no \
dst-mac-address=no \
dst-port=no \
first-forwarded=no \
gateway=no \
icmp-code=no \
icmp-type=no \
igmp-type=no \
in-interface=no \
ip-header-length=no \
ip-total-length=no \
ipv6-flow-label=no \
is-multicast=no \
last-forwarded=no \
nat-dst-address=no \
nat-dst-port=no \
nat-src-address=no \
nat-src-port=no \
out-interface=no \
packets=no \
protocol=no \
src-address=no \
src-address-mask=no \
src-mac-address=no \
src-port=no \
sys-init-time=no \
tcp-ack-num=no \
tcp-flags=no \
tcp-seq-num=no \
tcp-window-size=no \
tos=no \
ttl=no \
udp-length=no
Adjust your config.json
sampling must be the same value as collection_interval, and also the same value as active-flow-timeout in min from RouterOS.
...
"source_path": [
{
"buffer": "67108864",
"compress": "lz4",
"maximum_days": 365,
"name": "Cgnat",
"port": 3056,
"sampling": 1,
"snmp": [
{
"community": "public",
"ip": "10.0.0.6",
"port": 161,
"version": 2
}
],
"type": "netflow",
"vendor": "routeros"
}
]
...
Hard Offload
If you are using RouterOS v7 with Hard Offload enabled, the Traffic Flow (NetFlow) feature may not work properly.
With Hard Offload, the router uses the switch chip (or NPU) to forward packets directly in hardware, bypassing the CPU. Since Traffic Flow collects data at the CPU, any traffic routed only by hardware will not be exported to RR Flow.
Peer BGP RouterOS
To get peer data via SNMP (IPv4 only) on RouterOS, it is possible from version 7.10 or higher.
Proxy Flow
Starting from version 1.8.0, support for the combined use of rr-flow-collector with rr-flow-exporter was implemented, allowing for the automatic enrichment of data with ASN information. However, this functionality requires higher CPU usage.
Example source_path configuration:
{
"buffer": "67108864",
"compress": "lz4",
"name": "RouterOS",
"port": 4055,
"proxyflow": {
"port": 3055
},
"sampling": 1,
"snmp": [
{
"community": "public",
"ip": "10.0.0.1",
"port": 161,
"version": 2
}
],
"type": "netflow",
"vendor": "routeros"
},
In this example your router should export to port 3055.
The rr-flow-collector does not support identifying original IP addresses in NAT (Network Address Translation) scenarios.
When a router performs address translation (NAT) โ for example, replacing an internal IP like 192.168.0.10 with a public IP โ the packets exported via NetFlow usually contain only the already translated addresses. This means RR Flow will receive and log the public IP, not the client’s real IP.