How to configure Netflow on Cisco Catalyst 3650/3850 switch


Prerequisites

Not all Cisco switches support Netflow. Cisco Catalyst 3650 and 3850 runs IOS XE and supports Full Netflow (not sampled) capability. This feature is only supported from IPBASE license and up. In order to enable this, use the below command to activate your IPBASE license.

license right-to-use activate ipbase all acceptEULA

Configuration Flexible Netflow

1. Setup the flow record

This step defines the Netflow record format and fields that are to be collected and exported. The match and collect commands specify which fields to be included in the Netflow PDU.

NetFlow is based on 7 key fields (7-tuple). If one of these fields is difference, a new flow record is created in the flow cache table:

  • Source IP address
  • Destination IP address
  • Source port number
  • Destination port number
  • Layer-3 protocol type (ex., TCP, UDP)
  • ToS (type of service) byte
  • Input logical interface

Below is an example of the formats and fields used for a Stealthwatch deployment.

flow record FLOWRECORD
 description IPv4flow
 match datalink vlan input
 match datalink mac source address input
 match datalink mac destination address input
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 collect transport tcp flags
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
 collect counter bytes layer2 long

2. Define a Flow Exporter

The flow exporter is a very confusing term as an exporter should be the Cisco device itself. What this exporter Cisco is referring to is the collector – the device destination where the netflow packets are sent to. Multiple collectors can be defined here if you have more than one.

Set the protocol to IPFIX – aka Netflow Version 10 – Flexible Netflow. It is best to source NetFlow export from an interface that will never go down, such as Loopback0.

flow exporter FLOWEXPORTER
 description IPFIX
 destination x.x.x.x
 source Loopback0
 transport udp 2055
 export-protocol ipfix

3. Configure a Flow Monitor

The monitor represents the router/switch’s memory-resident Netflow Database. Always set the active cache timeout to 60 seconds as this is the amount of time the device will flush the cache of information pertaining to active flow conversations.

flow monitor FLOWMONITOR
 description IPv4Monitor
 exporter FLOWEXPORTER
 cache timeout active 60
 record FLOWRECORD

4. Enable Netflow on all Layer 3 interfaces and/or Layer 2 VLANS

Netflow should be enabled on every entry point into the router/switch. Setting it to “input” is sufficient and ensures both sides of the communication are captured. You do not need to set “output” as that will effectively double the amount of reported bandwidth.

For Layer 3 interface
interface FastEthernet0/1
 ip address 10.209.10.1 255.255.255.0
 ip flow monitor FLOWMONITOR input          
 duplex auto
 speed auto
For Layer 2 VLAN
vlan configuration 1-4094
ip flow monitor FLOWMONITOR input
Related Posts with Thumbnails