Prerequisites
Not all Cisco switches support NetFlow. The Cisco Catalyst 3650 and 3850 run IOS XE and support full (unsampled) NetFlow. The feature requires the IP Base (ipbase) license or higher; use the command below to activate your IP Base license.
license right-to-use activate ipbase all acceptEULA
Flexible NetFlow Configuration
1. Setup the flow record
This step defines the NetFlow record format, i.e. the fields that are collected and exported. The match commands select the key fields and the collect commands select the non-key fields; together they determine what is included in the NetFlow PDU.
NetFlow is based on 7 key fields (the 7-tuple). If any one of these fields differs, a new flow record is created in the flow cache table:
- Source IP address
- Destination IP address
- Source port number
- Destination port number
- Layer 3 protocol type (e.g., TCP, UDP)
- ToS (type of service) byte
- Input logical interface
Below is an example of the record format and fields used for a Stealthwatch deployment.
flow record FLOWRECORD
 description IPv4flow
 match datalink vlan input
 match datalink mac source address input
 match datalink mac destination address input
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 collect transport tcp flags
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
 collect counter bytes layer2 long
2. Define a Flow Exporter
The term flow exporter is confusing, because the exporter is really the Cisco device itself. What Cisco's flow exporter configuration actually describes is the collector: the destination device the NetFlow packets are sent to. Multiple collectors can be defined here if you have more than one.
Set the export protocol to IPFIX, also known as NetFlow version 10, the protocol used by Flexible NetFlow. Source the NetFlow export from an interface that never goes down, such as Loopback0, so the exporter address seen by the collector stays stable.
flow exporter FLOWEXPORTER
 description IPFIX
 destination x.x.x.x
 source Loopback0
 transport udp 2055
 export-protocol ipfix
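What actually arrives on the collector's UDP port 2055 is a sequence of IPFIX messages: a 16-byte header (version 10), then sets, where a template set describes the record layout and data sets carry the records. The following is an added example, not Cisco's or Stealthwatch's code: it builds one constructed IPFIX message of that shape and parses it back the way a collector would. The IANA information element IDs it uses are real; the addresses, counters, export time and observation domain are made-up sample values.

```python
"""Build and decode a minimal IPFIX (NetFlow v10) message.

Added example, not Cisco's code: it constructs one IPFIX message of the
shape the exporter above would send to UDP/2055 (a template set followed
by a data set) and parses it back the way a collector does, so the wire
format can be sanity-checked on the collector side.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

IPFIX_VERSION = 10      # wire version number for IPFIX
TEMPLATE_SET_ID = 2     # set ID reserved for template sets (RFC 7011)
TEMPLATE_ID = 256       # data-set template IDs start at 256

# IANA IPFIX information elements used by this template: (id, length, name)
TEMPLATE_FIELDS: List[Tuple[int, int, str]] = [
    (8, 4, "sourceIPv4Address"),
    (12, 4, "destinationIPv4Address"),
    (7, 2, "sourceTransportPort"),
    (11, 2, "destinationTransportPort"),
    (4, 1, "protocolIdentifier"),
    (1, 8, "octetDeltaCount"),
    (2, 8, "packetDeltaCount"),
]
IE_NAMES = {eid: name for eid, _, name in TEMPLATE_FIELDS}
IPV4_ELEMENTS = {8, 12}


def build_message(records: List[dict], export_time: int, sequence: int,
                  domain_id: int, include_template: bool = True) -> bytes:
    """Encode an (optional) template set plus one data set into an IPFIX message."""
    template = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    template += b"".join(struct.pack("!HH", eid, ln) for eid, ln, _ in TEMPLATE_FIELDS)
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(template)) + template

    data = b""
    for rec in records:
        for eid, ln, name in TEMPLATE_FIELDS:
            value = rec[name]
            if eid in IPV4_ELEMENTS:
                data += ipaddress.IPv4Address(value).packed
            else:
                data += int(value).to_bytes(ln, "big")
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data

    body = (template_set if include_template else b"") + data_set
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body),
                         export_time, sequence, domain_id)
    return header + body


def _decode(eid: int, raw: bytes):
    if eid in IPV4_ELEMENTS:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_message(buf: bytes) -> dict:
    """Decode one IPFIX message; data sets are only readable once their template was seen."""
    if len(buf) < 16:
        raise ValueError("truncated IPFIX header")
    version, length, export_time, sequence, domain_id = struct.unpack_from("!HHIII", buf, 0)
    if version != IPFIX_VERSION:
        raise ValueError(f"expected IPFIX version 10, got {version}")
    if length != len(buf):
        raise ValueError(f"header length {length} != datagram length {len(buf)}")

    templates: Dict[int, List[Tuple[int, int]]] = {}
    records: List[dict] = []
    offset = 16
    while offset + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", buf, offset)
        if set_len < 4 or offset + set_len > length:
            raise ValueError("malformed set header")
        pos, end = offset + 4, offset + set_len
        if set_id == TEMPLATE_SET_ID:
            while pos + 4 <= end:
                tid, count = struct.unpack_from("!HH", buf, pos)
                pos += 4
                fields = []
                for _ in range(count):
                    fields.append(struct.unpack_from("!HH", buf, pos))
                    pos += 4
                templates[tid] = fields
        elif set_id >= 256:
            fields = templates.get(set_id)
            if fields is None:
                raise ValueError(f"data set for unknown template {set_id}")
            rec_len = sum(ln for _, ln in fields)
            if rec_len == 0:
                raise ValueError("empty template")
            while pos + rec_len <= end:
                rec = {}
                for eid, ln in fields:
                    rec[IE_NAMES.get(eid, f"ie{eid}")] = _decode(eid, buf[pos:pos + ln])
                    pos += ln
                records.append(rec)
        offset = end
    return {"export_time": export_time, "sequence": sequence,
            "domain_id": domain_id, "records": records}


# Constructed sample records, not captured from a real switch.
SAMPLE_RECORDS = [
    {"sourceIPv4Address": "10.209.10.50", "destinationIPv4Address": "10.209.20.5",
     "sourceTransportPort": 51000, "destinationTransportPort": 22,
     "protocolIdentifier": 6, "octetDeltaCount": 4200, "packetDeltaCount": 31},
    {"sourceIPv4Address": "10.209.10.50", "destinationIPv4Address": "10.209.10.1",
     "sourceTransportPort": 40123, "destinationTransportPort": 53,
     "protocolIdentifier": 17, "octetDeltaCount": 70, "packetDeltaCount": 1},
]

if __name__ == "__main__":
    msg = build_message(SAMPLE_RECORDS, export_time=1700000000, sequence=1, domain_id=1)
    for rec in parse_message(msg)["records"]:
        print(rec)
```

The `include_template=False` path reproduces a common collector symptom: a data set that arrives before its template cannot be decoded, so a collector started mid-stream reports nothing until the switch resends templates (the resend interval is the exporter's `template data timeout`). A version field other than 10 means the device is still sending NetFlow v5/v9 rather than IPFIX.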
3. Configure a Flow Monitor
The monitor represents the router/switch's memory-resident NetFlow database (the flow cache). Always set the active cache timeout to 60 seconds: this is the interval at which the device flushes, i.e. exports, the cache entries for flows that are still active, so long-lived conversations are reported at least once a minute rather than only when they end.
flow monitor FLOWMONITOR
 description IPv4Monitor
 exporter FLOWEXPORTER
 cache timeout active 60
 record FLOWRECORD
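The two ideas above, the 7-tuple key from step 1 and the active timeout from step 3, are easiest to see in a small simulation of the flow cache. The following is an added illustration, not Cisco's implementation: packets are fed through a cache keyed on the seven fields, entries are exported when the active or inactive timer fires, and a 130-second SSH session comes out as several records. The traffic is constructed, and the inactive timeout value is an assumption (the page does not configure it).

```python
"""Simulated NetFlow flow cache keyed on the 7-tuple.

Added illustration, not Cisco's implementation: it shows how the seven
key fields listed in step 1 decide when a new cache entry is created,
and how the "cache timeout active 60" setting in step 3 slices a
long-lived conversation into several exported records. The inactive
timeout value is an assumption; the page does not configure it.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ACTIVE_TIMEOUT = 60    # seconds, the value configured on the page
INACTIVE_TIMEOUT = 15  # seconds, assumed for this simulation

FlowKey = Tuple[str, str, int, int, int, int, str]


@dataclass
class FlowEntry:
    first_seen: int
    last_seen: int
    packets: int = 0
    octets: int = 0


def flow_key(pkt: dict) -> FlowKey:
    """The 7 key fields; any difference means a separate cache entry."""
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
            pkt["proto"], pkt["tos"], pkt["iface"])


def _record(key: FlowKey, entry: FlowEntry, reason: str) -> dict:
    return {"key": key, "packets": entry.packets, "octets": entry.octets,
            "first": entry.first_seen, "last": entry.last_seen, "reason": reason}


def run_cache(packets: List[dict], active: int = ACTIVE_TIMEOUT,
              inactive: int = INACTIVE_TIMEOUT) -> List[dict]:
    """Feed packets through the cache and return the records it exports, in order."""
    cache: Dict[FlowKey, FlowEntry] = {}
    exported: List[dict] = []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        now = pkt["ts"]
        # Timer sweep: a flow older than the active timeout is exported even
        # though it is still talking; an idle one is exported after the
        # inactive timeout. Either way the entry leaves the cache.
        for key in list(cache):
            entry = cache[key]
            if now - entry.first_seen >= active:
                exported.append(_record(key, entry, "active"))
                del cache[key]
            elif now - entry.last_seen >= inactive:
                exported.append(_record(key, entry, "inactive"))
                del cache[key]
        key = flow_key(pkt)
        entry = cache.get(key)
        if entry is None:  # new 7-tuple, or a continuation after an active export
            entry = FlowEntry(first_seen=now, last_seen=now)
            cache[key] = entry
        entry.last_seen = now
        entry.packets += 1
        entry.octets += pkt["octets"]
    # Whatever is still cached is exported when the monitor is flushed.
    for key, entry in cache.items():
        exported.append(_record(key, entry, "flush"))
    return exported


def _pkt(ts, src, dst, sport, dport, proto, iface, octets, tos=0):
    return {"ts": ts, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "tos": tos, "iface": iface, "octets": octets}


# Constructed traffic (not a capture): an SSH session seen every 10 s for
# 130 s on Gi1/0/1, one reply packet from the server side on Gi1/0/2, one
# DNS query, and one SSH packet whose ToS byte differs from the rest.
SAMPLE_PACKETS: List[dict] = (
    [_pkt(t, "10.209.10.50", "10.209.20.5", 51000, 22, 6, "Gi1/0/1", 100)
     for t in range(0, 140, 10)]
    + [_pkt(1, "10.209.20.5", "10.209.10.50", 22, 51000, 6, "Gi1/0/2", 60),
       _pkt(5, "10.209.10.50", "10.209.10.1", 40123, 53, 17, "Gi1/0/1", 70),
       _pkt(130, "10.209.10.50", "10.209.20.5", 51000, 22, 6, "Gi1/0/1", 100, tos=0x10)]
)

if __name__ == "__main__":
    for rec in run_cache(SAMPLE_PACKETS):
        print(f"{rec['reason']:8s} {rec['first']:>4}-{rec['last']:<4} "
              f"pkts={rec['packets']} octets={rec['octets']} key={rec['key']}")
```

With the 60-second active timeout the single SSH session is exported three times (6, 6 and 2 packets), which is what lets a collector notice a long-running connection while it is still open; the reply packet and the packet with a different ToS byte land in their own records because a key field differs.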
4. Enable NetFlow on all Layer 3 interfaces and/or Layer 2 VLANs
NetFlow should be enabled at every entry point into the router/switch. Applying the monitor in the "input" direction is sufficient and captures both sides of the conversation, because each side's packets enter the device on some interface. Do not also apply it in the "output" direction, as that would effectively double the reported bandwidth.
For a Layer 3 interface
interface FastEthernet0/1
 ip address 10.209.10.1 255.255.255.0
 ip flow monitor FLOWMONITOR input
 duplex auto
 speed auto
For a Layer 2 VLAN
vlan configuration 1-4094
 ip flow monitor FLOWMONITOR input
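The "input only, on every entry point" rule is worth checking rather than taking on trust, since the two ways to get it wrong are silent: applying output as well inflates every byte count, and forgetting one interface hides the flows that enter there. The following added illustration (not Cisco code) models a monitor attached to switch interfaces in different directions over a constructed two-way conversation, and includes a small coverage check for interfaces that carry inbound traffic without an input monitor.

```python
"""Why the monitor goes on every interface in the input direction only.

Added illustration (not Cisco code) of how bytes get reported when a
flow monitor is attached to switch interfaces in different directions.
Each constructed packet records the interface it entered on and the one
it left on; a monitor counts it once per attachment point whose
direction matches.
"""
from collections import Counter
from typing import Dict, List, Set

# Constructed conversation: client on Gi1/0/1 talks to a server on Gi1/0/2.
CLIENT, SERVER = "10.209.10.50", "10.209.20.5"
SAMPLE_PACKETS: List[dict] = (
    [{"src": CLIENT, "dst": SERVER, "in": "Gi1/0/1", "out": "Gi1/0/2", "octets": 1500}
     for _ in range(3)]
    + [{"src": SERVER, "dst": CLIENT, "in": "Gi1/0/2", "out": "Gi1/0/1", "octets": 500}
       for _ in range(2)]
)

# Monitor attachments, as "ip flow monitor FLOWMONITOR <direction>" lines would create them.
INPUT_ON_ALL: Dict[str, Set[str]] = {"Gi1/0/1": {"input"}, "Gi1/0/2": {"input"}}
INPUT_AND_OUTPUT: Dict[str, Set[str]] = {"Gi1/0/1": {"input", "output"},
                                         "Gi1/0/2": {"input", "output"}}
INPUT_ON_ONE: Dict[str, Set[str]] = {"Gi1/0/1": {"input"}}  # Gi1/0/2 forgotten


def reported_bytes(packets: List[dict], monitor: Dict[str, Set[str]]) -> Counter:
    """Bytes the monitor would report, per (src, dst) direction of the conversation."""
    seen: Counter = Counter()
    for p in packets:
        # Counted once on ingress if the ingress interface has an input monitor ...
        if "input" in monitor.get(p["in"], set()):
            seen[(p["src"], p["dst"])] += p["octets"]
        # ... and counted again on egress if that interface also has an output monitor.
        if "output" in monitor.get(p["out"], set()):
            seen[(p["src"], p["dst"])] += p["octets"]
    return seen


def actual_bytes(packets: List[dict]) -> int:
    """Ground truth: bytes that really crossed the switch."""
    return sum(p["octets"] for p in packets)


def ingress_blind_spots(packets: List[dict], monitor: Dict[str, Set[str]]) -> Set[str]:
    """Interfaces carrying inbound traffic with no input monitor: those flows go unreported."""
    return {p["in"] for p in packets if "input" not in monitor.get(p["in"], set())}


if __name__ == "__main__":
    print("actual bytes:", actual_bytes(SAMPLE_PACKETS))
    for name, mon in [("input on all", INPUT_ON_ALL),
                      ("input+output", INPUT_AND_OUTPUT),
                      ("input on one", INPUT_ON_ONE)]:
        rep = reported_bytes(SAMPLE_PACKETS, mon)
        print(f"{name:13s} reported={sum(rep.values())} "
              f"blind spots={ingress_blind_spots(SAMPLE_PACKETS, mon) or '-'}")
```

Input on both interfaces reports exactly the 5500 bytes that crossed the switch, one record per direction; adding output doubles it to 11000; leaving Gi1/0/2 unmonitored drops the server-to-client direction entirely, so the conversation would appear one-sided to Stealthwatch.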