In recent years, the concepts of Artificial Intelligence (AI) and Machine Learning (ML)...
Cisco Catalyst 9200 / 9300 / 9400 / 9500 NetFlow Configuration
Most network devices support NetFlow in some way, especially Cisco routers and switches. Cisco developed the original NetFlow standard and contributed to the standards that are still in use today. As you’d expect, Cisco’s latest Catalyst switches have comprehensive NetFlow support. The exact features and versions supported depend on your hardware and license level.
Cisco Catalyst 9200 / 9300 / 9400 / 9500 NetFlow License Requirements
For basic NetFlow v5 or v9 on Catalyst switches, any license will do. If you want full support for Flexible NetFlow, you’ll need either a DNA Essentials or DNA Advantage license. The following configuration is for NetFlow v9, so anyone with a Catalyst 9000 series switch should be able to follow along.
If you want to configure Flexible NetFlow, adjust the configuration to fit your needs. You won’t be able to add a NetFlow sampler or fully control your key fields unless you have Flexible NetFlow support. As always, make sure the features you need are supported on your specific platform, software version, and license level.
Components of a NetFlow Configuration
Flow Record
This is where you define the key IP fields you are matching, and which you are collecting for export. The key fields define which packets are part of an existing flow, and which are added to a new flow. The fields you collect are then sent to your NetFlow server.
Flow Exporter
This is where you define your NetFlow server, and specify the source of your NetFlow data. Your source must be a layer 3 interface, so you can not use a regular L2 switchport. On Catalyst switches, you can use a loopback, SVI, or a physical L3 interface with an IP address assigned to it.
Flow Monitor
This is where you select the flow record and flow monitor you want to use in your NetFlow configuration. The flow monitor is also where you specify cache timeout values.
Apply Flow Monitor to Interfaces
After you combine your record, exporter, and timeout values into a monitor, you can apply the flow monitor to an interface. While applying the monitor, you have to specify a direction, either monitoring input or output. You typically only want to monitor in one direction to avoid duplicate data, so keep that in mind when choosing which interfaces and which direction to apply your NetFlow monitor.
Example Cisco Catalyst NetFlow Configuration
For this example, let’s imagine you have a small remote site where you want to monitor all IPv4 traffic. This configuration is using a Catalyst 9300 with Network Advantage licensing, so NetFlow v5 and v9 NetFlow features are included, but not Flexible NetFlow. This configuration should be customized as needed but should provide a good basis for your network.
Flow Record
flow record RemoteFlow description IPv4 remote site match ipv4 destination address match ipv4 source address match ipv4 protocol match interface input match transport destination-port match transport source-port collect counter bytes long collect counter packets long collect interface output collect transport tcp flags collect timestamp absolute first collect timestamp absolute last
In this flow record named RemoteFlow, we are setting up the fields that we want to match and create and end flows based on. The match statements are what attributes we are looking at to determine what is a new flow and what matches an existing flow. If one attribute is different, a new flow is created.
Here, we are looking at the IPv4 source and destination address, the interface the flow is coming in on, as well as the source and destination port. This will result in fairly specific and granular flows. If you want broader coverage for individual flows, adjust as needed.
The collect statements are for configuring what the flow records contain. In our example, we are only looking at the size of the packets, the interface, the tcp flags, and the time the flow started and ended. You can also add application-specific fields, flow direction, and other attributes.
Flow Exporter
flow exporter RemoteFlowExport description Export to NetFlow server destination 10.96.13.52 source gigabitEthernet 1/0/48 transport udp 4739 ttl 60
The flow exporter is more straightforward. This is where you define the IP address of the NetFlow server you are sending to, and what interface you want to send from. Keep in mind you can not source from a normal switchport, you need some type of L3 interface. In our example, we are using g1/0/48, which we configured to be an L3 interface. You can also source from a loopback address or specific VLAN virtual interface if desired. We also specified a UDP port and time-to-live value, which are optional.
Flow Sampler
Flow samplers are one of the benefits of Flexible NetFlow. On the Catalyst line of switches, Flexible NetFlow requires a DNA Essentials or DNA Advantage license.
A flow sampler allows you to limit the flow records that are sent, which can help with limiting the amount of resources that are consumed on the switch. It can also help with preventing overloading your NetFlow server. The configuration of them is straightforward. You just need to pick a mode, and how large of a sample you want to send. You then need to specify the sampler you want to use when applying your Flow monitor to an interface.
Flow Monitor
flow monitor RemoteFlowMonitor description Remote site NetFlow monitor exporter RemoteFlowExport record RemoteFlow cache timeout active 60 cache timeout inactive 15
The flow monitor combines your flow record and flow exporter, and sets the maximum amount of time a flow will cover. The cache timeout arguments are measured in seconds. Here, we are saying if a flow lasts longer than 60 seconds, create a new flow. If a flow is idle for 15 seconds, consider it inactive, and export that to the server. You can also set a maximum number of entries in the flow if desired.
At this point, the flow monitor is made and it just needs to be applied to the interfaces you want to monitor for it to be a working configuration.
Apply the Flow Monitor to Interfaces
interface range g1/0/1-47 ip flow monitor RemoteFlowMonitor input
If you were applying a sampler, you would add that after the monitor, but before the direction.
At this point, you should be getting records sent to your NetFlow server such as Noction Flow Analyzer. It will require some traffic passing and caches timing out before you’re able to see anything on the graphs. If you want to check on the status of the current flows on the switch, you can use show commands such as show flow exporter statistics. If you want to check the configuration of your flow monitor or flow record, you can always look at your running configuration, or use the show flow monitor or show flow record commands.
Now that NetFlow is configured, you can explore the Noction Flow Analyzer dashboard and customize it to provide the data you want to see. If needed, you can always go back to your NetFlow configuration and add or remove parts as needed.
SUBSCRIBE TO NEWSLETTER
You May Also Like
When Critical Infrastructure is Vulnerable: Rethinking Network Resilience
Recent disruptions to two undersea internet cables in the Baltic Sea have yet again highlighted a pressing issue for...
From Idle to Established: BGP states, BGP ports and TCP interactions
Understanding BGP states is essential to grasp how BGP operates. Similar to interior gateway protocols (IGPs) like...
ACK and NACK in Networking
In networking, communication between devices relies on the efficient exchange of data packets. Among the essential...