facebook
irp demo
Request Noction IRP Demo

Request a personalized demo/review session of our Intelligent Routing Platform

irp trial
Start Noction IRP Trial

Evaluate Noction IRP, and see how it meets your network optimization challenges

nfa demo
Noction Flow Analyzer Demo

Schedule a one-on-one demonstration of our network traffic analysis product

nfa trial
Free Noction Flow Analyzer Trial

Test drive NFA today with your own fully featured 30-day free trial

Cisco Catalyst 9200 / 9300 / 9400 / 9500 NetFlow Configuration

cisco catalystNetFlow is a great way to gather traffic statistics from your network. With Noction Flow Analyzer, you can view all your NetFlow data in a clear and customizable way. You can create trend reports and gather protocol and interface statistics in near real-time. It can also act as a security tool for finding network anomalies and allows you to be notified when critical network events happen. For the best results and accurate reporting, you’ll need to have the correct NetFlow configuration on your network equipment first.

Most network devices support NetFlow in some way, especially Cisco routers and switches. Cisco developed the original NetFlow standard and contributed to the standards that are still in use today. As you’d expect, Cisco’s latest Catalyst switches have comprehensive NetFlow support. The exact features and versions supported depend on your hardware and license level.

Cisco Catalyst 9200 / 9300 / 9400 / 9500 NetFlow License Requirements

For basic NetFlow v5 or v9 on Catalyst switches, any license will do. If you want full support for Flexible NetFlow, you’ll need either a DNA Essentials or DNA Advantage license. The following configuration is for NetFlow v9, so anyone with a Catalyst 9000 series switch should be able to follow along.

If you want to configure Flexible NetFlow, adjust the configuration to fit your needs. You won’t be able to add a NetFlow sampler or fully control your key fields unless you have Flexible NetFlow support. As always, make sure the features you need are supported on your specific platform, software version, and license level.

Components of a NetFlow Configuration

Flow Record

This is where you define the key IP fields you are matching, and which you are collecting for export. The key fields define which packets are part of an existing flow, and which are added to a new flow. The fields you collect are then sent to your NetFlow server.

Flow Exporter

This is where you define your NetFlow server, and specify the source of your NetFlow data. Your source must be a layer 3 interface, so you can not use a regular L2 switchport. On Catalyst switches, you can use a loopback, SVI, or a physical L3 interface with an IP address assigned to it.

Flow Monitor

This is where you select the flow record and flow monitor you want to use in your NetFlow configuration. The flow monitor is also where you specify cache timeout values.

Apply Flow Monitor to Interfaces

After you combine your record, exporter, and timeout values into a monitor, you can apply the flow monitor to an interface. While applying the monitor, you have to specify a direction, either monitoring input or output. You typically only want to monitor in one direction to avoid duplicate data, so keep that in mind when choosing which interfaces and which direction to apply your NetFlow monitor.

Example Cisco Catalyst NetFlow Configuration

For this example, let’s imagine you have a small remote site where you want to monitor all IPv4 traffic. This configuration is using a Catalyst 9300 with Network Advantage licensing, so NetFlow v5 and v9 NetFlow features are included, but not Flexible NetFlow. This configuration should be customized as needed but should provide a good basis for your network.

Flow Record

 flow record RemoteFlow
  description IPv4 remote site
  match ipv4 destination address
  match ipv4 source address
  match ipv4 protocol
  match interface input
  match transport destination-port
  match transport source-port
  collect counter bytes long
  collect counter packets long
  collect interface output
  collect transport tcp flags
  collect timestamp absolute first
  collect timestamp absolute last

In this flow record named RemoteFlow, we are setting up the fields that we want to match and create and end flows based on. The match statements are what attributes we are looking at to determine what is a new flow and what matches an existing flow. If one attribute is different, a new flow is created.

Here, we are looking at the IPv4 source and destination address, the interface the flow is coming in on, as well as the source and destination port. This will result in fairly specific and granular flows. If you want broader coverage for individual flows, adjust as needed.

The collect statements are for configuring what the flow records contain. In our example, we are only looking at the size of the packets, the interface, the tcp flags, and the time the flow started and ended. You can also add application-specific fields, flow direction, and other attributes.

Flow Exporter

 flow exporter RemoteFlowExport
  description Export to NetFlow server
  destination 10.96.13.52
  source gigabitEthernet 1/0/48
  transport udp 4739
  ttl 60

The flow exporter is more straightforward. This is where you define the IP address of the NetFlow server you are sending to, and what interface you want to send from. Keep in mind you can not source from a normal switchport, you need some type of L3 interface. In our example, we are using g1/0/48, which we configured to be an L3 interface. You can also source from a loopback address or specific VLAN virtual interface if desired. We also specified a UDP port and time-to-live value, which are optional.

Flow Sampler

Flow samplers are one of the benefits of Flexible NetFlow. On the Catalyst line of switches, Flexible NetFlow requires a DNA Essentials or DNA Advantage license.

A flow sampler allows you to limit the flow records that are sent, which can help with limiting the amount of resources that are consumed on the switch. It can also help with preventing overloading your NetFlow server. The configuration of them is straightforward. You just need to pick a mode, and how large of a sample you want to send. You then need to specify the sampler you want to use when applying your Flow monitor to an interface.

Flow Monitor

 flow monitor RemoteFlowMonitor
  description Remote site NetFlow monitor 
  exporter RemoteFlowExport
  record RemoteFlow
  cache timeout active 60
  cache timeout inactive 15

The flow monitor combines your flow record and flow exporter, and sets the maximum amount of time a flow will cover. The cache timeout arguments are measured in seconds. Here, we are saying if a flow lasts longer than 60 seconds, create a new flow. If a flow is idle for 15 seconds, consider it inactive, and export that to the server. You can also set a maximum number of entries in the flow if desired.

At this point, the flow monitor is made and it just needs to be applied to the interfaces you want to monitor for it to be a working configuration.

Apply the Flow Monitor to Interfaces

 interface range g1/0/1-47
  ip flow monitor RemoteFlowMonitor input

If you were applying a sampler, you would add that after the monitor, but before the direction.

At this point, you should be getting records sent to your NetFlow server such as Noction Flow Analyzer. It will require some traffic passing and caches timing out before you’re able to see anything on the graphs. If you want to check on the status of the current flows on the switch, you can use show commands such as show flow exporter statistics. If you want to check the configuration of your flow monitor or flow record, you can always look at your running configuration, or use the show flow monitor or show flow record commands.

Now that NetFlow is configured, you can explore the Noction Flow Analyzer dashboard and customize it to provide the data you want to see. If needed, you can always go back to your NetFlow configuration and add or remove parts as needed.

noction flow analyzer price
Tags: NetFlow

SUBSCRIBE TO NEWSLETTER

You May Also Like

ACK and NACK in Networking

ACK and NACK in Networking

In networking, communication between devices relies on the efficient exchange of data packets. Among the essential...