Configuring and Troubleshooting NetFlow Part 2

This is a continuation of my previous post. In this post, I'll go over NetFlow configuration on NX-OS and IOS Catalyst switches.

NX-OS Flexible Netflow Configuration for 7.x:

NX-OS supports Flexible NetFlow, which enables enhanced detection of network anomalies and security events. Flexible NetFlow lets you define an optimal flow record for a particular application by selecting the key fields from a large collection of predefined fields.

Creating a flow record in NX-OS:

  • Enable the NetFlow feature:
    feature netflow
     
  • Create a flow record and enter the flow record config mode:
    flow record name
     
  • (Optional) Create a description:
    description description
     
  • Specify a match key:
    • match
      • ip {protocol | tos} - Specifies the IP protocol or ToS field as a key
      • ipv4 {destination address | source address} - Specifies the IPv4 source or destination address as a key
      • ipv6 {destination address | source address | flow-label | options} - Specifies the IPv6 key
      • transport {destination-port | source-port} - Specifies the transport source or destination port as a key
      • datalink {mac source-address | mac destination-address | ethertype | vlan} - Specifies the Layer 2 attribute as a key
         
  • Specify the collection field:
    • collect
      • counter {bytes | packets} [long] - Collects either byte-based or packet-based counters for the flow. You can optionally specify that 64-bit counters are used
      • flow sampler id - Collects the sampler identifier used for the flow
      • timestamp sys-uptime {first | last} - Collects the system uptime for the first and last packet in the flow
      • transport tcp flags - Collects the TCP transport layer flags for the packets in the flow
      • ip version - Collects the IP version for the flow
         
  • Verify: show flow record
     

Creating a flow exporter in NX-OS:

  • Create a flow exporter and enter the flow exporter config mode:
    flow exporter name
     
  • (Optional) Create a description:
    description description
     
  • Specify the destination IPv4 or IPv6 address for the flow exporter. You can optionally configure the VRF to use to reach the NetFlow collector:
    destination ip-addr
     
  • Specify the interface to use to reach the NetFlow collector at the configured destination:
    source type mod/num
     
  • Specify the UDP port to use to reach the NetFlow collector:
    transport udp port

    Default port is 9995
     
  • Specify the NetFlow export version:
    version 9
     
  • Set the flow exporter statistics resend timer:
    option {exporter-stats | interface-table | sampler-table} timeout sec
     
  • Set the template data resend timer:
    template data timeout sec
     

Creating a flow monitor in NX-OS:

  • Create a flow monitor and enter the flow monitor config mode:
    flow monitor name
     
  • (Optional) Create a description:
    description description
     
  • Associate a flow exporter with the flow monitor:
    exporter name
     
  • Associate a flow record with the specified flow monitor:
    record {name | netflow-original | netflow protocol-port | netflow {ipv4 | ipv6} {original-input | original-output}} 
     
  • Verify: show flow monitor

 

Applying a flow monitor to an interface in NX-OS:

You cannot apply a flow monitor in the egress direction; only ingress NetFlow is supported.

  • Enter the interface config mode:
    interface interface-type slot/port
     
  • (Optional) Associate an IPv4 flow monitor:
    ip flow monitor name input
     
  • (Optional) Associate an IPv6 flow monitor:
    ipv6 flow monitor name input
     
  • (Optional) Associate a Layer 2-switched flow monitor to the interface for input packets:
    layer2-switched flow monitor name input
     
  • (Optional) Force MAC classification of packets:
    mac packet-classify
     
  • Verify: show flow interface
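Putting the four NX-OS procedures above together, here is an added example configuration that is not from the original post. The record, exporter and monitor names, the collector address 192.0.2.10, the management VRF and the interfaces are constructed placeholders, and the `use-vrf` keyword on the destination line is assumed syntax for the VRF option the post mentions but does not show.

```cisco
! Added example: NX-OS 7.x Flexible NetFlow, ingress only (NX-OS does not
! support egress monitors). Names, addresses and interfaces are placeholders.
feature netflow

flow record REC-IPV4-SEC
  description IPv4 5-tuple keys plus TCP flags for anomaly detection
  match ipv4 source address
  match ipv4 destination address
  match ip protocol
  match transport source-port
  match transport destination-port
  collect counter bytes long
  collect counter packets long
  collect timestamp sys-uptime first
  collect timestamp sys-uptime last
  collect transport tcp flags

flow exporter EXP-COLLECTOR
  description NetFlow v9 export to the collector via the management VRF
  destination 192.0.2.10 use-vrf management
  source mgmt0
  transport udp 9995
  version 9
    option exporter-stats timeout 120
    template data timeout 120

flow monitor MON-IPV4-SEC
  description Bind the security record to the collector exporter
  record REC-IPV4-SEC
  exporter EXP-COLLECTOR

interface Ethernet1/1
  ip flow monitor MON-IPV4-SEC input

! Verification commands from the post
! show flow record
! show flow exporter EXP-COLLECTOR
! show flow monitor
! show flow interface
```

If the collector never receives templates, check the exporter statistics first: with version 9 the collector cannot decode any data records until the template data resend timer has fired at least once.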

 

Troubleshooting NetFlow on NX-OS:

  • show flow exporter name - Displays information about NetFlow flow exporters and statistics
  • show flow interface - Displays information about NetFlow interfaces
  • show flow record - Displays information about NetFlow flow records
  • show flow record netflow layer2-switched input - Displays information about Layer 2 NetFlow 
  • show flow timeout - Displays information about NetFlow timeouts
  • show hardware ip flow - Displays information about NetFlow hardware IP flows

Reference Documentation: Cisco Nexus 7000 NX-OS NetFlow Configuration Guide

 

IOS NetFlow Configuration for 15.2(3)E and Later:

Create a flow record:

  • Create a flow record and enter the flow record config mode:
    flow record name
     
  • (Optional) Create a description:
    description description
     
  • Configure one or more source fields in the flow as counter fields, timestamp fields, or interface fields:
    • match
      • ipv4 {destination | source} address
      • ipv6 {destination | source} address
      • datalink {destination-vlan-id | dot1q | ethertype | mac | source-vlan-id}
      • transport {icmp | igmp | source-port | tcp | udp}
         
  • Specify the collection fields:
    • collect
      • interface {input | output}      
      • counter {bytes [exported | long] | flows [exported] | packets [exported | long]}
      • timestamp sys-uptime {first | last}  

 

Create a flow exporter:

  • Create a flow exporter and enter flow exporter config mode:
    flow exporter name
     
  • (Optional) Create a description:
    description description
     
  • Set the IPv4 destination address or hostname for this exporter:
    destination {hostname | ipv4-addr} [vrf vrf-name]
     
  • Specify the interface to use to reach the NetFlow collector:
    source type mod/num
     
  • Configure options data parameters for the exporter:
    option {exporter-stats | interface-table | sampler-table} [timeout sec]

    Default is 600
     
  • Configure resending of templates based on a timeout:
    template data timeout sec

    Default is 600
     
  • Specify the UDP port to use to reach the NetFlow collector:
    transport udp port
     
  • Specify the version of Netflow:
    export-protocol netflow-v9
     
  • Verify: show flow exporter
     

Create a flow monitor:

  • Create a flow monitor and enter flow monitor config mode:
    flow monitor name
     
  • (Optional) Create a description:
    description description
     
  • Associate a record to the flow monitor:
    record name
     
  • Configure the flow monitor cache parameters:
    • cache
      • timeout active sec - Configure the active flow timeout
      • entries num - Configure the number of cache entries between 16 and 1048576
      • type normal - Configure normal flow removal from the flow cache
         
  • Associate an exporter:
    exporter name
     
  • Verify: show flow monitor
     

 

Applying a flow monitor to an interface:

  • Enter the interface config mode:
    interface type mod/num
     
  • Associate an IPv4 or IPv6 flow monitor:
    {ip flow monitor | ipv6 flow monitor} name [layer2-switched | multicast | unicast name] {input}
     
  • Verify: show flow interface
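The IOS Catalyst counterpart, again as an added example rather than the post's own configuration, assembles the steps above with the cache parameters set explicitly. The names, the collector address 192.0.2.10, the SVI used as export source and the access port are constructed placeholders.

```cisco
! Added example: IOS 15.2(3)E Catalyst Flexible NetFlow with explicit cache
! tuning. Names, addresses and interfaces are placeholders.
flow record REC-IPV4-SEC
 description IPv4 address and port keys with input interface and counters
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect interface input
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow exporter EXP-COLLECTOR
 description NetFlow v9 export to the collector
 destination 192.0.2.10
 source Vlan100
 transport udp 9995
 export-protocol netflow-v9
 option exporter-stats timeout 120
 ! interface-table lets the collector map ifIndex values to interface names
 option interface-table timeout 120
 template data timeout 120
!
flow monitor MON-IPV4-SEC
 description Export long-lived flows every 60 s instead of the default
 record REC-IPV4-SEC
 exporter EXP-COLLECTOR
 cache timeout active 60
 cache entries 8192
 cache type normal
!
interface GigabitEthernet1/0/1
 ip flow monitor MON-IPV4-SEC input
!
! Verify and inspect what is actually being exported
! show flow monitor MON-IPV4-SEC statistics
! show flow monitor MON-IPV4-SEC cache format table
! show flow exporter EXP-COLLECTOR statistics
```

A short active timeout gives the collector earlier visibility of long-running transfers at the cost of more export packets; the cache size caps how many concurrent flows the switch tracks before it starts aging entries early.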
     

Troubleshooting NetFlow in IOS:

  • show flow exporter [broker | export-ids | name name | statistics | templates] - Displays information about NetFlow flow exporters and statistics
  • show flow exporter [ name name] - Displays information about NetFlow flow exporters and statistics
  • show flow interface - Displays information about NetFlow interfaces.
  • show flow monitor [name name] - Displays information about NetFlow flow monitors and statistics
  • show flow monitor statistics - Displays the statistics for the flow monitor       
  • show flow monitor cache format {table | record | csv} - Displays the contents of the cache for the flow monitor, in the format specified.
  • show flow record [ name name] - Displays information about NetFlow flow records

Reference Documentation: Flexible Netflow Configuration Guide for IOS Release 15.2(3)E