Flexible NetFlow configuration on Cisco 3850 switch

Today I am going to talk about Flexible NetFlow configuration on the Cisco Catalyst 3850 switch. The Cisco Catalyst 3850 switch supports only Flexible NetFlow (FNF), hence the commands for Traditional NetFlow (TNF) are not available (i.e. ip flow ingress, ip flow-export, etc.). By default the export protocol is Version 9 (Version 5 is not supported on the Cisco Catalyst 3850 switch).

The Cisco Catalyst 3850 switch hardware supports FNF natively; there is no need for a separate hardware module, as opposed to devices like the 3750 switch.

Below is the basic network topology showing the NetFlow collector connected to the Cisco Catalyst 3850 switch. I will talk about the configuration on the Cisco Catalyst 3850 switch, which includes the Flow Record, Flow Exporter and Flow Monitor, and then applying NetFlow on the device.

Fig 1.1- NetFlow on Cisco 3850 Switch

Flow Record
First, we need to create the Flow Record, in which we define the Key fields (Match) and Non-Key fields (Collect). These parameters are needed to identify the packets in the flow and to gather the desired data. Any combination of Key and Non-Key fields can be used, but at least one Key attribute must be selected.

RouteXP_3850(config)#flow record RouteXP_3850-FNF-Record
RouteXP_3850(config-flow-record)#description Netflow Record
RouteXP_3850(config-flow-record)#match ipv4 protocol
RouteXP_3850(config-flow-record)#match ipv4 source address
RouteXP_3850(config-flow-record)#match ipv4 destination address
RouteXP_3850(config-flow-record)#match transport source-port
RouteXP_3850(config-flow-record)#match transport destination-port
RouteXP_3850(config-flow-record)#match interface input
RouteXP_3850(config-flow-record)#match flow direction
RouteXP_3850(config-flow-record)#collect transport tcp flags
RouteXP_3850(config-flow-record)#collect interface output
RouteXP_3850(config-flow-record)#collect counter bytes long
RouteXP_3850(config-flow-record)#collect counter packets long

RouteXP_3850(config-flow-record)#exit

Flow Exporter
The second step, which is considered optional but is the most commonly used, is to configure a Flow Exporter. In this step we define the IP address of the server where the NetFlow data will be sent, as well as the port on which the application listens to collect the information; this server is also known as the "NetFlow Collector".

RouteXP_3850(config)#flow exporter RouteXP_3850-FNF-Exporter
RouteXP_3850(config-flow-exporter)#description Netflow Exporter
RouteXP_3850(config-flow-exporter)#destination 10.10.10.10
RouteXP_3850(config-flow-exporter)#transport udp 9996
RouteXP_3850(config-flow-exporter)#exit
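
What the collector listening on 10.10.10.10 UDP 9996 has to do with the Version 9 export, as an added example (not code from the original post): a Python decoder that learns the template and then decodes a data record, run against a packet constructed inline. The field order, the field lengths (chosen to add up to the 39 bytes the switch reports for this record) and template ID 256 are assumptions.

```python
import ipaddress
import struct
# NetFlow v9 field type IDs (RFC 3954) for the fields in the flow record above.
# Order and lengths are assumptions; the lengths add up to 39 bytes.
FIELDS = {4: (1, "protocol"), 8: (4, "src_addr"), 12: (4, "dst_addr"),
          7: (2, "src_port"), 11: (2, "dst_port"), 10: (4, "input_if"),
          61: (1, "direction"), 6: (1, "tcp_flags"), 14: (4, "output_if"),
          1: (8, "bytes"), 2: (8, "packets")}

def build_sample_packet():
    """Constructed packet: v9 header, template flowset, one data record."""
    tmpl = struct.pack("!HH", 256, len(FIELDS))
    tmpl += b"".join(struct.pack("!HH", t, n) for t, (n, _) in FIELDS.items())
    rec = struct.pack("!B4s4sHHIBBIQQ", 6, bytes([10, 10, 10, 1]),
                      bytes([10, 10, 10, 10]), 23, 49377, 1, 0, 0x1B, 0, 313, 6)
    rec += b"\x00" * (-(4 + len(rec)) % 4)        # pad flowset to 32 bits
    header = struct.pack("!HHIIII", 9, 2, 0, 0, 1, 0)
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(rec)) + rec)

def decode(packet):
    """Return the data records of one export packet as dicts."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, off)
        if set_len < 4 or off + set_len > len(packet):
            raise ValueError("flowset length exceeds packet")
        body = packet[off + 4:off + set_len]
        if set_id == 0:                            # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                fields = struct.unpack_from(f"!{2 * n}H", body, pos + 4)
                templates[tid] = list(zip(fields[::2], fields[1::2]))
                pos += 4 + 4 * n
        elif (tmpl := templates.get(set_id)):      # data flowset, template known
            size = sum(n for _, n in tmpl)
            for pos in range(0, len(body) - size + 1, size):
                rec = {}
                for ftype, n in tmpl:
                    raw, pos = body[pos:pos + n], pos + n
                    rec[FIELDS.get(ftype, (0, ftype))[1]] = (
                        str(ipaddress.IPv4Address(raw)) if ftype in (8, 12)
                        else int.from_bytes(raw, "big"))
                records.append(rec)
        off += set_len
    return records
```

A data flowset whose template has not been seen yet is skipped, so a collector that starts after the switch decodes nothing until the next template arrives.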

Flow Monitor
As a third step, we need to create a Flow Monitor that references the previously configured Record and Exporter. The Flow Monitor is what has to be applied on the interfaces where NetFlow data needs to be collected.

RouteXP_3850(config)#flow monitor RouteXP_3850-FNF-Monitor
RouteXP_3850(config-flow-monitor)#description Netflow Monitor
RouteXP_3850(config-flow-monitor)#record RouteXP_3850-FNF-Record
RouteXP_3850(config-flow-monitor)#exporter RouteXP_3850-FNF-Exporter
RouteXP_3850(config-flow-monitor)#exit

Applying NetFlow
Last but not least, we need to apply the Flow Monitor to the desired interface (note that RouteXP_3850 supports FNF on L2/L3 interfaces, L2 VLAN and WLAN; however, SVI and Tunnel interfaces are not supported). In this particular example we are configuring "Bridged NetFlow", hence collecting NetFlow information from VLAN 1 (this is a good alternative when a customer is trying to apply NetFlow on the SVI, which is not supported on the platform).

RouteXP_3850(config)#vlan configuration 1
RouteXP_3850(config-vlan-config)#ip flow monitor RouteXP_3850-FNF-Monitor input 
RouteXP_3850(config-vlan-config)#end

Verify
So now let's verify all the configuration we did on the Cisco Catalyst 3850 switch.

RouteXP_3850#show run flow monitor RouteXP_3850-FNF-Monitor 
Current configuration:
!
flow monitor RouteXP_3850-FNF-Monitor
description Netflow Monitor
exporter RouteXP_3850-FNF-Exporter
record RouteXP_3850-FNF-Record
!
RouteXP_3850#show run flow exporter RouteXP_3850-FNF-Exporter 
Current configuration:
!
flow exporter RouteXP_3850-FNF-Exporter
description Netflow Exporter
destination 10.10.10.10
transport udp 9996
!
RouteXP_3850#show run flow record RouteXP_3850-FNF-Record 
Current configuration:
!
flow record RouteXP_3850-FNF-Record
description Netflow Record
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
collect transport tcp flags
collect interface output
collect counter bytes long
collect counter packets long
!
RouteXP_3850#

RouteXP_3850#show flow exporter RouteXP_3850-FNF-Exporter statistics 
Flow Exporter RouteXP_3850-FNF-Exporter:
Packet send statistics (last cleared 01:14:42 ago):
Successfully sent: 21 (2956 bytes)
Client send statistics:
Client: Flow Monitor RouteXP_3850-FNF-Monitor
Records added: 20
- sent: 20
Bytes added: 780
- sent: 780

RouteXP_3850#show flow record RouteXP_3850-FNF-Record 
flow record RouteXP_3850-FNF-Record:
Description: Netflow Record
No. of users: 1
Total field space: 39 bytes
Fields:
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
collect transport tcp flags
collect interface output
collect counter bytes long
collect counter packets long

RouteXP_3850#show flow monitor RouteXP_3850-FNF-Monitor cache format record 
Cache type: Normal (Platform cache)
Cache size: Unknown
Current entries: 2
Flows added: 27
Flows aged: 25
- Inactive timeout ( 15 secs) 25
IPV4 SOURCE ADDRESS: 10.10.10.1
IPV4 DESTINATION ADDRESS: 10.10.10.10
TRNS SOURCE PORT: 23
TRNS DESTINATION PORT: 49377
INTERFACE INPUT: Gi1/0/1
FLOW DIRECTION: Input
IP PROTOCOL: 6
tcp flags: 0x1B
interface output: LIIN0
counter bytes long: 313
counter packets long: 6
IPV4 SOURCE ADDRESS: 10.10.10.10
IPV4 DESTINATION ADDRESS: 10.10.10.1
TRNS SOURCE PORT: 49377
TRNS DESTINATION PORT: 23
INTERFACE INPUT: Gi1/0/2
FLOW DIRECTION: Input
IP PROTOCOL: 6
tcp flags: 0x1B
interface output: LIIN0
counter bytes long: 306
counter packets long: 6
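
An added example (not part of the original post) that parses the cache listing above, expands the cumulative TCP flags value and reports flows on cleartext service ports, such as the Telnet session (port 23) visible in this output. The sample is a trimmed copy of the output on this page; the watch list of ports is an assumption.

```python
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http"}   # assumed watch list

# Trimmed copy of the cache output shown above (two header lines, both entries).
SAMPLE = """\
Cache type: Normal (Platform cache)
- Inactive timeout ( 15 secs) 25
IPV4 SOURCE ADDRESS: 10.10.10.1
IPV4 DESTINATION ADDRESS: 10.10.10.10
TRNS SOURCE PORT: 23
TRNS DESTINATION PORT: 49377
INTERFACE INPUT: Gi1/0/1
IP PROTOCOL: 6
tcp flags: 0x1B
IPV4 SOURCE ADDRESS: 10.10.10.10
IPV4 DESTINATION ADDRESS: 10.10.10.1
TRNS SOURCE PORT: 49377
TRNS DESTINATION PORT: 23
INTERFACE INPUT: Gi1/0/2
IP PROTOCOL: 6
tcp flags: 0x1B
"""

def parse_cache(text):
    """Split the 'KEY: value' listing into one dict per cache entry."""
    flows = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key == "ipv4 source address":   # first field of each entry
            flows.append({})
        if sep and flows:                          # skip header, colon-less lines
            flows[-1][key] = value.strip()
    return flows

def decode_flags(value):
    """Expand the cumulative (OR-ed over the flow) TCP flags byte into names."""
    return [name for mask, name in TCP_FLAGS.items() if int(value, 16) & mask]

def cleartext_flows(flows):
    """Return TCP flows with a watch-listed source or destination port."""
    hits = []
    for f in (f for f in flows if f["ip protocol"] == "6"):
        for port in (int(f["trns source port"]), int(f["trns destination port"])):
            if port in CLEARTEXT:
                hits.append((f["ipv4 source address"], f["interface input"],
                             CLEARTEXT[port], decode_flags(f["tcp flags"])))
    return hits
```

For the output on this page, 0x1B expands to FIN, SYN, PSH and ACK, and both cache entries are reported as the two directions of one Telnet session.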