Cisco Nexus Series 7000 NX-OS and NetFlow
Posted in NetFlow on December 21st, 2009 by scottr

I took a call the other day from a customer who asked, “How do I set up my router to send NetFlow to Scrutinizer?” This is a question that I get on a pretty regular basis, so I strapped on my router config hat and got ready to throw out the typical IP FLOW commands to get the flows going. But then I asked for the model of the router. “It’s a Cisco Nexus 7000,” the customer told me. I found that this device does not run the usual IOS that we have all come to know and love. It runs Cisco’s NX-OS. And Cisco’s NX-OS CLI is completely different.
Cisco NX-OS supports a flexible architecture that allows a user to collect different data for different applications per interface. It allows you to define an optimal flow record for a particular application by selecting the keys from a large collection of predefined fields, whereas the Cisco IOS Software supports one flow mask and export pair for the entire chassis.
In Cisco NX-OS, the flexible architecture consists of flow records, flow exporters, and flow monitors. The NetFlow command-line interface (CLI) configuration and verification commands are not available until you enable the NetFlow feature with the `feature netflow` command. If the `feature netflow` command is removed, all related NetFlow configuration is removed with it.
The Cisco NX-OS/IOS NetFlow Comparison document provides a complete NX-OS/IOS comparison.
To configure NetFlow, follow these steps:
Step 1: Enable the NetFlow feature. (You must globally enable NetFlow before you can configure any flows.)

```
switch(config)# feature netflow
```

Step 2: Define a flow record by specifying the keys to match on and the fields to collect in the flow.

```
switch(config)# flow record internet
switch(config-flow-record)# description Ipv4 Flow
switch(config-flow-record)# match [command] [option]
switch(config-flow-record)# collect [command] [option]
```

`show flow record internet` displays the information about the NetFlow flow record named internet.
You must configure at least one of the following match parameters for a flow record:

Flow Record Match Parameter Options

| Command | Purpose |
|---|---|
| match ip {protocol \| tos} | Specifies the IP protocol or ToS field as a key |
| match ipv4 {destination \| source} address | Specifies the IPv4 source or destination address as a key |
| match ipv6 {destination address \| source address \| flow-label \| options} | Specifies the IPv6 key |
| match transport {destination-port \| source-port} | Specifies the transport source or destination port as a key |
| match datalink {mac source-address \| mac destination-address \| ethertype \| vlan} | Specifies the Layer 2 attribute as a key |
You must configure at least one of the following collect parameters for a flow record:

Flow Record Collect Parameter Options

| Command | Purpose |
|---|---|
| collect counter {bytes \| packets} [long] | Collects either packet or byte counters for the flow. You can optionally specify that 64-bit counters are used. |
| collect flow {direction \| sampler id} | Collects the direction of the flow or the identifier of the sampler used for the flow |
| collect interface {input \| output} | Collects the input or output interface attribute |
| collect routing {destination \| source} as [peer] | Collects the source or destination AS number of the local device or of the peer |
| collect routing forwarding-status | Collects the forwarding status of the packet |
| collect routing next-hop address ipv4 [bgp] | Collects the next-hop IPv4 address |
| collect routing next-hop address ipv6 [bgp] | Collects the next-hop IPv6 address |
| collect timestamp sys-uptime {first \| last} | Collects the system uptime for the first or last packet in the flow |
| collect transport tcp flags | Collects the TCP transport-layer flags for the packets in the flow |

Cisco also provides pre-defined flow records to make the migration to this new configuration model easier.
Step 3: Define an optional flow exporter by specifying the export format, protocol, destination, and other parameters.

```
switch(config)# flow exporter scrutinizer
switch(config-flow-exporter)# destination 192.0.2.1
switch(config-flow-exporter)# source ethernet 2/1
switch(config-flow-exporter)# description ExportV9
switch(config-flow-exporter)# transport udp 2055
switch(config-flow-exporter)# version 9
```

`show flow exporter scrutinizer` displays information about the NetFlow flow exporter named scrutinizer.
Step 4: Define a flow monitor that ties together the flow record and the flow exporter.

```
switch(config)# flow monitor MonitorTest
switch(config-flow-monitor)# description Ipv4Monitor
switch(config-flow-monitor)# exporter scrutinizer
switch(config-flow-monitor)# record internet
```

`show flow monitor MonitorTest` displays information about the NetFlow flow monitor named MonitorTest.
Step 5: Apply the flow monitor to a source interface, subinterface, VLAN interface, or VLAN.

```
switch(config)# interface Ethernet 2/1
switch(config-if)# ip flow monitor MonitorTest input
```

or

```
switch(config-if)# ipv6 flow monitor MonitorTest input
```

`ip flow monitor MonitorTest {input | output}` associates an IPv4 flow monitor with the interface for input or output packets; `ipv6 flow monitor MonitorTest {input | output}` does the same for an IPv6 flow monitor.

You can also apply a flow monitor, and optionally a sampler, to a VLAN:

```
switch(config)# vlan 30
switch(config-vlan)# ip flow monitor MonitorTest input
```

`show flow interface Ethernet 2/1` displays information about NetFlow on the interface Ethernet 2/1.
Here is a sample config:

```
flow exporter scrutinizer
  destination 192.0.2.1
  transport udp 2055
  source loopback0
  version 9
flow record internet
  description internet traffic
  match ipv4 source address
  match ipv4 destination address
  match transport source-port
  match transport destination-port
  collect counter bytes
  collect counter packets
flow monitor MonitorTest
  description Internet traffic sent to scrutinizer
  record internet
  exporter scrutinizer
interface Ethernet2/1
  description Connected to d87-mdf-fw01
  no switchport
  ip flow monitor MonitorTest input
  ip flow monitor MonitorTest output
  ip address 10.1.1.3
  no shutdown
```
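The five steps above form a dependency chain, and a flow that silently never arrives at the collector is usually a broken link in that chain. As an added example (not from the original post or from Cisco), here is a small Python linter that checks those rules over a saved NX-OS config: `feature netflow` is present, every flow record has at least one `match` key and one `collect` field, every flow monitor references a defined record and exporter, and every monitor is actually applied on an interface or VLAN. The embedded sample config is constructed to mirror the one above and is not a real device's configuration.

```python
import re

# Constructed sample in the shape of the config above (not taken from a real device).
SAMPLE_CONFIG = """\
feature netflow
flow exporter scrutinizer
  destination 192.0.2.1
  transport udp 2055
flow record internet
  match ipv4 source address
  collect counter bytes
flow monitor MonitorTest
  record internet
  exporter scrutinizer
interface Ethernet2/1
  ip flow monitor MonitorTest input
"""
HEADER = re.compile(r"^(flow (?:exporter|record|monitor)|interface|vlan)\s+(\S+)\s*$")
APPLY = re.compile(r"^(?:ip|ipv6) flow monitor (\S+) (?:input|output)$")

def parse_sections(text):  # (kind, name) -> indented child lines of that block
    sections, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        if not line.startswith(" "):  # a top-level command starts (or ends) a section
            m = HEADER.match(line)
            current = sections.setdefault((m.group(1), m.group(2)), []) if m else None
        elif current is not None:
            current.append(line.strip())
    return sections

def lint_flow_config(text):  # returns the violations found; an empty list means consistent
    secs, problems = parse_sections(text), []
    if "feature netflow" not in text.splitlines():
        problems.append("'feature netflow' is not enabled, so the flow commands are unavailable")
    kind = lambda k: {n: b for (t, n), b in secs.items() if t == k}
    records, exporters, monitors = kind("flow record"), kind("flow exporter"), kind("flow monitor")
    for name, body in records.items():
        for req in ("match", "collect"):  # a record needs at least one key and one field
            if not any(l.startswith(req + " ") for l in body):
                problems.append(f"flow record {name}: at least one {req} line is required")
    # Monitor names that some interface or VLAN applies with 'ip'/'ipv6 flow monitor ... input|output'
    applied = {m.group(1) for (t, _), b in secs.items() if t in ("interface", "vlan") for m in map(APPLY.match, b) if m}
    for name, body in monitors.items():
        refs = {w[0]: w[1] for w in (l.split() for l in body) if len(w) > 1}
        for ref, defined in (("record", records), ("exporter", exporters)):
            if refs.get(ref) not in defined:
                problems.append(f"flow monitor {name}: {ref} '{refs.get(ref)}' is not defined")
        if name not in applied:
            problems.append(f"flow monitor {name}: not applied to any interface or VLAN")
    problems += [f"interface applies undefined flow monitor '{n}'" for n in applied - set(monitors)]
    return problems
```

Feed it the output of `show running-config` (or a config backup) as the text; a clean run returns an empty list.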
For more information on configuring NetFlow on Layer 2 interfaces, NetFlow Timeouts, and NetFlow Samplers, please refer to the Cisco Nexus 7000 Series NX-OS System Management Configuration Guide.
Cisco’s Flexible NetFlow architecture broadens the scope of the information that can be made available for traffic analysis. I invite you to check Mike Patterson’s blog on How-to Configure Cisco Flexible NetFlow for NBAR Exports to see just how powerful this information can be. And with Plixer’s latest NetFlow and sFlow analysis tool, you have the ability to process it all.
-Scott
Tags: Cisco Nexus 7000, Cisco NX-OS, NBAR, NetFlow, NetFlow and sFlow analysis tool, NX-OS, NX-OS NetFlow comparison, plixer, Scrutinizer
[...] learn more about “collect vs. match,” I suggest reading Scott’s Systrax blog on the Nexus 7000. Scott’s approach is a bit different than this blog, however, you should have better luck [...]