In my previous blog post, Cisco ACI NetFlow Support, I went over the benefits that set Cisco ACI apart from other Software-Defined Networking architectures. Now it is time to discuss in more detail its unifying point of automation and management, the Application Policy Infrastructure Controller (APIC). We will also go over Cisco APIC NetFlow support and its limitations.

Get visibility into the ACI fabric

What is so special about Cisco APIC?

Cisco APIC is a centralized application-level policy engine for physical, virtual, and cloud infrastructures. Designed around open standards and APIs, it optimizes the application lifecycle for scale and performance, and it provides detailed visibility, telemetry, and health scores by application and by tenant. Cisco APIC can be easily integrated with VMware, Microsoft, and OpenStack. It supports both a command-line interface (CLI) and a graphical user interface (GUI). Yet another great feature of Cisco APIC is that it is completely removed from the data path: the fabric can still forward traffic even when communication with the controller is lost.

Is there NetFlow support for Cisco APIC?

If you have ever enabled NetFlow monitoring for the traffic going through your data centers, you can get the same level of visibility into the traffic flowing through the Cisco ACI fabric. The difference is that the supervisor engine, rather than the switch hardware, processes the records and exports them to standard NetFlow collectors.

As with everything good in life, Cisco APIC NetFlow support has its limits:

  • The hardware does not support active/inactive timers. The records are exported every minute, as the flow table records are aggregated and the table gets flushed.
  • At every export interval, the software cache gets flushed, and the records exported in the next interval start with reset packet/byte counts and other statistics.
  • The filter TCAM has no labels for bridge domains or interfaces. This means that if you add a NetFlow monitor to two bridge domains, the NetFlow monitor uses two rules for IPv4, or eight rules for IPv6.
  • ARP/ND packets are handled as IP packets: their target protocol addresses are put in the IP fields, with the special protocol numbers 249 to 255 used as the protocol range. Some NetFlow collectors might not translate this handling.
  • NetFlow on spine switches with X9732C-EX or X9732C-S line cards is not supported. Tenant-level information cannot be discovered locally from the packet on the spine.
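Two of these limits land on the collector side: every exported record is a one-minute delta rather than a cumulative count, and ARP/ND flows arrive with IP protocol numbers 249 to 255. The following is an added Python example (not code from this post, from Plixer or from Cisco) showing how a post-processing step can sum the per-interval deltas and label the ARP/ND protocol range instead of reporting it as an unknown IP protocol. The decoded record layout (a dict per flow) and the sample records are constructed assumptions; the post does not say which number in the 249 to 255 range maps to which ARP/ND message type, so the range is labelled as a whole.

```python
from collections import defaultdict

# Per the post: ACI leaf hardware carries ARP/ND as IP packets with protocol
# numbers 249-255. The range is labelled as a whole (assumption: the post gives
# no per-number meaning), so these flows are not misreported as "unknown IP".
ACI_ARP_ND_PROTOCOLS = range(249, 256)

def label_protocol(proto):
    """Return a human-readable protocol label for one ACI NetFlow record."""
    if proto in ACI_ARP_ND_PROTOCOLS:
        return "ARP/ND (ACI special proto %d)" % proto
    return {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, "IP proto %d" % proto)

def aggregate_flows(records):
    """Sum per-interval records into one total per 5-tuple.

    The ACI software cache is flushed every export interval and the
    packet/byte counters restart from zero, so each exported record is a
    one-minute delta. A collector that keeps only the latest record (as it
    would for a cumulative long-lived flow) undercounts; summing the deltas
    gives the real flow total and the number of intervals it was seen in.
    """
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0, "intervals": 0})
    for r in records:
        key = (r["src"], r["dst"], r["sport"], r["dport"], r["proto"])
        t = totals[key]
        t["packets"] += r["packets"]
        t["bytes"] += r["bytes"]
        t["intervals"] += 1
        t["label"] = label_protocol(r["proto"])
    return dict(totals)

# Constructed sample: two one-minute exports of the same TCP flow, plus one
# ARP/ND record whose target address sits in the destination IP field.
SAMPLE_RECORDS = [
    {"src": "10.1.1.10", "dst": "10.1.2.20", "sport": 51000, "dport": 443, "proto": 6, "packets": 120, "bytes": 98000},
    {"src": "10.1.1.10", "dst": "10.1.2.20", "sport": 51000, "dport": 443, "proto": 6, "packets": 80, "bytes": 61000},
    {"src": "10.1.1.10", "dst": "10.1.1.1", "sport": 0, "dport": 0, "proto": 250, "packets": 3, "bytes": 180},
]

if __name__ == "__main__":
    for key, total in aggregate_flows(SAMPLE_RECORDS).items():
        print(key, total)
```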

How to configure Cisco APIC NetFlow tenant support

There are three Cisco APIC NetFlow configuration methods: you can set up NetFlow using the NX-OS style CLI, the GUI, or the REST API. In this blog post, we will focus on configuring NetFlow support for tenants using the GUI.

First, we will set up a NetFlow tenant monitor, then configure an exporter and a monitor.

To create a NetFlow monitor, select Tenants > All Tenants on the menu bar and then double-click the tenant’s name. Go to Tenant tenant_name > Application Profiles > application_profile_name. Right-click NetFlow Monitors and choose Create Flow Monitor. In the Create NetFlow Monitor dialog box, fill in the fields accordingly. You can associate a maximum of two flow exporters with the monitor policy.

To create a tenant NetFlow record, choose Tenants > All Tenants on the menu bar and double-click the tenant’s name in the Work pane. In the Navigation pane, select Tenant tenant_name > Analytics > NetFlow Records. Right-click NetFlow Monitors and choose Create Flow Record. In the Create NetFlow Record dialog box, fill in the fields as required. If you choose multiple parameters for Match and Collect statements, your choices must be one of the following combinations or a subset of one of the combinations:

  • Source IPv4, Destination IPv4, Source Port, Destination Port, IP Protocol, VLAN, IP TOS
  • Source IPv6, Destination IPv6, Source Port, Destination Port, IP Protocol, VLAN, IP TOS
  • Ethertype, Source MAC, Destination MAC, VLAN
  • Source IP, Destination IP, Source Port, Destination Port, IP Protocol, VLAN, IP TOS

Last but not least, choose Tenant tenant_name > Analytics > NetFlow Exporters to set up a tenant Exporter policy. Right-click NetFlow Exporters and choose Create External Collector Reachability. In the Create External Collector Reachability dialog box, fill in the fields. Version 9 is the only supported choice for the NetFlow Exporter Version Format buttons. You can leave the EPG Type checkboxes unchecked or check a single box, but you cannot pick multiple options.

What is the Next Step?

Want to get better visibility into the traffic flowing through the Cisco Application Centric Infrastructure fabric, but don't know where to start? Reach out to our support team if you want to learn more or need help with configurations.

Anna McElhany

Anna is a Quality Assurance Analyst at Plixer. She is dedicated to creating customer-facing documentation and identifying any potential problems that users might encounter. Anna holds a degree in Computer Technology, the AWS Certified SysOps Administrator - Associate, CCNA R&S, CCNA Security, and CompTIA Network+ and Security+ certifications, as well as NSTISSI Security INFOSEC Professional recognition. In her free time, Anna enjoys spending time with friends and family, flying drones, and hiking.