The Cisco Catalyst 2960-CX/3560-CX Series Switches are the next generation of the world’s most widely deployed access switches, providing Layer 2 and Layer 3 access features. Designed for operational simplicity to lower TCO, this platform also offers superior security capabilities. The Cisco Catalyst Compact Switches also easily extend your Catalyst switching infrastructure outside the wiring closet to enable new workspaces, extend wireless LANs, and connect PoE devices. These fanless, small form-factor switches are ideal for space-constrained deployments where multiple cable runs would be challenging. Today, I am going to explain how to configure NetFlow on the Catalyst 2960-CX/3560-CX.

Enabling NetFlow Lite on the Catalyst 2960-CX/3560-CX

Step 1: Create a flow record

flow record flow-mon 
match datalink ethertype 
match datalink mac source address input 
match datalink mac destination address input 
match ipv4 tos 
match ipv4 protocol 
match ipv4 source address 
match ipv4 destination address 
match transport source-port 
match transport destination-port 
collect transport tcp flags 
collect interface input 
collect interface output 
collect flow sampler 
collect counter bytes long 
collect counter packets long 
collect timestamp sys-uptime first 
collect timestamp sys-uptime last 
! 
!

Step 2: Create a flow exporter

flow exporter export-to-inside
description flexible NF
destination 10.1.4.66
source Vlan1
transport udp 2002
template data timeout 60
option interface-table
option exporter-stats
option sampler-table timeout 60
option application-table
!
!

Step 3: Create a flow monitor

flow monitor myflowmon
exporter export-to-inside
cache timeout active 60
statistics packet protocol
record flow-mon
!
!

Step 4: Apply the flow monitor to each interface

! we are using random sampling because, of the two sampler modes (random and deterministic), it is the more statistically accurate.
sampler my-random-sampler
  mode random 1 out-of 100

interface GigabitEthernet0/1
  ip flow monitor myflowmon sampler my-random-sampler input
interface GigabitEthernet0/7
  ip flow monitor myflowmon sampler my-random-sampler input
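The exporter in Step 2 sends NetFlow v9 to the collector, and because Step 4 samples 1 out of 100 packets, the collector has to scale the byte and packet counters by the sampler rate before the numbers mean anything. The following is an added example, not code from the original post or from Plixer: a minimal v9 template-driven parser run over a constructed export packet whose template carries the same fields as the flow-mon record above. The sampler id to rate mapping is an assumption standing in for what a real collector learns from the exported sampler-table option.

```python
import struct

# NetFlow v9 field type ids (RFC 3954) for the fields in the flow record on this page.
FIELD_NAMES = {1: "bytes", 2: "packets", 4: "protocol", 6: "tcp_flags", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr", 48: "sampler_id"}
# Assumption: sampler id 1 is the page's "mode random 1 out-of 100"; a real collector
# learns this mapping from the sampler-table option template the exporter sends.
SAMPLER_RATES = {1: 100}

def decode_field(ftype, raw):
    return ".".join(str(b) for b in raw) if ftype in (8, 12) else int.from_bytes(raw, "big")

def parse_v9(packet, templates=None):
    """Parse one v9 export; returns (header, flows) with counts scaled by the sampler rate."""
    templates = {} if templates is None else templates   # templates persist across packets
    version, count, _uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9: raise ValueError(f"not NetFlow v9 (version {version})")
    header = {"count": count, "unix_secs": unix_secs, "seq": seq, "source_id": source_id}
    flows, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4: raise ValueError("malformed flowset length")
        body, p = packet[off + 4:off + fs_len], 0
        if fs_id == 0:                                    # template flowset
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                templates[tid] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(n)]
                p += 4 + 4 * n
        elif fs_id in templates:                          # data flowset (id >= 256); unknown template -> skip
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            while p + rec_len <= len(body):               # any trailing bytes are padding
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, ftype)] = decode_field(ftype, body[p:p + flen])
                    p += flen
                rate = SAMPLER_RATES.get(rec.get("sampler_id"), 1)
                rec["bytes_estimated"] = rec["bytes"] * rate
                rec["packets_estimated"] = rec["packets"] * rate
                flows.append(rec)
        off += fs_len
    return header, flows

def build_sample_packet():
    """Constructed export: template 256 matching the page's record, plus one sampled TCP flow."""
    fields = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (6, 1), (48, 1), (1, 8), (2, 8)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    rec = bytes([10, 1, 4, 20, 10, 1, 4, 66]) + struct.pack("!BHHBBQQ", 6, 51234, 443, 0x18, 1, 1500, 3)
    header = struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 42, 1)
    return header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(rec)) + rec
```

Feeding real exports captured on udp/2002 into parse_v9 with a shared templates dict reproduces what a collector does; a data flowset that arrives before its template is silently dropped until the next template refresh (template data timeout 60 above).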

Enabling NetFlow on the Catalyst 2960-CX/3560-CX for Performance Monitoring

Step 1: Create a flow record for performance monitoring

flow record type performance-monitor TCP
match ipv4 protocol 
match ipv4 source address 
match ipv4 source prefix 
match ipv4 destination address 
match ipv4 destination prefix 
match transport source-port 
match transport destination-port 
match interface input 
match interface output 
match flow direction 
collect routing forwarding-status 
collect ipv4 dscp 
collect ipv4 ttl 
collect ipv4 source mask 
collect ipv4 destination mask 
collect transport round-trip-time 
collect transport event packet-loss counter 
collect transport tcp flags 
collect counter bytes 
collect counter packets 
collect timestamp sys-uptime first 
collect timestamp sys-uptime last 
collect timestamp interval 
collect application media bytes counter 
collect application media packets rate 
collect application media event
collect policy performance-monitor classification hierarchy
!
!
flow record type performance-monitor RTP
match ipv4 protocol
match ipv4 source address
match ipv4 source prefix
match ipv4 destination address
match ipv4 destination prefix
match transport source-port
match transport destination-port
match transport rtp ssrc
match interface input
match interface output
match flow direction
collect routing forwarding-status
collect ipv4 dscp
collect ipv4 ttl
collect ipv4 source mask
collect ipv4 destination mask
collect transport packets expected counter
collect transport packets lost counter
collect transport packets lost rate
collect transport event packet-loss counter
collect transport rtp jitter mean
collect transport rtp jitter minimum
collect transport rtp jitter maximum
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect timestamp interval
collect application media bytes counter
collect application media bytes rate
collect application media packets counter
collect application media packets rate
collect application media event
!
!

Step 2: Create a flow exporter

flow exporter export-to-inside
description flexible NF
destination 10.1.4.66
source Vlan1
transport udp 2002
template data timeout 60
option interface-table
option exporter-stats
option sampler-table timeout 60
option application-table
!
!

Step 3: Create the performance-monitoring flow monitors

flow monitor type performance-monitor TCP
description TCP stats
record TCP
exporter export-to-inside
cache entries 10000
cache timeout synchronized 60
!
!
flow monitor type performance-monitor RTP
description RTP stats
record RTP
exporter export-to-inside
cache entries 10000
cache timeout synchronized 60
!
!
flow monitor myflowmon
exporter export-to-inside
cache timeout active 60
statistics packet protocol
record flow-mon
!
!

Step 4: Create a policy map that defines which monitor is applied to each type of traffic (the class maps it references, realtime and tcpclass, must already be defined)

policy-map type performance-monitor RTPMON
 description RTP stats
 class realtime
  flow monitor RTP
  monitor metric rtp
   min-sequential 10
   max-dropout 10
   max-reorder 10
   ssrc maximum 10
  monitor metric ip-cbr
   rate layer3 packet 500
 class tcpclass
  flow monitor TCP

Step 5: Add Service Policy to interfaces where performance monitors are desired

interface GigabitEthernet0/1 
 service-policy type performance-monitor input RTPMON 

interface GigabitEthernet0/7 
 service-policy type performance-monitor input RTPMON


If you have any questions getting NetFlow running, reach out to our support team.

Justin

Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks.
