Cisco Catalyst 3850 NetFlow configuration

We have recently received numerous requests for assistance with the Cisco Catalyst 3850 NetFlow configuration, and in researching this particular configuration we uncovered a licensing requirement. One of the customers that we worked with had the LAN base license level. NetFlow exports are not supported at that licensing level; the Cisco 3850 NetFlow requirements include an IP base license level.

Once that requirement is met, we can then move on to configuring Flexible NetFlow.

As with any Flexible NetFlow configuration, there are 4 main steps:

  1. Define the Flow Record – defines which fields are exported
  2. Define the Flow Exporter – defines where flows are exported to
  3. Define the Flow Monitor – joins the Flow Record(s) and Flow Exporter(s) together
  4. Apply the Flow Monitor to the interface(s)

Here is a sample 3850 NetFlow configuration. Note that there are 2 flow record definitions and 2 flow monitor definitions. That is because only one flow monitor per interface and per direction is supported (another Flexible NetFlow restriction for the Catalyst 3850). So there is one record definition for ingress flows and another one for egress, and also two flow monitors, one each for ingress and egress flows.

***********************************************************************************

flow record FNF-input
 description IPv4 NetFlow
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match interface input
 match ipv4 tos
 match flow direction
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last

flow record FNF-output
 description IPv4 NetFlow
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match interface output
 match ipv4 tos
 match flow direction
 collect interface input
 collect counter bytes long
 collect counter packets long
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last

flow exporter Scrutinizer
 description Export to Scrutinizer
 destination 10.1.1.10
 source gigabitEthernet1/0/1
 transport udp 2055

flow monitor Scrut_mon_input
 description IPv4 FNF ingress exports
 exporter Scrutinizer
 record FNF-input
 cache timeout active 60

flow monitor Scrut_mon_output
 description IPv4 FNF egress exports
 exporter Scrutinizer
 record FNF-output
 cache timeout active 60

Finally, apply the flow monitor(s) to the interface(s). This last step is repeated for all interfaces that are to be monitored.

interface GigabitEthernet1/0/1
 ip flow monitor Scrut_mon_input input
 ip flow monitor Scrut_mon_output output

To verify that the correct information was entered for each of the Flexible NetFlow configuration steps, the following commands can be run on the Catalyst 3850.

show flow record [record-name]
example: show flow record FNF-input

show flow exporter [exporter-name]
example: show flow exporter Scrutinizer

show flow monitor [monitor-name]
example: show flow monitor Scrut_mon_input

show flow interface [interface-type number]
example: show flow interface GigabitEthernet1/0/1

***********************************************************************************
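
The four steps only work if the names line up: each monitor must name a defined record and exporter, each interface must name a defined monitor, and the 3850 accepts only one monitor per interface and direction. The following offline check is an added example, not part of the original post or of any Cisco or Scrutinizer tooling; the function name lint_fnf and the sample text are constructed for illustration.

```python
import re

# Constructed sample with two deliberate mistakes (misspelled monitor, duplicate input).
SAMPLE = """\
flow record FNF-input
flow record FNF-output
flow exporter Scrutinizer
flow monitor Scrut_mon_input
 exporter Scrutinizer
 record FNF-input
flow monitor Scrut_mon_output
 exporter Scrutinizer
 record FNF-output
interface GigabitEthernet1/0/1
 ip flow monitor Scrut_mon_input input
 ip flow monitor Scrut_mon_outptu output
interface GigabitEthernet1/0/2
 ip flow monitor Scrut_mon_input input
 ip flow monitor Scrut_mon_output input
"""

def lint_fnf(config):
    """Return a sorted list of problems found in Flexible NetFlow config text."""
    defined = {"record": set(), "exporter": set(), "monitor": set()}
    refs, applied, problems, section = [], set(), [], (None, None)
    for line in (raw.strip() for raw in config.splitlines()):
        head = re.match(r"(?:flow (record|exporter|monitor)|(interface)) (\S+)$", line)
        if head:  # start of a new stanza; remember what we are inside
            section = (head.group(1) or head.group(2), head.group(3))
            if head.group(1):
                defined[head.group(1)].add(head.group(3))
            continue
        kind, name = section
        use = re.match(r"(record|exporter) (\S+)$", line)
        bind = re.match(r"ip flow monitor (\S+) (input|output)$", line)
        if kind == "monitor" and use:  # step 3: monitor joins record and exporter
            refs.append((f"monitor {name}", use.group(1), use.group(2)))
        elif kind == "interface" and bind:  # step 4: monitor applied to interface
            if (name, bind.group(2)) in applied:
                problems.append(f"{name}: more than one {bind.group(2)} flow monitor")
            applied.add((name, bind.group(2)))
            refs.append((name, "monitor", bind.group(1)))
    for where, kind, target in refs:  # resolve names after parsing, so order is free
        if target not in defined[kind]:
            problems.append(f"{where}: {kind} {target} is not defined")
    return sorted(problems)

if __name__ == "__main__":
    print("\n".join(lint_fnf(SAMPLE)) or "no problems found")
```

Run against a saved copy of the switch configuration, an empty result means every monitor and interface reference resolves; it does not replace the show commands above, which confirm what the switch actually accepted.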

Now that you have Flexible NetFlow configured, what benefits are available to you with Cisco 3850 NetFlow support?

Well, by combining the Flexible NetFlow exporting capabilities of the 3850 with a powerful advanced flow reporting and analyzing solution, reporting such as that displayed in the example below is just one of the possibilities.

[Figure: Catalyst 3850 Flexible NetFlow reporting]

This particular flow report gives a translation table of MAC addresses and IP addresses for host-to-host conversations. Other standard flow reports such as Conversations, Top Source/Destination Hosts, Top Countries, etc., are also available. Any advanced flow analysis, which provides additional network security, can also be applied to the flow data received from the 3850 NetFlow exports.

The Cisco Catalyst 3850 Flexible NetFlow exports open the door to some amazing flow reporting. If you need any additional help with getting this set up, please let us know.