
Cisco Catalyst 6509: NetFlow Configuration

I have taken many calls regarding NetFlow traffic monitoring as it relates to the Cisco Catalyst 6500 switch.

This device even became the subject of a Mix Master Mitch video.

We have been talking a great deal lately about the introduction of Flexible NetFlow, and how it has allowed flow technology to move toward more advanced NetFlow analysis and reporting.

Good News!

The Supervisor Engine 2T introduces support for Flexible NetFlow to the Cisco Catalyst 6500 Series switch. Flexible NetFlow provides a NetFlow architecture that can track multiple NetFlow applications simultaneously. For example, a user can create simultaneous and separate Flow Monitors for security analysis and traffic analysis. Previous generations of Supervisors for the Cisco Catalyst 6500 Series Switch were unable to provide this level of flexibility.

You are no longer limited to the ingress-only monitoring that NetFlow version 5 and the ip route-cache flow configuration command offered. If you are running Supervisor Engine 2T on your Catalyst 6500, you can take advantage of the advanced reporting options that Flexible NetFlow makes available. You can now monitor all traffic, both ingress and egress, assign different flow monitoring parameters to different interfaces, and take advantage of Cisco's latest flow export technologies such as Cisco TrustSec (CTS) support.

Support for Egress NetFlow gives IT organizations the ability to manage their NetFlow infrastructure more easily, and provides visibility into traffic after forwarding decisions have been made.

Consider the situation where a customer is marking the Differentiated Services Code Point (DSCP) before traffic leaves the system.

Figure: Egress NetFlow to Monitor QoS Marking

If this customer uses Ingress NetFlow to monitor their QoS operations, they will only see traffic with DSCP = 40 in their records. This occurs because the NetFlow information is gathered before the DSCP remarking has taken place. If the customer wants to monitor their QoS to verify that the remarking is working as intended, Egress NetFlow can now be used, since the collection of NetFlow information then occurs after the DSCP has been changed to 45.
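As an added example (not configuration from the original post or from Cisco's documentation), the following Flexible NetFlow configuration shows the two-monitor approach described above: one flow monitor applied on input and a second on output of the same interface, both keyed on the IPv4 ToS byte so the collector can compare the DSCP seen before and after remarking. The record, exporter, monitor and interface names, the collector address 192.0.2.10 and the UDP port are assumptions; check the match and collect fields against the Supervisor 2T command reference for your software release.

```cisco
! Flow record: 5-tuple plus the ToS byte. DSCP occupies the upper six bits
! of ToS, so DSCP 40 appears as ToS 0xA0 (160) and DSCP 45 as ToS 0xB4 (180).
flow record QOS-CHECK
 description 5-tuple plus ToS byte (carries the DSCP value)
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match ipv4 tos
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! Exporter: NetFlow v9 to the analysis tool (collector address is assumed).
flow exporter TO-COLLECTOR
 destination 192.0.2.10
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
!
! Ingress monitor: flows are cached before the QoS policy remarks DSCP,
! so records for the example traffic show DSCP 40.
flow monitor FM-INGRESS
 description flows captured before DSCP remarking
 record QOS-CHECK
 exporter TO-COLLECTOR
 cache timeout active 60
 cache timeout inactive 15
!
! Egress monitor: flows are cached after forwarding and remarking,
! so records for the same traffic show DSCP 45.
flow monitor FM-EGRESS
 description flows captured after DSCP remarking
 record QOS-CHECK
 exporter TO-COLLECTOR
 cache timeout active 60
 cache timeout inactive 15
!
! Separate monitors on the input and output of one interface.
interface GigabitEthernet1/1
 ip flow monitor FM-INGRESS input
 ip flow monitor FM-EGRESS output
```

Use show flow monitor FM-EGRESS cache on the switch to confirm that the egress records carry the remarked ToS value before relying on the collector's reports.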

You are going to need an advanced NetFlow analysis tool to take advantage of the latest in flow monitoring technology.

Reach out to us if you need any help getting your switches configured to start advanced network traffic monitoring – call 207-324-8805 x4.