
Cisco UCS NetFlow Support

Cisco UCS NetFlow support was recently added with the release of version 2.2(2c).  NetFlow exports can be configured either in the GUI or the CLI.  The configuration differs somewhat from a typical Flexible NetFlow configuration.  In this blog we will take a look at the CLI configuration method and some of the different aspects of this new NetFlow export!


Figure 1: Cisco UCS NetFlow Support [Source]

Cisco UCS NetFlow CLI Configuration:

The fundamentals of a typical IOS Flexible NetFlow configuration are present in this new export: you configure a record, an exporter, and a monitor, then apply that monitor to the interface on which you want to see metrics.  The commands, though, are quite different.

First off, we need to build the Flow Record; in this case I built two, one for IPv4 and one for layer two traffic:

scope eth-flow-mon
enter flow-record flow-record-ipv4
set keytype ipv4keys
set ipv4keys ipv4-src-address ipv4-dest-address src-port dest-port ip-protocol ip-tos
set nonkeys counter-bytes-long counter-packets-long sys-uptime-first sys-uptime-last
commit-buffer
scope eth-flow-mon
enter flow-record flow-record-l2
set keytype l2keys
set l2keys src-mac-address dest-mac-address ethertype
set nonkeys counter-bytes-long counter-packets-long sys-uptime-first sys-uptime-last
commit-buffer

Next, we need to configure a NetFlow Exporter Profile.  This differs from FNF and is specific to the Cisco UCS.  This profile contains the networking properties used to export NetFlow packets and is a global configuration.

scope eth-flow-mon
scope flow-profile flow-exporter-profile
enter vlan xxx
enter fabric a
set addr xx.xx.xx.xx subnet 255.255.255.0
up
enter fabric b
set addr xx.xx.xx.xx subnet 255.255.255.0
commit-buffer

Now we need to specify the NetFlow Collector.  Each flow collector contains an IP address, port, external gateway IP, and VLAN that defines where the flows are sent.

scope eth-flow-mon
enter flow-collector flow-collector
set dest-port 2055
set vlan vlanxxx
enter ip-if
set addr xx.xx.xx.xx
set exporter-gw xx.xx.xx.xx
commit-buffer

After that we return to configuration that more closely resembles a Flexible NetFlow configuration, and configure the Flow Exporter, which includes the template timeouts.  Please note that this is not the active timeout!  We will get to that later in the configuration.

scope eth-flow-mon
enter flow-exporter flow-exporter
set dscp x
set flow-collector flow-collector
set exporter-stats-timeout 300
set interface-table-timeout 300
set template-data-timeout 300
commit-buffer

Next, we need to configure one or more Flow Monitors.  A flow monitor consists of a flow record, one or two flow exporters, and a timeout policy.  Note: each flow monitor operates in either the ingress or egress direction, because interface information is not matched or collected.

scope eth-flow-mon
enter flow-monitor flow-monitor-ipv4
set flow-record flow-record-ipv4
create flow-exporter flow-exporter
commit-buffer

scope eth-flow-mon
enter flow-monitor flow-monitor-l2
set flow-record flow-record-l2
create flow-exporter flow-exporter
commit-buffer

With two flow records and two monitors in place, we can create a Flow Monitor Session:

scope eth-flow-mon
scope flow-mon-session flow-monitor-session
create flow-monitor flow-monitor-ipv4
create flow-monitor flow-monitor-l2
commit-buffer

Configuring NetFlow Cache Active and Inactive Timeout:

scope eth-flow-mon
scope flow-timeout default
set cache-timeout-active 60
set cache-timeout-inactive 15
commit-buffer

Associating a Flow Monitor Session to a vNIC:

scope org /
scope service-profile flow-service-profile
scope vnic ethx
enter flow-mon-src flow-monitor-session
commit-buffer

Cisco UCS NetFlow Reporting:

Once you have all the configuration out of the way, you should see NetFlow in your collector.  The figure below is a typical export from a Cisco UCS NetFlow export:

Figure 2: Cisco UCS NetFlow Reporting
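To show what the record defined above looks like when it reaches the collector, here is an added example that is not part of the original post or of Cisco's software: a minimal NetFlow v9 decoder in Python, fed a constructed datagram carrying a template and one data record with the same keys and non-keys as flow-record-ipv4. It assumes the UCS export is NetFlow v9 using the RFC 3954 field ids, and that the mapping from those ids to the UCS field names is as given in FIELD_NAMES.

```python
import struct
from ipaddress import IPv4Address
# RFC 3954 field ids for the keys and non-keys of flow-record-ipv4 above (assumed mapping).
FIELD_NAMES = {8: "ipv4-src-address", 12: "ipv4-dest-address", 7: "src-port", 11: "dest-port",
               4: "ip-protocol", 5: "ip-tos", 1: "counter-bytes-long", 2: "counter-packets-long",
               22: "sys-uptime-first", 21: "sys-uptime-last"}

def parse_v9(packet, templates=None):
    """Decode one NetFlow v9 datagram into records; reuse `templates` across calls, since a v9 template may arrive in an earlier datagram than its data."""
    templates = {} if templates is None else templates
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 export (version={version})")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:  # a zero/short length would otherwise loop forever on a malformed packet
            raise ValueError("malformed flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset, possibly carrying several templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                fields = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(nfields)]
                templates[(source_id, tid)] = fields
                p += 4 + 4 * nfields
        elif fs_id >= 256 and (source_id, fs_id) in templates:  # data flowset with a known template
            fields = templates[(source_id, fs_id)]
            rec_len, p = sum(l for _, l in fields), 0
            while p + rec_len <= len(body):  # any trailing bytes are padding
                rec, q = {}, p
                for ftype, flen in fields:
                    raw = body[q:q + flen]
                    rec[FIELD_NAMES.get(ftype, f"field-{ftype}")] = (
                        str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big"))
                    q += flen
                records.append(rec)
                p += rec_len
        off += fs_len
    return records

def sample_packet():
    # Constructed datagram: template 256 laid out like flow-record-ipv4, followed by one data record.
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (5, 1), (1, 8), (2, 8), (22, 4), (21, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    data = (IPv4Address("10.1.1.10").packed + IPv4Address("10.1.2.20").packed
            + struct.pack("!HHBBQQII", 51000, 443, 6, 0, 12345, 42, 1000, 1900))
    header = struct.pack("!HHIIII", 9, 2, 2000, 1700000000, 1, 7)
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(data)) + data)
```

A data flowset that arrives before its template is skipped rather than guessed at, which is why a real collector keeps the template cache per exporter source id across datagrams.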

A couple of notes on this export.  There are no Deep Packet Inspection capabilities, so don't expect NBAR or AVC support like there is with FNF.  Also, VLANs must be defined as an exporter interface before they can be used with a flow collector.  There are some specific limitations based on UCS Fabric and VIC adapters as well:

NetFlow monitoring is not supported on:
Cisco UCS 6100 Series Fabric Interconnect

NetFlow monitoring is only supported on:
Cisco UCS VIC 1240
Cisco UCS VIC 1280
Cisco UCS VIC 1225
First generation or non-Cisco VIC adapters are not supported.

More on Cisco UCS NetFlow

Exporting NetFlow on your Cisco UCS gives you another vantage point into traffic on the network.  Do you have questions on exporting Cisco UCS NetFlow?

Contact our team to learn more on Cisco UCS and about how exporting NetFlow from every point capable on the network can help security monitoring and the mitigation of threats.