Recently I was visiting a customer on site when they mentioned they felt like they were not getting accurate information from their Cisco Catalyst 4510. Upon investigation, their flow record, monitor, and exporter all looked correct. Puzzled, my colleague and I took a look at Cisco’s website and found some interesting information regarding the configuration.

What Flow Data Can I Get From the Catalyst?

The Catalyst 4500 series switch supports ingress flow statistics collection for switched and routed traffic; however, it does not support Flexible NetFlow on egress traffic. Flow collection is also supported on multiple targets; these targets can be on either the VSS active or the VSS standby. It is important to note that there is no difference in monitoring between the SUP-7E and SUP-8E, but the 7E, 8E, 7L-E, and Catalyst 4500X do not support the predefined records that traditional routers offer, nor flow-based samplers. If you’d like to read about the other caveats for this configuration, you can go to this link on Cisco’s website.

After reading the caveats and requirements, this seems like a pretty standard Flexible NetFlow configuration. So what’s different? On VLAN interfaces, when you use the interface option together with the CoS, ToS, TTL, or packet length options, the system will display inaccurate results for the input field. That’s a pretty important piece of information, especially if you’re monitoring VLANs!

So What Is the Best Configuration to Use?

After some experimentation and configuring a switch to not use the aforementioned fields, we came up with a flow record that gave us the best results.

FLOW RECORD
flow record FNF-input
 description IPv4 NetFlow
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match mac destination-address
 match mac source-address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
!
!
flow record FNF-output
 description IPv4 NetFlow
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface output
 collect interface input
 collect counter bytes long
 collect counter packets long
!
!
! Exporter names cannot contain spaces, and the flow monitors below must
! reference this exact name (IOS object names are case-sensitive).
flow exporter FLOW_COLLECTOR
 description Export to COLLECTOR
 destination IP.OF.FLOW.COLLECTOR
 source Loopback0
 transport udp 2055
!
!
flow monitor MONITOR_NAME_input
 description IPv4 FNF ingress exports
 exporter FLOW_COLLECTOR
 cache timeout active 60
 record FNF-input
!
!
flow monitor MONITOR_NAME_output
 description IPv4 FNF egress exports
 exporter FLOW_COLLECTOR
 cache timeout active 60
 record FNF-output
!
!
! Apply the ingress monitor; the name must match the monitor defined above.
interface GigabitEthernet3/2
 description to-fw-ssg350a-eth0
 no switchport
 bandwidth 40960
 ip flow monitor MONITOR_NAME_input layer2-switched input

There you have it! You can also look at this configuration from Cisco to see what best fits your environment.
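The two things that most often make a Catalyst 4500 "lie" in its flow data are exactly the ones above: a monitor, exporter or record referenced under a name that was never defined (IOS names are case-sensitive, so MONITOR_NAME_INPUT is not MONITOR_NAME_input), and a record that matches CoS/ToS/TTL/packet length being applied with input on a VLAN interface. The following linter is an added example, not code from Plixer or Cisco. It parses a running-config excerpt into records, exporters, monitors and interfaces and reports both classes of problem. The sample configuration is constructed for the example (it deliberately contains the name mismatches and an extra SVI), the collector address is a documentation IP, and the way it recognises the unreliable fields, by looking for the keywords cos, tos, ttl and length as tokens of a match line, is an assumption about the record syntax rather than a Cisco-defined list.

```python
"""Lint a Cisco IOS Flexible NetFlow (FNF) configuration excerpt.

Added example, not Plixer's or Cisco's code. Reports dangling references
(exporter, record, monitor), object names containing spaces, and records
matching CoS/ToS/TTL/packet-length fields applied as 'input' on a VLAN
interface, the combination for which the Catalyst 4500 returns an
inaccurate input field.
"""
import re

# Keywords assumed to identify the fields that are unreliable for 'input' on a
# Catalyst 4500 VLAN interface (matched token-by-token on each match/collect line).
UNRELIABLE_ON_VLAN_INPUT = {"cos", "tos", "ttl", "length"}

KIND_KEY = {"record": "records", "exporter": "exporters", "monitor": "monitors"}


def parse_fnf(config_text):
    """Parse FNF stanzas into a dict of records, exporters, monitors and interfaces."""
    cfg = {"records": {}, "exporters": {}, "monitors": {}, "interfaces": {}}
    section = None  # (key, name) of the stanza currently being read
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or IOS comment
        m = re.match(r"flow (record|exporter|monitor) (.+)$", line)
        if m:
            key, name = KIND_KEY[m.group(1)], m.group(2)
            cfg[key][name] = {"fields": [], "exporters": [], "record": None}
            section = (key, name)
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            cfg["interfaces"][m.group(1)] = {"monitors": []}
            section = ("interfaces", m.group(1))
            continue
        if section is None:
            continue
        key, name = section
        entry = cfg[key][name]
        if key == "records" and line.split()[0] in ("match", "collect"):
            entry["fields"].append(line.split(None, 1)[1])  # e.g. "ipv4 tos"
        elif key == "monitors" and line.startswith("exporter "):
            entry["exporters"].append(line.split(None, 1)[1])
        elif key == "monitors" and line.startswith("record "):
            entry["record"] = line.split(None, 1)[1]
        elif key == "interfaces":
            m = re.match(r"ip flow monitor (\S+)(?: layer2-switched)? (input|output)$", line)
            if m:
                entry["monitors"].append((m.group(1), m.group(2)))
    return cfg


def lint_fnf(cfg):
    """Return a list of human-readable problems found in a parsed config."""
    problems = []
    for key in ("records", "exporters", "monitors"):
        for name in cfg[key]:
            if any(ch.isspace() for ch in name):
                problems.append(f"{key[:-1]} '{name}': names may not contain spaces")
    for mname, mon in cfg["monitors"].items():
        for ex in mon["exporters"]:
            if ex not in cfg["exporters"]:
                problems.append(f"monitor {mname}: exporter '{ex}' is not defined")
        if mon["record"] is None:
            problems.append(f"monitor {mname}: no record configured")
        elif mon["record"] not in cfg["records"]:
            problems.append(f"monitor {mname}: record '{mon['record']}' is not defined")
    for iname, iface in cfg["interfaces"].items():
        for mname, direction in iface["monitors"]:
            mon = cfg["monitors"].get(mname)
            if mon is None:
                problems.append(f"interface {iname}: monitor '{mname}' is not defined "
                                "(monitor names are case-sensitive)")
                continue
            rec = cfg["records"].get(mon["record"])
            if rec is None or direction != "input" or not iname.lower().startswith("vlan"):
                continue
            # Catalyst 4500 caveat: these fields on a VLAN interface give a bad input field.
            bad = sorted({tok for f in rec["fields"] for tok in f.split()
                          if tok in UNRELIABLE_ON_VLAN_INPUT})
            if bad:
                problems.append(f"interface {iname}: record {mon['record']} matches {bad} "
                                "with 'input' on a VLAN interface; input field will be inaccurate")
    return problems


# Constructed sample: one record, a mismatched exporter name, a monitor applied
# under the wrong case, and an SVI that triggers the VLAN caveat.
SAMPLE_CONFIG = """
flow record FNF-input
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
!
flow exporter FLOW_COLLECTOR
 destination 192.0.2.10
 source Loopback0
 transport udp 2055
!
flow monitor MONITOR_NAME_input
 exporter Scrutinizer
 cache timeout active 60
 record FNF-input
!
interface GigabitEthernet3/2
 no switchport
 ip flow monitor MONITOR_NAME_INPUT layer2-switched input
!
interface Vlan10
 ip flow monitor MONITOR_NAME_input input
"""


def lint_sample():
    """Lint the constructed sample; returns three problems."""
    return lint_fnf(parse_fnf(SAMPLE_CONFIG))


if __name__ == "__main__":
    for problem in lint_sample():
        print("-", problem)
```

Run it against the output of show running-config | section flow (plus the interface stanzas) before blaming the collector: a monitor that references a non-existent exporter silently exports nothing, and the VLAN check tells you which record to trim before you start questioning the numbers.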

Now that you have your device configured, give Scrutinizer a try and see how valuable your flow data really is.

Happy monitoring!

Joanna Buckley

Joanna is a technical support specialist here at Plixer. During the work day, Joanna works with customers from all over the world to resolve their tech issues to assure that they are working with the latest and greatest that Plixer has to offer. Joanna may have a Bachelor of Fine Arts in History from the University of Southern Maine but that hasn't slowed her passion for tech and working with it hands on. Outside of work she enjoys video games, living history, gardening, crafting and working with her second home The Brick Store Museum here in Kennebunk.
