
Cisco 6500 Flexible NetFlow Record Configuration

Last week, on a call with a customer, I had the pleasure of learning more about the Cisco 6500 Flexible NetFlow record configuration. Today I will share that information with you.

Flexible NetFlow was already configured on the Cisco 6500, but the predefined platform-original Flexible NetFlow record was not providing all of the information that they required, which led us to create a custom record.

How do you create a custom Flexible NetFlow record?

The first step is to determine what you want for reporting from Flexible NetFlow.  A good NetFlow reporting solution will be able to provide reporting tailored to the flow elements exported.  So you determine what you want to report on, and build your Flexible NetFlow record with the elements required for that reporting.

In our case, our customer wanted QoS reporting and also subnet reporting.  The elements required for this reporting were not available in the platform-original record, so by following the guidelines in the Flexible NetFlow Key and Non-Key Fields section of the Cisco 6500 Sup2T NetFlow documentation, we found the supported elements for this device.

From the list of key and non-key fields, we came up with the following custom flow record.

flow record NetFlow

match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match ipv4 protocol
match interface input
match interface output
match ipv4 tos
match flow direction

collect counter bytes
collect counter packets
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect transport tcp flags
collect ipv4 source prefix
collect ipv4 destination prefix
collect timestamp sys-uptime first
collect timestamp sys-uptime last

The key fields are defined in the ‘match’ statements and determine how each flow is aggregated in the flow cache table. All packets with the same ‘matching’ attributes are grouped into a single flow; the ‘collect’ statements then define what additional information is added to those flow records.

In this example, our key fields include source and destination addresses, source and destination transport ports, protocol, input and output interfaces, type of service, and flow direction. Then we added counters for both bytes and packets so that we can track network bandwidth utilization. In addition to Type of Service, which was one of the critical elements for this customer, our collect statements also include the source and destination prefixes, which allow for subnet reporting. We also added a few more elements for good measure: they were available, and even if they weren’t on the customer’s critical list, they were definitely ‘nice to haves’. For that list, we added Autonomous System elements and Next Hop addresses.
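To make the match/collect split concrete, here is a small Python model of a flow cache built on this record's key and non-key fields. It is an added example, not code from the original post or from Cisco. The packets are constructed, the prefix is assumed to be a fixed /24 (a router takes it from the routing table), packets are assumed to arrive in time order, and the AS and next-hop fields are left out because they also come from routing state.

```python
import ipaddress
from collections import Counter, namedtuple

# Key fields, one per 'match' statement in the record above.
FlowKey = namedtuple("FlowKey", "src dst sport dport proto in_if out_if tos direction")

def prefix(addr, length=24):
    # Assumption: a fixed /24 mask; a router takes the prefix from its routing table.
    return str(ipaddress.ip_network(f"{addr}/{length}", strict=False))

def build_flow_cache(packets):
    """Group packets by key fields and update the non-key ('collect') fields."""
    cache = {}
    for p in packets:
        key = FlowKey(*(p[f] for f in FlowKey._fields))
        flow = cache.setdefault(key, {
            "bytes": 0, "packets": 0, "tcp_flags": 0,
            "src_prefix": prefix(p["src"]), "dst_prefix": prefix(p["dst"]),
            "first": p["uptime_ms"], "last": p["uptime_ms"],
        })
        flow["bytes"] += p["length"]
        flow["packets"] += 1
        flow["tcp_flags"] |= p["flags"]   # cumulative OR of the flags seen in the flow
        flow["last"] = p["uptime_ms"]     # assumes packets arrive in time order
    return cache

def tos_report(cache):
    """Bytes per (source prefix, destination prefix, DSCP); DSCP is the top 6 ToS bits."""
    report = Counter()
    for key, flow in cache.items():
        report[(flow["src_prefix"], flow["dst_prefix"], key.tos >> 2)] += flow["bytes"]
    return dict(report)

def sample_packets():
    # Constructed packets, not captured traffic.
    base = dict(src="10.1.1.10", dst="10.2.2.20", sport=40000, dport=443, proto=6,
                in_if="Gi1/1", out_if="Gi1/2", tos=0xB8, direction="input")
    return [
        dict(base, length=100, flags=0x02, uptime_ms=1000),   # SYN, ToS 0xB8 (DSCP 46)
        dict(base, length=1400, flags=0x18, uptime_ms=1500),  # same key: same flow
        dict(base, tos=0x00, length=500, flags=0x10, uptime_ms=1600),  # ToS differs: new flow
        dict(base, src="10.1.1.11", sport=40001, length=200, flags=0x10, uptime_ms=1700),
    ]

if __name__ == "__main__":
    cache = build_flow_cache(sample_packets())
    for key, flow in cache.items():
        print(key, flow)
    print(tos_report(cache))
```

The third packet shares the 5-tuple of the first two but lands in its own flow because ToS is a key field, which is what makes per-ToS reporting possible.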

The end result was that we provided our customer with QoS reporting between two of his key locations. The reporting example below shows a Grouped Flows (TOS) report, with source/destination IP address pairs and the Type of Service for each flow.

[Image: Flexible NetFlow reporting]

By using the full power of Flexible NetFlow, we were able to provide our customer with exactly what he was looking for.  For more information and complete steps for the Cisco 6500 Sup2T Flexible NetFlow configuration, please read Paul’s configuring Sup2T NetFlow blog.

If you are interested in what else you can do with Flexible NetFlow, I invite you to check out this article on Cisco Application Visibility and Control.