Recently I was visiting a customer on site when they mentioned they felt like they were not getting accurate information from their Cisco Catalyst 4510. Upon investigation, their flow record, monitor, and exporter all looked correct. Puzzled, my colleague and I took a look at Cisco’s website and found some interesting information regarding the configuration.
What Flow Data Can I Get From the Catalyst?
The Catalyst 4500 series switch supports ingress flow statistics collection for switched and routed traffic; however, it does not support flexible NetFlow on egress traffic. Flow collection is also supported on multiple targets; these targets can be on either the VSS active or the VSS standby. It is important to note that there is no difference in monitoring between the SUP-7E and SUP-8E, but the 7E, 8E, 7L-E, and Catalyst 4500X do not support the predefined records that traditional routers do, nor flow-based samplers. If you'd like to read about the other caveats for this configuration you can go to this link on Cisco's website.
After reading the caveats and requirements, this seems like a pretty standard flexible NetFlow configuration. So what's different? On VLAN interfaces, when you use the interface option together with the CoS, ToS, TTL, or packet length fields, the system reports inaccurate results for the input interface field. That's a pretty important piece of information, especially if you're monitoring VLANs!
So What Is the Best Configuration to Use?
After some experimentation and configuring a switch to not use the aforementioned fields, we came up with a flow record that gave us the best results.
FLOW RECORD

flow record FNF-input
 description IPv4 NetFlow
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match mac destination-address
 match mac source-address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
!
!
flow record FNF-output
 description IPv4 NetFlow
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface output
 collect interface input
 collect counter bytes long
 collect counter packets long
!
!
! Exporter names cannot contain spaces; both monitors below reference this name.
flow exporter FLOW_COLLECTOR
 description Export to COLLECTOR
 destination IP.OF.FLOW.COLLECTOR
 source Loopback0
 transport udp 2055
!
!
flow monitor MONITOR_NAME_input
 description IPv4 FNF ingress exports
 exporter FLOW_COLLECTOR
 cache timeout active 60
 record FNF-input
!
!
flow monitor MONITOR_NAME_output
 description IPv4 FNF egress exports
 exporter FLOW_COLLECTOR
 cache timeout active 60
 record FNF-output
!
!
! Monitor names are case-sensitive; the name here must match the flow monitor above.
interface GigabitEthernet3/2
 description to-fw-ssg350a-eth0
 no switchport
 bandwidth 40960
 ip flow monitor MONITOR_NAME_input layer2-switched input
There you have it! You can also look at this configuration from Cisco to see what best fits your environment.
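Because the caveat above is easy to miss in a long running config, here is a small audit script I added to this post (it is not from Cisco or from the original article) that parses an IOS-style flexible NetFlow configuration and flags the two things discussed here: a flow record that matches ToS, TTL, CoS or packet length together with "match interface input" while applied to a VLAN interface, and monitors whose exporter or record is not defined (the kind of dangling reference that makes a collector silently receive nothing). The keyword list for the risky fields, the section parser, and the sample configuration are all assumptions and constructed input; adjust the keywords to the exact field names of your IOS release.

```python
"""Audit a Catalyst 4500 Flexible NetFlow config for the VLAN-interface caveat."""
import re
from typing import Dict, List, Set, Tuple

# Substrings of FNF field names that, combined with "match interface input" on a
# VLAN (SVI) interface, make the reported input interface inaccurate on the 4500.
# Assumption: exact field spellings vary by release; tune this list for your platform.
RISKY_KEYWORDS = ("tos", "ttl", "cos", "length")

# Constructed sample config (not a real device's config). It deliberately applies the
# same ingress monitor to a routed port and to an SVI, and includes one stale monitor.
SAMPLE_CONFIG = """\
flow record FNF-input
 description IPv4 NetFlow
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match interface input
 collect counter bytes long
!
flow exporter FLOW_COLLECTOR
 destination 192.0.2.10
 transport udp 2055
!
flow monitor MONITOR_NAME_input
 exporter FLOW_COLLECTOR
 record FNF-input
!
flow monitor MONITOR_stale
 exporter Scrutinizer
 record FNF-input
!
interface GigabitEthernet3/2
 no switchport
 ip flow monitor MONITOR_NAME_input layer2-switched input
!
interface Vlan100
 ip flow monitor MONITOR_NAME_input input
"""


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS-style config into (header, child lines). Headers start in
    column 0; their children are indented. '!' lines are separators/comments."""
    sections: List[Tuple[str, List[str]]] = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] != " ":
            current = (raw.strip(), [])
            sections.append(current)
        elif current is not None:
            current[1].append(raw.strip())
    return sections


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means no issues were found."""
    records: Dict[str, List[str]] = {}
    exporters: Set[str] = set()
    monitors: Dict[str, Dict[str, str]] = {}
    interfaces: Dict[str, List[Tuple[str, str]]] = {}
    for header, body in parse_sections(config):
        words = header.split()
        if words[:2] == ["flow", "record"]:
            records[" ".join(words[2:])] = body
        elif words[:2] == ["flow", "exporter"]:
            exporters.add(" ".join(words[2:]))
        elif words[:2] == ["flow", "monitor"]:
            refs = {}
            for line in body:
                w = line.split()
                if w[0] in ("exporter", "record"):
                    refs[w[0]] = w[1]
            monitors[" ".join(words[2:])] = refs
        elif words[0] == "interface":
            applied = []
            for line in body:
                mo = re.match(r"ip flow monitor (\S+)(?: layer2-switched)? (input|output)$", line)
                if mo:
                    applied.append((mo.group(1), mo.group(2)))
            interfaces[words[1]] = applied

    findings: List[str] = []
    # Dangling references: the monitor would be accepted but never export anything useful.
    for mname, refs in monitors.items():
        if refs.get("exporter") not in exporters:
            findings.append(f"monitor {mname}: exporter {refs.get('exporter')} is not defined")
        if refs.get("record") not in records:
            findings.append(f"monitor {mname}: record {refs.get('record')} is not defined")
    # The caveat itself: risky fields + input interface on a VLAN interface.
    for iname, applied in interfaces.items():
        for mname, direction in applied:
            if mname not in monitors:
                findings.append(f"interface {iname}: monitor {mname} is not defined")
                continue
            if direction == "output":
                findings.append(f"interface {iname}: egress monitor {mname} applied, but the 4500 does not support egress FNF")
            rec = records.get(monitors[mname].get("record", ""), [])
            risky = [l for l in rec if any(k in l.split() for k in RISKY_KEYWORDS)]
            uses_input = "match interface input" in rec
            if iname.lower().startswith("vlan") and risky and uses_input:
                findings.append(f"interface {iname}: monitor {mname} uses '{'; '.join(risky)}' with "
                                f"'match interface input'; input interface will be inaccurate on VLAN interfaces")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the stale exporter reference and the ToS-plus-input-interface combination on Vlan100, while the same monitor on the routed GigabitEthernet3/2 port passes. Feed it `show running-config | section flow|interface` output to check a real switch.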
Now that you have your device configured, give Scrutinizer a try and see how valuable your flow data really is.
Happy monitoring!