
Cisco Flexible Netflow configuration

Flexible Netflow (FNF) is a Cisco IOS technology that gives you more freedom to collect exactly the type of information you want in the Netflow records.

Some of the popular models that support FNF are the Catalyst range of switches such as the Catalyst 3850 series, Catalyst 4500 series, etc. This article tells you how to configure Flexible Netflow.

Ingress only mode

The recommended mode is to enable ingress only on all the interfaces.

The collector IP

Let us assume Trisul Network Analytics (R), the “Collector”, is on IP 10.10.100.100, port 2055.

You have to configure 3 items.

  1. Export – where to send the Netflow, i.e. the Collector
  2. Record – what data items to match and collect and put into the Netflow record
  3. Monitor – combination of Export and Record that will be applied on the interface

Then apply a Monitor on each interface. Note that if you want to use both Ingress and Egress netflow you need to create two separate records and two separate monitors. In this example we only need Ingress.

The following example is taken from the Cisco docs:

Switch(config)# flow exporter exportTrisul
Switch(config-flow-exporter)# destination 10.10.100.100
Switch(config-flow-exporter)# transport udp 2055
Switch(config-flow-exporter)# exit
 
Switch(config)# flow record basicRecord
Switch(config-flow-record)# match ipv4 source address
Switch(config-flow-record)# match ipv4 destination address
Switch(config-flow-record)# match ipv4 protocol
Switch(config-flow-record)# match transport source-port 
Switch(config-flow-record)# match transport destination-port 
Switch(config-flow-record)# collect counter byte long
Switch(config-flow-record)# collect counter packet long
Switch(config-flow-record)# collect timestamp absolute first
Switch(config-flow-record)# collect timestamp absolute last 
Switch(config-flow-record)# exit
 
Switch(config)# flow monitor ingressMonitor
Switch(config-flow-monitor)# record basicRecord
Switch(config-flow-monitor)# exporter exportTrisul
Switch(config-flow-monitor)# exit
 
Switch(config)# interface tenGigabitEthernet 1/0/1
Switch(config-if)# ip flow monitor ingressMonitor input
Switch(config-if)# end

Repeat the last step for every interface. Since we are using ingress-only Netflow, the monitor must be applied on each interface for best visibility.

Switch(config)# interface tenGigabitEthernet 1/0/1
Switch(config-if)# ip flow monitor ingressMonitor input
Switch(config-if)# end

Verifying

Check the number of records sent to the collector (Trisul):

show flow exporter exportTrisul statistics
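
An offline check for the "every interface" step above, as an added example that is not from the original page or the Cisco docs: it parses a saved running-config and lists interfaces that have no ingress monitor, or whose monitor does not resolve to a defined record and an exporter with a destination. The config excerpt is constructed, and the function names and the assumption that the saved text follows the usual `show running-config` layout belong to this example only.

```python
# Constructed running-config excerpt (not from a real device); names follow the page.
SAMPLE_CONFIG = """\
flow exporter exportTrisul
 destination 10.10.100.100
 transport udp 2055
flow record basicRecord
 match ipv4 source address
flow monitor ingressMonitor
 exporter exportTrisul
 record basicRecord
interface TenGigabitEthernet1/0/1
 ip flow monitor ingressMonitor input
interface TenGigabitEthernet1/0/2
interface TenGigabitEthernet1/0/3
 ip flow monitor oldMonitor input
"""

def sections(config):
    """Group indented lines under their top-level command ('!' separators skipped)."""
    out, cur = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and cur:
            out[cur].append(line.split())
        elif line.strip() not in ("", "!"):
            cur = tuple(line.split())
            out[cur] = []
    return out

def audit(config):
    """Return {interface: problem} where ingress export is missing or cannot work."""
    sec = sections(config)
    def names(kind):
        return {k[2] for k in sec if k[:2] == ("flow", kind)}
    # An exporter only counts if it names a destination (the collector).
    exporters = {n for n in names("exporter")
                 if any(l[0] == "destination" for l in sec[("flow", "exporter", n)])}
    monitors = set()  # monitors whose exporter and record both resolve
    for n in names("monitor"):
        refs = {l[0]: l[1] for l in sec[("flow", "monitor", n)] if len(l) == 2}
        if refs.get("exporter") in exporters and refs.get("record") in names("record"):
            monitors.add(n)
    findings = {}
    for k in [k for k in sec if k[0] == "interface"]:
        applied = [l[3] for l in sec[k]
                   if l[:3] == ["ip", "flow", "monitor"] and l[-1] == "input"]
        if not applied:
            findings[k[1]] = "no ingress flow monitor"
        elif applied[0] not in monitors:
            findings[k[1]] = "monitor %s undefined or incomplete" % applied[0]
    return findings
```

Call `audit()` on the text of a saved running-config; an empty result means every interface has an ingress monitor that resolves to a record and an exporter with a destination.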