Differences

This shows you the differences between two versions of the page.

--- netflow:ciscofnf [2023/07/17 15:59] – veera
+++ netflow:ciscofnf [2023/07/17 16:16] (current) – [Verifying] veera
@@ Line 1: / Line 1: @@
 ====== Cisco Flexible Netflow configuration ======
-Flexible Netflow is a Cisco IOS technology that allows you more freedom to collect exactly the type of information you want in the Netflow records. ((Cisco docs https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/flexible_netflow/configuration_guide/b_fnf_3se_3850_cg/b_fnf_3se_3850_cg_chapter_010.html))
+Flexible Netflow (FNF) is a Cisco IOS technology that allows you more freedom to collect exactly the type of information you want in the Netflow records. ((Cisco docs https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/flexible_netflow/configuration_guide/b_fnf_3se_3850_cg/b_fnf_3se_3850_cg_chapter_010.html))
+Some of the popular models that support FNF are the Catalyst range of switches such as the Catalyst 3850 series, Catalyst 4500 series, etc. This article tells you how to configure Flexible Netflow.
+===== Ingress only mode =====
+The recommended mode is to enable ingress only on all the interfaces.
+<note>The collector IP
+Let us assume Trisul Network Analytics (R)  - the "Collector" is on IP ''10.10.100.100'' Port ''2055''
+</note>
+You have to configure 3 items.
+  - **Export** -- where to send the Netflow,the Collector
+  - **Record** -- what data items to match and collect and put into the netflow record. I
+  - **Monitor** -- combination of Export and Record that will be applied on interface
+Then apply a Monitor on each interface. Note that if you want to use both Ingress and Egress netflow you need to create two separate records and two separate monitors. In this example we only need Ingress.
+The following example taken from the Cisco Docs
+<code cisco>
+Switch(config)# flow export exportTrisul
+Switch(config-flow-exporter)# destination 10.10.100.100
+Switch(config-flow-exporter)# transport udp 2055
+Switch(config-flow-exporter)# exit
+Switch(config)# flow record basicRecord
+Switch(config-flow-record)# match ipv4 source address
+Switch(config-flow-record)# match ipv4 destination address
+Switch(config-flow-record)# match ipv4 protocol
+Switch(config-flow-record)# match transport source-port
+Switch(config-flow-record)# match transport destination-port
+Switch(config-flow-record)# collect counter byte long
+Switch(config-flow-record)# collect counter packet long
+Switch(config-flow-record)# collect timestamp absolute first
+Switch(config-flow-record)# collect timestamp absolute last
+Switch(config-flow-record)# exit
+Switch(config)# flow monitor ingressMonitor
+Switch(config-flow-monitor)# record basicRecord
+Switch(config-flow-monitor)# exporter exportTrisul
+Switch(config-flow-monitor)# exit
+Switch(config)# interface tenGigabitEthernet 1/0/1
+Switch(config-if)# ip flow monitor ingressMonitor input
+Switch(config-if)# end
+</code>
+Repeat the last step for every interface. Since we are using INGRESS netflow only we need to apply on each interface for best visibility.
+<code cisco>
+Switch(config)# interface tenGigabitEthernet 1/0/1
+Switch(config-if)# ip flow monitor ingressMonitor input
+Switch(config-if)# end
+</code>
+===== Verifying =====
+Check the number of records sent to the collector (Trisul)
+<code>
+show flow exporter exportTrisul statistics
+</code>