NetFlow on Cisco Switches: NetFlow v9 configuration for Cisco Catalyst 3850

The Cisco Catalyst 3850 is a fixed, stackable GE (Gigabit Ethernet) access layer switch that converges wired and wireless within a single platform. This switch is based on Cisco’s programmable ASIC named Unified Access Data Plane (UADP) which supports the convergence as well as allows for deployment of SDN and Cisco ONE (Cisco’s version of SDN).


The Catalyst 3850 switch can stack and route, supports PoE, has a higher throughput, larger TCAMs, be your Wireless LAN Controller supporting up to 50 AP and 2000 clients and importantly supports Flexible NetFlow export. And why is NetFlow important? NetFlow has over the years become the de-facto standard for bandwidth monitoring and traffic analytics due its ability to report on the ‘Who, What, When and Where’ of your network traffic.


Flexible NetFlow configuration for Cisco Catalyst 3850 Switch:

The Cisco 3850 needs either an IP Base or IP Services Base license to support Flexible NetFlow (FNF) export.


Flexible NetFlow configuration involves creating a Flow Monitor, Flow Exporter and a Flow Record. Flow Monitor is the NetFlow cache whose components include the Flow Exporter and Flow Record. The Flow Exporter carries information for the export – such as the destination IP Address for the flows, the UDP port for export, interface through which NetFlow packets are exported, cache timeout for active and inactive flows, etc. The Flow Record carries the actual information about the network traffic which is then used by your NetFlow analyzer tool to generate bandwidth and traffic reports. Some of the fields in a Flow Record are source and destination IP Address, source and destination port, transport protocol, source and destination L3 interface, ToS, DSCP, bytes, packets, etc.


So, here is a sample configuration for enabling Flexible NetFlow on a Cisco Catalyst 3850 and exporting it to your flow analyzer such as SolarWinds NTA.


Flow Record:

We start with creating the flow record. From the 'global configuration' mode, the followings commands are to be applied.

flow record NetFlow-to-Orion           \\ You can use a custom name for your flow-record

match ipv4 source address                               

match ipv4 destination address

match ipv4 protocol

match transport source-port

match transport destination-port

match ipv4 tos

match interface input

collect interface output

collect counter bytes long        \\ Though "long" is an optional command, readers have stated that NetFlow reporting works only when "long" is used

collect counter packets long


Flow Exporter:

And next for the flow exporter, again from the 'global config' mode.

flow exporter NetFlow-to-Orion       \\ You can use a custom name for your flow-exporter

destination 10.10.10.10                     \\ Use the IP Address of your flow analyzer server

source GigabitEthernet1/0/1            \\ Opt for an interface that has a route to the flow analyzer server

transport udp 2055                             \\ The UDP port to reach the server. SolarWinds NTA listens on 2055

Flow Monitor:

Now to associate the flow record and exporter to the flow monitor.

flow monitor NetFlow-to-Orion          \\ Again, you can use a custom name

record NetFlow-to-Orion                  \\ Use the same name as your flow record

exporter NetFlow-to-Orion               \\ Use the same name as your flow monitor

cache timeout active 60                  \\ Interval at which active conversations are exported - in seconds

cache timeout inactive 15                \\ Interval at which inactive conversations are exported - in seconds

Enabling on an Interface:

And finally associate the flow monitor to all the interfaces you would monitor with your flow analyzer. Go to the ‘interface config’ mode for each interface and apply the command:

ip flow monitor NetFlow-to-Orion input          \\ Or use the name of your custom flow monitor

The above command attaches the flow monitor to the interface you selected after which the ingress traffic that passes across the interface is captured and send to your flow analyzer for reporting.


For a trouble free setup, ensure that your firewalls or ACLs are not blocking the NetFlow packets exported on UDP 2055, and that you have a route from the interface you had selected under flow exporter to the flow analyzer server. And then you are all set. Happy Monitoring!

30 Day Full Feature Trial | Live Product Demo | Product Overview Video | Geeks on Twitter


Anonymous

Top Comments

  • Hi all,

    I am Cisco 3850's with IOS 16.9.4, like all - and for several days I have researched, tried, failed, rebooted and clutched at straws with the configuration to make it work. I have L3 interfaces on some of my devices, and layer 2 (within a LACP) configuration on others. I have tried applying netflow configurations repeatedly to all these devices to get it to work...

    I am sure of the collector address, port. I think the issue is in the IOS level so anyone who's upgrade to 16.9.4 and has a working syntax please paste.

    NB: I have done intermittent reboots with the devices between attempts in case things are skew....

  • I have cases opened with Cisco and Solarwinds.  If I hear anything positive, I will let you know.   This is the error message I am getting when I apply the flow monitor to an interface:

    % Flow Monitor: Failed to add monitor to interface: Invalid set of fields in monitor record for wired interface

    From what I have seen, I can get the "ip flow monitor" command applied to an interface with "match application name" as part of my flow record if I don't include "match interface output" and "collect interface input" in my flow record.  When I do that, I receive an error in NTA that NTA is receiving an invalid template.

  • I was wondering if anyone has been able to get this work on a 3850 that also gives NBAR data?   I would be curious to know what the flow record looks like.  I am running 16.6.6 IOS XE.

    Thanks!

  • this is NOT possible on 3850's. [% Flow Monitor: Flow Monitor 'Netflow-Monitor-In' flexible netflow not supported on vlan interfaces]

    I would really like to be able to track VLAN traffic but so far it doesnt appear to be possible.