NetFlow on Cisco Switches: NetFlow v9 configuration for Cisco Catalyst 3850

Level 12

The Cisco Catalyst 3850 is a fixed-configuration, stackable Gigabit Ethernet (GE) access-layer switch that converges wired and wireless access on a single platform. It is built on Cisco's programmable ASIC, the Unified Access Data Plane (UADP), which provides that convergence and also supports SDN deployments, including Cisco ONE (Cisco's version of SDN).


The Catalyst 3850 stacks and routes, supports PoE, offers higher throughput and larger TCAMs, can act as your Wireless LAN Controller for up to 50 APs and 2000 clients and, importantly, supports Flexible NetFlow export. Why does NetFlow matter? Over the years NetFlow has become the de facto standard for bandwidth monitoring and traffic analytics because it reports the 'who, what, when and where' of your network traffic; the same records are also a staple data source for incident responders, since they show which hosts talked to which, when, and how much data moved.


Flexible NetFlow configuration for Cisco Catalyst 3850 Switch:

The Cisco 3850 needs an IP Base or IP Services license to support Flexible NetFlow (FNF) export; the LAN Base license does not include it.


Flexible NetFlow configuration involves three objects: a Flow Record, a Flow Exporter and a Flow Monitor. The Flow Record defines what is captured for each flow: the key (match) fields that identify a flow, such as source and destination IP address, source and destination port, transport protocol and input interface, and the non-key (collect) fields gathered for it, such as output interface, ToS/DSCP and the byte and packet counters. The Flow Exporter describes where and how records are sent: the destination IP address of the collector, the UDP port, the source interface whose address the export packets carry, and the export protocol (NetFlow v9 is the Flexible NetFlow default). The Flow Monitor is the NetFlow cache itself: it ties a record to one or more exporters and sets the cache timeouts for active and inactive flows. Your NetFlow analyzer tool then uses the exported records to generate bandwidth and traffic reports.


So, here is a sample configuration for enabling Flexible NetFlow on a Cisco Catalyst 3850 and exporting it to your flow analyzer such as SolarWinds NTA.


Flow Record:

We start by creating the flow record. From global configuration mode, apply the following commands:

flow record NetFlow-to-Orion                \\ You can use a custom name for your flow record
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match ipv4 tos
 match interface input
 collect interface output
 collect counter bytes long                 \\ Use the 64-bit "long" counters on the 3850; readers report that NetFlow reporting works only when "long" is used
 collect counter packets long


Flow Exporter:

Next, the flow exporter, again from global configuration mode:

flow exporter NetFlow-to-Orion              \\ You can use a custom name for your flow exporter
 destination 10.10.10.10                    \\ The IP address of your flow analyzer server
 source GigabitEthernet1/0/1                \\ An interface with an IP address (routed port, SVI or loopback) from which the server is reachable; its address becomes the source of the export packets
 transport udp 2055                         \\ The UDP port the server listens on. SolarWinds NTA listens on 2055

Flexible NetFlow exports NetFlow v9 by default, so no export-protocol command is needed here. Keep in mind that a v9 collector can only decode data records after it has received the template that describes them; the exporter resends templates periodically (template data timeout, 600 seconds by default), so a collector that starts after the switch may show nothing, or complain about templates, until the next refresh arrives. Lowering that timeout on the exporter shortens the wait.

Flow Monitor:

Now associate the flow record and the flow exporter with a flow monitor:

flow monitor NetFlow-to-Orion               \\ Again, you can use a custom name
 record NetFlow-to-Orion                    \\ The name of your flow record
 exporter NetFlow-to-Orion                  \\ The name of your flow exporter
 cache timeout active 60                    \\ Long-running flows are exported every 60 seconds while they are still active
 cache timeout inactive 15                  \\ A flow that has seen no packets for 15 seconds is expired from the cache and exported

Enabling on an Interface:

Finally, attach the flow monitor to every interface you want your flow analyzer to report on. Enter interface configuration mode for each one and apply:

ip flow monitor NetFlow-to-Orion input      \\ Or the name of your custom flow monitor

This attaches the flow monitor to the selected interface; from then on, ingress traffic crossing that interface is recorded in the cache and exported to your flow analyzer. Only ingress traffic is captured by this command, so attach the monitor to every interface whose inbound traffic you want to see. Readers report (see the comments below) that the 3850 rejects flow monitors on VLAN interfaces, so attach them to physical ports or port-channels.


For a trouble-free setup, make sure no firewall or ACL between the switch and the collector blocks the export packets on UDP 2055, and that the collector is reachable from the source interface you chose under the flow exporter. On the switch, the exporter statistics (show flow exporter statistics) tell you whether packets are leaving, and the monitor cache (show flow monitor NetFlow-to-Orion cache) shows whether flows are being recorded at all. One security caveat: NetFlow export is plain UDP with no authentication, so anyone who can send packets to the collector's port can inject bogus flow records; restrict the collector's listener to the addresses of your known exporters and keep the export path on a management network where possible. Then you are all set. Happy Monitoring!
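To make concrete what the exporter above actually puts on the wire, here is an added example (not part of the original post, and not Cisco or SolarWinds code) that builds a NetFlow v9 export packet carrying the ten fields of the flow record defined above and decodes it the way a collector does. The v9 field type numbers come from RFC 3954; the template ID (256), the 4-byte SNMP ifIndex width and the sample flows are assumptions made for this example. The decoder also shows the template dependency: a data FlowSet that arrives before its template is skipped, which is what a collector does until the exporter's next template refresh.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v9 field type numbers (RFC 3954, section 8) for the fields in the page's flow record
FIELD_TYPES = {
    "IN_BYTES": 1, "IN_PKTS": 2, "PROTOCOL": 4, "SRC_TOS": 5,
    "L4_SRC_PORT": 7, "IPV4_SRC_ADDR": 8, "INPUT_SNMP": 10,
    "L4_DST_PORT": 11, "IPV4_DST_ADDR": 12, "OUTPUT_SNMP": 14,
}
TYPE_NAMES = {v: k for k, v in FIELD_TYPES.items()}
ADDRESS_FIELDS = {"IPV4_SRC_ADDR", "IPV4_DST_ADDR"}

# Template layout (field name, length in bytes) in the order the page's record lists them:
# match fields first, then collect fields. Counters are 8 bytes because of "long";
# a 4-byte SNMP ifIndex and template ID 256 are assumptions made for this example.
TEMPLATE_ID = 256
TEMPLATE_FIELDS = [
    ("IPV4_SRC_ADDR", 4), ("IPV4_DST_ADDR", 4), ("PROTOCOL", 1),
    ("L4_SRC_PORT", 2), ("L4_DST_PORT", 2), ("SRC_TOS", 1),
    ("INPUT_SNMP", 4), ("OUTPUT_SNMP", 4), ("IN_BYTES", 8), ("IN_PKTS", 8),
]

# Constructed sample flows, as the switch's cache might hold them (not real traffic).
SAMPLE_FLOWS = [
    {"IPV4_SRC_ADDR": "192.0.2.10", "IPV4_DST_ADDR": "198.51.100.20", "PROTOCOL": 6,
     "L4_SRC_PORT": 51514, "L4_DST_PORT": 443, "SRC_TOS": 0,
     "INPUT_SNMP": 1, "OUTPUT_SNMP": 2, "IN_BYTES": 5_000_000_000, "IN_PKTS": 3_400_000},
    {"IPV4_SRC_ADDR": "192.0.2.11", "IPV4_DST_ADDR": "203.0.113.53", "PROTOCOL": 17,
     "L4_SRC_PORT": 40123, "L4_DST_PORT": 53, "SRC_TOS": 0,
     "INPUT_SNMP": 1, "OUTPUT_SNMP": 3, "IN_BYTES": 78, "IN_PKTS": 1},
]


def _encode(name, length, value):
    if name in ADDRESS_FIELDS:
        return IPv4Address(value).packed
    return int(value).to_bytes(length, "big")


def _decode(name, raw):
    if name in ADDRESS_FIELDS:
        return str(IPv4Address(raw))
    return int.from_bytes(raw, "big")


def build_v9_packet(flows, include_template=True, sequence=1, source_id=0,
                    uptime_ms=0, unix_secs=0):
    """Build one NetFlow v9 export packet: header, optional template FlowSet, one data FlowSet."""
    sets = b""
    if include_template:
        body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
        for name, length in TEMPLATE_FIELDS:
            body += struct.pack("!HH", FIELD_TYPES[name], length)
        sets += struct.pack("!HH", 0, 4 + len(body)) + body        # FlowSet ID 0 = template
    body = b"".join(_encode(n, l, f[n]) for f in flows for n, l in TEMPLATE_FIELDS)
    body += b"\x00" * ((-len(body)) % 4)                           # pad FlowSet to 4-byte boundary
    sets += struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body  # FlowSet ID >= 256 = data
    count = len(flows) + (1 if include_template else 0)            # header count = records in packet
    header = struct.pack("!HHIIII", 9, count, uptime_ms, unix_secs, sequence, source_id)
    return header + sets


def parse_v9(packet, templates=None):
    """Decode a v9 packet the way a collector does. Returns (flows, templates).

    Data FlowSets whose template has not been seen yet are skipped, which is exactly
    what a collector does until the exporter's next template refresh arrives."""
    templates = dict(templates or {})
    version, _count, _uptime, _secs, _seq, _src = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    flows, offset = [], 20
    while offset + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, offset)
        if set_len < 4 or offset + set_len > len(packet):
            raise ValueError("truncated FlowSet")
        body = packet[offset + 4:offset + set_len]
        if set_id == 0:                                            # template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                if tid == 0:                                       # padding, not a template
                    break
                fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
                templates[tid] = fields
        elif set_id >= 256 and set_id in templates:                # data FlowSet we can decode
            fields = templates[set_id]
            rec_len = sum(length for _, length in fields)
            pos = 0
            while rec_len and pos + rec_len <= len(body):
                rec = {}
                for ftype, length in fields:
                    name = TYPE_NAMES.get(ftype, f"type{ftype}")
                    rec[name] = _decode(name, body[pos:pos + length])
                    pos += length
                flows.append(rec)
        # set_id 1 (options template), options data, or an unknown template: skipped
        offset += set_len
    return flows, templates


if __name__ == "__main__":
    decoded, _ = parse_v9(build_v9_packet(SAMPLE_FLOWS))
    for f in decoded:
        print(f"{f['IPV4_SRC_ADDR']}:{f['L4_SRC_PORT']} -> {f['IPV4_DST_ADDR']}:{f['L4_DST_PORT']} "
              f"proto {f['PROTOCOL']} in {f['INPUT_SNMP']} out {f['OUTPUT_SNMP']} "
              f"{f['IN_BYTES']} bytes / {f['IN_PKTS']} pkts")
```

The template FlowSet is what a collector such as NTA means when it reports an "invalid" or missing template: if the field list the switch advertises does not match what the collector can handle, or the template has not arrived yet, the data FlowSets that follow cannot be decoded even though the packets are reaching UDP 2055.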



60 Comments
Level 9

Hi,

Anyone who knows how to get BGP in to netflow?

Everything is working but no AS number in NTA from BGP.

//Jan

Level 12

Are you referring to the Cisco 3850 switch? I am not sure it can support BGP/AS info. If you are talking about Flexible NetFlow from a router, make sure you have enabled collection of AS info using the appropriate collect command when creating the flow record. I would suggest posting it as a question in the NTA forum for more visibility.

Level 9

Thank you, this can explain why I am not seeing the command on the switch.

Level 9

Hi,

I have two NetFlow collectors and I want to send NetFlow to both from the same source. Is that possible? I tried to add another "ip flow monitor NETFLOW-monitor2 input" and I am getting: 'NETFLOW-monitor2' cannot be applied as Flow Monitor 'NETFLOW-monitor1' is already applied on interface Vlan1. But with version 5, I can easily add another destination to my config and don't have to worry about my source.

Level 15

Very good article.

Level 20

Netflow is great stuff!

Level 9

This is NOT possible on 3850's. [% Flow Monitor: Flow Monitor 'Netflow-Monitor-In' flexible netflow not supported on vlan interfaces]

I would really like to be able to track VLAN traffic but so far it doesn't appear to be possible.

Level 12

I was wondering if anyone has been able to get this to work on a 3850 that also gives NBAR data? I would be curious to know what the flow record looks like. I am running IOS XE 16.6.6.

Thanks!

Level 12

I have cases opened with Cisco and Solarwinds.  If I hear anything positive, I will let you know.   This is the error message I am getting when I apply the flow monitor to an interface:

% Flow Monitor: Failed to add monitor to interface: Invalid set of fields in monitor record for wired interface

From what I have seen, I can get the "ip flow monitor" command applied to an interface with "match application name" as part of my flow record if I don't include "match interface output" and "collect interface input" in my flow record.  When I do that, I receive an error in NTA that NTA is receiving an invalid template.

Level 7

Hi all,

I am on Cisco 3850's with IOS 16.9.4, like all, and for several days I have researched, tried, failed, rebooted and clutched at straws with the configuration to make it work. I have L3 interfaces on some of my devices, and layer 2 (within a LACP) configuration on others. I have tried applying NetFlow configurations repeatedly to all these devices to get it to work...

I am sure of the collector address and port. I think the issue is in the IOS level, so anyone who has upgraded to 16.9.4 and has a working syntax, please paste it.

NB: I have done intermittent reboots with the devices between attempts in case things are skew....