The Cisco Catalyst 3850 is a fixed, stackable GE (Gigabit Ethernet) access layer switch that converges wired and wireless within a single platform. This switch is based on Cisco’s programmable ASIC named Unified Access Data Plane (UADP), which supports this convergence and allows for deployment of SDN and Cisco ONE (Cisco’s version of SDN).
The Catalyst 3850 switch can stack and route, supports PoE, has higher throughput and larger TCAMs, can act as your Wireless LAN Controller supporting up to 50 APs and 2000 clients and, importantly, supports Flexible NetFlow export. And why is NetFlow important? NetFlow has over the years become the de facto standard for bandwidth monitoring and traffic analytics due to its ability to report on the ‘Who, What, When and Where’ of your network traffic.
Flexible NetFlow configuration for Cisco Catalyst 3850 Switch:
The Cisco 3850 needs either an IP Base or IP Services Base license to support Flexible NetFlow (FNF) export.
Flexible NetFlow configuration involves creating a Flow Monitor, Flow Exporter and a Flow Record. Flow Monitor is the NetFlow cache whose components include the Flow Exporter and Flow Record. The Flow Exporter carries information for the export – such as the destination IP Address for the flows, the UDP port for export, interface through which NetFlow packets are exported, cache timeout for active and inactive flows, etc. The Flow Record carries the actual information about the network traffic which is then used by your NetFlow analyzer tool to generate bandwidth and traffic reports. Some of the fields in a Flow Record are source and destination IP Address, source and destination port, transport protocol, source and destination L3 interface, ToS, DSCP, bytes, packets, etc.
So, here is a sample configuration for enabling Flexible NetFlow on a Cisco Catalyst 3850 and exporting it to your flow analyzer such as SolarWinds NTA.
We start by creating the flow record. From the 'global configuration' mode, apply the following commands.
! You can use a custom name for your flow record
flow record NetFlow-to-Orion
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match ipv4 tos
 match interface input
 collect interface output
 ! Though "long" is an optional keyword, readers have stated that NetFlow reporting works only when "long" is used
 collect counter bytes long
 collect counter packets long
And next for the flow exporter, again from the 'global config' mode.
! You can use a custom name for your flow exporter
flow exporter NetFlow-to-Orion
 ! Use the IP address of your flow analyzer server
 destination 10.10.10.10
 ! Opt for an interface that has a route to the flow analyzer server
 source GigabitEthernet1/0/1
 ! The UDP port to reach the server. SolarWinds NTA listens on 2055
 transport udp 2055
Now to associate the flow record and exporter to the flow monitor.
! Again, you can use a custom name
flow monitor NetFlow-to-Orion
 ! Use the same name as your flow record
 record NetFlow-to-Orion
 ! Use the same name as your flow exporter
 exporter NetFlow-to-Orion
 ! Interval at which active conversations are exported - in seconds
 cache timeout active 60
 ! Interval at which inactive conversations are exported - in seconds
 cache timeout inactive 15
Enabling on an Interface:
And finally associate the flow monitor to all the interfaces you would monitor with your flow analyzer. Go to the ‘interface config’ mode for each interface and apply the command:
! Or use the name of your custom flow monitor
ip flow monitor NetFlow-to-Orion input
The above command attaches the flow monitor to the interface you selected, after which the ingress traffic that passes across the interface is captured and sent to your flow analyzer for reporting.
For a trouble-free setup, ensure that your firewalls or ACLs are not blocking the NetFlow packets exported on UDP 2055, and that you have a route from the interface you selected under the flow exporter to the flow analyzer server. And then you are all set. Happy Monitoring!
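A way to check the linkage described above before relying on the reports, as an added example that is not part of the original post: the script reads configuration text and reports any flow monitor that references an undefined record or exporter, and any interface with no valid flow monitor attached. The function names and the sample configuration are constructed for illustration, and the check assumes every interface stanza in the text is one you want monitored.

```python
# Constructed sample (not from a real device): the monitor references a
# mistyped exporter name, and Gi1/0/3 has no flow monitor attached.
SAMPLE = """\
flow record NetFlow-to-Orion
 match ipv4 source address
flow exporter NetFlow-to-Orion
 destination 10.10.10.10
 transport udp 2055
flow monitor NetFlow-to-Orion
 record NetFlow-to-Orion
 exporter NetFlow-to-Orin
interface GigabitEthernet1/0/2
 ip flow monitor NetFlow-to-Orion input
interface GigabitEthernet1/0/3
 description uplink
"""

def parse_sections(config):
    """Group indented sub-commands under their top-level command line."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and IOS "!" comment/separator lines
        if not line[0].isspace():
            sections.append((line.strip(), []))
        elif sections:
            sections[-1][1].append(line.strip())
    return sections

def audit(config):
    """Report undefined record/exporter/monitor references and unmonitored interfaces."""
    secs = parse_sections(config)
    defined = {k: {h.split()[2] for h, _ in secs if h.startswith(f"flow {k} ")}
               for k in ("record", "exporter", "monitor")}
    findings = []
    for head, body in secs:
        if head.startswith("flow monitor "):
            for kind in ("record", "exporter"):
                refs = [b.split()[1] for b in body if b.startswith(kind + " ")]
                for r in refs or ["<none>"]:
                    if r not in defined[kind]:
                        findings.append(f"{head}: {kind} {r} is not defined")
        elif head.startswith("interface "):
            mons = [b.split()[3] for b in body if b.startswith("ip flow monitor ")]
            if not mons or any(m not in defined["monitor"] for m in mons):
                findings.append(f"{head}: no valid flow monitor attached")
    return findings
```

Call audit() on text saved from show running-config; an empty list means every monitor resolves to a defined record and exporter and every interface stanza has a monitor attached.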