The big advantage of monitoring your core switch is that you will see local traffic, i.e. users connecting to your servers and other devices on the LAN, which may never go out over a router.
It is not common for switches to have NetFlow features. In the past people bought NetFlow feature cards which were expensive. Some of the more modern layer 3 switches will have it.
Your Cisco switches will have a feature called SPAN (port or VLAN mirroring). I normally go for VLAN monitoring as it's the easiest to set up. You then need to connect something like nProbe or a DPI system to the SPAN port. The nProbe system will convert the SPAN traffic to NetFlow, and I think if you search for nProbe in Thwack you will find an article on how to set it up. If you choose to look at a DPI tool you can get additional info from the traffic, like file names and website usage.
If you let me know your specific switch model I can let you know if it supports NetFlow, and I will also have the SPAN setup guide if you need it.
Wow, thanks. I don't have the model yet, but I believe the IOS is 12.4. Is it okay if I check your SPAN setup guide, for future reference?
Thanks in advance.
What model of switch are you running?
If you are unsure, log onto the switch and issue a 'show version'; the details will be in there.
For most Cisco switches, excluding really old stuff and the new Nexus range, you set up SPAN by following these steps.
1. Connect your monitoring tool to a port on the switch. The monitoring tool will need to have two network interfaces: one for management and one for the SPAN port. Note the port number that you connect to. For this example I am going to use GigabitEthernet0/1.
2. Log onto the switch CLI and go into enable mode.
3. Decide on what you want to monitor. One of the easiest things to do is to run the command 'sh vlan' and pick out the VLAN numbers where you have servers. If you don't use VLANs (flat network) then you can go with VLAN 1, which is the native VLAN.
4. Run the command 'sh monitor' to check for any monitoring that may already be set up. Some proxy servers use SPAN sessions, so it is always worth checking this. Most Cisco switches allow for two SPAN sessions.
5. If no SPAN sessions are in place, enter global configuration mode and run these commands:
monitor session 1 source vlan 1 both
monitor session 1 destination interface GigabitEthernet0/1
6. The SPAN session is now set up. If you ever need to switch it off you can do so by running 'no monitor session 1'.
More detailed info at this link
Or if you Google the model of your switch and the text span filetype:pdf you should get straight to the manuals. For example, 'cisco 6509 span filetype:pdf'.
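Added example, not part of the original posts: a Python pre-change check for steps 4 and 5 that reads saved 'sh monitor' output, refuses a destination port that is already mirroring, and emits the two config lines on the first free session number. The sample output is constructed and its layout is an assumption, as are the names parse_sessions, norm and plan_span.

```python
import re

MAX_SESSIONS = 2  # "Most Cisco switches allow for two SPAN sessions" (from the post)

# Constructed sample of 'sh monitor' output; layout assumed, not captured from a device.
SAMPLE_SH_MONITOR = """\
Session 1
---------
Type                   : Local Session
Source VLANs           :
    Both               : 10,20
Destination Ports      : Gi0/24
    Encapsulation      : Native
"""

def parse_sessions(text):
    """Map each SPAN session number to its 'key : value' fields."""
    sessions, current = {}, None
    for line in text.splitlines():
        header = re.match(r"Session\s+(\d+)\s*$", line)
        if header:
            current = sessions.setdefault(int(header.group(1)), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return sessions

def norm(ifname):
    """Reduce 'GigabitEthernet0/1' and 'Gi0/1' to the same short form."""
    m = re.match(r"([A-Za-z]+)\s*([\d/]+)$", ifname.strip())
    return m.group(1)[:2].lower() + m.group(2) if m else ifname.strip().lower()

def plan_span(sh_monitor, vlan, dest_if):
    """Return the two config lines from step 5 using the first free session."""
    sessions = parse_sessions(sh_monitor)
    for sid, fields in sessions.items():
        ports = fields.get("Destination Ports", "").split(",")
        if norm(dest_if) in {norm(p) for p in ports if p.strip()}:
            raise ValueError(f"{dest_if} is already the destination of session {sid}")
    free = [n for n in range(1, MAX_SESSIONS + 1) if n not in sessions]
    if not free:
        raise RuntimeError("all SPAN sessions are in use")
    return [f"monitor session {free[0]} source vlan {vlan} both",
            f"monitor session {free[0]} destination interface {dest_if}"]

if __name__ == "__main__":
    print("\n".join(plan_span(SAMPLE_SH_MONITOR, 1, "GigabitEthernet0/1")))
```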