I'm going to go over Netflow configuration and some useful commands to troubleshoot issues with NetFlow.
Nexus 1000v Netflow Configuration for 5.x:
The Nexus 1000v has a few predefined flow records in 5.x:
- Netflow IPv4 Original-Input - Traditional IPv4 input NetFlow
- Netflow IPv4 Original-Output - Tranditional IPv4 Output NetFlow
- Netflow Protocol-Port - Protocol and Ports aggregation scheme
- NetFlow Layer2-Switched Input - Layer 2 Switched input NetFlow
- NetFlow-Original - Traditional IPv4 input NetFlow with original AS
To view the different fields that will be collected issue the following command:
show flow record {netflow | netflow-original} predefined-record-name
create a Flow Record in Nexus 1000v (SKIP IF USING A PREDEFINED RECORD):
- Enable the feature:
feature netflow
- Create the flow record by name:
flow record name
- (Optional) Give it an description:
description description
- Define a flow record to match one of the following:
match {ip {protocol | tos} | ipv4 {destination address | source address} | transport {destination-port | source-port} | datalink {{mac {source-address | destination-address}} | ethertype | vlan | vxlan}}
Quick Notes: Netflow doesn't support mixing datalink fields with other field types in the same record.- IP - Matches one of the following IP options:
- Protocol
- tos (Type of service)
- IPv4 - Matches one of the following options:
- Source address
- Destination address
- Transport - Matches one of the following transport options:
- Destination port
- Source port
- Datalink - Data collected in the flow records matches one of the following datalink options:
- mac source-address
- mac destination address
- ethertype
- VLAN
- VXLAN
- IP - Matches one of the following IP options:
- Specify a collection option to define the information to collect in the Flow Record:
collect {counter {bytes [long] | packets [long]} | timestamp sys-uptime {first | last} | transport tcp flags}
Quick Notes:- Counter - Collects flow record information in one of the following formats:
- Bytes - Collected in 32-bit counters unless the long 64-bit counter is specified
- Packet - collected in 32-bit counters unless the long 64-bit counter is specified
Note: Cisco recommends that 64-bit counters be used in systems with data rates in excess of 1 Gbps
- Timestamp sys-uptime - Collects the system uptime for the first and last packet in the flow
- Transport tcp flags - Collects the TCP transport layer flags for the packets in the flow
- Counter - Collects flow record information in one of the following formats:
- Verify:
show flow record name
create a flow exporter:
- Create the flow exporter:
flow exporter name
- (Optional) Give it an description:
description description
- Specify the IP address of the destination:
destination {ipv4-addr | ipv6-addr}
- Specify the IP address to from which the flow records are sent to the NetFlow collect:
source lc-exp ipv4-addr/mask
- Specify the destination UDP port number to reach the NetFlow collector:
transport udp port-num
- Specify NetFlow version 9:
version 9
- Specify one of the following version 9 exporter resend timers and it's value for exporter-stats and interface table:
option {exporter-stats | interface-table} timeout secs
- Set the template data resend timer and it's value in seconds:
template data timeout secs
- Verify:
show flow exporter name
create a Flow Monitor:
- Create a flow monitor by name:
flow monitor name
- (Optional) Create a description for the flow monitor:
description description
- Add an existing exporter:
exporter name
- Add an existing flow record or use a predefined record:
record {name | netflow {ipv4}] | netflow-original | original-input | original-output | protocol-port}
- Verify:
show flow monitor name
Add Flow Monitor to port profile:
- Enter the port profile configuration mode for the named port profile:
port-profile [type {ethernet | vethernet}] name
- Apply the flow monitor to the port profile for either incoming (input) or outgoing (output) traffic:
ip flow monitor name {input | output}
- Verify:
show port-profile [expand-interface] [name name]
Troubleshooting Netflow on Nexus 1000v:
- show flow interface - Displays information about the NetFlow interfaces
- show flow exporter - Displays information about the exporters and the statistics
- show flow timeout - Displays information about NetFlow timeouts
- show flow monitor name cache module num - Displays information about NetFlow flow monitors. Slightly different than statistics command because it includes the cached entries as well
- show flow monitor name statistics module num - Displays information about flow monitor statistics module
Reference Documentation: Nexus 1000v for VMWare System Management Configuration Guide
IOS XE Flexible Netflow Configuration for 3.6E:
I'll be going through the configuration for IOS-XE for 3.6.4 since that's a very stable version for ISE 2.0+ and allows NetFlow to collect Security Group Tags.
The following are prerequisites for Flexible NetFlow in IOS XE 3.6:
- Must configure a source interface. If you don't, the exporter will remain in a disabled state
- Must configure a valid record name for every flow monitor
- Must enable IPv6 routing to export the flow records to an IPv4 destination server
- Must configure IPFIX export protocol for the flow exporter to export NetFlow records in IPFIX format
- Switch must be configured for IPv4 routing for IPv4 traffic
- CEF or distributed CEF must be enabled
- For IPv6 traffic, switch must be configured for IPv6 routing
- For IPv6 traffic, CEF IPv6 or distributed CEF must be enabled
create a flow record in IOS-XE:
- Create a flow record and it will enter the flow record config mode:
flow record name
- (Optional) Give it an description:
description description
- Specify a match:
- match application name - Matches the application name
- match datalink - Datalink (layer2) fields
- dot1q - Dot1q field
- priority - The CoS field out of the dot1q header
- vlan - The VLAN the packet is on
- input - VLAN the packet is on at input
- output - VLAN the packet in on at output
- ethertype - Ethertype of the packet
- mac - MAC fields
- destination address input - Destination MAC address from packet at input
- destination address output - Destination MAC address from packet at output
- source address input - Source MAC address from packet at input
- source address output - Source MAC address from packet at output
- vlan - VLAN the packet is on
- input - VLAN the packet is on at input
- output - VLAN the packet in on at output
- dot1q - Dot1q field
- match flow - Flow identifying fields
- cts - Cisco Trusted Security fields
- destination group-tag - Destination group tag
- source group-tag - Source group tag
- direction - Direction the flow was monitored in
- cts - Cisco Trusted Security fields
- match interface - Interface fields
- input - Input interface
- output - Output interface
- match ipv4 - IPv4 fields
- destination address - Destination address
- protocol - IPv4 protocol
- source address - Source address
- tos - Type of service
- ttl - IPv4 TTL
- version - IP version from IPv4 header
- match ipv6 - IPv6 fields
- destination address - Destination address based field
- hop-limit - IPv6 hop limit
- protocol - Payload protocol
- source address - Source address based field
- traffic-class - IPv6 traffic class
- version - IP version from IPv6 header
- match transport - Transport layer fields
- destination-port - Transport destination port
- icmp - ICMP fields
- ipv4 - IPv4 ICMP fields
- code - ICMP code
- type - ICMP type
- ipv6 - IPv6 ICMP fields
- code - ICMP code
- type - ICMP type
- ipv4 - IPv4 ICMP fields
- igmp type - IGMP type
- source-port - Tranport source port
- match wireless ssid - The SSID name identifying the wireless network (3650/3850 switches)
- Specify the collection field:
- collect
- counter - Counter fields
- bytes - Total number of bytes
- layer2 - Total number of layer 2 bytes
- long - Total number of layer 2 bytes (64 bit counter)
- long - Total number of bytes (64 bit counter)
- layer2 - Total number of layer 2 bytes
- packets - Total number of packets
- long - Total number of packets (64 bit counter)
- bytes - Total number of bytes
- flow username - Username associated with the flow
- interface - Interface fields
- input - Input interface
- output - Output interface
- timestamp absolute - Timestamps based on the epoch of 00:00 UTC 1st Jan 1970
- first - Absolutely time the first packet was seen
- last - Absolutely time the last packet was seen
- transport tcp flags - Collect the transport TCP flags
- ack - TCP acknowledgement flag
- cwr - TCP congestion window reduced flag
- ece - TCP ECN echo flag
- fin - TCP finish flag
- psh - TCP push flag
- rst - TCP reset flag
- syn - TCP synchronize flag
- urg - TCP Urgent Flag
- collect wireless
- ap mac address - Wireless access point MAC address
- client mac address - Wireless client MAC address
- counter - Counter fields
- collect
- Verify:
show flow record [name name]
create a Flow Exporter in IOS-XE:
- Create the named flow exporter:
flow exporter name
- (Optional) Create a description:
description name
- Set the IPv4/IPv6 destination address:
destination {ipv4-addr | ipv6-addr}
- Specify the interface to use to reach the NetFlow collector:
source interface
- Specify the UDP port to use to reach the NetFlow collector:
transport udp port
Note: Default port is 4739
- Specify the version of NetFlow:
export-protocol {netflow-v9 | ipfix}
- Verify:
show flow exporter [name name]
create a flow monitor in IOS-XE:
- Create a named flow monitor and enter flow monitor config mode:
flow monitor name
- (Optional) Create a description for the flow monitor
description string
- Associate a flow exporter with this flow monitor:
exporter name
- Associate a flow record with the monitor:
record name
- Associate a flow cache with the specific flow monitor:
cache { timeout {active | inactive} seconds | type normal}
- Verify:
show flow monitor [name name]
Applying the flow to an interface in IOS-XE:
- Enter the interface config mode:
interface type mod/num
- Associate an IPv4 or IPv6 flow monitor for input or output packets:
ip flow monitor name {input | output}
- Verify:
show flow interface
Troubleshooting netflow on ios-xe:
- show flow monitor name cache - To display status, statistics, and data for the flow monitor
- show flow monitor name statistics - To display high-level statistics and data for the flow monitor
- show flow exporter templates - Used to display the exporter template information such as the fields in the template, the version of the exporter format, the name of the exporter, the associated flow monitor, and other information
- show flow exporter export-ids netflow-v9 - Used as a reference when learning the different export fields that can be exported and their IDs
- show flow exporter option application table - Displays the detailed application options that can be used
Useful debugs:
- debug flow record - Enables debugging for the flow records
- debug flow record error
- debug flow record detailed - Be careful with this one
- debug flow exporter
- debug flow monitor
Reference Documentation: Cisco Flexible Netflow Configuration Guide for IOS XE 3.6E
ASA NetFlow Configuration for 9.6
ASA supports NetFlow Version 9 services. The ASA supports stateful, IP flow tracking method that exports only those records that indicate significant events in a flow. The ASA also exports syslog messages that include the same information.
Configure NSEL Collectors:
You must have at least one configured collector before you can use NSEL and you must configure NSEL collectors before you configure filters via MPF.
- Add an NSEL connector to which NetFlow packets may be sent:
flow-export destination interface-name {ipv4-address | hostname} udp-port
On an ASA, you can configure up to five collectors to export NetFlow to. After the collector is configured, template records are automatically sent to all configured NSEL collector
configure flow-export actions through modular policy framework:
- Define the class map that identifies traffic for which NSEL events need to be exported:
class-map name
- Either configure an ACL to match specific traffic or simply match any traffic:
match access-list acl-name
or
match any
- Define policy-maps: You have two different options in this case -
- Apply the policy map to the global policy policy-map:
policy-map global_policy
class name
- Define the policy map to apply flow-export actions to the defined classes:
policy-map name
class name
- Apply the policy map to the global policy policy-map:
- Configure a flow-export action:
flow-export event-type {all | flow-create | flow-denied | flow-teardown | flow-update} destination flow-export-host
- Add the service policy globally:
service-policy name global
Configure the Netflow timers and Syslog:
- Specify the interval at which template records are sent to all configured output destinations:
flow-export template timeout-rate minutes
Default value is 30 minutes.
- Specify the time interval between flow-update events in minutes:
flow-export active refresh-interval min
Default value is 1 minute
- Delay the sending of a flow-create event by the specified number of seconds:
flow-export delay flow-create sec
This setting must be at least 5 seconds more than your active refresh-interval and time-out rate.
- Disable syslog messages that have become redundant because of NSEL:
logging flow-export-syslog disable
Troubleshooting Netflow on the asa:
- show flow-export counters - Shows runtime counters, including statistical data and error data, for NSEL
- show logging flow-export-syslogs - Lists all syslog messages that are captured by NSEL events
- show running-config flow-export - Shows the currently configure NetFlow commands
- show running-config logging - Shows disabled syslog messages, which are redundant syslog messages because they export the same information through NetFlow
Reference Documentation: ASA NetFlow Implementation Guide