This blog post is going to be a quick one. I'm going to share the configuration of NetFlow so I can export to my StealthWatch system. In previous posts, I mentioned that I'm using a Cisco Catalyst 3650, Nexus 1000v, and ASA 5506 in my lab so I'll go over what I configured on them.
3650 Configuration:
Flow Record configuration:
flow record LANCOPE-REC
match datalink mac source address input
match datalink mac destination address input
match datalink vlan input
match ipv4 ttl
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match transport icmp ipv4 type
match transport icmp ipv4 code
match flow direction
match flow cts source group-tag <- Note: As of IOS-XE 3.06.04, you can now export SGTs via NetFlow
match flow cts destination group-tag <- Note: As of IOS-XE 3.06.04, you can now export SGTs via NetFlow
collect interface output
collect transport tcp flags
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last
collect counter bytes layer2 long
Create the Flow Exporter:
flow exporter LANCOPE-EXP
destination 10.1.100.8 <- IP address of your Flowcollector, not the SMC
source vlan100
transport udp 2055
template data timeout 60
Create the flow monitor:
flow monitor LANCOPE-MON
exporter LANCOPE-EXP
cache timeout active 30
record LANCOPE-REC
Apply it to the interfaces:
interface range g1/0/1-48
ip flow monitor LANCOPE-MON input
To verify:
show flow monitor LANCOPE-MON cache:
If you have your StealthWatch Management Center up, you should start seeing the flow coming in.
Nexus 1000v
Enable the feature:
feature netflow
Create the flow exporter:
destination 10.1.100.8 <- IP address of your Flowcollector, not the SMC
transport udp 2055
version 9
source mgmt0
Create the flow monitor:
flow monitor LANCOPE-MON
exporter LANCOPE-EXP
record netflow-original
timeout active 60
timeout inactive 15
Apply it to the port-profiles:
port-profile ProductionServer
ip flow monitor LANCOPE-MON input
ASA
Login to the ASDM and navigate to Configuration>Device Management>Logging>Netflow and do the following:
- Change the Template Timeout Rate down to 10
- In the Flow Update Interval field, define the frequency that status updates for long-lived flows will be sent from the ASA (1 minute is recommended)
- Check the box for Delay transmission of flow creation events for short-lived flows
- Type 60 in the Delay By field - it'll reduce the number of flow events exported from the ASA and reduces the licensing implications without significantly changing the data reporting
- Click Add on this screen to add a Netflow collector and add the IP address of the FlowCollector
- Check the box for Disable redundant syslog messages. This helps prevent performance concerns
Navigate to Configuration>Firewall>Service Policy Rules and click Add. Change the radio button to Global and click Next.
On the next page, choose the radio button for Create a new traffic class, name it, and check the box for Any traffic before click Next.
On the next page, click the Netflow tab and then click Add. Check the box for the Lancope FlowCollector:
Click Finish and save your changes in the ASDM