
Cisco Catalyst 9300 NetFlow Configuration

scott

One device that I am beginning to see a lot more of at my customer sites is the Cisco Catalyst 9300. I figured that I would take this opportunity to walk through the Cisco Catalyst 9300 NetFlow configuration, and provide a sample reference document for you.

There is not much new here on configuring NetFlow. If you are familiar with the 3850 NetFlow configuration, it is very much the same.

What makes these configurations unique is that specific rules govern which key (match) fields a record may use, depending on the direction in which the monitor is applied to the interface.

If you apply a flow monitor in the input direction:

  • Use the match keyword and use the input interface as a key field in an input flow record.
  • Use the collect keyword and use the output interface as a collect field. This field will be present in the exported records but with a value of ‘0’.

If you apply a flow monitor in the output direction:

  • Use the match keyword and use the output interface as a key field in an output flow record.
  • Use the collect keyword and use the input interface as a collect field. This field will be present in the exported records but with a value of ‘0’.

Let’s get started with the Cisco 9300 NetFlow Configuration.

We need to create a separate flow record and flow monitor for inbound traffic and outbound traffic.

Below are two recommended flow records for use in the NetFlow configuration.

flow record FNF-input
 description IPv4 NetFlow
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match interface input
 match ipv4 tos
 match flow direction

 collect interface output
 collect counter bytes long
 collect counter packets long
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last

flow record FNF-output
 description IPv4 NetFlow
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match interface output
 match ipv4 tos
 match flow direction

 collect interface input
 collect counter bytes long
 collect counter packets long
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last

The next step creates the exporter. The exporter defines how we export the flows to the collector.

flow exporter Scrutinizer
 description Export to Scrutinizer
 destination [collector's IP address]
 source [interface through which the switch sends flows to the collector]
 transport udp 2055
 template data timeout 60

You must specify a source interface. If you do not configure a source interface, the exporter remains disabled.

In the next step, we will create flow monitors. The flow monitors will tie the flow record with the exporter. There will be a flow monitor for each direction.

flow monitor Scrut_mon_input
 description IPv4 FNF ingress exports
 exporter Scrutinizer
 record FNF-input
 cache timeout active 60

flow monitor Scrut_mon_output
 description IPv4 FNF egress exports
 exporter Scrutinizer
 record FNF-output
 cache timeout active 60

The last step is to apply the flow monitors to the interfaces on which you want traffic visibility.

interface GigabitEthernet1/0/1
 ip flow monitor Scrut_mon_input input
 ip flow monitor Scrut_mon_output output

When working through configurations with customers I am often asked, “Can I use NetFlow to get layer 2 traffic visibility?”

On some Cisco switch models, the answer is YES. You can either use the layer2-switched option on the monitor or, as shown in the example below, configure a separate layer 2 flow monitor on the layer 2 interfaces.

The steps are the same, except that you create a flow record with match statements specific to monitoring layer 2 traffic.

flow record l2-rec
 description Layer2 NetFlow Record
 match datalink mac source address input
 match datalink mac destination address input
 match datalink vlan input
 match datalink ethertype
 collect counter bytes long
 collect counter packets

Just as with the layer 3 flow records, we also configure a layer 2 output record, in which the match datalink vlan, match datalink dot1q vlan, and match datalink mac destination address fields are keyed on the output direction. A separate outbound monitor needs to be configured to call in that output record.

You need to create a new monitor for each input and output direction that will tie together the layer 2 record and the exporter. We can then configure the layer 2 flow monitors on the layer 2 interfaces.

Configuring Flexible NetFlow offers you a ton of different user configuration options for monitoring, including layer 2 switched traffic streams. Contact our support team if you want to learn more or need help with configurations.