I am seeing a lot more of the Cisco Catalyst 9400 switches at my customer sites these days. I have also had a number of requests for configuration help. I figured that I would take this opportunity to walk through the Cisco Catalyst 9400 NetFlow configuration, and provide a sample reference document for you.
There is not much new here on configuring NetFlow. If you are familiar with the 3850 NetFlow configuration, it is very much the same.
What is specific to these platforms is a set of rules that govern which interface fields a flow record may use as key (match) fields, and those rules depend on the direction in which the monitor is applied to an interface.
If you apply a flow monitor in the input direction:
- Use the match keyword and use the input interface as a key field in an input flow record.
- Use the collect keyword and use the output interface as a collect field. This field will be present in the exported records, but with a value of “0.”
If you apply a flow monitor in the output direction:
- Use the match keyword and use the output interface as a key field in an output flow record.
- Use the collect keyword and use the input interface as a collect field. This field will be present in the exported records, but with a value of “0.”
Let’s get started with the Cisco 9400 NetFlow configuration.
We need to create a separate flow record and flow monitor for inbound traffic and outbound traffic.
Below are two recommended flow records for use in the NetFlow configuration.
flow record FNF-input
 description IPv4 NetFlow
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match interface input
 match ipv4 tos
 match flow direction
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last
flow record FNF-output
 description IPv4 NetFlow
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match interface output
 match ipv4 tos
 match flow direction
 collect interface input
 collect counter bytes long
 collect counter packets long
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last
The next step creates the exporter. The exporter defines how we export the flows to the collector.
flow exporter Scrutinizer
 description Export to Scrutinizer
 destination [collector's IP address]
 source [name of the interface through which you will export flows to the collector]
 transport udp 2055
 template data timeout 60
You must specify a source interface: if none is configured, the exporter remains disabled and nothing is sent. Choose an interface with a stable address (a loopback is the usual choice), because the collector identifies the exporting device by the source address of the export packets.
In the next step, we will create the flow monitors. A flow monitor ties a flow record to the exporter, and there is one monitor per direction. The active cache timeout controls how often long-lived flows are exported while they are still active; 60 seconds keeps the collector's view close to real time.
flow monitor Scrut_mon_input
 description IPv4 FNF ingress exports
 exporter Scrutinizer
 record FNF-input
 cache timeout active 60
flow monitor Scrut_mon_output
 description IPv4 FNF egress exports
 exporter Scrutinizer
 record FNF-output
 cache timeout active 60
The last step is to add the flow monitors to the interfaces where you’re looking for traffic visibility.
interface GigabitEthernet1/0/1
 ip flow monitor Scrut_mon_input input
 ip flow monitor Scrut_mon_output output
Can I use NetFlow to get layer 2 traffic visibility?
On some Cisco switch models, the answer is YES. You can either use the layer-2-switched option on the monitor or, as in the example below, configure a separate layer 2 flow monitor on the layer 2 interfaces.
The steps are the same as for layer 3, except that the flow record uses match statements specific to layer 2 (datalink) traffic.
flow record l2-rec
 description Layer2 NetFlow Record
 match datalink mac source address input
 match datalink mac destination address input
 match datalink vlan input
 match datalink ethertype
 collect counter bytes long
 collect counter packets
Just as with the layer 3 records, the egress direction needs its own layer 2 output record, keyed on the output-direction datalink fields (match datalink vlan, match datalink dot1q vlan, and match datalink mac destination address). A separate outbound monitor references that output record.
So you create one monitor per direction, each tying the matching layer 2 record to the exporter, and then apply the layer 2 flow monitors to the layer 2 interfaces.
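The direction rules above are easy to get wrong when records and monitors are copied between boxes, and the symptom (every flow arriving at the collector with an interface index of 0) is only visible after the fact. The following checker is an added example, not code from the original page or from Cisco: it parses running-config style text for the flow records, exporters, monitors and interface bindings described in both the layer 3 and layer 2 sections, and reports any monitor applied in a direction its record is not keyed for, plus any exporter without a source interface. The embedded sample configuration is constructed for this example (the collector addresses, Loopback0, and the deliberately wrong binding on GigabitEthernet1/0/2 are all assumptions), and `HEADER`/`BINDING`, `parse_config` and `check_config` are names chosen here.

```python
import re

# Constructed sample for this example: trimmed versions of the page's records,
# exporter and monitors, a layer 2 record, plus two deliberate mistakes the
# checker must catch: exporter NoSource has no source interface, and
# GigabitEthernet1/0/2 applies the input monitor in the output direction.
SAMPLE_CONFIG = """\
flow record FNF-input
 match ipv4 source address
 match ipv4 destination address
 match interface input
 collect interface output
 collect counter bytes long
flow record FNF-output
 match ipv4 source address
 match ipv4 destination address
 match interface output
 collect interface input
 collect counter bytes long
flow record l2-rec
 match datalink mac source address input
 match datalink vlan input
flow exporter Scrutinizer
 destination 192.0.2.10
 source Loopback0
 transport udp 2055
flow exporter NoSource
 destination 192.0.2.11
flow monitor Scrut_mon_input
 exporter Scrutinizer
 record FNF-input
flow monitor Scrut_mon_output
 exporter Scrutinizer
 record FNF-output
flow monitor L2_mon_input
 exporter Scrutinizer
 record l2-rec
interface GigabitEthernet1/0/1
 ip flow monitor Scrut_mon_input input
 ip flow monitor Scrut_mon_output output
interface GigabitEthernet1/0/2
 ip flow monitor Scrut_mon_input output
interface GigabitEthernet1/0/3
 datalink flow monitor L2_mon_input input
"""

HEADER = re.compile(r"(flow record|flow exporter|flow monitor|interface) (\S+)")
BINDING = re.compile(r"(ip|ipv6|datalink) flow monitor (\S+)(?: sampler \S+)? (input|output)$")


def parse_config(text):
    """Collect flow records, exporters, monitors and interface bindings from config text."""
    records, exporters, monitors, applied = {}, {}, {}, []
    kind = name = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):          # a top-level command opens a new block
            m = HEADER.match(line)
            kind, name = (m.group(1), m.group(2)) if m else (None, None)
            if kind == "flow record":
                records[name] = {"match": set(), "collect": set()}
            elif kind in ("flow exporter", "flow monitor"):
                (exporters if kind == "flow exporter" else monitors)[name] = {}
            continue
        words = line.split()                  # indented subcommand of the open block
        if kind == "flow record" and words[0] in ("match", "collect"):
            records[name][words[0]].add(" ".join(words[1:]))
        elif kind == "flow exporter":
            exporters[name][words[0]] = " ".join(words[1:])
        elif kind == "flow monitor" and words[0] in ("record", "exporter"):
            monitors[name][words[0]] = words[1]
        elif kind == "interface" and (m := BINDING.match(line.strip())):
            applied.append((name, m.group(1), m.group(2), m.group(3)))
    return records, exporters, monitors, applied


def check_config(text):
    """Return findings as strings; an empty list means the direction rules are met."""
    records, exporters, monitors, applied = parse_config(text)
    findings = []
    for ename, exp in exporters.items():
        if "source" not in exp:
            findings.append(f"exporter {ename}: no source interface; the exporter stays disabled")
    for intf, family, mname, direction in applied:
        mon = monitors.get(mname)
        if mon is None or mon.get("record") not in records:
            findings.append(f"{intf} {direction}: monitor {mname} or its record is not defined")
            continue
        rec = records[mon["record"]]
        opposite = "output" if direction == "input" else "input"
        # layer 3 monitors: the interface on the applied side must be a key field
        if family != "datalink" and f"interface {direction}" not in rec["match"]:
            findings.append(f"{intf} {direction}: record {mon['record']} should key on interface {direction}")
        # any key carrying the opposite direction is exported as 0 on this side
        for key in sorted(rec["match"]):
            if key.split()[-1] == opposite:
                findings.append(f"{intf} {direction}: key '{key}' in record {mon['record']} "
                                f"is always 0 in the {direction} direction; collect it instead")
    return findings


if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE_CONFIG)) or "no findings")
```

Run it against your own `show running-config | section flow|interface` output by passing that text to `check_config`. The two direction checks are deliberately separate: a record that neither keys on the applied-side interface nor on the opposite one still exports flows, just without the per-interface breakdown most collectors rely on, whereas a record keyed on the opposite interface produces flows whose key field is permanently 0 and collapses every interface into one bucket.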
Configuring Flexible NetFlow offers you a ton of different user configuration options for monitoring, including layer 2 switched traffic streams. Contact us if you want to learn more or need help with configurations.