Manufacturer: Cisco

Model(s): Catalyst 3650/3850

Version(s): IOS XE 16.X

URL: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/16-12/configuration_guide/nmgmt/b_1612_nmgmt_3650_cg/configuring_flexible_netflow.html

Notes:

  • Some devices may require additional licensing to use full NetFlow. Check the relevant Cisco datasheet for the licensing requirements.

Configuration steps for Flexible NetFlow

  1. Create a Flow Record
configure terminal
flow record FLOW-RECORD
description NetFlow Record
match datalink mac source address input
match datalink mac destination address input
match datalink vlan input
match ipv4 ttl
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
collect transport tcp flags
collect interface output
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last

CLI command             Description
flow record <name>      Creates a flow record and enters flow record configuration mode.
description <string>    Describes this flow record as a maximum 63-character string.
match <key>             Specifies match keys. Plixer recommended keys are listed in the example above.
collect <field>         Specifies the collection field. Plixer recommended fields are listed in the example above.

  2. Create a Flow Exporter
configure terminal
flow exporter PLIXER-COLLECTOR
description Plixer flow collector
destination <IP of Plixer collector>
source <interface>
transport udp 2055
exit

CLI command             Description
flow exporter <name>    Creates a flow exporter and enters flow exporter configuration mode.
description <string>    Describes this flow exporter as a maximum 63-character string.
destination <ip>        IPv4 address of the Plixer collector. You can optionally configure the VRF to use to reach the NetFlow Collector.
source <interface>      Specifies the interface to use when sending NetFlow exports. Make sure Plixer can query it using SNMP.
transport udp <port>    Specifies the UDP port to use to reach the NetFlow Collector. The range is from 0 to 65535. Ports 2055 or 9995 are recommended.

  3. Create a Flow Monitor
configure terminal
flow monitor FLOW-COLLECTION
description flow collection
record FLOW-RECORD
exporter PLIXER-COLLECTOR
cache timeout active 60
cache timeout inactive 15
exit

CLI command                                  Description
flow monitor <name>                          Creates a flow monitor and enters flow monitor configuration mode.
description <string>                         Describes this flow monitor as a maximum 63-character string.
record <name>                                Associates a flow record with this flow monitor.
exporter <name>                              Associates a flow exporter with this flow monitor.
cache timeout {active | inactive} <seconds>  Sets the flow timeout length. Plixer recommends this be set to 60 seconds.

  4. Apply a Flow Monitor to an interface
configure terminal
interface <interface>
! (or) vlan configuration <interface>
ip flow monitor FLOW-COLLECTION input

CLI command                             Description
{ip | ipv6} flow monitor <name> input   Associates an IPv4 or IPv6 flow monitor to the interface for input packets.

  5. Add TrustSec SGT information to Flow Records

The appropriate licensing is required to enable these features.

flow record FLOW-RECORD
match flow cts source group-tag
match flow cts destination group-tag
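
A consistency check for the chain built in steps 1 to 4 (the monitor references a defined record and exporter, and the interface references a defined monitor). This is an added example, not part of the original guide or of any Cisco or Plixer tooling. It assumes input in show running-config layout with indented sub-commands and treats names as case-sensitive; the sample config, the address 192.0.2.10 and the interface name are constructed.

```python
import re

# Constructed sample in `show running-config` layout (sub-commands indented).
# The monitor name on the interface is deliberately lower-cased.
SAMPLE_CONFIG = """\
flow record FLOW-RECORD
 match ipv4 source address
 collect counter bytes long
flow exporter PLIXER-COLLECTOR
 destination 192.0.2.10
 transport udp 2055
flow monitor FLOW-COLLECTION
 record FLOW-RECORD
 exporter PLIXER-COLLECTOR
 cache timeout active 60
interface GigabitEthernet1/0/1
 ip flow monitor flow-collection input
"""

def parse_sections(config):
    """Group indented sub-commands under their top-level command."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and "!" comment/separator lines
        if line[0].isspace() and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections

def lint_flow_config(config):
    """Return broken references; names are compared case-sensitively (assumption)."""
    sections = parse_sections(config)
    defined = {"record": set(), "exporter": set(), "monitor": set()}
    for head, _ in sections:
        m = re.fullmatch(r"flow (record|exporter|monitor) (\S+)", head)
        if m:
            defined[m.group(1)].add(m.group(2))
    problems = []
    for head, body in sections:
        in_monitor = head.startswith("flow monitor ")
        for cmd in body:
            ref = in_monitor and re.fullmatch(r"(record|exporter) (\S+)", cmd)
            if ref and ref.group(2) not in defined[ref.group(1)]:
                problems.append(f"{head}: undefined {ref.group(1)} {ref.group(2)}")
            app = re.fullmatch(r"ip(?:v6)? flow monitor (\S+) (?:input|output)", cmd)
            if app and app.group(1) not in defined["monitor"]:
                problems.append(f"{head}: undefined monitor {app.group(1)}")
    return problems
```

Calling lint_flow_config on a saved configuration returns an empty list when every reference resolves, so it can run as a pre-deployment check.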