Manufacturer: Cisco

Switch Model(s): Catalyst 9000 family

Wireless Controller Model(s): Catalyst 9800 Series

Access Point Model(s): Catalyst 9100 Series

Router Model(s): ASR 900/1000 Series, NCS 4200 Series, Catalyst 8000 Edge Platforms, ISR 1000/4000 Series, IR1100/IR1800/IR8100/IR8300 Series, Catalyst 8000V Edge, CSR1000v, CBR Series

Version(s): IOS XE 17

URL: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fnetflow/configuration/xe-17/fnf-xe-17-book/fnf-v5-export.html

Notes:

• Some Cisco devices support additional licensing to provide NBAR, TrustSEC, and ETA analytics. Refer to the appropriate Cisco Data sheet to determine if your device supports these features.

Configuration steps for layer 3 Flexible NetFlow

1. Create a Flow Record

configure terminal
flow record FLOW-RECORD
description flow record
  match ipv4 tos
  match ipv4 protocol
  match ipv4 source address
  match ipv4 destination address
  match transport source-port
  match transport destination-port
  match interface input
  match flow direction
  collect routing source as
  collect routing destination as
  collect routing next-hop address ipv4
  collect ipv4 dscp
  collect ipv4 id
  collect ipv4 source prefix
  collect ipv4 source mask
  collect ipv4 destination mask
  collect ipv4 ttl minimum
  collect ipv4 ttl maximum
  collect transport tcp flags
  collect interface output
  collect counter bytes
  collect counter packets
  collect timestamp sys-uptime first
  collect timestamp sys-uptime last
  exit

Flow record <name>

Description <string>

Match <type>

Collect <type>

2. Create a flow Exporter

configure terminal
flow exporter PLIXER-COLLECTOR
  description Plixer Platform Flow Collector
  destination <IP of Plixer collector>
  source <interface>
  export-protocol ipfix
  transport udp 9995
  exit

flow exporter <name>

description <string>

destination <ip> [use vrf-name]

source <interface>

export-protocol ipfix

transport udp <port>

3. Create a Flow Monitor

configure terminal
flow monitor FLOW-COLLECTION
  description flow collection
  record FLOW-RECORD
  exporter PLIXER-COLLECTOR
  cache timeout 60
  exit

flow monitor <name>

description <string>

record <name>

exporter <name>

cache timeout <seconds>

4. Apply a Flow Monitor to an interface

configure terminal
interface <interface>
  ip flow monitor FLOW-COLLECTION input
  exit

Ip flow monitor <ipv4 |ipv6> input

5. Configure ETA

Must have the appropriate licensing to enable these features.

configure terminal
et-analytics
  ip flow-export destination <IP of Plixer collector> 2055
  inactive-timeout 15

interface <interface>
  et-analytics enable
  exit

6. Add Trustsec SGT information into Flow Records

Must have the appropriate licensing to enable these features.

configure terminal
flow record FLOW-RECORD
  match flow cts source group-tag
  match flow cts destination group-tag
  exit

7. Add NBAR data to the flow record

Must have the appropriate licensing to enable these features.

configure terminal
flow record FLOW-RECORD
  collect application name
  collect application http url
  collect application http host
  collect connection delay response to-server sum
  collect connection delay response to-server min
  collect connection delay response to-server max
  collect connection delay network to-server sum
  collect connection delay network to-client sum
  collect connection delay network client-to-server sum
  collect connection delay application sum
  collect connection delay application min
  collect connection delay application max
  collect connection delay response client-to-server sum
  exit