At a high level, below are the 5 steps to setting up the Cisco Nexus 7000 to export NetFlow v9:
- Enable the NetFlow feature.
- Create a Flow Record (e.g. netflow-original) and specify the fields that you want exported (we’ll use the default).
- Create a Flow Exporter (e.g. scrutinizer) that specifies where and how the NetFlow is to be sent.
- Create a Flow Monitor (e.g. tie the Flow Record to the Flow Exporter).
- Map the Flow Monitor to selected interfaces.
Now let’s dig into the meat and potatoes of configuring this monster.
First: We have to enable the NetFlow Feature on the Nexus 7000:
Second: We need to configure a “Flow Record”. We can skip this step, as the Nexus 7000 ships with a Flow Record we can use called ‘netflow-original’. Let’s see what it looks like:
To learn more about “collect vs. match,” I suggest reading Scott’s Systrax blog on the Nexus 7000. Scott’s approach differs somewhat from the one in this blog; however, you should have better luck with this page when trying to get it to work.
Third: We need to configure a “Flow Exporter”. Notice above that we specified:
- The name “scrutinizer.”
- A description “export netflow to scrutinizer.”
- The destination (i.e. the IP address of Scrutinizer).
- The version of NetFlow (i.e. v9).
- The UDP port it will receive on (i.e. 6343).
- The interface the flows need to exit to reach the NetFlow collector (aka Scrutinizer).
Fourth: We need to bind the record to the exporter using a flow monitor. We’ll call it ‘Monitortac7000’:
Please pay close attention to what happened above. We bound the record ‘netflow-original’ to the exporter ‘scrutinizer’ and named this flow monitor ‘Monitortac7000’.
Fifth: Now it is time to apply the flow monitor ‘Monitortac7000’ to each interface.
Above we configured the flow monitor to capture input (i.e. ingress) flows on every interface. We could have typed the exact same command again with ‘output’ (i.e. egress) in place of ‘input’ to export egress flows. However, this would have doubled the volume of NetFlow exported, and egress NetFlow is only necessary for a few select reasons.
I suggest that you also review: Ingress or Egress NetFlow Analysis (by Michael Patterson)
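Since the screen captures did not survive into this text, here is the whole procedure assembled into one NX-OS configuration. This is an added example built from the steps in this post, not the author’s own screen captures; the collector IP address and the exporter source interface are placeholders you must replace with your own.

```text
! Added example: the five steps above as a single Nexus 7000 (NX-OS) configuration.
! Step 1: enable the NetFlow feature.
feature netflow

! Step 2: skipped; the built-in flow record 'netflow-original' is used as-is.

! Step 3: the flow exporter, i.e. where and how flows are sent.
flow exporter scrutinizer
  description export netflow to scrutinizer
  ! PLACEHOLDER: replace with the IP address of your Scrutinizer collector.
  destination 192.0.2.10
  ! PLACEHOLDER: the interface the flows exit through to reach the collector.
  source ethernet 1/1
  ! Scrutinizer listens on UDP 6343 in this post.
  transport udp 6343
  version 9

! Step 4: bind the record to the exporter with a flow monitor.
flow monitor Monitortac7000
  record netflow-original
  exporter scrutinizer

! Step 5: apply the monitor to each selected interface, ingress only.
! 'ip flow monitor Monitortac7000 output' would also export egress flows
! and roughly double the volume sent to the collector.
interface vlan 612
  ip flow monitor Monitortac7000 input
```

Verify the result with the show commands listed further down in this post (e.g. ‘show flow exporter’ and ‘show flow monitor Monitortac7000’).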
Sixth: I know it was supposed to be 5 steps, but I forgot this one:
If you want to check all your work, try the show commands below, which I took from this Cisco Nexus NetFlow document:
- tac7000# show flow record netflow-original
- tac7000# show flow exporter
- tac7000# show flow monitor Monitortac7000
- tac7000# sh run
- tac7000# sh run int vlan612
Below are screen captures of what the output of the “sh flow record” command looks like:
You should know that this monster can kick out tens of thousands of flows per second. This is more than any single NetFlow collector on the market can handle. In my next BradReese.Com Blog, I’ll cover NetFlow Sampling.