Macro 32 Ramblings

How to configure a Cisco Nexus 7000 to export NetFlow v9

http://www.bradreese.com/blog/plixer-4-8-2010.htm

At a high level, below are the 5 steps to setting up the Cisco Nexus 7000 to export NetFlow v9:

  1. Enable the NetFlow feature.
  2. Create a Flow Record (e.g. netflow-original) and specify the fields that you want exported (we’ll use the default).
  3. Create a Flow Exporter (e.g. scrutinizer) that specifies where and how the NetFlow is to be sent.
  4. Create a Flow Monitor (e.g. tie the Flow Record to the Flow Exporter).
  5. Map the Flow Monitor to selected interfaces.

Now let’s dig into the meat and potatoes of configuring this monster.

First: We have to enable the NetFlow Feature on the Nexus 7000:

tac7000(config)# feature netflow

Second: We need to configure a “Flow Record”. We can skip this step because the Nexus 7000 ships with a ready-made Flow Record called ‘netflow-original’. Let’s see what it looks like:

tac7000# show flow record netflow-original
Flow record netflow-original:
    Description: Traditional IPv4 input NetFlow with origin ASs
    No. of users: 1
    Template ID: 261
    Fields:
        match ipv4 source address
        match ipv4 destination address
        match ip protocol
        match ip tos
        match transport source-port
        match transport destination-port
        match interface input
        match interface output
        match flow direction
        collect routing source as
        collect routing destination as
        collect routing next-hop address ipv4
        collect transport tcp flags
        collect counter bytes
        collect counter packets
        collect timestamp sys-uptime first
        collect timestamp sys-uptime last

To learn more about “collect vs. match,” I suggest reading Scott’s Systrax blog on the Nexus 7000. Scott’s approach is a bit different from the one in this blog; however, you should have better luck with this page when trying to get it to work.
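To make the record above concrete from the collector’s side, here is an added example (not part of the original post, and not Scrutinizer’s or Cisco’s code) that builds a NetFlow v9 packet carrying a template with the ‘netflow-original’ fields (mapped to their RFC 3954 field type IDs, using the template ID 261 shown by the switch) plus two constructed flow records, and then decodes it the way a collector must: templates are cached per exporter source ID, and a data FlowSet that arrives before its template cannot be decoded and is only counted. The sample addresses, interface indexes and counters are made up for the demonstration.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v9 field type IDs (RFC 3954) for the fields in the Nexus 'netflow-original'
# record: (name, field type, length in bytes). The switch reports template ID 261 for it.
NETFLOW_ORIGINAL_FIELDS = [
    ("ipv4_src_addr", 8, 4), ("ipv4_dst_addr", 12, 4),
    ("protocol", 4, 1), ("src_tos", 5, 1),
    ("l4_src_port", 7, 2), ("l4_dst_port", 11, 2),
    ("input_snmp", 10, 2), ("output_snmp", 14, 2),
    ("direction", 61, 1),
    ("src_as", 16, 2), ("dst_as", 17, 2), ("ipv4_next_hop", 15, 4),
    ("tcp_flags", 6, 1),
    ("in_bytes", 1, 4), ("in_pkts", 2, 4),
    ("first_switched", 22, 4), ("last_switched", 21, 4),
]
TEMPLATE_ID = 261
FIELD_NAMES = {ftype: name for name, ftype, _ in NETFLOW_ORIGINAL_FIELDS}
IPV4_FIELDS = {8, 12, 15}
HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, sequence, sourceId


def build_template_flowset(template_id, fields):
    """Template FlowSet (FlowSet id 0): tells the collector how to decode data records."""
    body = struct.pack("!HH", template_id, len(fields))
    for _, ftype, flen in fields:
        body += struct.pack("!HH", ftype, flen)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_flowset(template_id, fields, flows):
    """Data FlowSet: records laid out exactly as the template says, padded to 4 bytes."""
    body = b""
    for flow in flows:
        for name, ftype, flen in fields:
            if ftype in IPV4_FIELDS:
                body += IPv4Address(flow[name]).packed
            else:
                body += int(flow[name]).to_bytes(flen, "big")
    body += b"\x00" * ((-len(body)) % 4)
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def build_packet(flowsets, record_count, seq, source_id, sys_uptime=0, unix_secs=0):
    return HEADER.pack(9, record_count, sys_uptime, unix_secs, seq, source_id) + b"".join(flowsets)


class NetflowV9Collector:
    """Minimal collector: caches templates per (source id, template id) and decodes data."""

    def __init__(self):
        self.templates = {}
        self.undecodable = 0  # data FlowSets seen before their template arrived

    def feed(self, packet):
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack(packet[:HEADER.size])
        if version != 9:
            raise ValueError(f"not a NetFlow v9 packet (version {version})")
        records, off = [], HEADER.size
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
            if fs_len < 4:
                raise ValueError("malformed FlowSet length")
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:
                self._learn_templates(source_id, body)
            elif fs_id >= 256:  # id 1 (options template) and 2-255 (reserved) are skipped here
                records.extend(self._decode(source_id, fs_id, body))
            off += fs_len
        return records

    def _learn_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            fields = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4]) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.undecodable += 1
            return []
        rec_len = sum(flen for _, flen in fields)
        out, off = [], 0
        while off + rec_len <= len(body):  # trailing padding is shorter than one record
            rec = {}
            for ftype, flen in fields:
                raw = body[off:off + flen]
                off += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                rec[name] = str(IPv4Address(raw)) if ftype in IPV4_FIELDS else int.from_bytes(raw, "big")
            out.append(rec)
        return out


def demo():
    """Constructed sample: two ingress flows (direction 0) seen on ifIndex 612."""
    base = dict(src_tos=0, input_snmp=612, output_snmp=613, direction=0, src_as=0, dst_as=0,
                ipv4_next_hop="10.1.3.1", first_switched=1000, last_switched=1200)
    flows = [
        dict(base, ipv4_src_addr="10.1.2.50", ipv4_dst_addr="10.1.3.138", protocol=17,
             l4_src_port=52000, l4_dst_port=6343, tcp_flags=0, in_bytes=1500, in_pkts=1),
        dict(base, ipv4_src_addr="10.1.2.51", ipv4_dst_addr="10.1.3.10", protocol=6,
             l4_src_port=40000, l4_dst_port=443, tcp_flags=0x18, in_bytes=9200, in_pkts=12),
    ]
    template = build_template_flowset(TEMPLATE_ID, NETFLOW_ORIGINAL_FIELDS)
    data = build_data_flowset(TEMPLATE_ID, NETFLOW_ORIGINAL_FIELDS, flows)
    collector = NetflowV9Collector()
    # Data arriving before its template cannot be decoded; a real collector waits for a refresh.
    early = collector.feed(build_packet([data], len(flows), seq=1, source_id=1))
    decoded = collector.feed(build_packet([template, data], 1 + len(flows), seq=2, source_id=1))
    return early, decoded, collector.undecodable


if __name__ == "__main__":
    for rec in demo()[1]:
        print(rec)
```

The template-before-data dependency is the practical reason exporters resend templates periodically: if a collector is restarted, every data FlowSet it receives is undecodable until the next template refresh arrives, which is why a freshly started collector can appear to receive traffic yet show no flows.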

Third: We need to set up a flow exporter. We’ll call it ‘scrutinizer’ of course!

tac7000# conf t
tac7000(config)# flow exporter scrutinizer
tac7000(config-flow-exporter)# description export netflow to scrutinizer
tac7000(config-flow-exporter)# destination 10.1.3.138
tac7000(config-flow-exporter)# version 9
tac7000(config-flow-exporter)# transport udp 6343
tac7000(config-flow-exporter)# source vlan613

Notice above that we specified:

  • The name “scrutinizer.”
  • A description “export netflow to scrutinizer.”
  • The destination (i.e. the IP address of Scrutinizer).
  • The version of NetFlow (i.e. v9).
  • The UDP port it will receive on (i.e. 6343).
  • The interface the flows need to exit to reach the NetFlow collector (aka Scrutinizer).

Fourth: We need to bind the record to the exporter using a flow monitor. We’ll call it ‘Monitortac7000’:

tac7000(config)# flow monitor Monitortac7000
tac7000(config-flow-monitor)# exporter scrutinizer

tac7000(config-flow-monitor)# record netflow-original
tac7000(config)#

Please pay close attention to what happened above. We bound the record ‘netflow-original’ to the exporter ‘scrutinizer’ and the name of this flow monitor is called ‘Monitortac7000.’

Fifth: Now it is time to apply the flow monitor ‘Monitortac7000’ to each interface.

tac7000(config)# interface Vlan612
tac7000(config-if)# ip flow monitor Monitortac7000 input
tac7000(config-if)# exit
tac7000(config)# interface Vlan613
tac7000(config-if)# ip flow monitor Monitortac7000 input
tac7000(config-if)# exit
tac7000(config)# interface Vlan614
tac7000(config-if)# ip flow monitor Monitortac7000 input
tac7000(config-if)# exit
tac7000(config)# interface Vlan615
tac7000(config-if)# ip flow monitor Monitortac7000 input
tac7000(config-if)# exit
tac7000(config)# interface Vlan616
tac7000(config-if)# ip flow monitor Monitortac7000 input

Above we configured the capture of input (i.e. ingress) flows on every interface. We could have typed the same command again with ‘output’ (i.e. egress) in place of ‘input’ to export egress flows as well. However, that would have doubled the volume of NetFlow exported, and egress NetFlow is only necessary for a few select reasons.

I suggest that you also review: Ingress or Egress NetFlow Analysis (by Michael Patterson)

Sixth: I know it was supposed to be 5 steps, but I forgot this one: save the configuration.

tac7000(config-if)# end
tac7000# copy running-config startup-config

If you want to check all your work, try the show commands below, which I got from this Cisco Nexus NetFlow document:

  • tac7000# show flow record netflow-original
  • tac7000# show flow exporter
  • tac7000# show flow monitor Monitortac7000
  • tac7000# sh run
  • tac7000# sh run int vlan612

Below are screen captures of what the “sh flow record” command will look like:

[Screenshot: output of the “show flow record” command]

You should know that this monster can kick out tens of thousands of flows per second. This is more than any single NetFlow collector on the market can handle. In my next BradReese.Com Blog, I’ll cover NetFlow Sampling.
