Building a Better Monitoring Solution with Flexible Netflow
If you were to ask most network engineers to configure their network to be monitored, they'd likely set up SNMP and logging and be done with it. They might get some rudimentary interface utilization statistics from SNMP, but they'd be blind to the rich metadata and in-depth traffic statistics they could be getting from netflow.
With netflow we can collect traffic statistics on a per-flow basis rather than just a per-interface basis. Information like this transforms your security team's ability to track down bad actors, and it lets you identify network bottlenecks, misconfigurations, user behaviors, and more.
While netflow information can be viewed from a switch's command line, the CLI can't provide historical trends, create alerts, or show data from multiple devices in the network at once. For this we need a netflow server, otherwise known as a netflow collector. Popular netflow collectors are SolarWinds, Cisco's Stealthwatch, and ManageEngine. There are open-source options available as well.
Cisco has even built a netflow collector into DNA Center to enable the Assurance feature set.
Netflow has progressed through multiple versions, but to get the most out of our netflow configuration we want to use version 9. Earlier versions are mostly deprecated at this point, though version 5 is still in use and still configurable. Version 5 exports a fixed set of fields, while version 9 describes its records with templates, so you choose exactly which fields you find important. Version 9 also adds the IPv6 support that version 5 lacks. One practical consequence of templates: the exporter resends them only periodically, so a collector that starts (or restarts) after the exporter will discard flow data until the next template arrives.
There are three portions of a flexible netflow configuration:

The flow exporter
Defines the servers that netflow data will be sent to. We'll define the IP address of the collector, the UDP port, the source interface, and the netflow version here.

The flow record
This defines the metadata that will actually be collected by our switches. The "match" lines are the key fields: packets that share all of them belong to the same flow. The "collect" lines are non-key values gathered for each flow, such as counters and timestamps. We can record information such as:
Layer 2 source and destination, VLAN
Layer 3 source and destination, protocol, TOS, TTL
Layer 4 ports
Interface and flow direction, next hop
VRF and MPLS labels
Timestamps
Packet and byte counters
Forwarding status

The flow monitor
The flow monitor is where we combine the flow exporter and record policies. We can attach multiple flow exporters here under the flow monitor policy, and the monitor is what gets attached to an interface.
After defining the components of our netflow policy, it can then be applied to monitor an interface.
Below is my do-everything netflow configuration. It's possibly a little overkill for every application, but it gives you a great deal of information about your network traffic. If you plan to apply this configuration to a routed interface, remove the datalink lines from the flow record, because every frame transiting a routed link carries the same source and destination MAC addresses (the router's and the next hop's) and the key fields would add nothing.
Configuration
flow exporter EXPORTER
 description Export NetFlow to StealthWatch
 destination <Destination IP Address>
 export-protocol netflow-v9
 source Vlan100
 transport udp 2055
!
flow record RECORD
 description NetFlow record
 match datalink mac source address input
 match datalink mac destination address input
 match datalink vlan input
 match ipv4 ttl
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
flow monitor IPv4_NETFLOW
 record RECORD
 exporter EXPORTER
 cache timeout active 60
!
interface <>
 ip flow monitor IPv4_NETFLOW input
!
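To see what the EXPORTER above actually sends to UDP 2055, and why version 9's template mechanism matters, here is a small collector-side decoder. This is an added example written for this page; it is not code from the original post, from Cisco, or from any of the collectors named above. It constructs two NetFlow v9 datagrams inline whose template mirrors the match/collect fields of RECORD, parses them the way a collector must (template first, data flowsets looked up by template ID), and rolls the flows up by source address. Field type IDs are from RFC 3954, except 152/153, which are the IANA IPFIX flowStart/EndMilliseconds IDs and are assumed here to be what "collect timestamp absolute first/last" exports; the interface index lengths and all flow values are constructed sample data.

```python
import ipaddress
import struct
from collections import defaultdict

# NetFlow v9 field type IDs (RFC 3954) for the match/collect lines of RECORD.
# 152/153 are the IANA IPFIX flowStart/EndMilliseconds IDs, assumed here to be
# what "collect timestamp absolute first/last" exports (the template tells you).
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 5: "src_tos", 7: "l4_src_port",
               8: "ipv4_src_addr", 10: "input_snmp", 11: "l4_dst_port", 12: "ipv4_dst_addr",
               14: "output_snmp", 56: "in_src_mac", 58: "src_vlan", 80: "in_dst_mac",
               152: "flow_start_ms", 153: "flow_end_ms"}
IPV4_FIELDS, MAC_FIELDS = {8, 12}, {56, 80}
# Template 256: (type, length) pairs in the order the exporter lays out each record.
SAMPLE_TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (5, 1), (10, 4), (14, 4),
                   (56, 6), (80, 6), (58, 2), (1, 8), (2, 8), (152, 8), (153, 8)]


def decode_field(ftype, raw):
    if ftype in IPV4_FIELDS:
        return str(ipaddress.IPv4Address(raw))
    if ftype in MAC_FIELDS:
        return ":".join(f"{b:02x}" for b in raw)
    return int.from_bytes(raw, "big")


def encode_field(ftype, flen, value):
    if ftype in IPV4_FIELDS:
        return ipaddress.IPv4Address(value).packed
    if ftype in MAC_FIELDS:
        return bytes.fromhex(value.replace(":", ""))
    return int(value).to_bytes(flen, "big")


def parse_v9(packet, templates):
    """Decode one v9 datagram. `templates` is the collector's per-exporter cache
    {(source_id, template_id): [(type, len), ...]}; it must outlive the packet
    because the exporter resends templates only periodically, not with every export."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    records, offset = [], 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4:
            raise ValueError("malformed flowset length")
        body, pos = packet[offset + 4:offset + fs_len], 0
        if fs_id == 0:  # template flowset; may carry several templates
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                fields = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i]) for i in range(nfields)]
                templates[(source_id, tid)] = fields
                pos += 4 + 4 * nfields
        elif fs_id >= 256 and (source_id, fs_id) in templates:  # data flowset; unknown template: skip it
            fields = templates[(source_id, fs_id)]
            rec_len = sum(flen for _, flen in fields)
            while pos + rec_len <= len(body):  # leftover bytes (< rec_len) are alignment padding
                rec = {"source_id": source_id, "template_id": fs_id}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        offset += fs_len
    return records


def bytes_by_source(records):
    """Per-source byte totals, the kind of roll-up a collector dashboard shows."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec["ipv4_src_addr"]] += rec["in_bytes"]
    return dict(totals)


def build_sample_packets():
    """Constructed exporter output. Packet A carries template 256 plus two flows;
    packet B carries one more flow and no template, as most export packets do."""
    def flowset(fs_id, body):  # FlowSet header + body, padded to a 4-byte boundary
        pad = (-len(body)) % 4
        return struct.pack("!HH", fs_id, 4 + len(body) + pad) + body + b"\x00" * pad

    def header(count, seq):  # version, count, sysUptime, unixSecs, sequence, sourceId
        return struct.pack("!HHIIII", 9, count, 123456, 1700000000, seq, 1)

    def data(*flows):
        return b"".join(encode_field(t, l, v) for f in flows for (t, l), v in zip(SAMPLE_TEMPLATE, f))

    template = struct.pack("!HH", 256, len(SAMPLE_TEMPLATE)) + b"".join(
        struct.pack("!HH", t, l) for t, l in SAMPLE_TEMPLATE)
    # src, dst, sport, dport, proto, tos, in_if, out_if, src_mac, dst_mac, vlan, bytes, pkts, first, last
    https = ("10.1.100.25", "203.0.113.10", 51234, 443, 6, 0, 5, 9,
             "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", 100, 18432, 41, 1700000000000, 1700000003500)
    ssh = ("10.1.100.77", "10.1.200.5", 40022, 22, 6, 0, 5, 9,
           "00:11:22:33:44:66", "00:aa:bb:cc:dd:ee", 100, 2345678, 3210, 1700000000000, 1700000059000)
    rdp = ("10.1.100.77", "10.1.200.9", 40100, 3389, 6, 0, 5, 9,
           "00:11:22:33:44:66", "00:aa:bb:cc:dd:ee", 100, 512000, 800, 1700000010000, 1700000040000)
    packet_a = header(3, 100) + flowset(0, template) + flowset(256, data(https, ssh))
    packet_b = header(1, 101) + flowset(256, data(rdp))
    return packet_a, packet_b
```

Feed packet B to parse_v9 with an empty cache and you get nothing back: the data flowset names template 256, which the collector has never seen, and the flows are dropped. Feed packet A and then B and all three flows decode, which is exactly what happens after a collector restart until the switch resends its templates. Two things worth remembering from this: the export is plain UDP with no authentication, so the collector should only accept datagrams from your exporters' source addresses, and the (source_id, template_id) key matters because different switches can legitimately use the same template IDs for different record layouts.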
Of course, Cisco’s configuration guide is the best place to go for in depth documentation of the various options that can be configured.
If you'd like to view the cached flow data on the switch itself, note that "show ip cache flow", "show ip flow interface" and "show ip flow export" are the original (traditional) NetFlow commands and do not show a Flexible NetFlow monitor's cache. For the configuration above, "show flow monitor IPv4_NETFLOW cache" displays the cached flows, "show flow interface" lists the interfaces that have a monitor applied, and "show flow exporter EXPORTER statistics" shows how many packets and bytes have been exported to the collector.