Building a Better Monitoring Solution with Flexible Netflow

If you were to ask most network engineers to configure their network to be monitored, they'd likely set up SNMP and logging and be done with it. They might get some rudimentary interface utilization statistics from SNMP, but they'd be blind to the rich metadata and in-depth traffic statistics that they could be getting from netflow.

With netflow we can collect traffic statistics on a per-flow basis rather than just a per-interface basis. Information like this can transform your security team's ability to track down bad actors, and it helps you identify network bottlenecks, network misconfigurations, user behaviors, and more.

While netflow information can be viewed from a switch's command line, the switch alone can't provide historical trends, create alerts, or show data from multiple devices in the network at once. For this, we're going to need a netflow server, otherwise known as a netflow collector. Popular netflow collectors are SolarWinds, Cisco's Stealthwatch, and ManageEngine. There are open-source options available as well.


Cisco has even built a netflow collector into DNA Center to enable the Assurance feature set.

Netflow has progressed through multiple versions, but to get the most out of our netflow configuration we want to use version 9. Earlier versions are mostly deprecated at this point, though version 5 is still in use and configurable. Version 5 has a fixed record format, so it doesn't provide the flexibility of version 9 to choose exactly which fields you find important; version 9 describes its records with templates that the exporter sends to the collector, so the collector knows how to decode whatever fields you chose. Additionally, version 9 adds support for IPv6, which version 5 lacks.

There are three portions of a flexible netflow configuration:

  • The flow exporter
    Defines the servers that netflow data will be sent to. We'll define the IP address of the collector, port information, source-interface, and netflow version here.

  • The flow record
    This defines the metadata that will actually be collected by our switches. We can record information such as:

    • Layer 2 Source and Destination, VLAN, TOS

    • Layer 3 Source and Destination, Protocol

    • Layer 4 ports

    • Interface and flow direction, next hop

    • VRF and MPLS labels

    • Timestamps

    • Packet size

    • Forwarding Status

  • The flow monitor
    The flow monitor is where we combine the flow exporter and record policies. We can attach multiple flow exporters here under the flow monitor policy. This is what will be attached to an interface.

After defining the components of our netflow policy, the flow monitor can then be applied to an interface in the input direction, the output direction, or both.

Below is my do-everything netflow configuration. It's possibly a little overkill for every application, but it gives you a great deal of information about your network traffic. If you were planning on applying this configuration to a routed interface, I would remove the datalink information from the flow record policy, because every frame transiting the link would carry the same source and destination MAC addresses (the router's and its neighbor's) and the VLAN field would tell you nothing. Two other things to keep in mind: the exporter sends plain UDP with no authentication or encryption, so the collector should sit on a management network that is reachable from the chosen source interface and is not exposed to untrusted hosts, and attaching the monitor only in the input direction still captures both halves of a conversation as long as every port the traffic can enter on carries the monitor.

Configuration

flow exporter EXPORTER
 description Export NetFlow to StealthWatch
 destination <Destination IP Address>
 export-protocol netflow-v9
 source Vlan100
 transport udp 2055
!
flow record RECORD
 description NetFlow record
 match datalink mac source address input
 match datalink mac destination address input
 match datalink vlan input
 match ipv4 ttl
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
flow monitor IPv4_NETFLOW
 record RECORD
 exporter EXPORTER
 cache timeout active 60
!
interface <>
 ip flow monitor IPv4_NETFLOW input
!
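To see what the exporter above actually sends, and why version 9's template mechanism is what lets the flow record pick its own fields, here is a small NetFlow v9 decoder written for this post as an added example; it is not code from the original article, from Cisco, or from any collector product. It parses the v9 packet header, learns templates (FlowSet ID 0), and decodes data FlowSets against the template a given exporter and source ID announced earlier, skipping data whose template has not been seen rather than guessing at the layout. The packet it decodes is constructed inline with a template that mirrors a subset of the RECORD fields above (MACs, VLAN, TOS, protocol, addresses, ports, interfaces, counters, timestamps); the field type numbers come from RFC 3954, and the addresses and counter values in the sample are made up.

```python
"""Minimal NetFlow v9 (RFC 3954) decoder for the kind of export the RECORD/EXPORTER
configuration produces. Added example; the sample packet below is constructed."""
import socket
import struct

# Field type IDs from RFC 3954 section 8 that correspond to the match/collect
# lines of the flow record (TTL is left out of this subset).
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 5: "src_tos",
    7: "l4_src_port", 8: "ipv4_src_addr", 10: "input_snmp",
    11: "l4_dst_port", 12: "ipv4_dst_addr", 14: "output_snmp",
    21: "last_switched", 22: "first_switched",
    56: "in_src_mac", 58: "src_vlan", 80: "in_dst_mac",
}


def _decode_field(ftype, raw):
    if ftype in (8, 12):                       # IPv4 addresses
        return socket.inet_ntoa(raw)
    if ftype in (56, 80):                      # MAC addresses
        return ":".join(f"{b:02x}" for b in raw)
    return int.from_bytes(raw, "big")          # counters, ports, ids, timestamps


class NetflowV9Decoder:
    """Templates are keyed per (exporter, source id, template id) because a
    different exporter may reuse the same template number for other fields."""

    def __init__(self):
        self.templates = {}

    def decode(self, exporter, packet):
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"not NetFlow v9: version {version}")
        flows, offset = [], 20
        while offset + 4 <= len(packet):
            set_id, set_len = struct.unpack("!HH", packet[offset:offset + 4])
            if set_len < 4 or offset + set_len > len(packet):
                raise ValueError("bad FlowSet length")
            body = packet[offset + 4:offset + set_len]
            if set_id == 0:                    # template FlowSet
                self._parse_templates(exporter, source_id, body)
            elif set_id > 255:                 # data FlowSet, id == template id
                flows.extend(self._parse_data(exporter, source_id, set_id, body))
            # set id 1 (options templates) and 2-255 (reserved) are ignored here
            offset += set_len
        return flows

    def _parse_templates(self, exporter, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
            pos += 4 * nfields
            self.templates[(exporter, source_id, tid)] = fields

    def _parse_data(self, exporter, source_id, tid, body):
        fields = self.templates.get((exporter, source_id, tid))
        if fields is None:                     # template not yet received: skip, don't guess
            return []
        rec_len = sum(flen for _, flen in fields)
        records, pos = [], 0
        while pos + rec_len <= len(body):      # leftover bytes shorter than a record are padding
            rec = {}
            for ftype, flen in fields:
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode_field(ftype, body[pos:pos + flen])
                pos += flen
            records.append(rec)
        return records


# Template 256 mirrors part of RECORD: (field type, length) pairs, 60 bytes per record.
SAMPLE_TEMPLATE = [(56, 6), (80, 6), (58, 2), (5, 1), (4, 1), (8, 4), (12, 4), (7, 2),
                   (11, 2), (10, 4), (14, 4), (1, 8), (2, 8), (22, 4), (21, 4)]
TEMPLATE_SET_LEN = 4 + 4 + 4 * len(SAMPLE_TEMPLATE)


def build_sample_packet():
    """Constructed packet: one template FlowSet, then one data record for an SSH flow."""
    tmpl = struct.pack("!HH", 256, len(SAMPLE_TEMPLATE)) + b"".join(struct.pack("!HH", t, l) for t, l in SAMPLE_TEMPLATE)
    template_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    record = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 100)
              + bytes([0, 6]) + socket.inet_aton("10.1.100.25") + socket.inet_aton("192.0.2.10")
              + struct.pack("!HH", 51324, 22) + struct.pack("!II", 12, 3)
              + struct.pack("!QQ", 9840, 60) + struct.pack("!II", 1000, 61000))
    data_set = struct.pack("!HH", 256, 4 + len(record)) + record
    header = struct.pack("!HHIIII", 9, 2, 61000, 1580000000, 1, 0)
    return header + template_set + data_set


def decode_sample():
    return NetflowV9Decoder().decode("10.1.100.1", build_sample_packet())
```

In a real collector the template arrives on its own schedule (Cisco lets you tune it with `template data timeout` under the exporter), so a data FlowSet can show up before the collector has any template for it; that is exactly the case the decoder skips, and it is the reason a freshly restarted collector shows nothing for the first minute or two after start.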

Of course, Cisco’s configuration guide is the best place to go for in depth documentation of the various options that can be configured.

If you'd like to view the cached flow data on the switch itself, the Flexible NetFlow commands are the ones to use (the classic "show ip cache flow" only covers traditional NetFlow and isn't available on switches that support only Flexible NetFlow). "show flow monitor IPv4_NETFLOW cache" displays the monitor's cache, "show flow interface" shows which interfaces have a flow monitor attached and in which direction, and "show flow exporter EXPORTER statistics" shows how many packets and records have been exported and whether any were dropped.

Ryan Harris

I’m Ryan and I’m a Senior Network Engineer for BlueAlly (formerly NetCraftsmen) in North Carolina doing routing, switching, and security. I’m very interested in IPv6 adoption, SD-Access, and Network Optimization. Multi-vendor with the majority of my work being with Cisco and Palo Alto.
