Overview
NetFlow configuration varies slightly per hardware model.
NetFlow identifies a flow by 7 key fields:
Source IP address
Destination IP address
Source port number
Destination port number
Layer 3 protocol type (ex. TCP, UDP)
ToS (type of service) byte
Input logical interface
If any one of these fields differs, the packet belongs to a different flow and a new entry is created in the flow cache.
Enable NetFlow on every Layer-3 interface for complete visibility.
It is best practice to use a NetFlow source interface that never goes down, such as a loopback interface, so that the collector always sees the same exporter address.
A “flow record” in Flexible NetFlow (used on NX-OS as well as on IOS and IOS-XE; the commands below are IOS syntax) defines the key fields NetFlow uses to identify the packets that belong to a flow, plus the other fields of interest that NetFlow gathers for the flow.
Prerequisite
There are 4 basic steps you need to follow:
Create a flow record
Create a flow exporter
Create a flow monitor
Apply the flow monitor to interfaces
Configuration Steps
1. Log in to the router and enter global configuration mode by typing “config t”.
2. Create the flow record. Any name works, but it must be a single word because it is referenced later; this example uses NTARecord:
#flow record NTARecord
3. Define the match statements (the key fields that identify a flow) and the collect statements (non-key fields gathered for each flow):
#match ipv4 source address
#match ipv4 destination address
#match ipv4 protocol
#match transport source-port
#match transport destination-port
#match ipv4 tos (the type of service byte)
#match interface input (the ingress interface)
#collect interface output (the egress interface)
#collect counter bytes
#collect counter packets
#collect timestamp sys-uptime first
#collect timestamp sys-uptime last
#collect application name (requires NBAR application recognition; omit on platforms without it)
#collect routing source as (to collect AS information)
#collect routing destination as
#exit
4. Create the flow exporter that sends the records to the collector:
#flow exporter NTAExporter
#destination <CCE server IP address>
#source GigabitEthernet0/1 (per the best practice above, a loopback interface is preferable so that the export source address does not change when a physical link goes down)
#transport udp 2055 (2055 is the default port on which SolarWinds NetFlow Traffic Analyzer listens for flow packets; it must match the port the collector listens on)
#export-protocol netflow-v9
#template data timeout 60 (re-send the v9 template every 60 seconds; a collector that starts after the last template was sent cannot decode data records until the next one arrives)
#option application-table timeout 60
#option application-attributes timeout 300
#exit
5. Create the flow monitor, which ties the record and the exporter together and holds the flow cache:
#flow monitor NTAMonitor
#record NTARecord
#exporter NTAExporter
#cache timeout active 60 (export long-lived flows every 60 seconds while they are still active)
#cache timeout inactive 15 (export a flow 15 seconds after its last packet)
#exit
6. Apply the monitor to the interfaces. Repeat for every Layer-3 interface you want visibility on; note that applying it in both directions on every interface counts transit traffic twice, once on ingress and once on egress:
#interface GigabitEthernet0/1
#ip flow monitor NTAMonitor input
#ip flow monitor NTAMonitor output
#exit
7. Save the configuration:
#end
#write memory
VERIFICATION OF CONFIGURATION
Verification can be done from the CCE server or from the UI. On the router itself, “show flow exporter NTAExporter statistics” and “show flow monitor NTAMonitor cache” confirm that flows are being cached and that export packets are being sent.
Using UI
STEP 1: Log in to the UI >> SYSTEM
STEP 2: >> LOGS AND FLOWS COLLECTION STATUS
STEP 3: >> Under SOURCE DEVICE IP, the exporting router’s IP address should appear.
Using CCE SERVER
Run “sudo tcpdump -i any -nn udp port 2055 and host <router export source IP address>” on the CCE server to check whether flow export packets are arriving. Filter on the port configured in the exporter (2055 above), not 514, which is the syslog port. NetFlow v9 is a binary format, so -A is of little use; -X (hex dump) or -c 5 (stop after five packets) are more practical. If packets arrive on the CCE server but the UI shows no data, check that the collector is listening on 2055 and that it has received the template, since data records cannot be decoded until it has.
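The following is an added example, not code from this page, from CCE or from SolarWinds. It ties together the 7 key fields from the Overview and the collector-side check above: it builds a NetFlow v9 template flowset and a data flowset in memory (the kind of packets tcpdump would show on UDP 2055), decodes them with a minimal collector, and extracts the 7-tuple flow key. Field type numbers follow RFC 3954; template ID 256, the interface indexes, the addresses and the byte counts are constructed for the example. It also reproduces the failure mode behind the “template data timeout” setting: data that arrives before its template cannot be decoded until the template is re-sent.

```python
"""Constructed NetFlow v9 exporter/collector round trip (not the page's own code).
Field type numbers follow RFC 3954; template ID 256 and all addresses are made up."""
import ipaddress
import struct

# RFC 3954 field types used by the flow record on this page: type -> (name, kind).
# The first seven names are the classic 7-tuple that identifies a flow.
FIELDS = {
    8: ("src_addr", "ip4"), 12: ("dst_addr", "ip4"), 7: ("src_port", "int"),
    11: ("dst_port", "int"), 4: ("protocol", "int"), 5: ("src_tos", "int"),
    10: ("input_snmp", "int"), 14: ("output_snmp", "int"),
    1: ("in_bytes", "int"), 2: ("in_pkts", "int"),
}
KEY_FIELDS = ("src_addr", "dst_addr", "src_port", "dst_port", "protocol", "src_tos", "input_snmp")
# Template 256: (type, length) pairs in export order (constructed for this example)
TEMPLATE_256 = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (5, 1), (10, 2), (14, 2), (1, 4), (2, 4)]

def template_flowset(template_id, fields):
    """FlowSet ID 0: announces the record layout the exporter will use."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def data_flowset(template_id, fields, records):
    """FlowSet ID = template ID: records packed per the template, padded to 4 bytes."""
    body = b""
    for rec in records:
        for ftype, flen in fields:
            name, kind = FIELDS[ftype]
            body += ipaddress.IPv4Address(rec[name]).packed if kind == "ip4" else rec[name].to_bytes(flen, "big")
    body += b"\x00" * (-len(body) % 4)
    return struct.pack("!HH", template_id, 4 + len(body)) + body

def v9_packet(flowsets, seq, source_id=0, sys_uptime=60000, unix_secs=1700000000):
    """20-byte v9 header + flowsets; flowsets is a list of (bytes, record_count)."""
    hdr = struct.pack("!HHIIII", 9, sum(n for _, n in flowsets), sys_uptime, unix_secs, seq, source_id)
    return hdr + b"".join(fs for fs, _ in flowsets)

class V9Collector:
    """Minimal collector: learns templates per (source_id, template_id), decodes data."""
    def __init__(self):
        self.templates = {}

    def feed(self, pkt):
        """Decode one export packet -> (records, template IDs seen in data but not yet learned)."""
        version, _cnt, _up, _secs, _seq, source_id = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version {version})")
        records, unknown, off = [], [], 20
        while off + 4 <= len(pkt):
            fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
            if fs_len < 4:
                raise ValueError("malformed flowset length")
            body = pkt[off + 4:off + fs_len]
            if fs_id == 0:
                self._learn(source_id, body)
            elif fs_id >= 256:
                fields = self.templates.get((source_id, fs_id))
                if fields is None:
                    unknown.append(fs_id)  # undecodable until the exporter re-sends the template
                else:
                    records.extend(self._decode(fields, body))
            # fs_id 1 (options template) and 2..255 (reserved) are ignored here
            off += fs_len
        return records, unknown

    def _learn(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            self.templates[(source_id, tid)] = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4])
                                                for i in range(nfields)]
            off += 4 * nfields

    @staticmethod
    def _decode(fields, body):
        rec_len, out = sum(n for _, n in fields), []
        for i in range(len(body) // rec_len):  # trailing padding (< rec_len) is dropped
            rec, off = {}, i * rec_len
            for ftype, flen in fields:
                raw, off = body[off:off + flen], off + flen
                name, kind = FIELDS.get(ftype, (f"field_{ftype}", "int"))
                rec[name] = str(ipaddress.IPv4Address(raw)) if kind == "ip4" else int.from_bytes(raw, "big")
            out.append(rec)
        return out

def flow_key(rec):
    """The 7-tuple that distinguishes one flow-cache entry from another."""
    return tuple(rec[k] for k in KEY_FIELDS)

def demo():
    """Exporter stream where data arrives before its template (collector started late),
    then the template is re-sent (cf. 'template data timeout') and the same data decodes."""
    ssh = {"src_addr": "10.1.1.10", "dst_addr": "192.0.2.20", "src_port": 51000, "dst_port": 22,
           "protocol": 6, "src_tos": 0, "input_snmp": 1, "output_snmp": 2, "in_bytes": 4096, "in_pkts": 30}
    https = dict(ssh, dst_port=443, in_bytes=80000, in_pkts=120)  # one key field differs: a new flow
    data = data_flowset(256, TEMPLATE_256, [ssh, https])
    col = V9Collector()
    early, unknown = col.feed(v9_packet([(data, 2)], seq=1))
    later, _ = col.feed(v9_packet([(template_flowset(256, TEMPLATE_256), 1), (data, 2)], seq=2))
    return early, unknown, later

if __name__ == "__main__":
    early, unknown, later = demo()
    print("before template:", early, "unknown templates:", unknown)
    for rec in later:
        print("flow key", flow_key(rec), "bytes", rec["in_bytes"])
```

The first packet in demo() yields no records and reports template 256 as unknown, which is exactly what a collector started after the router's last template refresh sees; the second packet carries the template and the same data decodes into two distinct 7-tuples (only the destination port differs). A real collector would additionally key templates on the exporter's source address, since several routers can each use template ID 256.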