Overview

NetFlow configuration varies slightly per hardware model. A flow is identified by the following seven key fields:

  1. Source IP address

  2. Destination IP address

  3. Source port number

  4. Destination port number

  5. Layer 3 protocol type (e.g. TCP, UDP)

  6. ToS (type of service) byte

  7. Input logical interface

Prerequisites

There are four basic steps you need to follow:

  1. Create a flow record

  2. Create a flow exporter

  3. Create a flow monitor

  4. Apply the flow monitor to interfaces

Configuration Steps

1. Log in to your router and enter global configuration mode by typing "config t".

2. Now create the flow record (use any record name; this guide uses NTARecord, which the flow monitor below refers to):

#flow record NTARecord

3. Now define the match and collect statements that select the fields included in the flow record:

#match ipv4 source address

#match ipv4 destination address

#match ipv4 protocol

#match transport source-port

#match transport destination-port

#match ipv4 tos (to collect the type of service byte)

#match interface input (to collect ingress interface data)

#collect interface output (to collect egress interface data)

#collect counter bytes

#collect counter packets

#collect timestamp sys-uptime first

#collect timestamp sys-uptime last

#collect application name

#collect routing source as (to collect AS information)

#collect routing destination as

4. Now create the flow exporter that sends the records to the CCE server (the name must match the one referenced by the flow monitor below):

#flow exporter NTAExporter

#destination CCE_IP_Address

#source gigabitEthernet 0/1

#transport udp 2055 (UDP 2055 is the default port on which SolarWinds NetFlow Traffic Analyzer listens for NetFlow packets)

#export-protocol netflow-v9

#template data timeout 60

#option application-table timeout 60

#option application-attributes timeout 300

5. Now create the flow monitor, which ties the record to the exporter and sets the cache timeouts:

#flow monitor NTAMonitor

#record NTARecord

#exporter NTAExporter

#cache timeout active 60

#cache timeout inactive 15

#exit

6. Apply the flow monitor to each interface whose traffic should be exported, in both directions, then save:

#interface gigabitEthernet 0/1

#ip flow monitor NTAMonitor input

#ip flow monitor NTAMonitor output

#exit

#wr mem (short for "write memory"; saves the configuration)

VERIFICATION OF CONFIGURATION

Verification can be done either from the CCE server or from the UI.

Using UI

STEP 1: Log in to the UI and open SYSTEM.

STEP 2: Open LOGS AND FLOWS COLLECTION STATUS.

STEP 3: The router's IP address will appear under SOURCE DEVICE IP.

Using CCE SERVER

Run "sudo tcpdump -i any -A 'host <IP address> and port 514'" on the CCE server to check whether or not we are receiving logs from the router. Port 514 shows syslog; to confirm that the NetFlow export configured above is arriving, filter on "udp port 2055" instead.
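As an added illustration, not part of this guide or of the CCE product, the following Python script does on the collector side what the tcpdump check does but also decodes what arrives: it binds UDP 2055 (the port the exporter above sends to, assumed free on the host) and parses the NetFlow v9 header and FlowSet headers of each packet, so you can confirm the router's source ID, that sequence numbers have no gaps, and that template FlowSets are being received. The sample packet is constructed; the function and field names are this example's own.

```python
import socket
import struct
from collections import namedtuple

NETFLOW_V9_PORT = 2055  # the "transport udp 2055" port configured on the exporter above

# Fields of the 20-byte NetFlow v9 export header. sequence is a per-exporter counter,
# so gaps between consecutive packets from one router mean lost export packets.
V9Header = namedtuple("V9Header", "version count sys_uptime_ms unix_secs sequence source_id")

def parse_v9(data: bytes):
    """Return (header, flowsets) where flowsets is a list of (flowset_id, kind, length)."""
    if len(data) < 20:
        raise ValueError("shorter than a NetFlow v9 header")
    hdr = V9Header(*struct.unpack("!HHIIII", data[:20]))
    if hdr.version != 9:  # e.g. 5 if the router exports v5 instead of netflow-v9
        raise ValueError(f"not NetFlow v9 (version field = {hdr.version})")
    flowsets, off = [], 20
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[off:off + 4])
        if fs_len < 4 or off + fs_len > len(data):
            raise ValueError("malformed FlowSet length")
        kind = "template" if fs_id == 0 else "options-template" if fs_id == 1 else "data"
        flowsets.append((fs_id, kind, fs_len))
        off += fs_len
    return hdr, flowsets

# Constructed sample: a template FlowSet (id 0) defining template 256 with two 4-byte
# fields (IPV4_SRC_ADDR type 8, IPV4_DST_ADDR type 12), then a data FlowSet (id 256)
# carrying one record for 10.0.0.1 -> 10.0.0.2. Header count = 2 records in total.
SAMPLE = (
    struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 42, 0)
    + struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, 12, 4)
    + struct.pack("!HH", 256, 12) + bytes([10, 0, 0, 1, 10, 0, 0, 2])
)

def listen(port: int = NETFLOW_V9_PORT) -> None:
    """Bind where the collector would and report what each exporter sends (Ctrl-C stops)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        while True:
            data, (src_ip, _) = sock.recvfrom(65535)
            try:
                hdr, flowsets = parse_v9(data)
                print(f"{src_ip}: seq={hdr.sequence} source_id={hdr.source_id} flowsets={flowsets}")
            except ValueError as err:
                print(f"{src_ip}: ignored ({err})")

if __name__ == "__main__":
    listen()
```

Stop the real collector (or pick another port on both sides) before running it, since only one process can bind UDP 2055.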