top of page
Writer's pictureMukesh Chanderia

Netflow

Updated: Sep 29

Overview:

  • NetFlow tracks and records data movement within the network.

  • Helps administrators analyze traffic patterns, troubleshoot issues, and enhance network performance.


NetFlow Monitor Policies


  • Application:

    • Applied to specific network interfaces.

    • Can be configured under the Fabric section for physical interfaces or within a Tenant for bridge domains and L3Outs.

  • Types of Traffic Monitored:

    • IPv4

    • IPv6

    • Layer 2 (Classical Ethernet)

  • Policy Components:

    • Recording Rules: Define what traffic data to capture.

    • Exporting Rules: Determine how and where to send the captured data.

  • Operation:

    • Identifies and tracks incoming IP packet flows.

    • Provides traffic statistics without altering packets or networking devices.

  • Scope:

    • Can monitor the entire network or specific segments based on configuration.



NetFlow Record Policies


  • Definition:

    • Record Policy (netflowRecordPol): Defines the structure and data collection for each flow.

  • Components:

    1. Match:

      • Criteria that define a flow (e.g., source/destination IP, ports, protocol, VLAN, ToS, Ethernet type, MAC addresses).

    2. Collect:

      • Specifies the data to gather for each flow (e.g., src-ip, dst-ip in IPv4/IPv6).

  • Customization:

    • Combine different keys and fields to tailor flow records.

    • Choose between 32-bit or 64-bit counters for tracking packets and bytes.


NetFlow Exporter Policies


  • Definition:

    • Exporter Policy (netflowExporterPol): Specifies where to send the collected flow data.

  • Key Properties:

    1. Destination IP Address:

      • Required; must be in host format (e.g., /32 for IPv4, /128 for IPv6).

    2. Destination Port:

      • Required; port number where the exporter listens.

    3. Source IP Address:

      • Optional; used to tag flows from different network sections or nodes.

      • Must have at least 12 host bits (/20 for IPv4, /116 for IPv6).

    4. Version:

      • Specifies NetFlow version (only v9 supported).

  • Export Options:

    • Direct Connection: Through an EPG (Endpoint Group) within the network fabric.

    • Remote Collector: Via an L3Out connection.


NetFlow Node Policies


  • Definition:

    • Node Policy (netflowNodePol): Manages NetFlow timers for sending flow records.

  • Timers:

    1. Collection Interval:

      • Frequency of sending NetFlow packets to the collector.

      • Default: 1 minute.

    2. Template Interval:

      • Frequency of sending record templates to define record formats.

      • Default: 5 minutes.


Supported Interfaces for NetFlow


  • Types:

    • Physical Ethernet (Layer 2 & 3)

    • Port Channel (PC)

    • Virtual Port Channel (vPC)

    • Fabric Extenders (FEX, FEX PC, FEX vPC)

    • Layer 3 Sub-interface

    • Switched Virtual Interface (SVI)

    • Bridge Domains


  • Configuration:

    • NetFlow policies are not applied by default; must be explicitly enabled on each desired interface.


Filter Types for NetFlow Monitor Policies

  1. IPv4 Filter Type

  2. IPv6 Filter Type

  3. CE Filter Type (Classical Ethernet / Layer 2 Flows)

    • Note: CE filter is only for non-IP traffic.

  4. Configuration:

    • Monitor packets based on the specified address family.

    • Enable different monitoring policies for each address family on the same interface.


Feature Overview


Monitoring Modes:

  1. NetFlow Mode:

    • Collects and analyzes flow data.

    • Used for monitoring traffic patterns, identifying bottlenecks, and troubleshooting.

  2. Analytics Mode (Tetration Mode):

    • Provides deep visibility and security analytics.

    • Offers comprehensive analytics, security monitoring, and policy enforcement.

Additional Features:

  • Availability:

    • NetFlow: Only on TOR (Top of Rack) switches’ front panel ports.

    • Supported Hardware: EX series.

  • Traffic Collection:

    • Ingress Traffic Only: Collects statistics for incoming traffic.

    • Dropped Packets: Still collects statistics even if packets are dropped.

  • Operational Modes:

    • Switches can operate in either NetFlow Mode or Analytics Mode, not both simultaneously.

    • Default Mode: Analytics Mode.

  • Manual Enablement:

    • NetFlow must be manually enabled on each interface.

  • Distributed Virtual Switch (DVS):

    • Requires in-band management.

    • Does not support flow-level filtering.


Priority Settings


  • Purpose: Determine resource allocation when multiple monitoring features compete for limited resources (CPU, memory).

  • Analytics Priority:

    • Focus: In-depth analytics, security monitoring, policy enforcement.

    • High Priority: Ensures Tetration analytics functions receive necessary resources.

  • NetFlow Priority:

    • Focus: Traffic flow monitoring and analysis.

    • High Priority: Allocates resources to collect and export flow data effectively.

  • Telemetry Priority:

    • Focus: Real-time data monitoring and reporting (network performance, faults, metrics).

    • High Priority: Ensures efficient collection and transmission of telemetry data.

  • Functionality:

    • Prioritizes critical monitoring functions based on configured settings.

    • Ensures essential features receive adequate resources during resource contention.



Configuration


Step 1 : Enable switches for NetFlow


A switch can be in one of the (Analytics Priority, Netflow Priority or Telemetry Priority)


This can be done by editing the default Fabric Node Controls Policy


Under Fabric > Fabric Policies > Policies > Monitoring > Fabric Node Control > default and then choose Netflow Priority.



Step 2 : Create Flow Records and Exporters


Fabric > Access Policies > Policies > Interface > NetFlow > NetFlow Records



For the Collect Parameters drop-down list, you can choose multiple parameters.



For the Match Parameters drop-down list, you can choose multiple parameters.





Configuring a Fabric NetFlow Exporter Policy 


Fabric > Access Policies > Policies > Interface > NetFlow > NetFlow Exporters


Right-click NetFlow Exporters and choose Create External Collector Reachability



For the NetFlow Exporter Version Format buttons, Version 9 is the only valid choice. Even if you click one of the other buttons, version defaults to 9


For the EPG Type check boxes, you can leave the boxes unchecked, or you can put a check in one box. You cannot put a check in multiple boxes.



Step 3 : Configuring a Fabric NetFlow Monitor Policy


 Fabric>Access Policies>Policies>Interface>NetFlow>NetFlow Monitors






Right-click NetFlow Monitors and select Create NetFlow Monitor


Step 3 : You can create new or add existing Flow Records and Exporters.


You can associate a maximum of two flow exporters with the monitor policy.



Configuring a Tenant NetFlow Monitor Policy 


Tenant <tenant-name> > Policies > NetFlow > NetFlow Monitors


Right-click NetFlow Monitors and choose Create NetFlow Monitor




Configuring a Tenant NetFlow Record Policy 






Configuring a Tenant NetFlow Exporter Policy


Tenant <tenant-name> > Policies > NetFlow > NetFlow Exporters


Right-click NetFlow Exporters and choose Create External Collector Reachability.




Deploying NetFlow Monitor Policy Through a Selector Using Cisco APIC GUI


Fabric > Access Policies > Interfaces > Leaf Interfaces > Policy Groups


You can deploy the NetFlow monitor policy when you create a new leaf policy group, or you can deploy the NetFlow monitor policy on an existing leaf policy group.


To deploy the NetFlow monitor policy when you create a new leaf policy group, use the following steps:


Right-click the type of interface group you want to create and choose Create Leaf Access Port Policy Group



On the NetFlow Monitor Policies table, click + to add a policy, and choose the IP filter type and monitor policy



To deploy the NetFlow monitor policy on an existing leaf policy group, use the following steps:

1. In the Navigation pane, choose one of the existing leaf access port policy groups, PC interface policy groups, or VPC interface policy groups.

2. In the Work pane, on the NetFlow Monitor Policies table, click to add a policy, and choose the

IP filter type and monitor policy.

Click Submit.


Deploying NetFlow Monitor Policy Through an L3Out Using Cisco APIC GUI


Step 1 From the menu bar, choose Tenants > All Tenants.

Step 2 In the Work pane, double-click the tenant's name.

Step 3 In the Navigation pane, choose Tenant <tenant-name> > Networking > External Routed Networks or L3Outs > <network-name> > Logical Node Profiles > <node-profile-name> > Logical Interface Profile > <interface-profile-name>


Step 4 Select the General tab

Step 5 Under NetFlow Monitor Policies, click + to add a NetFlow policy.

Step 6 Click Update to add the NetFlow policy.



Deploying NetFlow Monitor Policy Through a Bridge Domain Using Cisco APIC GUI


Step 1 On the menu bar, choose Tenants > All Tenants.

Step 2 In the Work pane, double-click the tenant's name.

Step 3 In the Navigation pane, choose Tenant tenant_name > Networking > Bridge Domains.

Step 4 You can deploy the NetFlow monitor policy when you create a new bridge domain, or you can deploy the NetFlow monitor policy on an existing bridge domain.



To deploy the NetFlow monitor policy when you create a new bridge domain, use the following steps:

1. In the Work pane, choose Actions > Create Bridge Domain.

2. In the Create Bridge Domain dialog box, fill in the fields as required, except as specified below:

3. On the Advanced Troubleshooting step, on the NetFlow Monitor Policies table, click +, choose a NetFlow IP filter type, choose a NetFlow monitor policy, and click Update.

4. Click Finish.




To deploy the NetFlow monitor policy on an existing bridge domain, use the following steps:


1. In the Navigation pane, choose one of the existing bridge domains.

2. the Work pane, choose Policy > Advanced Troubleshooting.

3. the NetFlow Monitor Policies table, click +, choose a NetFlow IP filter type, choose a NetFlow monitor policy, and click Update.

4. Click Submit



Verification


To check if the flow monitor is deployed:


leaf# show flow monitor


Flow Monitor default:

Use count: 2

Flow Record: default

Flow Monitor dpita-tenant:dpita-flow-monitor:

Use count: 1

Flow Record: dpita-tenant:dpita-flow-record

Bucket Id: 1

Flow Exporter: dpita-tenant:dpita-exporter

Feature Prio: Netflow


Next, the record configuration can be checked


leaf# show flow record


Flow record default:

No. of users: 1

Template ID: 0

Fields:

Flow record dpita-tenant:dpita-flow-record:

No. of users: 1

Template ID: 256

Fields:

match ipv4 source address

match ipv4 destination address

match ip protocol

match transport source-port

match transport destination-port

Feature Prio: Netflow



The exporter policy is next to confirm the source and destination of the Netflow capture


rtp-f2-p1-leaf6# show flow exporter

Flow exporter dpita-tenant:dpita-exporter:

Destination: 10.10.4.250

VRF: dpita-tenant:dpita-context (1)

Destination UDP Port 2055

Source: 5.5.0.216

DSCP 44

Export Version 9

Sequence number 21

Data template timeout 0 seconds

Exporter Statistics

Number of Flow Records Exported 42

Number of Templates Exported 21

Number of Export Packets Sent 21

Number of Export Bytes Sent 3080

Number of Destination Unreachable Events 0

Number of No Buffer Events 0

Number of Packets Dropped (No Route to Host) 0

Number of Packets Dropped (other) 0

Number of Packets Dropped (Output Drops) 0

Time statistics were last cleared: Never

Feature Prio: Netflow



Notice the last octet of the source of the exported traffic. It matches the node ID of this particular leaf. The destination port, destination server, context and EPG are all listed


rtp-f2-p1-leaf6# acidiag fnvread

10.0.200.89/32 leaf active 0

216 1 rtp-f2-p1-leaf6 10.0.200.88/32 leaf active 

2101 1 rtp-f2-p1-spine1 10.0.200.94/32 spine active 

2102 1 rtp-f2-p1-spine2 10.0.200.93/32 spine active




The VLAN/BD where Netflow is running can also be seen



leaf6# show flow vlan

VLAN ID 11; BD Encap 15990734:

Monitor(IPv4): dpita-tenant:dpita-flow-monitor

Direction: Input



leaf# show flow interface

Interface port-channel3:

Monitor(IPv4): default

Direction: Input

Interface Ethernet1/25:

Monitor(IPv4): default

Direction: Input

Feature Prio: Netflow


Leaf # show flow cache 


On the exporter, a simple tool to view the Netflow packets is wireshark. 


Access Port Netflow


Netflow can also be configured at an interface level as well as under the BD. To do so, navigate to Fabric > Access Policies > Global Policies > Analytics


Once again, creating a Netflow monitor, record and exporter policy is required.

Finally, attach the new Netflow Monitor to an Interface Policy Group



Netflow Monitoring Configuration


The first step is to enable Netflow globally. The default setting is for Tetration analytics, we need to change to Netflow.


Navigate to Fabric > Fabric Policies > Switch Policies > Fabric Node Controls > default


Configuring Netflow Monitoring for a VMM Domain


Navigate to your VMM Domain, VM Networking > Domain_Name > Policy/General > VSwitch Policies and create a VMM Exporter Policy



Input the name of the exporter, source IP address, destination port (2055 is netflow) and the destination IP.


The destination IP MUST be reachable through inband management. Click submit




Tenant Configuration


Navigate to the tenant EPG in use for the lab by clicking on Tenant > Application Profile_Name > Application EPGs> EPG_Name and click on the “Domains” folder.


Here, either associate the VMM domain for the first time or modify the VMM domain association to enable Netflow on the VMM domain.


Option 1)

Adding the VMM domain with Netflow Enabled:



Option 2)

After its already associated



Verification


apic1# show flow vmm-exporter dpita-exporter-vmm


On the exporter, a simple tool to view the Netflow packets is wireshark.



16 views0 comments

Recent Posts

See All

Comments


bottom of page