Overview:
NetFlow tracks and records data movement within the network.
Helps administrators analyze traffic patterns, troubleshoot issues, and enhance network performance.
NetFlow Monitor Policies
Application:
Applied to specific network interfaces.
Can be configured under the Fabric section for physical interfaces or within a Tenant for bridge domains and L3Outs.
Types of Traffic Monitored:
IPv4
IPv6
Layer 2 (Classical Ethernet)
Policy Components:
Recording Rules: Define what traffic data to capture.
Exporting Rules: Determine how and where to send the captured data.
Operation:
Identifies and tracks incoming IP packet flows.
Provides traffic statistics without altering packets or networking devices.
Scope:
Can monitor the entire network or specific segments based on configuration.
NetFlow Record Policies
Definition:
Record Policy (netflowRecordPol): Defines the structure and data collection for each flow.
Components:
Match:
Criteria that define a flow (e.g., source/destination IP, ports, protocol, VLAN, ToS, Ethernet type, MAC addresses).
Collect:
Specifies the data to gather for each flow (e.g., src-ip, dst-ip in IPv4/IPv6).
Customization:
Combine different keys and fields to tailor flow records.
Choose between 32-bit or 64-bit counters for tracking packets and bytes.
NetFlow Exporter Policies
Definition:
Exporter Policy (netflowExporterPol): Specifies where to send the collected flow data.
Key Properties:
Destination IP Address:
Required; must be in host format (e.g., /32 for IPv4, /128 for IPv6).
Destination Port:
Required; port number where the exporter listens.
Source IP Address:
Optional; used to tag flows from different network sections or nodes.
Must have at least 12 host bits (/20 for IPv4, /116 for IPv6).
Version:
Specifies NetFlow version (only v9 supported).
Export Options:
Direct Connection: Through an EPG (Endpoint Group) within the network fabric.
Remote Collector: Via an L3Out connection.
NetFlow Node Policies
Definition:
Node Policy (netflowNodePol): Manages NetFlow timers for sending flow records.
Timers:
Collection Interval:
Frequency of sending NetFlow packets to the collector.
Default: 1 minute.
Template Interval:
Frequency of sending record templates to define record formats.
Default: 5 minutes.
Supported Interfaces for NetFlow
Types:
Physical Ethernet (Layer 2 & 3)
Port Channel (PC)
Virtual Port Channel (vPC)
Fabric Extenders (FEX, FEX PC, FEX vPC)
Layer 3 Sub-interface
Switched Virtual Interface (SVI)
Bridge Domains
Configuration:
NetFlow policies are not applied by default; must be explicitly enabled on each desired interface.
Filter Types for NetFlow Monitor Policies
IPv4 Filter Type
IPv6 Filter Type
CE Filter Type (Classical Ethernet / Layer 2 Flows)
Note: CE filter is only for non-IP traffic.
Configuration:
Monitor packets based on the specified address family.
Enable different monitoring policies for each address family on the same interface.
Feature Overview
Monitoring Modes:
NetFlow Mode:
Collects and analyzes flow data.
Used for monitoring traffic patterns, identifying bottlenecks, and troubleshooting.
Analytics Mode (Tetration Mode):
Provides deep visibility and security analytics.
Offers comprehensive analytics, security monitoring, and policy enforcement.
Additional Features:
Availability:
NetFlow: Only on TOR (Top of Rack) switches’ front panel ports.
Supported Hardware: EX series.
Traffic Collection:
Ingress Traffic Only: Collects statistics for incoming traffic.
Dropped Packets: Still collects statistics even if packets are dropped.
Operational Modes:
Switches can operate in either NetFlow Mode or Analytics Mode, not both simultaneously.
Default Mode: Analytics Mode.
Manual Enablement:
NetFlow must be manually enabled on each interface.
Distributed Virtual Switch (DVS):
Requires in-band management.
Does not support flow-level filtering.
Priority Settings
Purpose: Determine resource allocation when multiple monitoring features compete for limited resources (CPU, memory).
Analytics Priority:
Focus: In-depth analytics, security monitoring, policy enforcement.
High Priority: Ensures Tetration analytics functions receive necessary resources.
NetFlow Priority:
Focus: Traffic flow monitoring and analysis.
High Priority: Allocates resources to collect and export flow data effectively.
Telemetry Priority:
Focus: Real-time data monitoring and reporting (network performance, faults, metrics).
High Priority: Ensures efficient collection and transmission of telemetry data.
Functionality:
Prioritizes critical monitoring functions based on configured settings.
Ensures essential features receive adequate resources during resource contention.
Configuration
Step 1 : Enable switches for NetFlow
A switch can run in only one of the three priorities (Analytics Priority, NetFlow Priority or Telemetry Priority).
This is set by editing the default Fabric Node Controls policy:
Fabric > Fabric Policies > Policies > Monitoring > Fabric Node Controls > default, then choose NetFlow Priority.
Step 2 : Create Flow Records and Exporters
Fabric > Access Policies > Policies > Interface > NetFlow > NetFlow Records
For the Collect Parameters drop-down list, you can choose multiple parameters.
For the Match Parameters drop-down list, you can choose multiple parameters.
Configuring a Fabric NetFlow Exporter Policy
Fabric > Access Policies > Policies > Interface > NetFlow > NetFlow Exporters
Right-click NetFlow Exporters and choose Create External Collector Reachability
For the NetFlow Exporter Version Format buttons, Version 9 is the only valid choice. Even if you click one of the other buttons, version defaults to 9
For the EPG Type check boxes, you can leave the boxes unchecked, or you can put a check in one box. You cannot put a check in multiple boxes.
Step 3 : Configuring a Fabric NetFlow Monitor Policy
Fabric > Access Policies > Policies > Interface > NetFlow > NetFlow Monitors
Right-click NetFlow Monitors and select Create NetFlow Monitor
In the monitor, create new or add existing Flow Records and Exporters.
You can associate a maximum of two flow exporters with the monitor policy.
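The exporter and monitor rules above (host-format destination, at least 12 host bits on the source, v9 only, at most two exporters per monitor) are easy to get wrong when the policies are built by automation rather than through the GUI. The following Python is an added example, not code from this page or from Cisco: it validates those rules, derives the per-node source address a leaf will export from (assuming the node ID is placed in the host bits of the source prefix, which is consistent with the 5.5.0.216 / node 216 pair in the verification output later on this page), and assembles a REST payload for uni/infra. The tenant, VRF and EPG names are hypothetical, and the class and attribute names (netflowRecordPol, netflowExporterPol, netflowMonitorPol and their relation objects) are the author's reading of the APIC object model and should be confirmed in Visore before posting.

```python
import ipaddress

MAX_EXPORTERS_PER_MONITOR = 2   # monitor policy limit stated above
SRC_HOST_BITS_MIN = 12          # exporter source rule stated above (/20 IPv4, /116 IPv6)


def check_exporter(dst, dst_port, src=None, version="v9"):
    """Return the list of documented exporter rules this configuration breaks (empty = OK)."""
    problems = []
    d = ipaddress.ip_interface(dst)
    if d.network.prefixlen != d.max_prefixlen:
        problems.append(f"destination {dst} must be a host address (/{d.max_prefixlen})")
    if not 1 <= int(dst_port) <= 65535:
        problems.append(f"destination port {dst_port} out of range")
    if src is not None:
        s = ipaddress.ip_interface(src)
        if s.max_prefixlen - s.network.prefixlen < SRC_HOST_BITS_MIN:
            problems.append(f"source {src} needs at least {SRC_HOST_BITS_MIN} host bits")
        if s.version != d.version:
            problems.append("source and destination address families differ")
    if version != "v9":
        problems.append(f"version {version} is not supported; only v9 is")
    return problems


def node_source_address(src, node_id):
    """Source address a leaf is expected to export from: node ID placed in the host bits.
    Assumption, consistent with the verification output on this page (node 216 -> 5.5.0.216)."""
    s = ipaddress.ip_interface(src)
    host_bits = s.max_prefixlen - s.network.prefixlen
    if not 0 < node_id < (1 << host_bits):
        raise ValueError(f"node id {node_id} does not fit in {host_bits} host bits")
    return str(ipaddress.ip_address(int(s.network.network_address) + node_id))


def build_fabric_netflow_policies(name, record, exporters, vrf_dn, epg_dn):
    """Build one payload for uni/infra holding the record, exporter(s) and monitor policies.
    Class/attribute names are the author's reading of the APIC object model; confirm in Visore."""
    if len(exporters) > MAX_EXPORTERS_PER_MONITOR:
        raise ValueError(f"a monitor may reference at most {MAX_EXPORTERS_PER_MONITOR} exporters")
    record_name, monitor_name = f"{name}-record", f"{name}-monitor"
    children = [{"netflowRecordPol": {"attributes": {
        "name": record_name,
        "match": ",".join(record["match"]),      # flow key fields
        "collect": ",".join(record["collect"])}}}]  # per-flow counters
    monitor_children = [{"netflowRsMonitorToRecord": {"attributes": {"tnNetflowRecordPolName": record_name}}}]
    for i, ex in enumerate(exporters, 1):
        problems = check_exporter(ex["dst"], ex["dst_port"], ex.get("src"))
        if problems:
            raise ValueError("; ".join(problems))
        ex_name = f"{name}-exporter{i}"
        children.append({"netflowExporterPol": {
            "attributes": {"name": ex_name, "dstAddr": ex["dst"], "dstPort": str(ex["dst_port"]),
                           "srcAddr": ex.get("src", ""), "ver": "v9"},
            "children": [{"netflowRsExporterToCtx": {"attributes": {"tDn": vrf_dn}}},   # VRF to reach collector
                         {"netflowRsExporterToEPg": {"attributes": {"tDn": epg_dn}}}]}})  # EPG the collector sits in
        monitor_children.append({"netflowRsMonitorToExporter": {"attributes": {"tnNetflowExporterPolName": ex_name}}})
    children.append({"netflowMonitorPol": {"attributes": {"name": monitor_name}, "children": monitor_children}})
    return {"infraInfra": {"attributes": {}, "children": children}}


# Constructed sample values: hypothetical tenant/EPG names; collector address, port and
# source prefix chosen to match the verification output shown on this page.
RECORD = {"match": ["src-ipv4", "dst-ipv4", "proto", "src-port", "dst-port"],
          "collect": ["count-bytes", "count-pkts"]}
EXPORTER = {"dst": "10.10.4.250/32", "dst_port": 2055, "src": "5.5.0.0/20"}


def example_payload():
    return build_fabric_netflow_policies("dpita", RECORD, [EXPORTER],
                                         "uni/tn-dpita-tenant/ctx-dpita-context",
                                         "uni/tn-dpita-tenant/ap-collectors/epg-netflow")


if __name__ == "__main__":
    import json
    print(json.dumps(example_payload(), indent=2))
    print("leaf 216 exports from", node_source_address(EXPORTER["src"], 216))
```

The returned dictionary is what you would POST as JSON to the APIC's /api/mo/uni/infra.json endpoint with an authenticated session (the HTTP call itself is left out). After the monitor is attached to an interface policy group, `show flow exporter` on the leaf should report the derived source address.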
Configuring a Tenant NetFlow Monitor Policy
Tenant <tenant-name> > Policies > NetFlow > NetFlow Monitors
Right-click NetFlow Monitors and choose Create NetFlow Monitor
Configuring a Tenant NetFlow Record Policy
Tenant <tenant-name> > Policies > NetFlow > NetFlow Records
Configuring a Tenant NetFlow Exporter Policy
Tenant <tenant-name> > Policies > NetFlow > NetFlow Exporters
Right-click NetFlow Exporters and choose Create External Collector Reachability.
Deploying NetFlow Monitor Policy Through a Selector Using Cisco APIC GUI
Fabric > Access Policies > Interfaces > Leaf Interfaces > Policy Groups
You can deploy the NetFlow monitor policy when you create a new leaf policy group, or you can deploy the NetFlow monitor policy on an existing leaf policy group.
To deploy the NetFlow monitor policy when you create a new leaf policy group, use the following steps:
Right-click the type of interface group you want to create and choose Create Leaf Access Port Policy Group
On the NetFlow Monitor Policies table, click + to add a policy, and choose the IP filter type and monitor policy
To deploy the NetFlow monitor policy on an existing leaf policy group, use the following steps:
1. In the Navigation pane, choose one of the existing leaf access port policy groups, PC interface policy groups, or vPC interface policy groups.
2. In the Work pane, on the NetFlow Monitor Policies table, click + to add a policy, and choose the IP filter type and monitor policy.
3. Click Submit.
Deploying NetFlow Monitor Policy Through an L3Out Using Cisco APIC GUI
Step 1 From the menu bar, choose Tenants > All Tenants.
Step 2 In the Work pane, double-click the tenant's name.
Step 3 In the Navigation pane, choose Tenant <tenant-name> > Networking > External Routed Networks or L3Outs > <network-name> > Logical Node Profiles > <node-profile-name> > Logical Interface Profile > <interface-profile-name>
Step 4 Select the General tab
Step 5 Under NetFlow Monitor Policies, click + to add a NetFlow policy.
Step 6 Click Update to add the NetFlow policy.
Deploying NetFlow Monitor Policy Through a Bridge Domain Using Cisco APIC GUI
Step 1 On the menu bar, choose Tenants > All Tenants.
Step 2 In the Work pane, double-click the tenant's name.
Step 3 In the Navigation pane, choose Tenant tenant_name > Networking > Bridge Domains.
Step 4 You can deploy the NetFlow monitor policy when you create a new bridge domain, or you can deploy the NetFlow monitor policy on an existing bridge domain.
To deploy the NetFlow monitor policy when you create a new bridge domain, use the following steps:
1. In the Work pane, choose Actions > Create Bridge Domain.
2. In the Create Bridge Domain dialog box, fill in the fields as required, except as specified below:
3. On the Advanced Troubleshooting step, on the NetFlow Monitor Policies table, click +, choose a NetFlow IP filter type, choose a NetFlow monitor policy, and click Update.
4. Click Finish.
To deploy the NetFlow monitor policy on an existing bridge domain, use the following steps:
1. In the Navigation pane, choose one of the existing bridge domains.
2. In the Work pane, choose Policy > Advanced Troubleshooting.
3. On the NetFlow Monitor Policies table, click +, choose a NetFlow IP filter type, choose a NetFlow monitor policy, and click Update.
4. Click Submit.
Verification
To check if the flow monitor is deployed:
leaf# show flow monitor
Flow Monitor default:
Use count: 2
Flow Record: default
Flow Monitor dpita-tenant:dpita-flow-monitor:
Use count: 1
Flow Record: dpita-tenant:dpita-flow-record
Bucket Id: 1
Flow Exporter: dpita-tenant:dpita-exporter
Feature Prio: Netflow
Next, the record configuration can be checked
leaf# show flow record
Flow record default:
No. of users: 1
Template ID: 0
Fields:
Flow record dpita-tenant:dpita-flow-record:
No. of users: 1
Template ID: 256
Fields:
match ipv4 source address
match ipv4 destination address
match ip protocol
match transport source-port
match transport destination-port
Feature Prio: Netflow
The exporter policy is next to confirm the source and destination of the Netflow capture
rtp-f2-p1-leaf6# show flow exporter
Flow exporter dpita-tenant:dpita-exporter:
Destination: 10.10.4.250
VRF: dpita-tenant:dpita-context (1)
Destination UDP Port 2055
Source: 5.5.0.216
DSCP 44
Export Version 9
Sequence number 21
Data template timeout 0 seconds
Exporter Statistics
Number of Flow Records Exported 42
Number of Templates Exported 21
Number of Export Packets Sent 21
Number of Export Bytes Sent 3080
Number of Destination Unreachable Events 0
Number of No Buffer Events 0
Number of Packets Dropped (No Route to Host) 0
Number of Packets Dropped (other) 0
Number of Packets Dropped (Output Drops) 0
Time statistics were last cleared: Never
Feature Prio: Netflow
Notice the last octet of the source address of the exported traffic: it matches the node ID of this leaf (216). The destination address, destination UDP port and VRF (context) are also listed.
rtp-f2-p1-leaf6# acidiag fnvread
10.0.200.89/32 leaf active 0
216 1 rtp-f2-p1-leaf6 10.0.200.88/32 leaf active
2101 1 rtp-f2-p1-spine1 10.0.200.94/32 spine active
2102 1 rtp-f2-p1-spine2 10.0.200.93/32 spine active
The VLAN/BD where Netflow is running can also be seen
leaf6# show flow vlan
VLAN ID 11; BD Encap 15990734:
Monitor(IPv4): dpita-tenant:dpita-flow-monitor
Direction: Input
leaf# show flow interface
Interface port-channel3:
Monitor(IPv4): default
Direction: Input
Interface Ethernet1/25:
Monitor(IPv4): default
Direction: Input
Feature Prio: Netflow
leaf# show flow cache
On the exporter, a simple tool to view the Netflow packets is wireshark.
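On the collector side there are two things the node policy timers and the verification output above imply: templates are sent only every template interval (5 minutes by default), so data records can arrive before the template that describes them, and every leaf uses template ID 256 (as `show flow record` shows), so a collector receiving from several leaves must key templates by exporter and source ID. The following NetFlow v9 decoder is an added example, not code from this page or from a Cisco tool. The packets it decodes are constructed inside the block (not captured from a fabric) to match the record on this page (IPv4 addresses, protocol, ports, plus byte and packet counters) and the exporter source 5.5.0.216; field numbers follow the IANA NetFlow v9 field types.

```python
import struct
from ipaddress import IPv4Address

# IANA NetFlow v9 field types: the five match fields from `show flow record` plus counters.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}


class NetflowV9Decoder:
    """Decodes v9 export packets; templates are cached per (exporter, source ID, template ID)."""

    def __init__(self):
        self.templates = {}   # (exporter_ip, source_id, template_id) -> [(type, length), ...]
        self.undecodable = 0  # data flowsets that arrived before their template

    def decode(self, exporter_ip, packet):
        if len(packet) < 20:
            raise ValueError("truncated v9 header")
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"version {version} unsupported; ACI exports v9 only")
        flows, offset = [], 20
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
            if length < 4 or offset + length > len(packet):
                raise ValueError("bad flowset length")
            body = packet[offset + 4:offset + length]
            if flowset_id == 0:
                self._parse_templates(exporter_ip, source_id, body)
            elif flowset_id >= 256:   # ID 1 is the options template, not handled here
                flows.extend(self._parse_data(exporter_ip, source_id, flowset_id, body))
            offset += length
        return flows

    def _parse_templates(self, exporter_ip, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + 4 * field_count > len(body):
                raise ValueError("template record overruns flowset")
            fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(field_count)]
            pos += 4 * field_count
            self.templates[(exporter_ip, source_id, template_id)] = fields

    def _parse_data(self, exporter_ip, source_id, template_id, body):
        fields = self.templates.get((exporter_ip, source_id, template_id))
        if fields is None:          # template not yet received: records cannot be decoded
            self.undecodable += 1
            return []
        rec_len = sum(flen for _, flen in fields)
        if rec_len == 0:
            return []
        flows, pos = [], 0
        while pos + rec_len <= len(body):   # leftover bytes are 4-byte alignment padding
            rec = {}
            for ftype, flen in fields:
                raw = body[pos:pos + flen]
                pos += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                rec[name] = str(IPv4Address(raw)) if ftype in (8, 12) and flen == 4 else int.from_bytes(raw, "big")
            flows.append(rec)
        return flows


# --- constructed sample packets (not captured from a real fabric) ---
TEMPLATE_ID = 256   # same ID the leaf reports in `show flow record`
TEMPLATE_FIELDS = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (1, 4), (2, 4)]


def v9_header(count, seq, source_id=0):
    return struct.pack("!HHIIII", 9, count, 60_000, 1_700_000_000, seq, source_id)


def build_template_packet(seq):
    body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    body += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
    return v9_header(1, seq) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet(seq, flows):
    recs = b"".join(IPv4Address(f["src"]).packed + IPv4Address(f["dst"]).packed
                    + struct.pack("!BHHII", f["proto"], f["sport"], f["dport"], f["bytes"], f["pkts"])
                    for f in flows)
    pad = (-(4 + len(recs))) % 4
    return v9_header(len(flows), seq) + struct.pack("!HH", TEMPLATE_ID, 4 + len(recs) + pad) + recs + b"\0" * pad


SAMPLE_FLOWS = [
    {"src": "10.1.1.10", "dst": "10.2.2.20", "proto": 6, "sport": 51234, "dport": 443, "bytes": 1500, "pkts": 10},
    {"src": "10.1.1.11", "dst": "10.2.2.20", "proto": 17, "sport": 5353, "dport": 53, "bytes": 120, "pkts": 1},
]


def demo(exporter_ip="5.5.0.216"):
    """Data before its template is undecodable; once the template arrives the flows decode."""
    dec = NetflowV9Decoder()
    early = dec.decode(exporter_ip, build_data_packet(1, SAMPLE_FLOWS))
    dec.decode(exporter_ip, build_template_packet(2))
    late = dec.decode(exporter_ip, build_data_packet(3, SAMPLE_FLOWS))
    return early, late, dec.undecodable


if __name__ == "__main__":
    print(demo())
```

When pointed at real traffic (a UDP socket bound to the exporter's destination port), the only thing to add is the `recvfrom` loop feeding `decode(peer_ip, payload)`. The `undecodable` counter is worth alerting on: a collector that keeps missing templates will silently drop every record until the next template interval.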
Access Port Netflow
NetFlow can be applied at the interface level as well as under the BD. To do so, navigate to Fabric > Access Policies > Global Policies > Analytics
Once again, creating a Netflow monitor, record and exporter policy is required.
Finally, attach the new Netflow Monitor to an Interface Policy Group
Netflow Monitoring Configuration
The first step is to enable NetFlow globally. The default setting is Tetration analytics, so it must be changed to NetFlow.
Navigate to Fabric > Fabric Policies > Switch Policies > Fabric Node Controls > default
Configuring Netflow Monitoring for a VMM Domain
Navigate to your VMM Domain, VM Networking > Domain_Name > Policy/General > VSwitch Policies and create a VMM Exporter Policy
Enter the exporter name, source IP address, destination port (2055 is the conventional NetFlow port) and destination IP.
The destination IP MUST be reachable through in-band management. Click Submit.
Tenant Configuration
Navigate to the tenant EPG in use for the lab by clicking Tenant > Application Profile_Name > Application EPGs > EPG_Name and open the "Domains" folder.
Here, either associate the VMM domain for the first time or modify the VMM domain association to enable Netflow on the VMM domain.
Option 1)
Adding the VMM domain with Netflow Enabled:
Option 2)
After its already associated
Verification
apic1# show flow vmm-exporter dpita-exporter-vmm
On the exporter, a simple tool to view the Netflow packets is wireshark.