Received the following email today from Michael Patterson, President and CEO of network performance measurement vendor Plixer International:
Brad,
Our team recently helped a customer configure a Cisco Nexus 7000 to export NetFlow v9. The process for doing this is just like setting up Flexible NetFlow. However, since this is a relatively new product from Cisco, I thought it would be worth a blog to outline the steps involved when setting up the Nexus 7000 to export NetFlow. At a high level, below are the 5 steps to setting up the Cisco Nexus 7000 to export NetFlow v9:
Now let's dig into the meat and potatoes of configuring this monster.
First: We have to enable the NetFlow Feature on the Nexus 7000:
tac7000(config)# feature netflow
Second: We need to configure a "Flow Record". We can skip this step as the Nexus 7000 ships with a Flow Record that we can use called 'netflow-original'. Let's see what it looks like:
tac7000# show flow record netflow-original
Flow record netflow-original:
Description: Traditional IPv4 input NetFlow with origin ASs
No. of users: 1
Template ID: 261
Fields:
match ipv4 source address
match ipv4 destination address
match ip protocol
match ip tos
match transport source-port
match transport destination-port
match interface input
match interface output
match flow direction
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect transport tcp flags
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
To learn more about "collect vs. match," I suggest reading Scott's Systrax blog on the Nexus 7000. Scott's approach is a bit different from the one in this blog; however, you should have better luck with this page when trying to get it to work.
Third: We need to set up a flow exporter. We'll call it 'scrutinizer' of course!
tac7000# conf t
tac7000(config)# flow exporter scrutinizer
tac7000(config-flow-exporter)# description export netflow to scrutinizer
tac7000(config-flow-exporter)# destination 10.1.3.138
tac7000(config-flow-exporter)# export Version 9
tac7000(config-flow-exporter)# transport udp 6343
tac7000(config-flow-exporter)# source vlan613
Notice above that we specified:
The name "scrutinizer."
A description "export netflow to scrutinizer."
The destination (i.e. the IP address of Scrutinizer).
The version of NetFlow (i.e. v9).
The UDP port it will receive on (i.e. 6343).
The interface the flows need to exit to reach the NetFlow collector (aka Scrutinizer).
Fourth: We need to bind the record to the exporter using a flow monitor. We'll call it 'Monitortac7000':
Please pay close attention to what happened above. We bound the record 'netflow-original' to the exporter 'scrutinizer', and this flow monitor is called 'Monitortac7000.'
Fifth: Now it is time to apply the flow monitor 'Monitortac7000' to each interface:
Above we configured input (i.e. ingress) captured flows on every interface. We could have typed in the exact command again using 'output' (i.e. egress) in place of 'input' to export egress flows. However, this would have doubled the volume of NetFlow exported, and egress NetFlow is only necessary for a few select reasons.
If you want to check all your work, try the below show commands that I got from this Cisco Nexus NetFlow document:
tac7000# show flow record netflow-original
tac7000# show flow exporter
tac7000# show flow monitor Monitortac7000
tac7000# sh run
tac7000# sh run int vlan612
Below are screen captures of what the "sh flow record" command will look like:
You should know that this monster can kick out tens of thousands of flows per second. This is more than any single NetFlow collector on the market can handle. In my next BradReese.Com Blog, I'll cover NetFlow Sampling.
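To show what the collector at the other end of this configuration actually receives, here is an added example (not code from the email, Plixer, or Cisco) that builds and decodes a NetFlow v9 export carrying exactly the fields the 'show flow record netflow-original' output above lists, using template ID 261 as reported there. The v9 field type numbers come from RFC 3954; the per-field export lengths, the flow values, the SNMP ifIndex, AS and next-hop numbers, and the header timestamps are constructed assumptions for the sample. It also demonstrates the one v9 behaviour every collector has to handle: data FlowSets that arrive before their template cannot be decoded and have to be dropped (or buffered) until the template shows up, and templates must be cached per exporter source ID because template IDs are only unique within one exporter.

```python
"""Build and decode a NetFlow v9 export shaped like the Nexus 7000 'netflow-original' record."""
import socket
import struct

# RFC 3954 field types for each field in the page's 'show flow record netflow-original' output.
# Lengths are common v9 defaults (assumption: a real export may use wider counters/ifIndexes).
NETFLOW_ORIGINAL = [
    (8, 4, "ipv4 source address"), (12, 4, "ipv4 destination address"), (4, 1, "ip protocol"),
    (5, 1, "ip tos"), (7, 2, "transport source-port"), (11, 2, "transport destination-port"),
    (10, 2, "interface input"), (14, 2, "interface output"), (61, 1, "flow direction"),
    (16, 2, "routing source as"), (17, 2, "routing destination as"),
    (15, 4, "routing next-hop address ipv4"), (6, 1, "transport tcp flags"),
    (1, 4, "counter bytes"), (2, 4, "counter packets"),
    (22, 4, "timestamp sys-uptime first"), (21, 4, "timestamp sys-uptime last"),
]
TEMPLATE_ID = 261  # Template ID reported by 'show flow record netflow-original'
FIELD_NAMES = {t: name for t, _, name in NETFLOW_ORIGINAL}
IPV4_FIELDS = {8, 12, 15}  # decoded as dotted-quad addresses

def build_template_flowset(template_id, fields):
    """Template FlowSet (id 0): tells the collector how to decode data records."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l, _ in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def build_data_flowset(template_id, fields, records):
    """Data FlowSet: records laid out exactly as the template declares, padded to 4 bytes."""
    body = b""
    for rec in records:
        for t, l, name in fields:
            body += socket.inet_aton(rec[name]) if t in IPV4_FIELDS else rec[name].to_bytes(l, "big")
    body += b"\x00" * (-len(body) % 4)
    return struct.pack("!HH", template_id, 4 + len(body)) + body

def build_v9_packet(flowsets, record_count, sys_uptime, unix_secs, seq, source_id):
    # 20-byte v9 header (version, count, sysUptime, unixSecs, sequence, sourceId) then FlowSets.
    return struct.pack("!HHIIII", 9, record_count, sys_uptime, unix_secs, seq, source_id) + b"".join(flowsets)

def parse_v9(packet, templates):
    """Decode one export packet. `templates` persists across packets, keyed by (source id,
    template id): data FlowSets whose template has not arrived yet are counted as dropped."""
    version, _cnt, _up, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"expected NetFlow v9, got version {version}")
    flows, dropped, pos = [], 0, 20
    while pos + 4 <= len(packet):  # walk by FlowSet lengths; never trust the header count
        fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
        if fs_len < 4 or pos + fs_len > len(packet):
            raise ValueError("FlowSet length does not fit the packet")
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:
            _learn_templates(body, source_id, templates)
        elif fs_id >= 256:  # data FlowSet; ids 1..255 are options/reserved
            fields = templates.get((source_id, fs_id))
            if fields is None:
                dropped += 1
            else:
                flows.extend(_decode_records(body, fields))
        pos += fs_len
    return flows, dropped

def _learn_templates(body, source_id, templates):
    pos = 0
    while pos + 4 <= len(body):
        tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
        if tid == 0:  # zero padding, not a template
            break
        pos += 4
        templates[(source_id, tid)] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
        pos += 4 * nfields

def _decode_records(body, fields):
    rec_len = sum(l for _, l in fields)
    records, pos = [], 0
    while rec_len and pos + rec_len <= len(body):
        rec = {}
        for t, l in fields:
            raw, pos = body[pos:pos + l], pos + l
            rec[FIELD_NAMES.get(t, f"field{t}")] = socket.inet_ntoa(raw) if t in IPV4_FIELDS else int.from_bytes(raw, "big")
        records.append(rec)
    return records

def sample_flow(src, dst, proto, sport, dport, pkts, nbytes, flags=0):
    """Constructed ingress flow; ifIndex, AS, next-hop and uptime values are made up."""
    return {"ipv4 source address": src, "ipv4 destination address": dst, "ip protocol": proto,
            "ip tos": 0, "transport source-port": sport, "transport destination-port": dport,
            "interface input": 613, "interface output": 612, "flow direction": 0,
            "routing source as": 0, "routing destination as": 0, "transport tcp flags": flags,
            "routing next-hop address ipv4": "10.1.3.1", "counter bytes": nbytes, "counter packets": pkts,
            "timestamp sys-uptime first": 120000, "timestamp sys-uptime last": 125000}

def demo():
    """A data-only packet arriving first is undecodable; template plus data together decodes."""
    flows = [sample_flow("10.1.3.50", "10.1.3.138", 6, 51000, 443, 12, 9876, 0x1b),
             sample_flow("10.1.3.51", "10.1.3.138", 17, 53000, 6343, 1, 1500)]
    tmpl = build_template_flowset(TEMPLATE_ID, NETFLOW_ORIGINAL)
    data = build_data_flowset(TEMPLATE_ID, NETFLOW_ORIGINAL, flows)
    templates = {}
    early, dropped_early = parse_v9(build_v9_packet([data], 2, 130000, 1700000000, 1, 7), templates)
    decoded, dropped = parse_v9(build_v9_packet([tmpl, data], 3, 130000, 1700000000, 2, 7), templates)
    return early, dropped_early, decoded, dropped
```

Calling demo() returns an empty flow list and one dropped FlowSet for the first packet, then both flows fully decoded once the template has been learned. The record is 44 bytes per flow with these lengths, which is why the tens of thousands of flows per second mentioned above translate directly into collector CPU and memory: every record has to be matched to a cached template and unpacked field by field.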