Netflow configuration on Nexus explained [step by step]

What is NetFlow:

NetFlow is a Cisco feature that provides the capability to collect statistics and information on IP traffic as it enters or exits an interface. NetFlow provides operators with network and security monitoring, network planning, traffic analysis, and IP accounting capabilities.

Cisco NX-OS supports both traditional NetFlow (Version 5) and Flexible NetFlow (Version 9) export formats, but using flexible NetFlow is recommended on Nexus platforms. With traditional NetFlow, all the keys and fields exported are fixed and it supports only IPv4 flows. By default, a flow is defined by seven unique keys:

  • Source IP address
  • Destination IP address
  • Source port
  • Destination port
  • Layer 3 protocol type
  • TOS byte (DSCP markings)
  • Input logical interface (ifindex)

Flexible NetFlow (Version 9) is template based, so users can specify which fields are exported.

NetFlow Configuration Steps:

Step 1. Enable the NetFlow feature:

The first step is to enable the NetFlow feature on the Nexus device:

feature netflow

Step 2. Define a flow record by specifying key and nonkey fields of interest:

A user has the flexibility to select the collect parameters that can be used in either Version 5 or Version 9, except for IPv6 parameters, which can be used only with Version 9.

* Flow record for L2 traffic:

! Flow record for Layer 2 Traffic
flow record Bil2
  match datalink mac source-address
  match datalink mac destination-address
  match datalink vlan
  match datalink ethertype
  collect counter packets
  collect flow sampler id

* Flow record for L3 traffic:

! Flow Record for Layer 3 Traffic
flow record Bil3
  match ipv4 source address
  match ipv4 destination address
  match ip protocol
  match ip tos
  collect timestamp sys-uptime last
  collect flow sampler id
  collect ip version
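To make the difference between key (match) and non-key (collect) fields concrete, here is a small model of how a flow record turns packets into flow entries. This is an added example written for this article, not code from the article or from Cisco; the packet field names, the sample packets and the FlowRecord class are our own constructions. It compares the seven-key traditional record with the article's Bil3 record (four key fields, so ports do not split flows) and includes the 30-minute active timeout mentioned in Step 3.

```python
"""Toy model of how an NX-OS flow record turns packets into flow entries.

Added example for this article, not code from the article or from Cisco.
'match' fields form the flow key (packets with the same key belong to the
same flow); 'collect' fields are accumulated per flow. The packets below are
constructed sample data, not a capture, and the field names are our own.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Packet = Dict[str, object]
FlowKey = Tuple[object, ...]


@dataclass(frozen=True)
class FlowRecord:
    """Mirrors the 'flow record' stanza: key (match) and non-key (collect) fields."""
    name: str
    match: Tuple[str, ...]
    collect: Tuple[str, ...]


# The seven keys of a traditional (Version 5) flow, as listed in the article.
TRADITIONAL = FlowRecord(
    "traditional-v5",
    match=("src_ip", "dst_ip", "src_port", "dst_port", "protocol", "tos", "ifindex"),
    collect=("counter_packets", "counter_bytes", "first_seen", "last_seen"),
)

# The article's Bil3 record: four key fields only, so ports are not part of the key.
BIL3 = FlowRecord(
    "Bil3",
    match=("src_ip", "dst_ip", "protocol", "tos"),
    collect=("counter_packets", "last_seen"),
)

# Constructed sample packets (ts in seconds, length in bytes); not a real capture.
SAMPLE_PACKETS: List[Packet] = [
    {"ts": 0,  "src_ip": "10.0.0.5", "dst_ip": "192.168.4.1", "src_port": 51000, "dst_port": 443, "protocol": 6,  "tos": 0, "ifindex": 1, "length": 120},
    {"ts": 5,  "src_ip": "10.0.0.5", "dst_ip": "192.168.4.1", "src_port": 51000, "dst_port": 443, "protocol": 6,  "tos": 0, "ifindex": 1, "length": 1400},
    {"ts": 10, "src_ip": "10.0.0.5", "dst_ip": "192.168.4.1", "src_port": 51001, "dst_port": 443, "protocol": 6,  "tos": 0, "ifindex": 1, "length": 80},
    {"ts": 12, "src_ip": "10.0.0.5", "dst_ip": "192.168.4.1", "src_port": 40000, "dst_port": 53,  "protocol": 17, "tos": 0, "ifindex": 1, "length": 60},
]


def build_flows(packets: List[Packet], record: FlowRecord) -> Dict[FlowKey, Dict[str, object]]:
    """Aggregate packets into flows keyed by the record's match fields."""
    flows: Dict[FlowKey, Dict[str, object]] = {}
    for pkt in packets:
        key = tuple(pkt[f] for f in record.match)
        entry = flows.get(key)
        if entry is None:
            # A new key means a new flow entry in the cache.
            entry = {"counter_packets": 0, "counter_bytes": 0,
                     "first_seen": pkt["ts"], "last_seen": pkt["ts"]}
            flows[key] = entry
        entry["counter_packets"] += 1
        entry["counter_bytes"] += pkt["length"]
        entry["last_seen"] = pkt["ts"]
    return flows


def export_view(flows: Dict[FlowKey, Dict[str, object]], record: FlowRecord) -> List[Dict[str, object]]:
    """What the exporter would send: the key fields plus only the collected fields."""
    return [dict(zip(record.match, key), **{f: v[f] for f in record.collect})
            for key, v in flows.items()]


def flows_due_for_export(flows: Dict[FlowKey, Dict[str, object]], now: int,
                         active_timeout: int = 1800) -> List[FlowKey]:
    """Keys of flows whose active timeout (30 minutes by default, as in the article) expired."""
    return [k for k, v in flows.items() if now - v["first_seen"] >= active_timeout]


if __name__ == "__main__":
    for rec in (TRADITIONAL, BIL3):
        print(rec.name, "->", len(build_flows(SAMPLE_PACKETS, rec)), "flows")
```

Run stand-alone it reports 3 flows for the seven-key record and 2 for Bil3: the two TCP connections from different source ports collapse into one Bil3 flow because the source port is not a match field. That is the trade-off when choosing match fields: fewer keys means fewer cache entries and less export volume, but also less resolution for a SOC that wants per-connection visibility.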

Step 3: Define a Flow Exporter:

NetFlow data is exported to a remote collector in UDP datagrams. The data is exported periodically upon the expiration of a flow timeout that is configurable by the user. The default flow timeout value is 30 minutes.

The NetFlow standard (RFC 3954) does not mandate a listening port. The most common UDP port used by NetFlow is 2055, but other ports, such as 9555, 9995, 9025, and 9026, are also used.

Under the flow export, the following fields are defined:

  • Collector IPv4/IPv6 address
  • Source interface
  • Virtual Routing and Forwarding (VRF)
  • Version
  • UDP port number

flow exporter Bil_Flow_Exp
  destination 192.168.4.1 use-vrf management
  transport udp 2055
  source mgmt0
  version 9
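What the collector at 192.168.4.1 actually receives on UDP 2055 is a Version 9 packet whose layout follows RFC 3954: a 20-byte header, a template flowset (FlowSet ID 0) that describes the fields, and data flowsets that can only be decoded with that template. The following decoder is an added example written for this article, not code from the article, Cisco or NX-OS, and the export packet it parses is constructed inline (the flows, template ID 256 and source ID 0 are assumed sample values). It goes slightly beyond the article by showing the collector-side behaviour that matters operationally: a data flowset that arrives before its template is dropped, templates are cached per (source ID, template ID) across packets, and lengths from the wire are checked before use.

```python
"""Minimal NetFlow Version 9 (RFC 3954) collector-side decoder.

Added example for this article, not code from the article, Cisco, or NX-OS.
It shows why Version 9 is template based: the exporter sends a template
flowset (FlowSet ID 0) describing the fields, and the collector can only
decode a data flowset once it holds the template for that (source ID,
template ID). The packet below is constructed inline, not captured.
"""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# Subset of the field type numbers defined in RFC 3954, section 8.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
IPV4_FIELDS = {8, 12}
TEMPLATE_ID = 256            # data template IDs start at 256 (assumed sample value)
SOURCE_ID = 0                # assumed sample observation domain

TemplateTable = Dict[Tuple[int, int], List[Tuple[int, int]]]

# Constructed sample flows: (src, dst, protocol, src_port, dst_port, packets)
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.168.4.1", 6, 51000, 443, 3),
    ("10.0.0.7", "192.168.4.1", 17, 40000, 53, 1),
]
# Template fields as (type, length) pairs; one data record is 17 bytes.
TEMPLATE_FIELDS = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (2, 4)]


def build_sample_packet(include_template: bool = True) -> bytes:
    """Build one v9 export packet: 20-byte header, optional template flowset, data flowset."""
    tpl_body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    tpl_body += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
    template = struct.pack("!HH", 0, 4 + len(tpl_body)) + tpl_body

    data_body = b"".join(
        ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
        + struct.pack("!BHHI", proto, sport, dport, pkts)
        for src, dst, proto, sport, dport, pkts in SAMPLE_FLOWS)
    pad = (-len(data_body)) % 4                      # flowsets are padded to 32 bits
    data = struct.pack("!HH", TEMPLATE_ID, 4 + len(data_body) + pad) + data_body + b"\0" * pad

    count = len(SAMPLE_FLOWS) + (1 if include_template else 0)
    # header: version, count, sysUptime, unix_secs, sequence, source_id
    header = struct.pack("!HHIIII", 9, count, 123456, 1700000000, 1, SOURCE_ID)
    return header + (template if include_template else b"") + data


def parse_v9(packet: bytes, templates: Optional[TemplateTable] = None) -> List[Dict[str, object]]:
    """Decode data records; learns templates into `templates` (shared across packets)."""
    if templates is None:
        templates = {}
    if len(packet) < 20:
        raise ValueError("short header")
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a v9 packet (version {version})")

    flows: List[Dict[str, object]] = []
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")     # never trust lengths from the wire
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                  # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if tid < 256 or pos + 4 * nfields > len(body):
                    break                               # padding or truncated template
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                              # data flowset
            fields = templates.get((source_id, fs_id))
            if fields is None:                          # no template yet: drop, do not guess
                off += fs_len
                continue
            rec_len = sum(l for _, l in fields)
            pos = 0
            while rec_len and pos + rec_len <= len(body):
                rec: Dict[str, object] = {}
                for ftype, flen in fields:
                    raw = body[pos:pos + flen]
                    pos += flen
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = (
                        str(ipaddress.IPv4Address(raw)) if ftype in IPV4_FIELDS
                        else int.from_bytes(raw, "big"))
                flows.append(rec)
        # FlowSet ID 1 (options template) and other IDs are ignored by this toy decoder.
        off += fs_len
    return flows


if __name__ == "__main__":
    for flow in parse_v9(build_sample_packet()):
        print(flow)
```

Two practical points follow from the template model. First, templates are sent periodically rather than with every packet, so a collector restarted mid-stream will silently discard data flowsets until the next template refresh; a gap in collector output right after a restart is expected, not a sign of a broken exporter. Second, the transport is plain UDP from the source interface configured above (mgmt0 in the management VRF here), so the collector has no way to verify the sender; keeping the export path inside the management VRF and bounds-checking every length field, as the decoder does, is what limits the damage a spoofed or malformed export can do.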

Step 4: Define and Apply the Flow Monitor to an interface:

Bind the flow record and the flow exporter to a flow monitor. When the flow monitor is defined, the flow monitor can be attached to an interface for collecting NetFlow statistics.

flow monitor FL_MON
  record Bil3
  exporter Bil_Flow_Exp
!
interface Eth3/31-32
  ip flow monitor FL_MON input
  ip flow monitor FL_MON output

Verifications:

show run netflow
show hardware flow ip

References:

https://www.ciscopress.com/articles/article.asp?p=2928194&seqNum=3
https://www.ciscopress.com/articles/article.asp?p=2812391&seqNum=4

Bilel Ameur

Enthusiastic Network Engineer specializing in Cisco ACI, passionate about solving challenges. A lifelong learner who loves gaining and sharing knowledge. Profile: https://www.linkedin.com/in/bilel-ameur-71116b2b5