How to Configure NetFlow: Cisco NX-OS devices, by David Brooks


To build on my blog post from last week on configuring NetFlow on Cisco devices, this week we’ll concentrate on NX-OS devices. These devices differ from their IOS counterparts in numerous ways; NetFlow configuration is just one of them. As I pointed out last week, there are some common rules we’ll need to follow, particularly around the active and inactive timeout values: they should always be set to 1 minute (or 60 seconds in NX-OS) and 15 seconds respectively. Additionally, it should only be necessary to export NetFlow for ingress (or input, in NX-OS terms) traffic.

NX-OS devices have some convenient built-in templates to use for NetFlow configuration. One of them, ‘netflow-original’, suits our purposes just fine. Of course, you have the option of specifying your own fields if you so choose – to do that, consult Cisco’s supplementary documentation on configuring NetFlow on NX-OS devices.

It should also be noted that the Nexus 5000 switch does not have any built-in support for NetFlow. If you find yourself with Nexus 5000s that you’d like flow visibility from, you may want to consider one of Lancope’s FlowSensor appliances, which can generate flexible NetFlow/IPFIX records from a SPAN port or a tap. Cisco also provides NetFlow Generation appliances, which are more than capable of feeding the StealthWatch infrastructure with flow analytics. To determine which option is best for you, feel free to contact your Lancope account representative.

Another gotcha in the NX-OS environment: if you want to send NetFlow to multiple destinations, each destination must be configured as an exporter entry and tied to the monitor record itself. Then add that single monitor record to the interface you wish to export from. You may only add one monitor per interface per traffic direction – in short, if you tie one monitor record to input traffic on gi0/1, you may not use any other monitor record on that same interface for input traffic. You may be able to attach a second monitor to the outbound traffic, but doing so may affect reporting fidelity and is generally out of scope for this blog entry.

With that in mind, let’s steam ahead.

NetFlow Configuration on Nexus 7000 and 3000:

1. Enter configuration mode (conf t), enable the NetFlow feature, and set the active and inactive timeouts:

switch(config)# feature netflow
switch(config)# flow timeout active 60
switch(config)# flow timeout inactive 15

2. Create a NetFlow record and specify the fields to export. This step is essentially blank here, since we’ll be using a pre-defined template, netflow-original, as mentioned above. If for some reason you are specifying your own template format, this would be the place to do it.

3. Create a flow exporter (specify where and how the NetFlow is to be sent). Replace the items in angle brackets with values that match your environment.

switch(config)# flow exporter netflow_to_stealthwatch
switch(config-flow-exporter)# description Export NetFlow to StealthWatch
switch(config-flow-exporter)# destination <flow_collector_IP_address>
switch(config-flow-exporter)# source <interface>
switch(config-flow-exporter)# transport udp 2055
switch(config-flow-exporter)# version 9

NOTE: When specifying a source interface, it is generally best to use an interface that should never go down, such as Loopback0.

4. Create a flow monitor (tie the flow record to the flow exporter created above in step 3). Once again, we’ll be using the netflow-original built-in record format in this example; it should be sufficient for most environments.

switch(config)# flow monitor standard_v9netflow
switch(config-flow-monitor)# record netflow-original
switch(config-flow-monitor)# exporter netflow_to_stealthwatch

5. Assign the flow monitor to selected interfaces. It’s best to assign it to every layer-3 interface for complete visibility, and only on ingress/input traffic. As in step 3, replace the items in angle brackets with values that match your particular environment.

switch(config)# interface <interface>
switch(config-if)# ip flow monitor standard_v9netflow input

NOTE: Repeat this step for every interface on which you will be enabling NetFlow.

That’s it! You should now be exporting NetFlow from the interfaces on which you’ve configured it. But some of you may be saying something along the lines of:

But I’m using a Nexus 1000v on my virtual infrastructure!

No problem at all. NetFlow can also be enabled on the Nexus 1000v switch in a similar manner to the above, but there are a few differences. In general, there are only four steps, as opposed to the five steps outlined above for the physical Nexus devices, and a few of the commands differ. I’ll detail it below.

1. Enter configuration mode (conf t), define a flow record and specify the fields to output. Once again, this step is blank for our example because we’re simply going to use the built-in netflow-original template.

2. Create a flow exporter (specify where and how the NetFlow is to be sent). Replace the items in angle brackets with values that match your environment.

n1000v(config)# flow exporter netflow_to_stealthwatch
n1000v(config-flow-exporter)# description Export NetFlow to StealthWatch
n1000v(config-flow-exporter)# destination <flow_collector_IP_address>
n1000v(config-flow-exporter)# source mgmt 0
n1000v(config-flow-exporter)# transport udp 2055
n1000v(config-flow-exporter)# version 9

NOTE: Unlike the physical Nexus switches, here we will be sourcing NetFlow from the mgmt0 interface, as opposed to Loopback0.

3. Create a flow monitor (tie the flow record to the flow exporter created above). Once again, we’ll be using the netflow-original built-in record format in this example; it should be sufficient for most environments. Here, unlike on the physical switches, is where we define both the active and inactive timeouts.

n1000v(config)# flow monitor standard_v9netflow
n1000v(config-flow-monitor)# record netflow-original
n1000v(config-flow-monitor)# exporter netflow_to_stealthwatch
n1000v(config-flow-monitor)# timeout active 60
n1000v(config-flow-monitor)# timeout inactive 15

4. Assign the flow monitor to selected interfaces. It’s best to assign it to every layer-3 interface for complete visibility, and only on ingress/input traffic. As in the exporter step, replace the items in angle brackets with values that match your particular environment.

n1000v(config)# interface <interface>
n1000v(config-if)# ip flow monitor standard_v9netflow input

NOTE: Repeat this step for every interface on which you will be enabling NetFlow.

…and you’re done!

Validate Configuration:

In order to validate the NetFlow configuration you’ve just made, take a look at the output of the following commands from the enable prompt:

switch# show flow record netflow-original
switch# show flow monitor standard_v9netflow statistics
switch# show flow monitor standard_v9netflow cache

For additional information on configuring NetFlow on NX-OS devices, you may wish to consult some supplementary documentation (Nexus 7000, Nexus 1000v) provided by Cisco directly.

As always, look for future posts from me in the “How to Configure NetFlow” series in the near future. If you have any specific questions about configuring NetFlow on your devices, contact the Lancope Customer Support department at support@lancope.com if you are an existing customer, or your Lancope account team for additional information on trying the StealthWatch System in your environment.
