Configuring Netflow on Nexus NXOS

This post is a part of my CCIE:DC studies, but will be useful for anyone needing to quickly configure NetFlow in NXOS.  For CCIE:DC purposes, an understanding of how NetFlow is configured in NXOS cannot hurt, especially since it is mentioned in the blueprint (1.5.b – Implement Netflow).

Unlike IOS, there are a few steps involved to get Netflow functioning; here is a quick rundown:

1. Enable Netflow
2. Configure a Netflow Flow Record
3. Configure a Netflow Flow Exporter
4. Configure a Netflow Flow Monitor
5. Apply the Netflow Monitor to your L3 interfaces
6. (Optional) Configure a Netflow Sampler
7. (Optional) Configure Netflow timers

1. Enable Netflow

feature netflow

2. Configure a Netflow Flow Record

A Netflow record details what information you want to collect. You can create a custom record, or use the built-in record.

Built-in:

N7K1# show flow record netflow-original
Flow record netflow-original:
    Description: Traditional IPv4 input NetFlow with origin ASs
    No. of users: 1
    Template ID: 256
    Fields:
        match ipv4 source address
        match ipv4 destination address
        match ip protocol
        match ip tos
        match transport source-port
        match transport destination-port
        match interface input
        match interface output
        match flow direction
        collect routing source as
        collect routing destination as
        collect routing next-hop address ipv4
        collect transport tcp flags
        collect counter bytes
        collect counter packets
        collect timestamp sys-uptime first
        collect timestamp sys-uptime last

Create your own:

flow record custom-netflow-record
	description Custom Netflow Record
	match ipv4 source address
	match ipv4 destination address
	match transport destination-port
	collect counter bytes
	collect counter packets

3. Configure a NetFlow Flow Exporter

Flow exporters define your collectors, i.e. the destinations the exported flow information is sent to.

flow exporter exporter-1
	description Fluke Collector
	destination 10.255.255.100
	source Vlan10
	transport udp 2055
	version 9
	
flow exporter exporter-2
	description Scrutinizer
	destination 10.255.255.101
	source Vlan10
	transport udp 2055
	version 9

4. Configure a NetFlow Flow Monitor

Flow Monitors bind the Flow Record to the Flow Exporter.

flow monitor netflow-monitor-1
	record custom-netflow-record
	exporter exporter-1

or you can use the built-in Netflow Flow Record:

flow monitor netflow-monitor-2
	record netflow-original
	exporter exporter-2

You can also apply multiple exporters to the same monitor:

flow monitor netflow-monitor-3
	record custom-netflow-record
	exporter exporter-1 
	exporter exporter-2

5. Apply the Netflow Monitor to your L3 interfaces

interface eth3/10
 ip flow monitor netflow-monitor-1 input
 exit

6. (Optional) Configure a Netflow Sampler

Netflow samplers become important when you’re running mixed M1/F2(e) VDCs. Due to the L3 proxy routing required for F2(e), netflow traffic is CPU processed. The CPU will automatically rate limit netflow traffic to 1 out of 1000 packets to protect the control plane. An error is displayed when you try to apply a monitor without a sampler in a mixed environment:

N7K1(config)# interface vlan 10
N7K1(config-if)#  ip flow monitor netflow-monitor-1 input
ERROR: A sampler must be configured for an interface on an F2 card or F2e mixed vdc

So, let’s configure a sampler to sample 1 out of every 1000 packets:

N7K1(config)# sampler netflow-sampler
N7K1(config-flow-sampler)#  mode 1 out-of 1000
N7K1(config-flow-sampler)# exit
N7K1(config)# interface vlan 10
N7K1(config-if)#  ip flow monitor netflow-monitor-1 input sampler netflow-sampler
Recommended sampler is 1 out-of 4956 to avoid rate limiting.
An additional 1:100 sampler, over the configured sampler is applicable for F2/F2e ports

We now get a different message, and the second line is the important one. It says that on top of whatever sampling rate you have configured, F2/F2e ports sample only 1 of those packets out of every 100. So if the sampler is configured for 1 out of 1000, the effective sampling rate is 1 out of 100,000. As you can imagine, this can result in useless netflow statistics. Some math is involved, but what I did was set it to the maximum permitted, as shown below; your environment may vary.

sampler netflow-sampler
  mode 1 out-of 10
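As an added example that is not part of the original post, the following Python builds a constructed NetFlow v9 export packet of the kind exporter-1 would send for custom-netflow-record and parses it the way a collector listening on UDP 2055 would, scaling the byte and packet counters by the effective sampling ratio described above (configured rate times the extra 1:100 on F2/F2e ports). The template ID 257, the RFC 3954 field type IDs and the flow values are assumptions.

```python
import struct
from ipaddress import IPv4Address

# RFC 3954 field type IDs and lengths for the five fields in custom-netflow-record (assumed mapping)
FIELDS = {8: ("src", 4), 12: ("dst", 4), 7: ("dst_port", 2), 1: ("bytes", 4), 2: ("packets", 4)}

def effective_out_of(configured, f2_mixed_vdc=True):
    """Real ratio behind 'mode 1 out-of N': F2/F2e ports add a further 1:100 on top of N."""
    return configured * (100 if f2_mixed_vdc else 1)

def parse_v9(packet, out_of=1):
    """Parse one NetFlow v9 export packet into dicts; counters are scaled up by the sampling ratio."""
    if struct.unpack("!H", packet[:2])[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records, pos = {}, [], 20           # the 20-byte header precedes the FlowSets
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:                              # template FlowSet, may carry several templates
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[off:off + 4])
                templates[tid] = [struct.unpack("!HH", body[off + 4 + 4 * i:off + 8 + 4 * i])
                                  for i in range(nfields)]
                off += 4 + 4 * nfields
        elif fs_id in templates:                    # data FlowSet laid out by a template seen earlier
            fields, off = templates[fs_id], 0
            rec_len = sum(n for _, n in fields)
            while off + rec_len <= len(body):       # stops before any trailing padding
                rec = {}
                for ftype, flen in fields:
                    raw, off = body[off:off + flen], off + flen
                    name = FIELDS.get(ftype, (ftype,))[0]
                    rec[name] = str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                for k in ("bytes", "packets"):      # estimate the unsampled totals
                    if k in rec:
                        rec[k] *= out_of
                records.append(rec)
        pos += fs_len
    return records

def build_sample_packet():
    """Constructed export packet: template 257 for custom-netflow-record plus two data records."""
    tmpl = struct.pack("!HH", 257, len(FIELDS)) + b"".join(struct.pack("!HH", t, n) for t, (_, n) in FIELDS.items())
    flows = [("10.10.10.20", "10.255.255.50", 443, 1500, 3), ("10.10.10.21", "10.255.255.50", 22, 96, 2)]
    data = b"".join(IPv4Address(s).packed + IPv4Address(d).packed + struct.pack("!HII", p, b, k)
                    for s, d, p, b, k in flows)
    header = struct.pack("!HHIIII", 9, 1 + len(flows), 1000, 1404853926, 1, 0)  # count = 1 template + 2 data
    return header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 257, 4 + len(data)) + data
```

With the sampler set to 1 out-of 10 on an F2/F2e port, a flow reported as 1500 bytes is estimated at 1,500,000 bytes on the wire; with 1 out-of 1000 the same record would be scaled by 100,000, which is why the author chose the most aggressive rate permitted.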

7. (Optional) Configure Netflow timers

Just know that these are available:

flow timeout active 120 (default is 1800 seconds)
flow timeout inactive 32 (default is 15 seconds)
flow timeout fast 32 threshold 100 (default is disabled)
flow timeout session (default is disabled)
flow timeout aggressive threshold 75 (default is disabled)

Show commands

show flow record netflow-original
show flow record custom-netflow-record
show flow exporter   <-- this is where you'll see the exporter statistics
show flow monitor netflow-monitor-1
show sampler

Verify statistics:

N7K1# show flow export
Flow exporter exporter-1:
    Description: Fluke Collector
    Destination: 10.255.255.100
    VRF: default (1)
    Destination UDP Port 2055
    Source Interface Vlan10 (10.10.10.5)
    Export Version 9
    Exporter Statistics
        Number of Flow Records Exported 726
        Number of Templates Exported 1
        Number of Export Packets Sent 37
        Number of Export Bytes Sent 38712
        Number of Destination Unreachable Events 0
        Number of No Buffer Events 0
        Number of Packets Dropped (No Route to Host) 0
        Number of Packets Dropped (other) 0
        Number of Packets Dropped (LC to RP Error) 0
        Number of Packets Dropped (Output Drops) 0
        Time statistics were last cleared: Tue Jul  8 21:12:06 2014

Full sample config:

feature netflow
flow record custom-netflow-record
	description Custom Netflow Record
	match ipv4 source address
	match ipv4 destination address
	match transport destination-port
	collect counter bytes
	collect counter packets
flow exporter exporter-1
	description Fluke Collector
	destination 10.255.255.100
	source Vlan10
	transport udp 2055
	version 9
flow monitor netflow-monitor-1
	record custom-netflow-record
	exporter exporter-1
interface eth3/10
 ip flow monitor netflow-monitor-1 input
!
sampler netflow-sampler
  mode 1 out-of 10
interface vlan 10
  ip flow monitor netflow-monitor-1 input sampler netflow-sampler

David Varnum


8 Responses

  1. Richard says:

    Thanks for the tutorial. I have a Nexus 7k running 6.2 and I followed your instructions, but my netflow collector (PRTG) is telling me a maximum of 0.180 kbit/s, which is impossible. I tried different sampling rates but the results are the same.

    • David Varnum says:

      In all honesty, Netflow on Nexus 7Ks with mixed line cards has been a thorn for me. This could be due to a bug in NXOS. Which version of 6.2 are you running?

  2. Dara says:

    Thanks David

  3. Andiputranto Sukojo says:

    If I want to capture VLAN traffic, should I apply it under the SVI or the VLAN configuration?

    • David Varnum says:

      I personally capture at the SVI. If you have a large amount of East-West traffic traversing your 7K at layer 2, then maybe VLAN-based netflow is better. You can configure as such:

      # Go into VLAN configuration mode (example VLAN 30), and configure your flow monitor
      switch(config)# vlan configuration 30
      switch(config-vlan-config)# ip flow monitor MonitorTest input

      I would compare the results in your Netflow collector to ensure you’re getting what you expect. I had better results using the SVI.

      • Viktor says:

        Can we capture on both the SVI and the VLAN configuration at the same time? Does that make any sense? Shall we get doubled traffic on the collector side?

      • Viktor says:

        Can we capture on both SVI and VLAN at the same time? What is the result? Is this recommended and supported? Does it make any sense to capture on SVI and VLAN?

        BR
        Viktor

      • David Varnum says:

        The configuration allows you to capture both SVI and VLAN at the same time. To my knowledge, it really only makes sense to capture via one method or the other. If you happen to test this out in a lab environment and can find a benefit of capturing via both methods simultaneously (other than seeing intra-VLAN traffic), please let me know!
