I’m a big fan of Solarwinds and their suite of network management products. If you’ve never seen or tried their products, head on over to their demo site and check it out. I recently added their Netflow product Network Traffic Analyzer and wanted to add netflow collection to my new 4500X switches.
The 4500X only support Flexible Netflow, aka Version 9, and doesn’t include any prebuilt flow record templates, so there are basically 4 steps to the configuration:
- Create a flow record
- Create a flow exporter
- Create a flow monitor
- Apply the monitor to an interface
Let’s look at each and go through a basic configuration.
The flow record defines the fields that will be used to group traffic into unique flows. Key fields are those which are used to distinguish traffic flows from each other. If a key field is different and doesn’t match an existing flow, a new flow will be added. Key fields are matched.
Non key fields aren’t used to distinguish flows from each other, but are collected as part of the data set you want to glean from each flow. Non key fields are collected.
For my flow record I used the following configuration:
flow record IPV4-FLOW-RECORD match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port collect interface input collect interface output collect counter bytes long collect counter packets long
So in my flow record, each flow will be distinguished by ToS, Protocol, Src/Dst address, src/dst port. I’m also interested in collecting the input and output interfaces, as well as the number of bytes and packets in each flow.
A flow exporter is basically a place to send the flow data you collect. By default, Cisco will send data to UDP/9995 but Orion expects it to arrive on UDP/2055. I also specified the source interface for the data so it will match the address that Orion uses to manage this node.
flow exporter Orion destination 192.168.0.245 source Loopback0 transport udp 2055
The flow monitor is where you link records and exporters together.
flow monitor IPV4-FLOW description Used for Monitoring IPv4 Traffic record IPV4-FLOW-RECORD exporter Orion
Once you’ve defined all the elements, it’s time to apply to an interface.
Applying the configuration
This particular 4500X install doesn’t have any routed interfaces, so my intention was to apply the flow monitor to an SVI. This resulted in the following error:
4500X-1(config-if)#ip flow monitor IPV4-FLOW input % Flow Monitor: Flow Monitor 'IPV4-FLOW' : Configuring Flow Monitor on SVI interfaces is not allowed. Instead configure Flow Monitor in vlan configuration mode via the command `vlan config <vlan number>'
Ok, we’ll try again:
4500X-1(config)#vlan config 2 4500X-1(config-vlan-config)#ip flow monitor IPV4-FLOW input
No problems there!
When I attempted to configure the flow monitor in the output direction, I received this error:
4500X-1(config-if)#ip flow monitor IPV4-FLOW output % Flow Monitor: 'IPV4-FLOW' could not be added to interface due to invalid sub-traffic type: 0
I reread the Flexible netflow section in the configuration guide, and sure enough the very first limitation for 4500’s in a VSS configuration:
- The Catalyst 4500 series switch supports ingress flow statistics collection for switched and routed packets; it does not support Flexible Netflow on egress traffic.
Looks I won’t be able to configure collection for output statistics,at least not at this junction in the network.
Overall I thought the configuration was fairly straight forward. I ended up using the same configuration on the other routers in my network and this was the only instance where I was unable to collect output traffic statistics.