Getting Flexible Netflow v9 on a Cisco 9300 to Export to Solarwinds NTA

I have recently begun a project to replace an aging fleet of Cisco 2911 routers across our WAN with new Cisco Catalyst 9300 switches.

One of the features we needed to retain with this upgrade was the use of netflow data to monitor all-the-things.

I couldn’t find much documentation on the internet for getting flexible netflow on the 9300s to work with our netflow collector, Solarwinds NTA (Netflow Traffic Analyzer).

At the time of this posting there were a couple of people asking on the Solarwinds forums without getting much help, plus a few documents from Solarwinds that only referenced the older Catalyst 3K switches.

Fortunately, I already had a 4500X running IOS-XE that was using flexible netflow and working. So I used it as the basis for my config and then tweaked it from there based on the information I found from Solarwinds for the Cat3Ks and in Cisco’s official documentation here:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-9/configuration_guide/nmgmt/b_169_nmgmt_9300_cg/configuring_flexible_netflow.html

Before I give you the 9300 flexible netflow settings, let me first share how I have my 9300s configured in my WAN.

My 9300 WAN Setup

My WAN consists of a pair of 4500Xs at the core, with spokes of 9300s running 16.9 (Fuji) serving as both the L3 router and the L2 switch stack at each WAN site.

The WAN uses EIGRP on Vlan100 on each device.

Each device is managed, and thus added to Solarwinds, using the IP address set on the Vlan100 interface.

I use physical interface Gi1/0/48 as the WAN uplink port, which is the only port I poll in Solarwinds.

I then have a LAN configured on Vlan200 on the inside of each 9300, with the remaining interfaces set to access vlan 200.

My 9300 Netflow Setup for Solarwinds

Normally, I monitor netflow via ingress on each port on my routers. This worked fine with the 2911s and Solarwinds since I only had two interfaces on each router (WAN/Outside and LAN/Inside, or Gi0/0 and Gi0/1 if you will). I also monitored/managed both of those interfaces with Solarwinds NPM.

With the 9300s, I didn’t want to monitor/manage all of the access ports with Solarwinds NPM. If I were to monitor netflow ingress traffic on each interface, Solarwinds would bark about receiving netflow data from unmanaged interfaces (or sources, I can’t remember now).

My solution was to monitor netflow via both ingress and egress on the physical WAN uplink, since Flexible Netflow v9 in the Fuji release for the 9300s supports both ingress and egress flow monitoring and recording.

WARNING: Monitoring both ingress and egress flows can result in duplicated data if you monitor more than one interface, because a flow that enters on one monitored interface and leaves on another is recorded once by each monitor. Since I’m only monitoring flows on one interface, this is fine and shouldn’t result in duplicated data or false reporting (it didn’t, I checked!).

To do this, I needed to do the following:

Configure Ingress and Egress Flow Records

flow record ORION_REC_INGRESS
match flow direction
match ipv4 source address
match ipv4 destination address
match ipv4 protocol
match transport source-port
match transport destination-port
match ipv4 tos
match interface input
collect interface output
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last

flow record ORION_REC_EGRESS
match flow direction
match ipv4 source address
match ipv4 destination address
match ipv4 protocol
match transport source-port
match transport destination-port
match ipv4 tos
match interface output
collect interface input
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last

Configure Flow Exporter

flow exporter ORION_EXP
destination 10.10.10.10
! 10.10.10.10 is the IP of the Solarwinds NTA collector
source Vlan100
transport udp 2055

The source line matters: NTA only accepts flows from an IP address it already knows as a managed node, so the exporter has to be sourced from Vlan100, the address each 9300 is managed by. NetFlow v9 is the default export protocol for a flow exporter on IOS-XE, so no export-protocol line is needed.

Configure Flow Monitors

flow monitor ORION_MON_INGRESS
record ORION_REC_INGRESS
exporter ORION_EXP
cache timeout active 60
cache timeout inactive 15

flow monitor ORION_MON_EGRESS
record ORION_REC_EGRESS
exporter ORION_EXP
cache timeout active 60
cache timeout inactive 15

Assign Flow Monitors to Uplink Interface

int gi1/0/48
ip flow monitor ORION_MON_INGRESS input
ip flow monitor ORION_MON_EGRESS output
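To see what the two monitors actually put on the wire, and where exports go wrong at the collector end, here is an added example, not code from the original post and not anything from Cisco or Solarwinds: a minimal NetFlow v9 decoder in Python of the kind a collector such as NTA runs, fed constructed export packets laid out like ORION_REC_INGRESS and ORION_REC_EGRESS. The field IDs are the standard v9/IPFIX element numbers assumed to correspond to each match/collect line; the field lengths, the ifIndex values (56 for Gi1/0/48, 73 for Vlan200), the LAN host 10.200.0.25 and the timestamps are all made up for the example. The real template a 9300 sends can be read on the switch with `show flow exporter templates`.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v9 / IPFIX element IDs assumed to match the FNF match/collect lines.
FIELD_NAMES = {
    61: "direction", 8: "src_addr", 12: "dst_addr", 4: "protocol",
    7: "src_port", 11: "dst_port", 5: "tos", 10: "in_if", 14: "out_if",
    1: "bytes", 2: "packets", 152: "first_ms", 153: "last_ms",
}
# (field id, length) layout assumed for ORION_REC_INGRESS and ORION_REC_EGRESS.
INGRESS_FIELDS = [(61, 1), (8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (5, 1),
                  (10, 4), (14, 4), (1, 8), (2, 8), (152, 8), (153, 8)]
EGRESS_FIELDS = INGRESS_FIELDS[:7] + [(14, 4), (10, 4)] + INGRESS_FIELDS[9:]
WAN_IFINDEX, LAN_IFINDEX = 56, 73   # made-up ifIndex values for Gi1/0/48 and Vlan200


def _decode(fid, raw):
    return str(IPv4Address(raw)) if fid in (8, 12) else int.from_bytes(raw, "big")


class NetflowV9Collector:
    """Learns templates (flowset 0) per source ID and decodes data flowsets (>= 256)."""

    def __init__(self):
        self.templates = {}   # (source_id, template_id) -> [(fid, length), ...]
        self.dropped = 0      # data flowsets that arrived before their template

    def parse(self, packet):
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"expected NetFlow v9, got version {version}")
        records, offset = [], 20
        while offset + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
            if fs_len < 4:
                raise ValueError("malformed flowset length")
            body = packet[offset + 4:offset + fs_len]
            if fs_id == 0:
                self._learn_templates(source_id, body)
            elif fs_id >= 256:
                records.extend(self._decode_data(source_id, fs_id, body))
            # ID 1 (options template) and 2..255 (reserved) are ignored here.
            offset += fs_len
        return records

    def _learn_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
            if tid < 256 or nfields == 0:       # reached the 4-byte padding
                break
            pos += 4
            fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                      for i in range(nfields)]
            pos += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id, tid, body):
        tmpl = self.templates.get((source_id, tid))
        if tmpl is None:                        # what NTA shows as a source still waiting for a template
            self.dropped += 1
            return []
        rec_len, pos, out = sum(n for _, n in tmpl), 0, []
        while pos + rec_len <= len(body):       # anything shorter than a record is padding
            rec = {}
            for fid, flen in tmpl:
                rec[FIELD_NAMES.get(fid, f"field_{fid}")] = _decode(fid, body[pos:pos + flen])
                pos += flen
            out.append(rec)
        return out


# Builders for constructed export packets standing in for what Gi1/0/48 sends.
def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def data_flowset(tid, fields, rows):
    body = b"".join(IPv4Address(v).packed if fid in (8, 12) else v.to_bytes(flen, "big")
                    for row in rows for (fid, flen), v in zip(fields, row))
    body += b"\x00" * (-len(body) % 4)          # flowsets are padded to 4 bytes
    return struct.pack("!HH", tid, 4 + len(body)) + body


def export_packet(flowsets, source_id=0, seq=1):
    # Header count is set loosely to the flowset count; the decoder does not rely on it.
    hdr = struct.pack("!HHIIII", 9, len(flowsets), 5_000_000, 1_560_000_000, seq, source_id)
    return hdr + b"".join(flowsets)


def demo():
    """One DNS lookup from a made-up LAN host: the query leaves Gi1/0/48 (egress monitor,
    direction 1) and the reply comes back in on it (ingress monitor, direction 0)."""
    reply_in = (0, "8.8.8.8", "10.200.0.25", 17, 53, 51514, 0,
                WAN_IFINDEX, LAN_IFINDEX, 140, 1, 1_560_000_000_011, 1_560_000_000_011)
    query_out = (1, "10.200.0.25", "8.8.8.8", 17, 51514, 53, 0,
                 WAN_IFINDEX, LAN_IFINDEX, 76, 1, 1_560_000_000_000, 1_560_000_000_000)
    collector = NetflowV9Collector()
    # Data before any template: a freshly started collector can only drop it.
    early = collector.parse(export_packet([data_flowset(256, INGRESS_FIELDS, [reply_in])], seq=1))
    late = collector.parse(export_packet([
        template_flowset(256, INGRESS_FIELDS), template_flowset(257, EGRESS_FIELDS),
        data_flowset(256, INGRESS_FIELDS, [reply_in]),
        data_flowset(257, EGRESS_FIELDS, [query_out])], seq=2))
    return early, late, collector.dropped
```

Calling `demo()` returns an empty first result with one dropped flowset, then both flows decoded with the direction field (0 ingress, 1 egress) telling the two monitors apart, which is exactly what lets a collector avoid double-counting when the same monitors are applied to one interface in both directions. The first parse is the failure mode that shows up in NTA as a source that is sending data but never populates: data flowsets that arrive before their template are discarded, so the collector has to keep a per-source template table and the exporter has to resend templates periodically (the `template data timeout` setting under the flow exporter, which is left at its default in the config above).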

Verify Netflow is Working

Once my configuration was in place, I checked the flow caches to make sure flow data was populating, using the following commands. (To confirm the export datagrams are actually leaving the switch, and not just filling the cache, show flow exporter ORION_EXP statistics is the companion check.)

9300#show flow monitor ORION_MON_INGRESS cache
Cache type:                               Normal (Platform cache)
Cache size:                                10000
Current entries:                             305
 
Flows added:                               34802
Flows aged:                                34497
- Active timeout      (    60 secs)       2123
- Inactive timeout    (    15 secs)      32374
 
9300#show flow monitor ORION_MON_EGRESS cache
Cache type:                               Normal (Platform cache)
Cache size:                                10000
Current entries:                             322
 
Flows added:                               29354
Flows aged:                                29032
- Active timeout      (    60 secs)        790
- Inactive timeout    (    15 secs)      28242

That looked good, so I checked the Solarwinds NTA web interface.

My 9300 shows up as a netflow source! Let’s see if we are getting flow data.

Yep!

Now that I had my netflow configuration figured out, I just needed to add it to my baseline in Solarwinds NCM and create a script to push the settings out to the remaining 9300s.

By the way, if you haven’t tried NCM yet and you’re primarily a Cisco shop, I highly recommend checking it out (I have a link below to learn more about it). It’s way more powerful than some give it credit for.

I’ll be sharing how I’m using NCM to keep on top of my 9300s in some future posts.

Stay tuned.

Recommended for You: Solarwinds Network Configuration Manager (NCM)

What would you do if one of your pieces of networking equipment failed? Could you rebuild it quickly? Do you know exactly what configuration it had? What ports were on what vlan? What about port channels?

You get the point.

Automate backing up configurations and updating of all your switching, routing, and firewall equipment without needing to know a single line of code with Solarwinds Network Configuration Manager.

This is one of those tools that pays for itself in man hours the first time you need to rely on it. Plus, you’ll sleep easier knowing you really have backed up all the things.
