I have recently begun a project to replace an aging fleet of Cisco 2911 routers across our WAN with new Cisco Catalyst 9300 switches.
One of the features we needed to retain with this upgrade was the use of netflow data to monitor all-the-things.
I couldn’t find much documentation on the internet for getting the flexible netflow on the 9300s to work with our netflow collector Solarwinds NTA (Netflow Traffic Analyzer).
At the time of this posting there were a couple people posting on the Solarwinds forums and not getting much help as well as a few documents from Solarwinds referencing the older Catalyst 3K switches.
Fortunately, I already had a 4500x running IOS-XE that was using flexible netflow and working. So I used it as a basis to build my config and then tweaked it from there based on the information I found from Solarwinds for the Cat3Ks and in Cisco’s official documentation here:
Before I give you the 9300 flexible netflow settings, let me first share how I have my 9300s configured in my WAN.
My 9300 WAN Setup
My WAN consists of a pair of 4500Xs at the core and then spokes of 9300s running 16.9 (Fuji) as the L3 router and L2 switch stacks at each WAN site.
The WAN uses EIGRP on Vlan100 on each device.
Each device is managed, and thus added to Solarwinds, using the IP address set on the Vlan100 interface.
I use physical interface Gi1/0/48 for the WAN uplink port, which is the only port I poll in Solarwinds.
I then have a LAN configured on Vlan200 on the inside of each 9300 and the remaining interfaces set to access vlan 200.
My 9300 Netflow Setup for Solarwinds
Normally, I monitor netflow via ingress on each port on my routers. This worked fine with the 2911s and Solarwinds since I only had two interfaces on each router (WAN/Outside and LAN/Inside, or Gi0/0 and Gi0/1 if you will). I also monitored/managed both of those interfaces with Solarwinds NPM.
With the 9300s, I didn’t want to monitor/manage all of the access ports with Solarwinds NPM. If I were to monitor the netflow ingress traffic on each interface, Solarwinds would bark about receiving netflow data from unmanaged interfaces (or sources, I can’t remember now).
My solution was to monitor netflow via both ingress and egress from the physical WAN uplink since Flexible Netflow v9 in the Fuji release of the 9300s supports both ingress and egress flow monitoring and recording.
WARNING: Monitoring both ingress and egress flows can result in duplication of reported data if you monitor more than one interface. Since I’m only going to be monitoring flows on one interface, this will be fine, and shouldn’t result in any duplication of data and false reporting (it didn’t, I checked!).
To do this, I needed to do the following:
Configure Ingress and Egress Flow Records
flow record ORION_REC_INGRESS
 match flow direction
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match ipv4 tos
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last

flow record ORION_REC_EGRESS
 match flow direction
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match ipv4 tos
 match interface output
 collect interface input
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
Configure Flow Exporter
flow exporter ORION_EXP
 ! 10.10.10.10 is the IP of the Solarwinds NTA collector
 destination 10.10.10.10
 source Vlan100
 transport udp 2055

The exporter uses NetFlow v9 by default, which is what NTA expects here. Keep in mind that v9 export is plain UDP with no authentication or encryption: anything that can reach the collector on UDP 2055 can inject flow records, and anything on the path can read the flow 5-tuples. Sourcing the export from Vlan100 keeps it on the management addresses you already know, so filter at the collector (host firewall or an upstream ACL) to accept exports only from those addresses.
Configure Flow Monitors
flow monitor ORION_MON_INGRESS
 record ORION_REC_INGRESS
 exporter ORION_EXP
 cache timeout active 60
 cache timeout inactive 15

flow monitor ORION_MON_EGRESS
 record ORION_REC_EGRESS
 exporter ORION_EXP
 cache timeout active 60
 cache timeout inactive 15

Assign Flow Monitors to Uplink Interface

int gi1/0/48
 ip flow monitor ORION_MON_INGRESS input
 ip flow monitor ORION_MON_EGRESS output

The monitor name on the interface must match the flow monitor exactly, or IOS rejects the command.
Verify Netflow is Working
Once my configuration was in place I checked the flow caches to make sure flow data was populating. I did this using the following commands:
9300#show flow monitor ORION_MON_INGRESS cache
  Cache type:                               Normal (Platform cache)
  Cache size:                                10000
  Current entries:                             305

  Flows added:                               34802
  Flows aged:                                34497
    - Active timeout      (    60 secs)       2123
    - Inactive timeout    (    15 secs)      32374

9300#show flow monitor ORION_MON_EGRESS cache
  Cache type:                               Normal (Platform cache)
  Cache size:                                10000
  Current entries:                             322

  Flows added:                               29354
  Flows aged:                                29032
    - Active timeout      (    60 secs)        790
    - Inactive timeout    (    15 secs)      28242
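The cache counters show flows are being recorded on the switch, but not that the exporter is actually delivering usable v9 packets to 10.10.10.10. If NTA stays empty, the quickest way to tell a switch-side problem from a collector-side one is to decode the export stream yourself. The following is an added example, not code from the original post or from Solarwinds: a minimal NetFlow v9 decoder (RFC 3954 framing) that learns templates as they arrive and then unpacks the data records. The template and data record it builds for testing are constructed here and only resemble the ORION_REC_INGRESS record; the field-ID-to-name mapping for the counters and timestamps is the RFC 3954 one and is an assumption about what the 9300 emits. Run it on a host that can receive UDP 2055 (or point a second exporter destination at it) and it prints one dict per flow record.

```python
"""Minimal NetFlow v9 decoder for checking what an exporter actually sends.

Added example, not part of the original post. The sample packet produced by
build_sample_packet() is constructed test data, not a capture from a 9300.
"""
import socket
import struct
from typing import Dict, List, Tuple

# Field type IDs from RFC 3954 section 8 for the fields used in the post's records.
# Assumption: the 9300 exports its collected counters/timestamps with these IDs.
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 5: "src_tos",
    7: "l4_src_port", 8: "ipv4_src_addr", 10: "input_snmp",
    11: "l4_dst_port", 12: "ipv4_dst_addr", 14: "output_snmp",
    21: "last_switched", 22: "first_switched", 61: "direction",
}

Template = List[Tuple[int, int]]          # [(field_type, field_length), ...]
TemplateTable = Dict[Tuple[int, int], Template]   # keyed by (source_id, template_id)


def _decode_value(ftype: int, raw: bytes):
    """IPv4 address fields become dotted quads; everything else is a big-endian int."""
    if ftype in (8, 12) and len(raw) == 4:
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet: bytes, templates: TemplateTable) -> List[dict]:
    """Decode one export packet. `templates` is updated in place when a template
    flowset is seen, because templates and the data they describe usually arrive
    in different packets; data for an unknown template is skipped, as a collector does."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte v9 header")
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    records: List[dict] = []
    offset = 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            raise ValueError("bad flowset length")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:                       # template flowset, may hold several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif flowset_id >= 256:                   # data flowset; id is the template id
            fields = templates.get((source_id, flowset_id))
            if fields is not None:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while rec_len and pos + rec_len <= len(body):   # trailing bytes are padding
                    rec = {"source_id": source_id, "template_id": flowset_id}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode_value(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        # flowset id 1 (options template) and 2-255 (reserved) are ignored here
        offset += length
    return records


def build_sample_packet() -> bytes:
    """Constructed test data: one template resembling ORION_REC_INGRESS plus one
    data record, in a single packet, with RFC 3954 32-bit padding on the data flowset."""
    fields = [(61, 1), (8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (5, 1),
              (10, 4), (14, 4), (1, 8), (2, 8), (22, 4), (21, 4)]
    tmpl_body = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_flowset = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    rec = (struct.pack("!B", 0)                                  # direction 0 = ingress
           + socket.inet_aton("10.200.0.25") + socket.inet_aton("10.100.0.5")
           + struct.pack("!B", 6) + struct.pack("!HH", 51234, 443) + struct.pack("!B", 0)
           + struct.pack("!II", 10, 20)                           # input/output ifIndex (made up)
           + struct.pack("!QQ", 182000, 140)                      # bytes / packets
           + struct.pack("!II", 12345000, 12360000))              # first / last switched
    pad = (-len(rec)) % 4
    data_flowset = struct.pack("!HH", 256, 4 + len(rec) + pad) + rec + b"\0" * pad
    header = struct.pack("!HHIIII", 9, 2, 12360000, 1560000000, 1, 0)
    return header + tmpl_flowset + data_flowset


def listen(bind_addr: str = "0.0.0.0", port: int = 2055, max_packets: int = 20) -> None:
    """Receive export packets on the port from the post's exporter and print decoded flows."""
    templates: TemplateTable = {}
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    for _ in range(max_packets):
        data, (src, _) = sock.recvfrom(65535)
        for rec in parse_v9(data, templates):
            print(src, rec)


if __name__ == "__main__":
    listen()
```

Because the 9300 sends the template on its own refresh schedule, the listener may see data flowsets before it has the template and will print nothing for them until a template arrives; that is normal and is also why a collector that was restarted can lag for a minute. With both monitors on one interface you can also use the decoded `direction` field to confirm the WARNING above: group records by 5-tuple and direction, and a flow should appear once as ingress and once as egress rather than twice in the same direction.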
That looked good so I checked the Solarwinds NTA web interface.
My 9300 shows up as a netflow source! Let's see if we are getting flow data.
Now that I had my netflow configuration figured out, I just needed to add it to my baseline in Solarwinds NCM and create a script to push the settings out to the remaining 9300s.
Btw, if you haven’t tried NCM yet, and you’re primarily a Cisco shop, I highly recommend checking it out (I have a link below to learn more about it). It’s way more powerful than some give it credit for.
I’ll be sharing how I’m using NCM to keep on top of my 9300s in some future posts.
Recommended for You: Solarwinds Network Configuration Manager (NCM)

What would you do if one of your pieces of networking equipment failed? Could you rebuild it quickly? Do you know exactly what configuration it had? What ports were on what vlan? What about port channels?
You get the point.
Automate backing up configurations and updating of all your switching, routing, and firewall equipment without needing to know a single line of code with Solarwinds Network Configuration Manager.
This is one of those tools that pays for itself in man hours the first time you need to rely on it. Plus, you’ll sleep easier knowing you really have backed up all the things.