Cisco 3K Switches now supports NetFlow export

A very good news for Network Administrators using Cisco 3K switches on their network and for administrator who are going to procure new Cisco 3K series. Let us start with networks which already have Cisco 3K switches.

In the past, we used to get a lot of emails and support calls to check if NetFlow export is supported in Cisco 3K series switches we had to unfortunately say “No”.  So, tracking user-specific traffic on the network which has only layer 3 switch as a Cisco 3K series becomes impossible. Since there will be Proxy server or Firewall located after the Cisco 3K switch, which actually changes the Internal IP into NAT-ed IP and the edge router reports only the NAT-ed IP on the Analyzer report.

This problem can be solved with newer software IOS upgrade on Cisco 3k and 2900 series catalyst switches. The IOS version is 12.2(58)SE and supported platform are (3750-X, 3560-X, 3750-E, 3750G, 3560-E, 3560G, 2960, and 2960-S ). This IOS upgrade will enable NetFlow export which is different from normal NetFlow export from Routers and other layer 3 Switches. I hope all are aware of NSEL(NetFlow Secure Event Logging) export from ASA , something similar to this is supported in this IOS version (12.2(58)SE) which is called Cisco Smart Logging and Telemetry (SLT).

 Cisco Smart Logging and Telemetry:

This is a unique NetFlow v9 export, which can not be used as regular NetFlow v9 which generates reports on Top Applications, ports, hosts etc.

This technology provides a mechanism to log and telemetry of traffic that is associated to a specific event on a switch (for example, an event triggered by an ACL-permitted or -denied packet).

Therefore, Any NetFlow v9 capable software can receive these packet sections along with additional information when an event is triggered on a switch. SLT also allows the analyzing software to generate application visibility data up to Layer 7 from the collected packet information.

As always there are limitations like, this NetFlow export can not be used for complete bandwidth monitoring or Billing purposes. But you can use this technology to track users traffic denial and flow creations etc and also can be used for security analytics.

You can soon see this SLT support in NetFlow Analyzer.

New Cisco 3K Switches with Flexible NetFlow Support :-

The Cisco 3750 X series and 3560 X series with new NetFlow service module (C3KX-SM-10G )supports complete flexible NetFlow export for Uplink ports.

The new Cisco Service Module enables the following services:

1. Flexible NetFlow for Network Monitoring and Security Anomaly Detection.
2. Supported NetFlow version .

This NetFlow export can be used for:

•   Application Performance monitoring.
•   Top Talkers
•   Security anomaly detection
•   Network Planning and Trend Analysis

Flexible NetFlow Configuration:-

Flow Record Creation :-

flow record NFA1

match ipv4 tos

match ipv4 protocol

match ipv4 source address

match ipv4 destination address

match transport source-port

match transport destination-port

collect interface input snmp

collect interface output snmp

collect counter bytes

collect counter packets

collect timestamp sys-uptime first

collect timestamp sys-uptime last

Configuring Flow Exporter:-

flow exporter NFA!

destination <ip address of ME NFA server>

transport udp 9996

Configuraing Flow Monitor

flow monitor NFA1

record NFA1 IPV4 original

exporter NFA1

cache timeout active 60

cache timeout inactive 60

Associating Flow monitor to Uplink Port:-

!

interface TenGigabitEthernet1/1/1

 switchport trunk encapsulation dot1q

 switchport mode trunk

 ip flow monitor NFA1 input

 ip flow monitor NFA1 output

This  C3KX-SM-10G module cannot be deployed on existing 3K switches, It is available only with the new 3K series catalyst switches Chassis.

Praveen Kumar
NetFlow Analyzer Technical Team

Download | Interactive Demo  | Twitter | Customers