A very good news for Network Administrators using Cisco 3K switches on their network and for administrator who are going to procure new Cisco 3K series. Let us start with networks which already have Cisco 3K switches.

In the past, we used to get a lot of emails and support calls to check if NetFlow export is supported in Cisco 3K series switches we had to unfortunately say “No”.  So, tracking user-specific traffic on the network which has only layer 3 switch as a Cisco 3K series becomes impossible. Since there will be Proxy server or Firewall located after the Cisco 3K switch, which actually changes the Internal IP into NAT-ed IP and the edge router reports only the NAT-ed IP on the Analyzer report.

This problem can be solved with newer software IOS upgrade on Cisco 3k and 2900 series catalyst switches. The IOS version is 12.2(58)SE and supported platform are (3750-X, 3560-X, 3750-E, 3750G, 3560-E, 3560G, 2960, and 2960-S ). This IOS upgrade will enable NetFlow export which is different from normal NetFlow export from Routers and other layer 3 Switches. I hope all are aware of NSEL(NetFlow Secure Event Logging) export from ASA , something similar to this is supported in this IOS version (12.2(58)SE) which is called Cisco Smart Logging and Telemetry (SLT).

 Cisco Smart Logging and Telemetry:

This is a unique NetFlow v9 export, which can not be used as regular NetFlow v9 which generates reports on Top Applications, ports, hosts etc.

This technology provides a mechanism to log and telemetry of traffic that is associated to a specific event on a switch (for example, an event triggered by an ACL-permitted or -denied packet).

Therefore, Any NetFlow v9 capable software can receive these packet sections along with additional information when an event is triggered on a switch. SLT also allows the analyzing software to generate application visibility data up to Layer 7 from the collected packet information.

As always there are limitations like, this NetFlow export can not be used for complete bandwidth monitoring or Billing purposes. But you can use this technology to track users traffic denial and flow creations etc and also can be used for security analytics.

You can soon see this SLT support in NetFlow Analyzer.

New Cisco 3K Switches with Flexible NetFlow Support :-

The Cisco 3750 X series and 3560 X series with new NetFlow service module (C3KX-SM-10G )supports complete flexible NetFlow export for Uplink ports.

The new Cisco Service Module enables the following services:

  1. Flexible NetFlow for Network Monitoring and Security Anomaly Detection.
  2. Supported NetFlow version .

This NetFlow export can be used for:

  •   Application Performance monitoring.
  •   Top Talkers
  •   Security anomaly detection
  •   Network Planning and Trend Analysis

Flexible NetFlow Configuration:-

Flow Record Creation :-

flow record NFA1

match ipv4 tos

match ipv4 protocol

match ipv4 source address

match ipv4 destination address

match transport source-port

match transport destination-port

collect interface input snmp

collect interface output snmp

collect counter bytes

collect counter packets

collect timestamp sys-uptime first

collect timestamp sys-uptime last

Configuring Flow Exporter:-

flow exporter NFA!

destination <ip address of ME NFA server>

transport udp 9996

Configuraing Flow Monitor

flow monitor NFA1

record NFA1 IPV4 original

exporter NFA1

cache timeout active 60

cache timeout inactive 60

Associating Flow monitor to Uplink Port:-

!

interface TenGigabitEthernet1/1/1

 switchport trunk encapsulation dot1q

 switchport mode trunk

 ip flow monitor NFA1 input

 ip flow monitor NFA1 output

This  C3KX-SM-10G module cannot be deployed on existing 3K switches, It is available only with the new 3K series catalyst switches Chassis.

Praveen Kumar
NetFlow Analyzer Technical Team

Download | Interactive Demo  | Twitter | Customers

Related posts :

  1. Rahul O . S

    Dear All here is the revised and working command

    Flexible NetFlow Configuration:-

    Flow Record Creation :-

    flow record NFA1
    match ipv4 tos
    match ipv4 protocol
    match ipv4 source address
    match ipv4 destination address
    match transport source-port
    match transport destination-port
    collect interface input snmp
    collect interface output snmp
    collect counter bytes
    collect counter packets
    collect timestamp sys-uptime first
    collect timestamp sys-uptime last

    Configuring Flow Exporter:-

    flow exporter NFA1
    destination 192.168.1.50
    transport udp 9996

    Configuraing Flow Monitor

    flow monitor NFA1
    record NFA1
    exporter NFA1
    cache timeout active 60
    cache timeout inactive 60

    Associating Flow monitor to Uplink Port:-

    interface TenGigabitEthernet1/1/1
    ip flow monitor NFA1 input
    ip flow monitor NFA1 output

    switchport trunk encapsulation dot1q
    switchport mode trunk

    • dr packet

      Dear Rahul
      I tried bases on your instruction with my 3750G-24PS, but when i apply flow monitor to uplink port, i received this error:
      Error: Flexible Net Flow is not supported on this interface
      could you pls help me.
      thx for help

  2. Steven Williams

    I enjoyed your article, but after many hours of research, the 2960 series switch does NOT support the SLT feature. This is confirmed by the Cisco Feature Navigator Tool and data sheets from Cisco’s website. If you know something, or have found something I haven’t I would love for you to share because I was hoping that the SLT feature was going to work on my access layer switches.