Good news for network administrators who already run Cisco Catalyst 3K switches, and for those who are about to procure new 3K series switches. Let us start with networks that already have Cisco 3K switches.
In the past we received many emails and support calls asking whether NetFlow export is supported on the Cisco 3K series, and unfortunately the answer was "No". That made it impossible to track user-specific traffic on a network whose only Layer 3 device is a Cisco 3K switch: the proxy server or firewall located behind the 3K switch translates the internal addresses (NAT), so the edge router reports only the NAT-ed IP in the analyzer's reports.
This problem is solved by a newer IOS release for the Catalyst 3K and 2900 series switches. The release is 12.2(58)SE, and the supported platforms are 3750-X, 3560-X, 3750-E, 3560-E, 3750G, 3560G, 2960 and 2960-S. The upgrade enables a NetFlow export that differs from the normal NetFlow export of routers and other Layer 3 switches. Those familiar with NSEL (NetFlow Secure Event Logging) export from the ASA will recognise the idea: this IOS version (12.2(58)SE) supports something similar, called Cisco Smart Logging and Telemetry (SLT).
Cisco Smart Logging and Telemetry:
This is a special-purpose NetFlow v9 export; it cannot be used like regular NetFlow v9 to generate reports on top applications, ports, hosts and so on.
It provides a mechanism to log and export telemetry for traffic associated with a specific event on the switch (for example, an event triggered by an ACL-permitted or ACL-denied packet).
Any NetFlow v9-capable collector can therefore receive these packet sections, along with additional event information, whenever such an event is triggered on the switch. Because SLT exports sections of the actual packets rather than only flow keys and counters, the analyzing software can also derive application visibility up to Layer 7 from the collected packet data.
As always there are limitations: this export cannot be used for complete bandwidth monitoring or for billing, because only event-triggering packets are exported, not every flow. It can, however, be used to track denied user traffic, flow-creation events and the like, and as a data source for security analytics.
SLT support will soon be available in NetFlow Analyzer.
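The original post does not show how SLT is turned on, so the following is an added example, not configuration from the post or from NetFlow Analyzer, following Cisco's documented Smart Logging commands for 12.2(58)SE. The exporter name SLT1, the collector address 192.0.2.10, UDP port 9996, the 1000-byte capture size, the ACL name and subnet, and the interface placeholder are all assumptions for illustration; the point is that an ACE carrying the smartlog keyword is what turns a permit or deny into an exported event.

```text
! Exporter that receives the SLT packet sections (NetFlow v9 over UDP)
flow exporter SLT1
 destination 192.0.2.10
 transport udp 9996
!
! Enable Smart Logging globally and bind it to the exporter
logging smartlog
logging smartlog exporter SLT1
! Bytes of each event-triggering packet to export (headers plus the start of the payload)
logging smartlog packet capture size 1000
!
! ACL events: only the ACE with the smartlog keyword generates an export;
! the other ACEs behave as normal (assumed guest subnet 10.10.20.0/24)
ip access-list extended GUEST-EGRESS
 permit tcp 10.10.20.0 0.0.0.255 any eq 443
 deny ip 10.10.20.0 0.0.0.255 any smartlog
 permit ip any any
!
interface <port where the ACL is applied>
 ip access-group GUEST-EGRESS in
!
! Other SLT event sources can be enabled the same way
ip dhcp snooping smartlog
ip arp inspection smartlog
!
! Verify that events are being logged and exported
show logging smartlog
show flow exporter SLT1 statistics
```

Two practical points: the packet sections leave the switch as plain UDP with no authentication or encryption, so the exporter destination should be a collector reachable only over the management network, and the collector should accept flows only from the known switch source addresses. And because each matching packet produces an export, put the smartlog keyword on the specific ACEs you care about (such as the deny for a guest subnet) rather than on a broad permit ip any any.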
New Cisco 3K Switches with Flexible NetFlow Support:-
The Cisco 3750-X and 3560-X series, fitted with the new NetFlow service module (C3KX-SM-10G), support full Flexible NetFlow export on the uplink ports.
The new Cisco service module enables the following services:
- Flexible NetFlow for network monitoring and security anomaly detection.
- NetFlow v9 export (the Flexible NetFlow export format), so any v9-capable collector can consume the data.
This NetFlow export can be used for:
- Application Performance monitoring.
- Top Talkers
- Security anomaly detection
- Network Planning and Trend Analysis
Flexible NetFlow Configuration:-
Flow Record Creation:-
flow record NFA1
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect interface input snmp
collect interface output snmp
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
Configuring Flow Exporter:-
flow exporter NFA1
destination <ip address of ME NFA server>
transport udp 9996
Configuring Flow Monitor:-
The flow monitor ties the record to the exporter; without the exporter line the switch builds the cache but sends nothing to the collector.
flow monitor NFA1
record NFA1
exporter NFA1
cache timeout active 60
cache timeout inactive 60
Associating the Flow Monitor with the Uplink Port:-
The monitor is applied under the uplink interface of the service module (placeholder shown in angle brackets, as for the collector address above):
interface <uplink port on the C3KX-SM-10G module>
switchport trunk encapsulation dot1q
switchport mode trunk
ip flow monitor NFA1 input
ip flow monitor NFA1 output
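To show what the configuration above actually puts on the wire, here is an added example (not code from the original post or from NetFlow Analyzer): a small Python script that builds a NetFlow v9 export packet using the template a switch would announce for flow record NFA1 (the RFC 3954 field types that correspond to each match/collect line), then decodes it the way a v9-capable collector does, including template caching and trailing padding. The template ID 256, source ID, uptime, timestamps and the two sample flows are constructed values, not captured from a real 3750-X.

```python
import socket
import struct

# NetFlow v9 field type IDs (RFC 3954) for each match/collect line of flow
# record NFA1 on the page, with the export length in bytes.
NFA1_TEMPLATE = [
    (5, 1),   # SRC_TOS        <- match ipv4 tos
    (4, 1),   # PROTOCOL       <- match ipv4 protocol
    (8, 4),   # IPV4_SRC_ADDR  <- match ipv4 source address
    (12, 4),  # IPV4_DST_ADDR  <- match ipv4 destination address
    (7, 2),   # L4_SRC_PORT    <- match transport source-port
    (11, 2),  # L4_DST_PORT    <- match transport destination-port
    (10, 2),  # INPUT_SNMP     <- collect interface input snmp
    (14, 2),  # OUTPUT_SNMP    <- collect interface output snmp
    (1, 4),   # IN_BYTES       <- collect counter bytes
    (2, 4),   # IN_PKTS        <- collect counter packets
    (22, 4),  # FIRST_SWITCHED <- collect timestamp sys-uptime first
    (21, 4),  # LAST_SWITCHED  <- collect timestamp sys-uptime last
]
FIELD_NAMES = {5: "tos", 4: "proto", 8: "src", 12: "dst", 7: "sport",
               11: "dport", 10: "in_if", 14: "out_if", 1: "bytes",
               2: "pkts", 22: "first", 21: "last"}
TEMPLATE_ID = 256  # assumed; data template IDs start at 256 (0 and 1 are reserved)

# Constructed sample flows, not captured from a switch.
SAMPLE_FLOWS = [
    {"tos": 0, "proto": 6, "src": "10.1.1.10", "dst": "203.0.113.5", "sport": 51234,
     "dport": 443, "in_if": 1, "out_if": 49, "bytes": 48210, "pkts": 120,
     "first": 100000, "last": 118500},
    {"tos": 0, "proto": 17, "src": "10.1.1.10", "dst": "10.1.1.1", "sport": 53412,
     "dport": 53, "in_if": 1, "out_if": 2, "bytes": 180, "pkts": 2,
     "first": 119000, "last": 119010},
]


def _encode(ftype, length, value):
    """IPv4 address fields are sent as 4 raw bytes; everything else as a big-endian integer."""
    if ftype in (8, 12):
        return socket.inet_aton(value)
    return int(value).to_bytes(length, "big")


def build_v9_packet(flows, template=NFA1_TEMPLATE, template_id=TEMPLATE_ID,
                    sys_uptime=120000, unix_secs=1700000000, seq=1, source_id=1):
    """One export packet: v9 header, a template flowset, then a data flowset."""
    # Template flowset: flowset id 0, length, (template id, field count, type/len pairs)
    tmpl_body = struct.pack("!HH", template_id, len(template))
    tmpl_body += b"".join(struct.pack("!HH", t, l) for t, l in template)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    # Data flowset: flowset id = template id; fixed-size records, padded to 4 bytes
    data = b"".join(_encode(t, l, f[FIELD_NAMES[t]]) for f in flows for t, l in template)
    pad = (-(4 + len(data))) % 4
    data_fs = struct.pack("!HH", template_id, 4 + len(data) + pad) + data + b"\x00" * pad
    # Header count = template records + data records (RFC 3954 section 5.1)
    header = struct.pack("!HHIIII", 9, 1 + len(flows), sys_uptime, unix_secs, seq, source_id)
    return header + tmpl_fs + data_fs


def parse_v9_packet(pkt, templates=None):
    """Decode the flowsets of one packet. 'templates' persists across packets, keyed by
    (source id, template id), as a real collector must, since templates are sent periodically."""
    templates = {} if templates is None else templates
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", pkt[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    flows, off = [], 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
        if fs_len < 4:
            raise ValueError("bad flowset length")
        body, off = pkt[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:  # template flowset, may carry several templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                fields = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i])
                          for i in range(nfields)]
                templates[(source_id, tid)] = fields
                p += 4 + 4 * nfields
        elif fs_id == 1:
            continue  # options template flowset; not used by record NFA1
        elif (source_id, fs_id) in templates:
            fields = templates[(source_id, fs_id)]
            rec_len = sum(l for _, l in fields)
            p = 0
            while p + rec_len <= len(body):  # leftover bytes shorter than a record are padding
                rec, q = {}, p
                for t, l in fields:
                    raw = body[q:q + l]
                    rec[FIELD_NAMES.get(t, t)] = (socket.inet_ntoa(raw) if t in (8, 12)
                                                  else int.from_bytes(raw, "big"))
                    q += l
                flows.append(rec)
                p += rec_len
        # data for a template not yet seen is dropped until the next template refresh
    return flows


def demo():
    """Encode the sample flows as the switch would and decode them as the collector would."""
    return parse_v9_packet(build_v9_packet(SAMPLE_FLOWS))


if __name__ == "__main__":
    for flow in demo():
        print(flow)
```

The decoded records carry exactly the keys and counters the record definition names, which is why the cache timeouts matter: with active 60 a long-lived session is reported once a minute as a new record with the same key, and the collector sums the byte and packet counters. The export is plain UDP with no authentication, so the collector listening on 9996 should accept packets only from the switch's known source address.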
This C3KX-SM-10G module cannot be deployed on the existing 3K switches; it is available only with the new 3K series Catalyst switch chassis.