Monitoring NetFlow-Lite data in new Cisco 2900 and 4900 Series switches using NetFlow Analyzer

Using NetFlow technology, network administrators can efficiently monitor bandwidth usage for capacity planning and resource allocation. Until now, NetFlow monitoring was supported only in Cisco high-end switches, such as Cisco Catalyst 3K, 4K, and 6K series switches. Cisco's NetFlow-Lite is a light-weight, packet based sampling technology  to monitor switching traffic in widely-used switches. With Cisco NetFlow-Lite, administrators can now easily monitor bandwidth across a variety of Cisco switches. NetFlow-Lite is currently supported on the Cisco Catalyst 2960-X and 4948E. NetFlow-Lite can be configured as Version9 or IPFIX export fields. As of now, only ingress monitoring is available in NetFlow-Lite. Currently, NetFlow-Lite includes new fields like MAC addresses and option-templates, but these fields are not now available in the NetFlow Analyzer UI. However, they might be included in future releases. Unlike traditional NetFlow, sampling is mandatory for NetFlow-Lite. There are two types of sampling algorithm available: deterministic and random sampling. Random sampling can monitor all interfaces. Deterministic sampling can be used for limited interfaces of the device. You can use the following commands to configure the switch to export NetFlow-Lite flows to a NetFlowAnalyzer server. These commands are supported in Cisco IOS 15.0(2)EX1.

Creating as Flow Record in Switch config mode

Switch(config)#    flow record NfliteRecord

Switch(config-flow-record)#    collect counter bytes long

Switch(config-flow-record)#    collect counter packets long

Switch(config-flow-record)#    collect flow sampler

Switch(config-flow-record)#    collect interface input

Switch(config-flow-record)#  collect timestamp sys-uptime first

Switch(config-flow-record)#  collect timestamp sys-uptime last

Switch(config-flow-record)#  collect transport tcp flags ack

Switch(config-flow-record)#  collect transport tcp flags fin

Switch(config-flow-record)#  collect transport tcp flags rst

Switch(config-flow-record)#  match datalink ethertype

Switch(config-flow-record)#  match datalink mac source address input

Switch(config-flow-record)#  match datalink mac destination address input

Switch(config-flow-record)#  match ipv4 protocol

Switch(config-flow-record)#  match ipv4 destination address

Switch(config-flow-record)#  match ipv4 source address

Switch(config-flow-record)#  match ipv4 tos

Switch(config-flow-record)#  match ipv6 protocol // optional : for IPv6 only

Switch(config-flow-record)#  match ipv6 destination address // optional : for IPv6 only

Switch(config-flow-record)#  match ipv6 source address // optional : for IPv6 only

Switch(config-flow-record)#  match ipv6 tos // optional : for IPv6 only

Switch(config-flow-record)#  match transport destination-port

Switch(config-flow-record)#  match transport source-port

Creating as Flow Exporter in Switch config mode

Switch(config)#     flow exporter NfliteExporter

Switch(config-flow-exporter)#  destination 10.10.10.10 // Nfa server IP

Switch(config-flow-exporter)#  export-protocol netflow-v9

Switch(config-flow-exporter)#  option interface-table

Switch(config-flow-exporter)#  option exporter-stats

Switch(config-flow-exporter)#  option sampler-table

Switch(config-flow-exporter)#  source loopback 0 // source interface can be any L3 interface

Switch(config-flow-exporter)#   template data timeout 60

Switch(config-flow-exporter)#   transport udp 9996

Creating as Flow Monitor in Switch config mode

Switch(config)#    flow monitor NfliteMonitor

Switch(config-flow-monitor)#   record NfliteRecord

Switch(config-flow-monitor)#  exporter NfliteExporter

Switch(config-flow-monitor)#  cache timeout active 60

Switch(config-flow-monitor)#  cache timeout inactive 15

Switch(config-flow-monitor)#  cache type normal

Switch(config-flow-monitor)#  statistics packet protocol

Creating as Flow Sampler in Switch config mode

Switch(config)#     sampler NfliteSampler

Switch(config-sampler)#     mode random 1 out-of 32        // The range can be 32 to 1022

Applying Flow Monitor to an interface in Interface config mode

Switch(config)#         interface gigabitethernet 0/0

Switch(config-if)#     ip flow monitor NfliteMonitor sampler NfliteSampler input // Repeat this command on all interfaces.