
Cisco Catalyst 3850 NetFlow Configuration

NetFlow Cisco Catalyst 3850 Overview


The Cisco Catalyst 3850 supports both ingress and egress Flexible NetFlow (FnF) on all ports of the switch at line rate. Switch raw scalability is up to 24 cached flows, whereas it is 8 for ingress and 16 for egress per UADP ASIC. The Cisco Catalyst 3850 supports NetFlow Version 9, with IPv4, IPv6, Layer 2 flows, and sampled NetFlow. TCP flags are also exported as part of the flow information. When Cisco Catalyst 3850 switches are stacked together, each individual stack member exports its own flows to the collector. The Cisco Catalyst 3850 supports up to 16 flow monitors with eight different collectors simultaneously per flow monitor. Microflow policing is supported only for wireless clients.

The FnF feature on the Cisco Catalyst 3850 is enabled on the IP base version and earlier. The Cisco Catalyst 3850 48-port switch has two UADP ASICs per switch, and the Cisco Catalyst 3850 24-port switch has one UADP ASIC.

NetFlow Configuration on Cisco Catalyst 3850 Switch

There are three components of FnF configuration: flow record, flow exporter, and flow monitor.

Flow Record

The NetFlow flow record is made up of primary fields and nonprimary fields. Primary fields are the fields from packet headers that are used for classifying and characterizing the flow. Additional information can be added to the flow record, and this information is contained in nonprimary fields. Match commands, as seen in the following, are used to define primary fields, while collect commands are used to define the nonprimary fields.

Configuring a Flow Record (Ingress)

flow record v4
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect transport tcp flags
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
 collect counter bytes layer2 long

Note: "match interface output" cannot be configured in the ingress flow monitor. In order to get the egress interface information, use the "collect interface output" command in an ingress flow record.

Similarly, "match interface input" is not supported on an egress flow record; use "collect interface input" as shown in the following:

Configuring a Flow Record (Egress)

flow record v4out
 match ipv4 protocol
 match ipv4 tos
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface output
 collect interface input
 collect transport tcp flags
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
 collect counter bytes layer2 long

Exporter/Collector Information

There are two primary methods to access NetFlow data: using a CLI with show commands or using an application that receives exported NetFlow information sent periodically by the switch.

flow exporter Collector
 destination 10.1.1.28
 dscp 48
 transport udp 2055
 template data timeout 30
 option exporter-stats timeout 30

Flow exporter commands specify the destination IP address of the exporter/collector. DSCP specifies the DSCP value for datagrams sent to the exporter/collector. The next command specifies the L4 port on which the exporter/collector application listens for the NetFlow export packets from the switch. Template commands enable the switch to send the NetFlow template after specified number of seconds to the exporter/collector. The Cisco Catalyst 3850 supports up to eight different exporters/collectors simultaneously per flow monitor.

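The collector side of the exporter settings above, as an added example (not from the original page or from Cisco): a minimal NetFlow Version 9 decoder showing that a data flowset cannot be decoded until the matching template has arrived, which is why the template is resent on a timer. The field type numbers follow RFC 3954; the sample packets, template ID 256, source ID 1, the client address 10.1.1.5 and the 8-byte width for the "long" counters are assumptions constructed for the example.

```python
import ipaddress
import struct
# NetFlow v9 field type numbers (RFC 3954) for the fields in the records above.
FIELDS = {1: "bytes", 2: "packets", 4: "protocol", 5: "tos", 6: "tcp_flags",
          7: "src_port", 8: "src_addr", 10: "input_if", 11: "dst_port",
          12: "dst_addr", 14: "output_if"}

def decode_record(raw, spec):
    rec, pos = {}, 0
    for ftype, length in spec:
        chunk, pos = raw[pos:pos + length], pos + length
        name = FIELDS.get(ftype, f"type_{ftype}")
        rec[name] = (str(ipaddress.IPv4Address(chunk)) if ftype in (8, 12)
                     else int.from_bytes(chunk, "big"))
    return rec

def parse_v9(packet, templates):  # `templates` must persist across packets
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 export packet")
    source_id = struct.unpack_from("!I", packet, 16)[0]
    flows, undecoded, off = [], 0, 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: remember each field layout
            pos = 0
            while pos + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(n)]
                pos += 4 + 4 * n
        elif fs_id > 255:  # data flowset: decodable only with its template
            spec = templates.get((source_id, fs_id))
            size = sum(length for _, length in spec) if spec else 0
            if size == 0:
                undecoded += 1  # template not received yet
            else:
                flows += [decode_record(body[p:p + size], spec)
                          for p in range(0, len(body) - size + 1, size)]
        off += fs_len
    return flows, undecoded

# Constructed sample: template 256, then one TCP SYN flow 10.1.1.5 -> 10.1.1.28:443.
HDR = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 1)  # version 9, source ID 1
SPEC = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (1, 8), (2, 8)]
TEMPLATE_PKT = HDR + struct.pack("!20H", 0, 40, 256, 8, *sum(SPEC, ()))
DATA_PKT = HDR + struct.pack("!HH4s4sHHBBQQ2x", 256, 36, bytes([10, 1, 1, 5]),
                             bytes([10, 1, 1, 28]), 51514, 443, 6, 2, 60, 1)
```

Calling `parse_v9(DATA_PKT, {})` with an empty template cache reports one undecoded flowset; after `TEMPLATE_PKT` has been parsed into the same cache, the same data packet yields the flow with its TCP flags and counters.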
Flow Monitor

Flow monitors are the FnF component that is applied to interfaces. Flow monitors consist of a record, cache parameters, and the exporter/collector. The flow monitor cache is automatically created at the time the flow monitor is configured on the first interface.

Flow monitor is the container for the following information:

- Flow record
- Flow cache parameters
- Exporter/collector information

flow monitor v4
 exporter Collector
 exporter Collector 1
 cache timeout active 60
 cache timeout inactive 20
 record v4

Attaching a Flow Monitor to Supported Port Types

Wired Port

interface GigabitEthernet1/0/1
 description Interface for WIRED CLIENT in CONVERGED VLAN
 switchport access vlan 10
 switchport mode access
 ip flow monitor v4 input
 ip flow monitor v4out output
 load-interval 30
 no shutdown
!

Wireless WLAN Port

wlan SSID 1 SSID
 client vlan 12
 ip flow monitor v4 input
 ip flow monitor v4out output
 no shutdown
!

VLAN Interface

vlan configuration 500
 ip flow monitor v4 input
 ip flow monitor v4out output
!

Configure Simple Network Management Protocol for Exporter

snmp-server community public RO
snmp-server community private RO

Simple Network Management Protocol (SNMP) configurations enable the external collectors to read the configuration related to NetFlow on the switch and collect flows. The community strings "public" and "private" shown here are widely known default values; in a deployment, substitute site-specific strings.

Flexible NetFlow Outputs

To display the Flexible NetFlow configuration status for an interface, use the "Show Flow Interface" commands in privileged EXEC mode.

To display aggregated flow statistics from a flow monitor cache, use the "Show flow monitor cache format table" command.

To display top N destination aggregated flow statistics from a flow monitor cache, use the following command.

To display top N source address aggregated flow statistics from a flow monitor cache, use the following command

To display the status and statistics for IPv6 Flexible NetFlow flow monitor, use the "Show Flow monitor" command in privileged EXEC mode.

To display top N IPv6 destination address aggregated flow statistics from a flow monitor cache, use the following command:

To display top N source address aggregated flow statistics from a flow monitor cache, use the following command:

This material is referenced from www.cisco.com