Cisco Catalyst 3650/3850 (IPFIX/Netflow)

This is a basic guide to configure Cisco Catalyst 3650 or 3850 switches to output IPFIX or Netflow to a collector.


The Catalyst switch must be licensed for IP Base or IP Services. A LAN Base license may not enable full Netflow/IPFIX features. The Catalyst switch must also be running IOS XE version 3.6.xE, or 16.x or above.

Access the switch CLI

Connect to your Cisco Catalyst switch via SSH or a console cable. If connecting via SSH, use a tool like PuTTY or the built-in SSH client in your terminal, and enter the switch's IP address, username, and password to log in.

Enter global configuration mode

Once logged in, elevate to enable mode and then enter global configuration mode by typing the following command:

configure terminal

Configuring Netflow/IPFIX consists of 4 steps: configuring the flow record, the flow exporter, the flow monitor, and then applying the monitor to VLANs or Interfaces.

Step 1: Flow record configuration

Configure the flow record details. This is an example of how to match and collect common data to be exported in flow records. Many other options are available, so please reference Cisco documentation for a full list of options. Here we will create a new flow record called FLOWRECORD that we will reference later in the configuration.

flow record FLOWRECORD
description IPv4flow
match datalink vlan input
match datalink mac source address input
match datalink mac destination address input
match ipv4 tos
match ipv4 ttl
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
collect transport tcp flags
collect interface output
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last
collect counter bytes layer2 long

Step 2: Flow exporter configuration

Configure the flow exporter details next. We will create a new exporter called FLOWEXPORT that will be referenced later in the configuration. The exporter defines the collector that this device sends flow records to. Ensure you have the correct IP address and UDP port for the collector and that it is reachable from the source VLAN or interface. You can also select the export-protocol to use here, either netflow or ipfix.

Step 3: Flow monitor configuration

Configure the flow monitor details next. We will create a new monitor called FLOWMONITOR that will be referenced later in the configuration. This is the monitor that will be applied to VLANs or Interfaces in the next step. Make sure you reference the correct names of the record and exporter we configured earlier.

Step 4: Apply monitor to VLANs or Interfaces

In the final step, we will turn on the flow export feature by applying the monitor to VLANs, interfaces, or both.

To capture flow records within a VLAN, use the following command. You can specify a single VLAN or a range of VLANs by ID.

To capture flow records on a single interface, use the following configuration:

To save time, you can also apply the configuration to multiple interfaces with a single configuration by using the range command:

Save the configuration

Finally, exit configuration mode and save your configuration to flash so it starts again on a reboot:
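Steps 2 through 4, the save, and a verification command written out as one CLI session. This is an added example, not the configuration from the original guide; the collector address 192.0.2.10, UDP port 2055, source interface Vlan10, VLAN ID 10, the GigabitEthernet1/0/x interface names and the cache timeout are assumed values to replace with your own.

```cisco
! Added example. 192.0.2.10, UDP 2055, Vlan10 and Gi1/0/x are assumed values.
!
! Step 2: exporter, i.e. where this switch sends flow records
flow exporter FLOWEXPORT
 description Export to flow collector
 destination 192.0.2.10
 ! Source the export from an interface the collector can reach
 source Vlan10
 transport udp 2055
 ! Use "export-protocol netflow-v9" instead for NetFlow version 9
 export-protocol ipfix
!
! Step 3: monitor, which ties the record and exporter together by name.
! Both names must match the earlier definitions exactly.
flow monitor FLOWMONITOR
 description IPv4 flow monitor
 record FLOWRECORD
 exporter FLOWEXPORT
 cache timeout active 60
!
! Step 4: apply the monitor. FLOWRECORD matches on input fields
! (interface input, datalink vlan input), so it is applied inbound.
!
! 4a: one VLAN
vlan configuration 10
 ip flow monitor FLOWMONITOR input
!
! 4b: one interface
interface GigabitEthernet1/0/1
 ip flow monitor FLOWMONITOR input
!
! 4c: a range of interfaces
interface range GigabitEthernet1/0/1 - 24
 ip flow monitor FLOWMONITOR input
!
! Leave configuration mode and save to startup-config
end
copy running-config startup-config
!
! From privileged EXEC: confirm the exporter is sending packets
show flow exporter FLOWEXPORT statistics
```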

Verify operation on the device

You can verify that flow records are being sent to the collector by running the following operational command:

If everything is operating correctly, you should see output similar to this:
