# Cisco Catalyst 3650/3850 (IPFIX/Netflow) This is a basic guide to configure Cisco Catalyst 3650 or 3850 switches to output IPFIX or Netflow to a collector. {% hint style="info" %} The Catalyst switch must be licensed for IP Base or IP Services. A LAN Base license may not enable full Netflow/IPFIX features. The Catalyst switch must also be running IOS XE version 3.6.xE, or 16.x or above. {% endhint %} ### Access the switch CLI Connect to your Cisco Catalyst switch via SSH or a console cable. If connecting via SSH, use a tool like PuTTY or the built-in SSH client in your terminal, and enter the switch's IP address, username, and password to log in. ### Enter global configuration mode Once logged in, elevate to enable mode and then enter global configuration mode by typing the following command: ```shell configure terminal ``` Configuring Netflow/IPFIX consists of 4 steps: configuring the flow record, the flow exporter, the flow monitor, and then applying the monitor to VLANs or Interfaces. ### Step 1: Flow record configuration Configure the flow record details. This is an example of how to match and collect common data to be exported in flow records. Many other options are available, so please reference Cisco documentation for a full list of options. Here we will create a new flow record called FLOWRECORD that we will reference later in the configuration. ```shell flow record FLOWRECORD description IPv4flow match datalink vlan input match datalink mac source address input match datalink mac destination address input match ipv4 tos match ipv4 ttl match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input match flow direction collect transport tcp flags collect interface output collect counter bytes long collect counter packets long collect timestamp absolute first collect timestamp absolute last collect counter bytes layer2 long ``` ### Step 2: Flow exporter configuration Configure the flow exporter details next. We will create a new exporter called FLOWEXPORT that will be referenced later in the configuration. This is the collector that will be sent flow records from this device. Ensure you have the correct IP address and UDP port for the collector and that it is reachable from the source vlan or interface. You can also select the export-protocol to use here, either netflow or ipfix. ```shell flow exporter FLOWEXPORT destination 192.168.0.111 source Vlan100 transport udp 4739 export-protocol ipfix template data timeout 240 ``` ### Step 3: Flow monitor configuration Configure the flow monitor details next. We will create a new monitor called FLOWMONITOR that will be referenced later in the configuration. This is the monitor that will be applied to VLANs or Interfaces in the next step. Make sure you reference the correct names of the record and exporter we configured earlier. ```shell flow monitor FLOWMONITOR exporter FLOWEXPORT cache timeout active 60 record FLOWRECORD ``` ### Step 4: Apply monitor to VLANs or Interfaces In the final step, we will turn on the flow export feature by applying the monitor to VLANs, interfaces, or both. To capture flow records within a VLAN, use the following command. You can specificy a single VLAN or a range of VLANs by ID. ```shell vlan configuration 1-4094 ip flow monitor FLOWMONITOR input ``` To capture flow records on a single interface, use the following configuration: ```shell interface GigabitEthernet1/0/1 ip flow monitor FLOWMONITOR input ``` To save time, you can also apply the configuration to multiple interfaces with a single configuration by using the range command: ```shell interface range gigabit 1/0/1 - 48 ip flow monitor FLOWMONITOR input ``` ### Save the configuration Finally, exit configuration mode and save your configuration to flash so it starts again on a reboot: ```shell copy running-config startup-config ``` ### Verify operation on the device You can verify that flow records are being sent to the collector by running the following operational command: ```shell show flow exporter FLOWEXPORT statistics ``` If everything is operating correctly, you should see output similar to this: ```shell Flow Exporter FLOWEXPORT: Packet send statistics (last cleared 3d00h ago): Successfully sent: 27333 (9098972 bytes) Client send statistics: Client: Flow Monitor FLOWMONITOR Records added: 66318 - sent: 66318 Bytes added: 5239122 - sent: 5239122 ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.elastiflow.com/additional-resources-reference-articles/guides/configuring-flow-logs-on-devices/cisco-catalyst-3650-3850-ipfix-netflow.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.