- Unifying Excellence with Strategic Partnerships: Cisco Black Belt Academy and VQ Communications
- Navigating the API Security Landscape: A CEO's Perspective on Embedding Zero Trust Principles
- Top 5 Global Cyber Security Trends of 2023, According to Google Report
- What is a virtual machine, and why are they so useful?
- U.K. and U.S. Warn of Pro-Russia Hacktivist Attacks on Operational Technology Systems
Cisco NX-OS/IOS Netflow Comparison
Cisco NX-OS/IOS Netflow Comparison
Objective
This tech note outlines the main differences in NetFlow between Cisco® NX-OS Software and Catalyst 6500 Sup720/Sup32 running Cisco IOS® Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.
It should be noted that the Catalyst 6500 range now ships a new supervisor, the sup2T, which supports Flexible NetFlow in a similar manner to the NX-OS Software. More details of this and of the sup2T can be obtained from http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11-652021.html#wp9000272
NetFlow Overview
NetFlow provides flow-based statistics collection that is useful for troubleshooting, traffic analysis, performance monitoring, and security threat prevention. Cisco NX-OS supports a flexible architecture that allows an administrator collect different data for different applications per interface.
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
- The NetFlow feature supports stateful process restarts and In-Service-Software-Upgrades (ISSU) if two supervisors are present in a chassis.
- Non NetFlow features do not have any dependencies on NetFlow. In Cisco IOS Software, Reflexive ACLs, NAT, TCP Intercept, SLB, and WCCP have dependencies on the flow mask configuration.
- NetFlow command-line interface (CLI) configuration and verification commands are not available until you enable the NetFlow feature with the feature netflow command.
- Two flow modes are supported: full and sampled for layer-2 and layer-3 NetFlow collection. The NX-OS supports layer-2 NetFlow (MAC accounting), whereas Cisco IOS Software supports Bridged NetFlow (IP accounting in a VLAN).
- Sampled mode supports packet-based sampling (1-64 out of 1-8192).
- In sampled mode, the sampling occurs before the NetFlow cache is populated.
- The M1 series line-card modules support 512,000 NetFlow cache entries (ingress and egress flows). F1 series line-card modules do not support NetFlow.
- The M1 series line-card modules perform the NetFlow Data Export (NDE) packet formatting processing on the local CPU to offload processing from the supervisor module. The supervisor module sends the NDE formatted packet to the NetFlow export destination(s).
- A flexible architecture is used that consist of flow records, flow exports, and flow monitors that allows different NetFlow collection requirements to be applied to different interfaces for ingress and egress traffic flows.
- Cisco NX-OS supports more key and non-key fields (L2 and L3) when creating flow records. It can also collect additional information such as TCP flags, which are useful for security auditing.
- NetFlow collects multicast traffic statistics by default. Cisco IOS software requires the global ip multicast netflow output-counters command.
- NetFlow Versions 5 and 9 export formats are supported (Version 9 is recommended for the greatest flexibility and is required for layer-2 NetFlow).
- A source interface must be configured for each flow export.
- Cisco NX-OS defaults to User Datagram Protocol (UDP) port 9995 for NetFlow Data Export. Cisco IOS Software requires the UDP port to be specified.
- A NetFlow export packet can be configured with a specific DSCP QoS value using the dscp <#> flow-export command.
- Cisco NX-OS provides more granular aging timers (session timer and aggressive threshold).
- The default aging timer values are different than in Cisco IOS Software.
Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring and managing NetFlow.
- Configuring NetFlow is a four-step process: Configure the record or use a predefined record, configure the exporter, configure the monitor, and apply the monitor to an interface or VLAN.
- If the feature netflow command is removed, all relevant NetFlow configuration information is also removed.
- NetFlow consumes hardware resources (ternary content-addressable memory [TCAM], CPU, etc.), so understanding the resource utilization on a device is important before enabling NetFlow.
- NetFlow is processed after the ACL processing on an interface, so an ACL (ingress or egress) will impact what flows are collected.
- Sampling mode preserves CPU and NetFlow cache entries in high-traffic environments.
- A traffic direction (input or output) needs to be specified when a flow monitor is applied to an interface. Layer-2 NetFlow (MAC accounting) only supports the input option.
- Egress NetFlow is supported allowing packets to be captured after they are un-encapsulated.
- Multiple NetFlow export destinations can be configured per exporter to improve resiliency.
- NetFlow is VRF aware so exported data can be sent to a collector in a specified VRF instance. This is configured under a flow exporter with the destination x.x.x.x use-vrf <instance> command.
- The active-aging flow timeout is 1800 seconds by default
- The inactive-aging flow timeout is 15 seconds by default.
- The fast-aging flow timeout is disabled by default.
- The aggressive-aging flow threshold is disabled by default.
- TCP session aging is disabled by default.
- The show running-config netflow command can be used to view the running NetFlow configuration.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are several significant differences: Cisco NX-OS allows NetFlow to be enabled and disabled globally, and it uses a more flexible architecture that allows different statistics to be collected for different applications, whereas the Cisco IOS Software on the Catalyst 6500 supports one flow mask and export pair for the entire chassis. The Cisco IOS Software syntax shown here is from Cisco IOS Software release 12.2SXH.
| Cisco IOS CLI | Cisco NX-OS CLI |
|---|---|
| Enabling the NetFlow Feature |
| Cisco IOS Software does not have the ability to enable or disable NetFlow. | feature netflow |
|---|
| Configuring a Layer-3 NetFlow Flow Record (Custom) |
| Cisco IOS Software does not have the ability to create custom layer-3 NetFlow records. A system wide flow mask is defined. The following example uses interface-full. mls netflow interface mls flow ip interface-full mls nde sender version 5 |
flow record Netflow-Record-1description Custom-Flow-Record
match ipv4 source address match ipv4 destination address match transport destination-port collect counter bytes collect counter packets |
|---|
| Configuring a Layer-2 NetFlow Flow Record (Custom) |
| Cisco IOS Software does not have the ability to create custom layer-2 NetFlow records to capture MAC address information or reference it as a key field. | flow record Netflow-Record-1description Layer-2-Flow-Record
match datalink mac source-address match datalink mac destination-address collect counter bytes collect counter packets |
|---|
| Configuring a NetFlow Flow Export |
| ip flow-export source GigabitEthernet2/2ip flow-export version 9
ip flow-export destination 192.168.11.2 2000 |
flow exporter Netflow-Exporter-1description Production-Netflow-Exporter
destination 192.168.11.2 source Ethernet2/2 version 9 |
|---|
| Configuring a NetFlow Monitor with a Custom Record |
| Cisco IOS Software does not have the ability to create flow monitors that associate NetFlow records to NetFlow exporters. | flow monitor Netflow-Monitor-1description Applied Inbound-Eth-1/1
record Netflow-Record-1 exporter Netflow-Exporter-1 |
|---|
| Configuring a NetFlow Monitor with an Original Record |
| Cisco IOS Software does not have the ability to create flow monitors that associate NetFlow records to NetFlow exporters. | flow monitor Netflow-Monitor-2description Use Predefined “Original-Netflow-Record”
record netflow-original exporter Netflow-Exporter-1 |
|---|
| Adjusting NetFlow Timers |
| mls aging fastmls aging long 120
mls aging normal 32 |
flow timeout active 120flow timeout inactive 32
flow timeout fast 32 threshold 100 flow timeout session flow timeout aggressive threshold 75 |
|---|
| Configuring a NetFlow Sampler |
| mls sampling packet-based 64 8000mls flow int-full
mls nde sender version 5 |
sampler NF-Sampler-1description Sampler-for-high-traffic-environment
mode 1 out-of 1000 |
|---|
| Applying a NetFlow Monitor to an Interface |
| interface gigabitethernet 1/1ip flow ingress | interface ethernet 1/1ip flow monitor Netflow-Monitor-1 input |
|---|
| Applying a NetFlow Monitor to a VLAN |
| ip flow ingress layer2-switched vlan 10 | vlan configuration 10ip flow monitor Netflow-Monitor input |
|---|
| Applying a Layer-2 NetFlow Monitor an Interface |
| Cisco IOS Software does not have the ability to apply a layer-2 flow monitor to an interface and specify the input or output direction. Cisco IOS software uses a global command to specify the VLAN for which only ingress bridged-traffic is captured. See the previous example. | interface etherent 1/1switchport
switchport access vlan 100 mac packet-classify layer2-switched flow monitor Netflow-Monitor-L2 input |
|---|
| Applying a NetFlow Sampler to an Interface |
| interface gigabitethernet1/1mls netflow sampling | interface ethernet 1/1ip flow monitor Netflow-Monitor-1 input sampler NF-Sampler-1 |
|---|
| Applying a NetFlow Sampler to a VLAN |
| Cisco IOS Software does not have the ability to apply a sampler to a VLAN. | vlan configuration 10ip flow monitor Netflow-Monitor-1 input sampler NF-Sampler-1 |
|---|---|
| Applying a Layer-2 NetFlow Sampler an Interface |
| Cisco IOS Software does not have the ability to apply a layer-2 sampler to an interface. | interface etherent 1/1switchport
switchport access vlan 100 mac packet-classify layer2-switched flow monitor Netflow-Monitor-L2 input sampler NF-Sampler-1 |
|---|
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting NetFlow.
| Cisco NX-OS NetFlow | Cisco IOS Software NetFlow | Command Description |
|---|---|---|
| show flow exporter | show mls nde | Displays the configured exporter maps |
| show flow interface | – | Displays interfaces configured for NetFlow |
| show flow monitor | – | Displays information about monitor maps |
| show flow record | – | Displays information about record maps |
| show flow timeout | – | Displays the NetFlow timeout value |
| show hardware flow aging | show mls netflow aging | Displays the NetFlow table aging timeout value |
| show hardware flow entry | show mls netflow ip flow | Displays flow-specific information |
| show hardware flow ip | show mls netflow ip | Displays the IP NetFlow table |
| show hardware flow l2 | – | Displays the Layer-2 NetFlow table |
| show hardware flow sampler | show mls sampling | Displays the NetFlow sampling configuration |
| show hardware flow utilization module | show mls netflow table summary | Displays NetFlow table utilization per module |
| show sampler | show flow-sampler | Displays information about sampler maps |
