kentik / ktranslate

System for pulling and pushing network data.
Apache License 2.0

IPFIX Flow Data Not showing up in Network Flow Logs #593

Closed keegoid-nr closed 10 months ago

keegoid-nr commented 11 months ago

Confirming the following flow records are correct to send to New Relic from Cisco Catalyst 9300 and 9500 switches. Some data is arriving, some is not.

match ipv4 version
match ipv4 protocol
match application name
match connection client ipv4 address
match connection server ipv4 address
match connection server transport port
match flow observation point
collect timestamp absolute first
collect timestamp absolute last
collect flow direction
collect connection initiator
collect connection client counter packets long
collect connection client counter bytes network long
collect connection server counter packets long
collect connection server counter bytes network long
collect connection new-connections

Prior to adding the above flow records, the following attributes were showing up in New Relic (missing source/destination IPs and bytes metrics fields):

"allKeys": [
          "FlowDirection",
          "SamplerAddress",
          "Type",
          "collector.name",
          "company_id",
          "device_id",
          "device_name",
          "dst_endpoint",
          "entity.guid",
          "entity.name",
          "entity.type",
          "instrumentation.name",
          "instrumentation.provider",
          "nr.customEventSource",
          "protocol",
          "provider",
          "sample_rate",
          "src_endpoint",
          "tags.container_service",
          "timestamp"
        ]

Do you see any issues with the following general steps?

  1. Create a Flow Record: In this example, we will create a flow record named "NewRelicFlowRecord" that includes the following fields:

    • Match fields:
      • Source IP address
      • Destination IP address
      • Source port
      • Destination port
    • Collect fields:
      • Packets
      • Bytes

    The configuration command for creating the flow record would be:

    flow record NewRelicFlowRecord
    match ipv4 source address
    match ipv4 destination address
    match transport source-port
    match transport destination-port
    collect counter packets
    collect counter bytes
  2. Configure the Cisco Catalyst 9300 and 9500 switches: Follow the appropriate Cisco documentation[1][4] to configure the switches according to your network requirements.

  3. Configure the IPFIX Exporter: Set up the IPFIX exporter on your Cisco Catalyst switches to send flow records to the New Relic collector. Specify the IP address of the New Relic collector and the interface to send the flows from. In this example, we will use interface GigabitEthernet1/0/48 as the source interface. The configuration command for the IPFIX exporter would be:

    flow exporter NewRelicExporter
    description Export to New Relic
    destination <New Relic collector IP address>
    source GigabitEthernet1/0/48
    transport udp 2055
    export-protocol ipfix
    template data timeout 60
  4. Apply Flow Monitor to Interfaces: After combining the flow record and exporter values into a flow monitor, you can apply the flow monitor to the desired interfaces. Specify the direction (input or output) and the interfaces to monitor. In this example, we will apply the flow monitor to the input direction of interface GigabitEthernet1/0/1. The configuration command would be:

    flow monitor NewRelicMonitor
    record NewRelicFlowRecord
    exporter NewRelicExporter
    cache timeout active 60
    cache timeout inactive 15
    !
    interface GigabitEthernet1/0/1
    ip flow monitor NewRelicMonitor input
  5. Configure New Relic to receive IPFIX data: Follow the New Relic documentation[2] to set up the necessary configurations for receiving IPFIX data from the Cisco Catalyst switches.

  6. Visualize network traffic flows: Once the configurations are in place, you can use New Relic One Network Monitoring to visualize network traffic flows and track network infrastructure metrics alongside other telemetry data[6].

Please note that the above example is a general guide, and the specific configuration commands may vary depending on your network setup and requirements. Always refer to the official documentation for your specific switch model and software version.

References:

  1. Cisco Catalyst 9300 NetFlow Configuration - Plixer
  2. New Relic documentation
  3. Cisco NetFlow Configuration - Cisco
  4. Cisco Catalyst 9300 / 9500 NetFlow Configuration - Noction
  5. Cloudflare Magic Network Monitoring docs - Netflow/IPFIX configuration
  6. New Relic Forum - Configuration IPFix New Relic

Citations:

  1. https://www.examtopics.com/discussions/cisco/view/74413-exam-350-701-topic-1-question-141-discussion/
  2. https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/Cisco_NetFlow_Configuration.pdf
  3. https://www.noction.com/blog/cisco-catalyst-netflow-configuration
  4. https://www.plixer.com/blog/cisco-catalyst-9300-netflow-configuration/
  5. https://developers.cloudflare.com/magic-network-monitoring/routers/netflow-ipfix-config/
  6. https://forum.newrelic.com/ForumsRedirectPage?old_topic=155875
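As an added example (my code, not from this issue or the ktranslate project): a small Python IPFIX encoder/decoder that builds a constructed message carrying the NewRelicFlowRecord elements from step 1, decodes it, and reports which elements a template omits, which is the kind of check that explains the earlier allKeys list arriving without source/destination IPs and byte counts. The IANA element IDs are standard; the template ID, addresses and counters are constructed sample values, and set padding is not handled.

```python
import struct
import ipaddress

# IANA IPFIX information element IDs for the NewRelicFlowRecord fields (step 1).
IE = {8: ("sourceIPv4Address", 4), 12: ("destinationIPv4Address", 4),
      7: ("sourceTransportPort", 2), 11: ("destinationTransportPort", 2),
      2: ("packetDeltaCount", 8), 1: ("octetDeltaCount", 8)}
# Elements a collector needs before src/dst IP and byte fields can be populated.
REQUIRED = {"sourceIPv4Address", "destinationIPv4Address", "octetDeltaCount"}

def encode(name, size, v):  # IPv4 elements carry packed addresses, the rest big-endian ints
    return ipaddress.IPv4Address(v).packed if name.endswith("IPv4Address") else v.to_bytes(size, "big")
def decode(name, raw):
    return str(ipaddress.IPv4Address(raw)) if name.endswith("IPv4Address") else int.from_bytes(raw, "big")

def build_message(template_id, ie_ids, values):
    """Constructed sample: IPFIX v10 header + one template set (set ID 2) + one data set."""
    tmpl = struct.pack("!HH", template_id, len(ie_ids))
    tmpl += b"".join(struct.pack("!HH", i, IE[i][1]) for i in ie_ids)
    rec = b"".join(encode(IE[i][0], IE[i][1], v) for i, v in zip(ie_ids, values))
    body = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", template_id, 4 + len(rec)) + rec
    # header: version 10, total length, export time, sequence number, observation domain ID
    return struct.pack("!HHIII", 10, 16 + len(body), 0, 1, 0) + body
def parse_message(msg):
    """Decode template sets, then data sets using the templates seen so far."""
    version, length = struct.unpack("!HH", msg[:4])
    assert version == 10 and length == len(msg)
    templates, records, off = {}, [], 16
    while off < length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        p, end = off + 4, off + set_len
        if set_id == 2:                      # template set (set padding not handled)
            while p + 4 <= end:
                tid, n = struct.unpack("!HH", msg[p:p + 4])
                templates[tid] = [struct.unpack("!HH", msg[p + 4 + 4*k:p + 8 + 4*k]) for k in range(n)]
                p += 4 + 4 * n
        elif set_id in templates:            # data set for a known template
            fields = templates[set_id]
            rec_len = sum(size for _, size in fields)
            while p + rec_len <= end:        # leftover bytes shorter than a record are padding
                rec = {}
                for ie_id, size in fields:
                    name = IE.get(ie_id, (f"ie{ie_id}",))[0]
                    rec[name], p = decode(name, msg[p:p + size]), p + size
                records.append(rec)
        off = end
    return templates, records

def missing_fields(templates):  # REQUIRED elements each template omits; [] means IPs and bytes arrive
    return {tid: sorted(REQUIRED - {IE.get(i, ("?",))[0] for i, _ in f}) for tid, f in templates.items()}
```

Running a template without the two address elements through missing_fields reproduces the symptom from the first allKeys list: ports and counters decode, but no source or destination IP can be populated.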

i3149 commented 11 months ago

I think this looks good to me. @tma-tik -- can you confirm? Thanks!

Kentik has some config snippets at https://github.com/kentik/config-snippets but I don't see an explicit 9500 series one there.

tma-tik commented 11 months ago

It looks good, but to truly confirm that is to actually configure it on the actual device, which we don't have.

however, we are using

The Catalyst cat8k and cat9k series run on IOS-XE 17.x; I think it should be fine.

github-actions[bot] commented 10 months ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] commented 10 months ago

This issue was closed because it has been stalled for 5 days with no activity.