Overview
The following steps configure a Cisco switch to send NetFlow records with the required template fields to the ADR Collector (CCE) VM.
Note: Make sure the firewall between your switch and the CCE VM allows UDP port 9995.
For more details see:
https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/Cisco_NetFlow_Configuration.pdf
Steps of Configuration
Note: In the steps below,
- replace <CCE_IP_Address> with the IP address of your CCE VM
- replace <InterfaceName> with the interfaces whose traffic you want to monitor, e.g. TenGigabitEthernet1/0/8-10. Use the command show interfaces for more detail.
First, log in to the device. Then run the configuration steps below.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# flow exporter aria
Switch(config-flow-exporter)# destination <CCE_IP_Address>
Switch(config-flow-exporter)# transport udp 9995
Switch(config-flow-exporter)# exit
Switch(config)# flow record aria
Switch(config-flow-record)# match ipv4 source address
Switch(config-flow-record)# match ipv4 destination address
Switch(config-flow-record)# match ipv4 protocol
Switch(config-flow-record)# match transport source-port
Switch(config-flow-record)# match transport destination-port
Switch(config-flow-record)# collect transport tcp flags
Switch(config-flow-record)# collect counter bytes
Switch(config-flow-record)# collect counter packets
Switch(config-flow-record)# collect timestamp sys-uptime first
Switch(config-flow-record)# collect timestamp sys-uptime last
Switch(config-flow-record)# exit
Switch(config)# flow monitor MonitorAria
Switch(config-flow-monitor)# record aria
Switch(config-flow-monitor)# exporter aria
Switch(config-flow-monitor)# exit
Switch(config)# interface range <InterfaceName>
Switch(config-if)# ip flow monitor MonitorAria input
Switch(config-if)# end
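To confirm afterwards that nothing in the exporter, record, monitor and interface chain was skipped, the saved configuration can be audited offline. The script below is an added example, not part of the original article or of any vendor tooling; it assumes the running configuration lists each command as typed above, indented under its section header, and the sample configuration and the address 192.0.2.10 are constructed.

```python
REQUIRED = [
    "match ipv4 source address", "match ipv4 destination address",
    "match ipv4 protocol", "match transport source-port",
    "match transport destination-port", "collect transport tcp flags",
    "collect counter bytes", "collect counter packets",
    "collect timestamp sys-uptime first", "collect timestamp sys-uptime last",
]

# Constructed sample in running-config layout; the tcp flags line is left out on purpose.
SAMPLE = "\n".join(
    ["flow record aria"] + [" " + f for f in REQUIRED if "tcp flags" not in f] +
    ["!", "flow exporter aria", " destination 192.0.2.10", " transport udp 9995",
     "!", "flow monitor MonitorAria", " exporter aria", " record aria",
     "!", "interface TenGigabitEthernet1/0/8", " ip flow monitor MonitorAria input"])

def parse_sections(config):
    """Map each top-level config line to the set of indented lines beneath it."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():
            if current is not None:
                sections[current].add(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, set())
    return sections

def audit(config, exporter="aria", record="aria", monitor="MonitorAria", port=9995):
    """Return a list of findings; an empty list means the chain is complete."""
    s, findings = parse_sections(config), []
    exp = s.get(f"flow exporter {exporter}", set())
    if not any(line.startswith("destination ") for line in exp):
        findings.append("exporter has no destination")
    if f"transport udp {port}" not in exp:
        findings.append(f"exporter not sending to udp/{port}")
    rec = s.get(f"flow record {record}", set())
    findings += [f"record missing: {f}" for f in REQUIRED if f not in rec]
    mon = s.get(f"flow monitor {monitor}", set())
    if f"record {record}" not in mon or f"exporter {exporter}" not in mon:
        findings.append("monitor not bound to record and exporter")
    if not any(k.startswith("interface ") and f"ip flow monitor {monitor} input" in v
               for k, v in s.items()):
        findings.append("monitor not applied to any interface")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
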