NetFlow Monitoring

NetFlow is a standard network protocol for collecting IP traffic data. NetFlow enables you to define a flow in terms of unidirectional IP packets that share certain characteristics. All packets that match the flow definition are collected and exported to one or more external NetFlow Collectors, where they can be further aggregated, analyzed, and used for application-specific processing.

Cisco UCS Manager uses NetFlow-capable adapters (Cisco UCS VIC 1300 series, Cisco UCS VIC 1400 series, Cisco UCS VIC 14000 series, and Cisco UCS VIC 15000 series) to communicate with the routers and switches that collect and export flow information.

Starting with release 4.3(2b), NetFlow monitoring is supported on Cisco UCS 6400 and 6500 series Fabric Interconnects.

Starting with release 4.3(4b), NetFlow monitoring is supported on Cisco UCS Fabric Interconnects 9108 100G (Cisco UCS X-Series Direct).

Network Flows

A flow is a set of unidirectional IP packets that have common properties, such as the source or destination of the traffic, routing information, and the protocol used. Flows are collected when they match the definitions in the flow record definition.

Flow Record Definitions

A flow record definition contains information about the properties used to define the flow, which can include both characteristic properties and measured properties. Characteristic properties, also called flow keys, are the properties that define the flow. Cisco UCS Manager supports IPv4, IPv6, and Layer 2 keys. Measured properties, also called flow values or non-keys, are measurable values such as the number of bytes contained in all packets of the flow, or the total number of packets.

A flow record definition is a specific combination of flow keys and flow values. The two types of flow record definitions are:

  • System-defined—Default flow record definitions supplied by Cisco UCS Manager.

  • User-defined—Flow record definitions that you can create yourself.
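The following added example (not from the Cisco guide) shows what a record built from this page's IPv4 keys and non-keys looks like once exported in NetFlow v9, and how a collector decodes it: the exporter sends a template describing the field layout, then data records that are only decodable once that template has been received, which is why exporters periodically resend templates (the template-data-timeout configured later on this page). The packet bytes, addresses and counters are constructed in the code; the field numbers are the NetFlow v9 IDs from RFC 3954.

```python
"""Decode a NetFlow v9 export carrying this page's IPv4 keys and non-keys.
Added example: the packet is constructed below, not captured from a Cisco UCS exporter."""
import struct
from ipaddress import IPv4Address

_int = lambda b: int.from_bytes(b, "big")
_ip = lambda b: str(IPv4Address(b))
# NetFlow v9 field type IDs (RFC 3954) mapped to this page's key/non-key names.
FIELDS = {8: ("ipv4-src-address", _ip), 12: ("ipv4-dest-address", _ip),
          7: ("src-port", _int), 11: ("dest-port", _int), 4: ("ip-protocol", _int),
          5: ("ip-tos", _int), 1: ("counter-bytes-long", _int),
          2: ("counter-packets-long", _int), 22: ("sys-uptime-first", _int),
          21: ("sys-uptime-last", _int)}

def parse_v9(data, templates):
    """Decode one export packet. `templates` is shared across calls because a data
    flowset can only be decoded after the template with its ID has been received."""
    version = struct.unpack("!H", data[:2])[0]      # 20-byte header: version, count,
    if version != 9:                                # sysUptime, unixSecs, seq, sourceId
        raise ValueError("not a NetFlow v9 packet")
    records, off = [], 20
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[off:off + 4])
        body = data[off + 4:off + fs_len]
        if fs_id == 0:                                # template flowset
            p = 0
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                spec = struct.unpack("!" + "HH" * n, body[p + 4:p + 4 + 4 * n])
                templates[tid] = list(zip(spec[0::2], spec[1::2]))   # (type, length)
                p += 4 + 4 * n
        elif fs_id in templates:                      # data flowset, template known
            rec_len, p = sum(l for _, l in templates[fs_id]), 0
            while p + rec_len <= len(body):           # shorter tail is padding
                rec, q = {}, p
                for ftype, flen in templates[fs_id]:
                    name, conv = FIELDS.get(ftype, (f"field{ftype}", bytes))
                    rec[name], q = conv(body[q:q + flen]), q + flen
                records.append(rec)
                p += rec_len
        # else: template not yet seen; the flowset is dropped until it is resent
        off += fs_len
    return records

def build_sample(with_template=True):
    """Constructed export: template 256 plus one TCP flow record (38 B + 2 B padding)."""
    spec = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (5, 1), (1, 8), (2, 8), (22, 4), (21, 4)]
    tmpl = struct.pack("!HH", 256, len(spec)) + b"".join(struct.pack("!HH", *f) for f in spec)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl if with_template else b""
    rec = (IPv4Address("192.0.2.10").packed + IPv4Address("198.51.100.20").packed
           + struct.pack("!HHBBQQII", 51234, 443, 6, 0, 73400, 52, 1000, 1115))
    data_fs = struct.pack("!HH", 256, 4 + len(rec) + 2) + rec + b"\x00\x00"
    header = struct.pack("!HHIIII", 9, 2 if with_template else 1, 1200, 1700000000, 1, 0)
    return header + tmpl_fs + data_fs
```

A data-only packet that arrives before any template yields no records, which is the gap that template resending closes.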

Flow Exporters, Flow Exporter Profiles, and Flow Collectors

Flow exporters transfer the flows to the flow collector based on the information in a flow exporter profile. The flow exporter profile contains the networking properties used to export NetFlow packets. The networking properties include a VLAN, the source IP address, and the subnet mask for each fabric interconnect.


Note

In the Cisco UCS Manager GUI, the networking properties are defined in an exporter interface that is included in the profile. In the Cisco UCS Manager CLI, the properties are defined in the profile.


Flow collectors receive the flows from the flow exporter. Each flow collector contains an IP address, port, external gateway IP, and VLAN that defines where the flows are sent.

Flow Monitors and Flow Monitor Sessions

A flow monitor consists of a flow definition, one or two flow exporters, and a timeout policy. You can use a flow monitor to specify which flow information you want to gather, and where you want to collect it from. Each flow monitor operates in either the egress or ingress direction.

A flow monitor session contains up to four flow monitors: two flow monitors in the ingress direction and two flow monitors in the egress direction. A flow monitor session can also be associated with a vNIC.

NetFlow Limitations

The following limitations apply to NetFlow monitoring:

  • NetFlow monitoring is supported on Cisco UCS VIC 1300, 1400, 14000, and 15000 series adapters. On Cisco UCS VIC 1200 series adapters, NetFlow is not recommended with FCoE traffic.

  • For Cisco UCS Fabric Interconnects 9108 100G, Cisco UCS 6500 series, and Cisco UCS 6400 Series Fabric Interconnects:

    • NetFlow monitoring covers both the host receive and host transmit directions. A NetFlow monitoring session applied to the Host Receive Direction Monitor enables both transmit and receive monitoring, while a NetFlow monitoring session applied to the Host Transmit Direction Monitor is a no-op.

    • A vEthernet interface NetFlow monitor always has NFM_RECORD_L2_SRC_VLAN enabled.

    • Active Timeout and Inactive Timeout values in Flow Timeout Policy cannot be modified.

  • You can have up to 64 flow record definitions, flow exporters, and flow monitors.

  • NetFlow is not supported in vNIC template objects.

  • PVLANs and local VLANs are not supported for service VLANs.

  • All VLANs must be public and must be common to both fabric interconnects.

  • VLANs must be defined as an exporter interface before they can be used with a flow collector.

  • You cannot use NetFlow on a vNIC that has usNIC, Virtual Machine Queue, Virtual Machine Multiple Queues, RoCE, SR-IOV, Geneve, or Linux ARFS enabled.

  • You cannot downgrade the Cisco UCS Manager software while NetFlow Monitoring is enabled. To downgrade, disable the NetFlow Monitoring feature first.

Enabling or Disabling NetFlow Monitoring

Procedure

  Command or Action Purpose

Step 1

UCS-A# scope eth-flow-mon

Enters the ethernet flow monitor mode.

Step 2

UCS-A /eth-flow-mon # enable|disable

Enables the NetFlow feature and deploys any existing NetFlow configuration in Cisco UCS Manager onto NX-OS.

Or, disables the NetFlow feature and removes its configuration from NX-OS. Even when you disable NetFlow monitoring, Cisco UCS Manager retains the NetFlow configuration and deploys the same configuration again when you re-enable NetFlow monitoring.

Note

Disabling NetFlow removes all NetFlow-related configuration from the backend. All flow sessions that are in use are removed.

Step 3

UCS-A /eth-flow-mon # commit-buffer

Commits the transaction to the system configuration.

Example

The following example shows how to disable NetFlow monitoring:

UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # disable
Warning: Disabling Netflow will Remove all Netflow related configuration from backend. 
All the flow session which is in use will get cleaned up.
UCS-A /eth-flow-mon* # commit-buffer
UCS-A /eth-flow-mon # 

Configuring a Flow Record Definition

Procedure

  Command or Action Purpose

Step 1

UCS-A# scope eth-flow-mon

Enters the ethernet flow monitor mode.

Step 2

UCS-A /eth-flow-mon # enter flow-record flow-record-name

Enters flow record mode for the specified flow record.

Step 3

UCS-A /eth-flow-mon/flow-record # set keytype {ipv4keys | ipv6keys | l2keys}

Specifies the key type.

Step 4

UCS-A /eth-flow-mon/flow-record # set ipv4keys {dest-port | ip-protocol | ip-tos | ipv4-dest-address | ipv4-src-address | src-port}

Specifies the attributes for the key type that you selected in Step 3.

Note

Use this command only if you chose ipv4keys in Step 3.

Step 5

UCS-A /eth-flow-mon/flow-record # set ipv6keys {dest-port | ip-protocol | ipv6-dest-address | ipv6-src-address | src-port}

Specifies the attributes for the key type that you selected in Step 3.

Note

Use this command only if you chose ipv6keys in Step 3.

Step 6

UCS-A /eth-flow-mon/flow-record # set l2keys {dest-mac-address | ethertype | src-mac-address}

Specifies the attributes for the key type that you chose in Step 3.

Note

Use this command only if you chose l2keys in Step 3.

Step 7

UCS-A /eth-flow-mon/flow-record # set nonkeys {counter-bytes-long | counter-packets-long | sys-uptime-first | sys-uptime-last}

Specifies the nonkey attributes.

Step 8

UCS-A /eth-flow-mon/flow-record # commit-buffer

Commits the transaction to the system configuration.

Example

The following example shows how to create a flow record definition with Layer 2 keys and commit the transaction:

UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # enter flow-record r1
UCS-A /eth-flow-mon/flow-record* # set keytype l2keys
UCS-A /eth-flow-mon/flow-record* # set l2keys dest-mac-address src-mac-address
UCS-A /eth-flow-mon/flow-record* # set nonkeys sys-uptime counter-bytes counter-packets
UCS-A /eth-flow-mon/flow-record* # commit-buffer
UCS-A /eth-flow-mon/flow-record # 

Configuring an Exporter Profile

Procedure

  Command or Action Purpose

Step 1

UCS-A# scope eth-flow-mon

Enters the ethernet flow monitor mode.

Step 2

UCS-A /eth-flow-mon # scope flow-profile profile-name

Enters the flow profile mode for the specified profile.

Step 3

UCS-A /eth-flow-mon/flow-profile # show config

Displays the flow profile configuration.

Step 4

UCS-A /eth-flow-mon/flow-profile # enter vlan vlan-name

Specifies the VLAN associated with the exporter profile. PVLANs and local VLANs are not supported. All VLANs must be public and must be common to both fabric interconnects.

Step 5

UCS-A /eth-flow-mon/flow-profile/vlan # enter fabric {a | b}

Enters flow profile mode for the specified fabric.

Step 6

UCS-A /eth-flow-mon/flow-profile/vlan/fabric/ # set addr ip-addr subnet ip-addr

Specifies the source IP and subnet mask for the exporter profile on the fabric.

Important

Make sure the IP address you specify is unique within the Cisco UCS domain. IP address conflicts can occur if you specify an IP address that is already being used by Cisco UCS Manager.

Step 7

UCS-A /eth-flow-mon/flow-profile/vlan/fabric/ # commit-buffer

Commits the transaction to the system configuration.

Example

The following example shows how to configure the default exporter profile, set the source IP and subnet mask for the exporter interface on each fabric, and commit the transaction:

UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # scope flow-profile default
UCS-A /eth-flow-mon/flow-profile # enter vlan 100
UCS-A /eth-flow-mon/flow-profile/vlan* # enter fabric a
UCS-A /eth-flow-mon/flow-profile/vlan/fabric* # set addr 10.10.10.10 subnet 255.255.255.0
UCS-A /eth-flow-mon/flow-profile/vlan/fabric* # up
UCS-A /eth-flow-mon/flow-profile/vlan* # enter fabric b
UCS-A /eth-flow-mon/flow-profile/vlan/fabric* # set addr 10.10.10.11 subnet 255.255.255.0
UCS-A /eth-flow-mon/flow-profile/vlan/fabric* # commit-buffer
UCS-A /eth-flow-mon/flow-profile/vlan/fabric # 

Configuring a NetFlow Collector

Procedure

  Command or Action Purpose

Step 1

UCS-A# scope eth-flow-mon

Enters the ethernet flow monitor mode.

Step 2

UCS-A /eth-flow-mon # enter flow-collector flow-collector-name

Enters the flow collector mode for the specified flow collector.

Step 3

UCS-A /eth-flow-mon/flow-collector # set dest-port port_number

Specifies the destination port for the flow collector.

Step 4

UCS-A /eth-flow-mon/flow-collector # set vlan vlan_id

Specifies the VLAN ID for the flow collector.

Step 5

UCS-A /eth-flow-mon/flow-collector # enter ip-if

Enters IPv4 configuration mode.

Step 6

UCS-A /eth-flow-mon/flow-collector/ip-if # set addr ip-address

Specifies the exporter IP address.

Step 7

UCS-A /eth-flow-mon/flow-collector/ip-if # set exporter-gw gw-address

Specifies the exporter gateway address.

Step 8

UCS-A /eth-flow-mon/flow-collector/ip-if # commit-buffer

Commits the transaction to the system configuration.

Example

The following example shows how to configure a NetFlow collector, set the exporter IP and gateway address, and commit the transaction:

UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # enter flow-collector c1
UCS-A /eth-flow-mon/flow-collector* # set dest-port 9999
UCS-A /eth-flow-mon/flow-collector* # set vlan vlan100
UCS-A /eth-flow-mon/flow-collector* # enter ip-if 
UCS-A /eth-flow-mon/flow-collector/ip-if* # set addr 20.20.20.20
UCS-A /eth-flow-mon/flow-collector/ip-if* # set exporter-gw 10.10.10.1
UCS-A /eth-flow-mon/flow-collector/ip-if* # commit-buffer
UCS-A /eth-flow-mon/flow-collector/ip-if #

Configuring a Flow Exporter

Procedure

  Command or Action Purpose

Step 1

UCS-A# scope eth-flow-mon

Enters the ethernet flow monitor mode.

Step 2

UCS-A /eth-flow-mon # enter flow-exporter flow-exporter-name

Enters the flow exporter mode for the specified flow exporter.

Step 3

UCS-A /eth-flow-mon/flow-exporter # set dscp dscp_number

Specifies the differentiated services code point.

Step 4

UCS-A /eth-flow-mon/flow-exporter # set flow-collector flow-collector_name

Specifies the flow collector.

Step 5

UCS-A /eth-flow-mon/flow-exporter # set exporter-stats-timeout timeout_number

Specifies the timeout period for resending NetFlow flow exporter data.

Step 6

UCS-A /eth-flow-mon/flow-exporter # set interface-table-timeout timeout_number

Specifies the time period for resending the NetFlow flow exporter interface table.

Step 7

UCS-A /eth-flow-mon/flow-exporter # set template-data-timeout timeout_number

Specifies the timeout period for resending NetFlow template data.

Step 8

UCS-A /eth-flow-mon/flow-exporter # commit-buffer

Commits the transaction to the system configuration.

Example

The following example shows how to configure a flow exporter, set the timeout values, and commit the transaction:

UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # enter flow-exporter ex1
UCS-A /eth-flow-mon/flow-exporter* # set dscp 6
UCS-A /eth-flow-mon/flow-exporter* # set flow-collector c1
UCS-A /eth-flow-mon/flow-exporter* # set exporter-stats-timeout 600
UCS-A /eth-flow-mon/flow-exporter* # set interface-table-timeout 600
UCS-A /eth-flow-mon/flow-exporter* # set template-data-timeout 600
UCS-A /eth-flow-mon/flow-exporter* # commit-buffer
UCS-A /eth-flow-mon/flow-exporter # 

Configuring a Flow Monitor

Procedure

  Command or Action Purpose

Step 1

UCS-A# scope eth-flow-mon

Enters the ethernet flow monitor mode.

Step 2

UCS-A /eth-flow-mon # enter flow-monitor flow-monitor-name

Enters the flow monitor mode for the specified flow monitor.

Step 3

UCS-A /eth-flow-mon/flow-monitor # set flow-record flow-record-name

Specifies the flow record.

Step 4

UCS-A /eth-flow-mon/flow-monitor # create flow-exporter flow-exporter-name

Specifies the first flow exporter.

Step 5

UCS-A /eth-flow-mon/flow-monitor # create flow-exporter flow-exporter-name

Specifies the second flow exporter.

Step 6

UCS-A /eth-flow-mon/flow-monitor # commit-buffer

Commits the transaction to the system configuration.

Example

The following example shows how to create a flow monitor and commit the transaction:

UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # enter flow-monitor m1
UCS-A /eth-flow-mon/flow-monitor* # set flow-record r1
UCS-A /eth-flow-mon/flow-monitor* # create flow-exporter ex1
UCS-A /eth-flow-mon/flow-monitor* # create flow-exporter ex2
UCS-A /eth-flow-mon/flow-monitor* # commit-buffer
UCS-A /eth-flow-mon/flow-monitor # 

Configuring a Flow Monitor Session

Procedure

  Command or Action Purpose

Step 1

UCS-A# scope eth-flow-mon

Enters the ethernet flow monitor mode.

Step 2

UCS-A /eth-flow-mon # enter flow-mon-session flow-monitor-session-name

Enters the flow monitor session mode for the specified flow monitor session.

Step 3

UCS-A /eth-flow-mon/flow-mon-session # create flow-monitor flow-monitor-1

Specifies the first flow monitor.

Step 4

UCS-A /eth-flow-mon/flow-mon-session # create flow-monitor flow-monitor-2

Specifies the second flow monitor.

Step 5

UCS-A /eth-flow-mon/flow-mon-session # commit-buffer

Commits the transaction to the system configuration.

Example

The following example shows how to create a flow monitor session with two flow monitors:

UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # enter flow-mon-session s1
UCS-A /eth-flow-mon/flow-mon-session* # create flow-monitor m1
UCS-A /eth-flow-mon/flow-mon-session* # create flow-monitor m2
UCS-A /eth-flow-mon/flow-mon-session* # commit-buffer
UCS-A /eth-flow-mon/flow-mon-session # 

Configuring a NetFlow Cache Active and Inactive Timeout

Procedure

  Command or Action Purpose

Step 1

UCS-A# scope eth-flow-mon

Enters the ethernet flow monitor mode.

Step 2

UCS-A /eth-flow-mon # scope flow-timeout timeout-name

Enters the flow timeout mode for the specified flow timeout.

Step 3

UCS-A /eth-flow-mon/flow-timeout # set cache-timeout-active timeout-value

Specifies the active timeout value. This value can be between 60 and 4092 seconds. The default value is 120 seconds.

Step 4

UCS-A /eth-flow-mon/flow-timeout # set cache-timeout-inactive timeout-value

Specifies the inactive timeout value. This value can be between 15 and 4092 seconds. The default value is 15 seconds.

Step 5

UCS-A /eth-flow-mon/flow-timeout # commit-buffer

Commits the transaction to the system configuration.

Example

The following example shows how to change the NetFlow timeout values and commit the transaction:

UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # scope flow-timeout default
UCS-A /eth-flow-mon/flow-timeout # set cache-timeout-active 1800
UCS-A /eth-flow-mon/flow-timeout* # set cache-timeout-inactive 20
UCS-A /eth-flow-mon/flow-timeout* # commit-buffer
UCS-A /eth-flow-mon/flow-timeout #
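To see what these two timeouts do to the records a collector receives, here is an added model (not Cisco code) of a flow cache with the active and inactive timeouts configured above, run over three constructed traffic patterns: a steady 30-minute transfer, a short request/response pair, and a sparse 60-second keepalive. With the defaults the transfer is reported as 15 consecutive records and each keepalive packet becomes its own record, which matters when you correlate or count flows on the collector side.

```python
"""Model of how the active and inactive cache timeouts on this page turn one
long-lived flow into several exported records (added example, not Cisco code)."""
from dataclasses import dataclass

@dataclass
class Entry:
    first: float          # sys-uptime-first of the record being built
    last: float           # sys-uptime-last seen so far
    packets: int = 0      # counter-packets
    nbytes: int = 0       # counter-bytes

def simulate_cache(packets, active=120, inactive=15):
    """packets: (timestamp_seconds, size_bytes) tuples for ONE flow key, in time order.
    Returns (exported_records, entry_still_cached); each exported record is
    (first, last, packets, bytes, reason, export_time). Expiry is evaluated when the
    next packet arrives instead of by a timer; the record contents are the same,
    because the next packet is always the first one at or past the deadline."""
    exported, entry = [], None
    for t, size in packets:
        if entry is not None:
            active_at, inactive_at = entry.first + active, entry.last + inactive
            if t >= min(active_at, inactive_at):              # a deadline has passed
                reason = "active" if active_at <= inactive_at else "inactive"
                exported.append((entry.first, entry.last, entry.packets, entry.nbytes,
                                 reason, min(active_at, inactive_at)))
                entry = None
        if entry is None:
            entry = Entry(first=t, last=t)
        entry.last, entry.packets, entry.nbytes = t, entry.packets + 1, entry.nbytes + size
    return exported, entry

def record_count(packets, active=120, inactive=15):
    """Records the collector will eventually see for the flow, counting the entry
    still in the cache (it is exported once its own timeout expires)."""
    exported, entry = simulate_cache(packets, active, inactive)
    return len(exported) + (1 if entry is not None else 0)

# Constructed sample traffic: a 30-minute transfer at one 1500-byte packet per second,
# a two-packet request/response, and a sparse keepalive sending 64 bytes every 60 s.
TRANSFER = [(t, 1500) for t in range(1800)]
REQUEST_RESPONSE = [(0, 80), (0.02, 120)]
KEEPALIVE = [(60 * i, 64) for i in range(10)]
```

Raising the active timeout to 1800 as in the CLI example above collapses the transfer into a single record, while the keepalive is still split per packet unless the inactive timeout exceeds its 60-second interval.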

Associating a Flow Monitor Session to a vNIC

Procedure

  Command or Action Purpose

Step 1

UCS-A# scope org org-name

Enters the organization mode for the specified organization. To enter the root organization mode, enter / as the org-name.

Step 2

UCS-A /org # scope service-profile profile-name

Enters the organization service profile mode for the specified service profile.

Step 3

UCS-A /org/service-profile # scope vnic vnic-name

Enters vNIC mode for the specified vNIC in the service profile.

Step 4

UCS-A /org/service-profile/vnic # enter flow-mon-src flow-monitor-session-name

Associates the flow monitor session to the vNIC.

Step 5

UCS-A /org/service-profile/vnic # commit-buffer

Commits the transaction to the system configuration.

Example

The following example shows how to associate the flow monitor session s1 to the vNIC eth5:

UCS-A# scope org /
UCS-A /org # scope service-profile sp1
UCS-A /org/service-profile # scope vnic eth5
UCS-A /org/service-profile/vnic # enter flow-mon-src s1
UCS-A /org/service-profile/vnic # commit-buffer