Cisco & Cisco Network Hardware News and Technology

Cisco NetFlow-Lite on the Cisco Catalyst 2960-X, 2960-XR, 2960-CX, and 3560-CX Series Switches

May 7 2015, Written by Cisco & Cisco Router, Network Switch. Published on #Cisco Switches - Cisco Firewall

Output from Cisco NetFlow-Lite

Differences between Flexible NetFlow-Lite, Flexible NetFlow, and sFlow

We discussed the Cisco Catalyst 4948E NetFlow-Lite (NFLite) before. What's the difference between NetFlow and NetFlow-Lite? NetFlow-Lite was first introduced with the Catalyst 4948E. It bridges the gap by providing a lightweight solution that captures important flow information through packet sampling, combined with the extensibility of NetFlow version 9 and IPFIX. NetFlow-Lite introduces traffic visibility on the Cisco Catalyst 2960-X, 2960-XR, 2960-CX, and 3560-CX Series Switches for the first time.

NetFlow-Lite collects packets randomly, classifies them into flows, and measures flow statistics as they pass through the switch. It is a true flow-based traffic-monitoring mechanism that conserves valuable forwarding bandwidth when exporting flow-based data for analysis and reporting.

The sections below cover how NetFlow-Lite provides visibility into traffic that is switched through the Cisco Catalyst 2960-X, 2960-XR, 2960-CX, and 3560-CX Series Switches.

First, a recap of what NetFlow-Lite is used for.

NetFlow-Lite offers network administrators and engineers the following capabilities:

Unprecedented visibility: NetFlow-Lite provides real-time information about traffic flows from endpoints such as PCs, phones, IP cameras, etc. You can use this information for traffic monitoring of Layer 2 and Layer 3 traffic as well as capacity planning.

Network planning: You can use NetFlow-Lite to capture data over a long period of time so that customers can understand traffic patterns, top talkers, top applications, etc. This feature provides accurate data to track and anticipate network growth and plan upgrades.

Simplified troubleshooting: You can use NetFlow-Lite flow-based analysis techniques to understand traffic patterns, which can help in proactively detecting problems, troubleshooting efficiently, and resolving problems quickly.

NetFlow-Lite Capabilities

NetFlow-Lite provides a granular packet-sampling mechanism that is adjustable up to 1:32 and available for all interfaces. The implication is that a subset of all packets passing through the switch is selected for reporting.

NetFlow-Lite on the Cisco Catalyst 2960-X, 2960-XR, 2960-CX, and 3560-CX Series Switches has the following capabilities:

  • NetFlow-Lite is supported on all downlink and uplink ports.
  • NetFlow-Lite is natively available with no additional hardware required.
  • The sampling range is from 1:32 to 1:1022.
  • The application measures 16,000 flows per switch.
  • Physical ports and VLAN Interfaces (switched virtual interfaces [SVI]) are supported.
  • NetFlow-Lite supports ingress flows only.
  • Export uses the standards-based IP Flow Information Export (IPFIX) or Version 9 record format.

NetFlow-Lite Sampling Techniques

The sampling method can be random or deterministic. Random sampling chooses one packet at random out of each configured sample window, whereas deterministic sampling chooses the first packet of each window. For example, with 1:32 sampling, deterministic mode would choose the 1st, 33rd, 65th, 97th packet (and so on) coming into an interface, while random mode might choose the 5th, 39th, 72nd, 103rd packet (and so on). Random packet sampling is statistically more accurate than deterministic packet sampling.
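The difference between the two modes shows up when traffic is periodic relative to the sample window. The following simulation is an added example, not from the original post or from Cisco; the two-flow stream and the names `beacon` and `bulk` are constructed for illustration. It models 1:32 sampling as described above and scales each sampled packet by 32 to estimate per-flow packet counts.

```python
import random

def sample_indices(total, n, mode, rng):
    """Pick one packet index per n-packet window (1:n sampling)."""
    picks = []
    for start in range(0, total, n):
        window = min(n, total - start)
        # Deterministic: first packet of the window. Random: any packet in it.
        offset = 0 if mode == "deterministic" else rng.randrange(window)
        picks.append(start + offset)
    return picks

def estimate_flow_packets(stream, n, mode, rng):
    """Estimate per-flow packet counts: each sampled packet stands for n packets."""
    est = {}
    for i in sample_indices(len(stream), n, mode, rng):
        est[stream[i]] = est.get(stream[i], 0) + n
    return est

def build_periodic_stream(total, n):
    """Constructed traffic: 'beacon' sends exactly one packet per window,
    always at the same position; every other packet belongs to 'bulk'."""
    return ["beacon" if i % n == n // 2 else "bulk" for i in range(total)]

def demo(n=32, windows=10000, seed=1):
    """Compare the beacon flow's true packet count with both estimates."""
    stream = build_periodic_stream(n * windows, n)
    out = {"true_beacon": stream.count("beacon")}
    for mode in ("deterministic", "random"):
        est = estimate_flow_packets(stream, n, mode, random.Random(seed))
        out[mode] = est.get("beacon", 0)
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>14}: {value}")
```

Deterministic mode never exports the periodic flow because it always lands off the sampled position, while random mode recovers its volume to within sampling error. For monitoring and detection use, this is the practical reason to configure random mode.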

NetFlow-Lite Solution: NetFlow-Lite Configuration on the Cisco Catalyst 2960-X, 2960-XR, 2960-CX, and 3560-CX Series Switches

Steps: Only 5 Steps

Step 1. Configure a Flow Record, which defines the data collection. You can customize it for specific requirements. You can use the following example with most NetFlow collectors:

flow record v4
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect transport tcp flags
 collect interface input
 collect flow sampler
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

Step 2. Configure a Flow Exporter, which defines where the collected data needs to be sent. Please refer to the NetFlow collector application user guides and manual for specific details such as port number, differentiated services code point (DSCP), and other options. The configuration follows:

flow exporter Replicator
 description Exporter to Cisco Prime 2.0
 destination 10.2.44.12
 source GigabitEthernet1/0/1
 dscp 16
 template data timeout 60
 option interface-table

Step 3. Configure a Flow Monitor, which binds the flow record and exporter along with options to configure the flow cache:

flow monitor v4
 record v4
 exporter Replicator
 cache timeout active 30

Step 4. Configure a Flow Sampler. Define the sampling technique and sample size. The configuration follows:

sampler v4
 mode random 1 out-of 32

Step 5. Attach the Flow Monitor and Sampler to the interface:

interface GigabitEthernet1/0/1
 ip flow monitor v4 sampler v4 input
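The five steps depend on each other by name: the monitor references a record and an exporter, and the interface references a monitor and a sampler. The script below is an added example, not part of the original post or a Cisco tool. It checks a configuration for unresolved names and for the limits stated above (ingress only, sampling range 1:32 to 1:1022). The embedded configuration is condensed from the five steps, and the function names are hypothetical.

```python
import re

# Condensed from the five steps above (record fields trimmed for brevity).
PAGE_CONFIG = """flow record v4
 match ipv4 source address
flow exporter Replicator
 destination 10.2.44.12
flow monitor v4
 record v4
 exporter Replicator
sampler v4
 mode random 1 out-of 32
interface GigabitEthernet1/0/1
 ip flow monitor v4 sampler v4 input
"""
KINDS = ("flow record", "flow exporter", "flow monitor", "sampler")

def parse_sections(text):
    """Group indented sub-commands under their top-level command line."""
    sections = []
    for line in text.splitlines():
        if line.strip() and not line.startswith(" "):
            sections.append((line.strip(), []))
        elif line.strip() and sections:
            sections[-1][1].append(line.strip())
    return sections

def audit(text):
    """Return findings; an empty list means the five steps are consistent."""
    sections = parse_sections(text)
    defined = {k: {h[len(k) + 1:] for h, _ in sections if h.startswith(k + " ")} for k in KINDS}
    findings = []
    for head, body in sections:
        for cmd in body:
            ref = re.fullmatch(r"(record|exporter) (\S+)", cmd)
            if head.startswith("flow monitor ") and ref and ref[2] not in defined["flow " + ref[1]]:
                findings.append(f"{head}: undefined {ref[1]} {ref[2]}")
            rate = re.fullmatch(r"mode (random|deterministic) 1 out-of (\d+)", cmd)
            if rate and not 32 <= int(rate[2]) <= 1022:
                findings.append(f"{head}: rate 1:{rate[2]} outside 1:32 to 1:1022")
            att = re.fullmatch(r"ip flow monitor (\S+) sampler (\S+) (\S+)", cmd)
            if att:
                for kind, name in (("flow monitor", att[1]), ("sampler", att[2])):
                    if name not in defined[kind]:
                        findings.append(f"{head}: undefined {kind} {name}")
                if att[3] != "input":
                    findings.append(f"{head}: direction {att[3]} (ingress only)")
    return findings

print(audit(PAGE_CONFIG) or "all references resolve")
```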

Reference from http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-x-series-switches/solution_overview_c22-728776.html

Lists the License and Software Requirements for Cisco Netflow-Lite
