Nazaudy, a spark in your curious mind

Enable NetFlow V9 in Cisco Switches with PRTG

In this article we will explore what I did to enable NetFlow version 9 in our Cisco switches, to work in conjunction with a PRTG system. It is advisable to enable NetFlow V9 in Cisco Switches with PRTG, so you not only monitor the traffic but also the "source" and "destination" IP addresses from which the traffic is generated, giving you a better insight of what is happening in your network, and whom or what is utilising the bandwidth

The principle of this configuration can be organised in two blocks, the first one deals with your Cisco switches and the second one with the PRTG console. In the first section we'll do the following in the Cisco switches:

  1. Create a flow record
  2. Create a flow exporter
  3. Create a flow monitor
  4. Configure a sampler for packets
  5. Configure the interfaces to send flow data
  6. Configure DNS and SNMP in your Cisco switch

For the second part of this article, we will cover the PRTG configuration, as follows:

  1. Set Mbits units for your PRTG
  2. Ensure the channels you're monitoring are 64-bit
  3. Add the NetFlow V9 sensor
  4. Add Source and Destination IP Toplist
  5. Set Primary Toplist
  6. Create a NetFlow V9 PRTG map

Important note: which Cisco switches are compatible?

I have tested these settings with Cisco C2960X, C3850 and C9300, in devices with the newer IOS 15.0(2a) EX5 and 03.07.04E, and the configuration works really well

In older IOS switches (like the C2960S) you will get the error "(%Unrecognized command)" when issuing the command (config)#flow? , and only the flow sampler comes up. For these type of switches, where you're missing the flow command, verify first of all which type of "sdm template" (Switch Database Management) you are using by entering this command:

show sdm prefer

 If it shows that the "default" template is in use, you would need to update the firmware of the switch to a "lanbase-default" IOS

Use the Cisco sdm command to show the switch template

Follow my other article about how to upgrade the IOS in your switch: http://www.nazaudy.com/index.php/12-technology/cisco/35-upgrade-ios-in-cisco-switches-c2960s , and see if your unit support IOS version 15.0(2)EX5 so that you have the "flow" command available and are clear to proceed

One more thing, as you know well with Cisco, most of the cool features are bound to....yeap... licensing. Some Cisco switches will support NetFlow but will only capture input traffic while the output traffic is reserve by those who dare to buy the license for their devices. Have a look at this great matrix to find out under which category your switch falls into: https://community.cisco.com/t5/security-documents/netflow-support-matrix/ta-p/3644638

A good rationale presented by Praveen Manohar about this situation of monitoring the NetfFlow traffic only in one direction can be read here:

 

1. Create a flow record

In order to enable NetFlow V9 in Cisco Switches with PRTG, start by logging to your Cisco switch and enter this in global configuration mode (config)#

 

flow record PRTG-FLOW-RECORD
 description Record-Network-Traffic
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect transport tcp flags
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

 

2. Create a flow exporter

Type "exit" to go back to (config)# mode, then copy and paste the code below, ensuring that you use your own management vlan (in my example is vlan 41) and the IP address of your PRTG server (192.168.0.41 in my example). For transport UDP, use the default port 9997

 

flow exporter PRTG-EXPORTER
 description Export-Flow-to-PRTG
 destination 192.168.0.41
 source vlan41
 transport udp 9997

 

3. Create a flow monitor

Type "exit" again, and paste the following code to create a flow monitor. In the example I use a cache timeout of 60 seconds, meaning that after this time the collected data in the switch cache will be sent to the PRTG exported; the longer the cache the more load you will incur on your switches

 

flow monitor PRTG-MONITOR
 description Monitor-PRTG-Flow
 record PRTG-FLOW-RECORD
 exporter PRTG-EXPORTER
 cache timeout active 60

 

4. Configure a sampler for packets

Type "exit" one more time, and then paste the code below, resulting in a Sampler monitoring 1 packet out of a window of 32 bytes. This will help us later to tunnel the data to our PRTG server

 

sampler PRTG-SAMPLER
 mode random 1 out-of 32

 

5. Configure the interfaces to send flow data

Finally, select all of the physical interfaces in your switch (do int rang g10/01 - 28 or similar) and issue this command so that they start monitoring NetFlow traffic:

 

ip flow monitor PRTG-MONITOR sampler PRTG-SAMPLER input

 

  • If you get the error message: "Flow Monitor: Flow Monitor 'PRTG-MONITOR' can't be applied on switch 1", then make sure that you don't have the "ip flow egress/ingress" configured on any of the interfaces 
  • You do not need to add the above line into your any of your port-channels, if you have created any 
  • You do need to add, however, the above ip flow monitor command to your management vlan, and whichever other interface vlan you have configured an IP address in

NetFlow V9 in Cisco works with ip flow monitor

6. Configure DNS and SNMP in your Cisco switch

Before we jump into the PRTG configuration, let's ensure that your Cisco switch can resolve names by issues these commands; the first 2 lines will help the switch resolve names (replace nazaudy.local for your current Active Directory domain name), the name-server and ntp server should both point to your Forest Root Domain Controller, and finally add as well an ip default-gateway pointing to your router

 

ip domain-name nazaudy.local 
ip domain-lookup
ip name-server 192.168.0.10
ntp server 192.168.0.10
ip default-gateway 192.168.0.1

 

Enter the following commands too, where 192.168.0.27 is the IP of your PRTG server and "Nazaudy" is the community name for your SNMP settings. The below commands will ensure that the SNMP traffic generated by your Cisco switch is reachable only by your SNMP server

 

logging host 192.168.0.27
access-list 1 remark Restric-access-to-snmp
access-list 1 permit 192.168.0.27 0.0.0.255 log
snmp-server community Nazaudy RO 1

 

At this stage, you can execute #show logging in your Cisco switch, and hopefully you'll see some NetFlow traffic going to your PRTG server

 Verify NetFlow traffic

 

 

 1. Set Mbits units for your PRTG

Jumping now to your PRTG system, we are going to explore now the last part about how to enable NetFlow V9 in Cisco Switches with PRTG. The first thing we should do is to ensure that the units in use by our network switches are all set to Mbits per second. To do that, edit the group in PRTG where (I suppose, and I hope so!) all your network switches are grouped into, and modify the "Channel Unit Configuration" to read as follows:

Change Channel Unit Configuration in PRTG

This way, PRTG will nicely show you all your traffic in Mbits, rather than the default of Kbits which is quite confusing

Enable NetFlow V9 in Cisco Switches with PRTG

2. Ensure the channels you´re monitoring are 64-bit, and use SNMP v2 or v3

I take it your computer runs at 64-bit, therefore ensure that when you add channel sensors to your cisco device in PRTG, there are all set to 64-bit, otherwise they'll give you incorrect data. Just remember that SNMP v1 does not support 64-bit, therefore please ensure that you're using either SNMP v2 or v3 to monitor your Cisco devices

Change sensors to 64-bit in PRTG

If you happens to have a 32-bit sensor, just delete it and add it again; it should add as a 64-bit sensor instead

Verify sensors are 64-bit

3. Add the NetFlow V9 sensor

Once you have added your Cisco switch device in PRTG, right-click on it and choose "add sensor",  then add the NetFlow V9 sensor, and configure it with these settings:

 NetFlow V9 specific settings

And yes, set the Sampling Mode to "on", and ensure the Active Flow Timeout is set to 1 minute, and the "Sampling Rate" set to 32, just as we configured our sampler PRTG-SAMPLER in the Cisco switch earlier

PRTG Sampling Rate

4. Add Source and Destination IP Toplist

Wait for a bit until you start receiving data in your PRTG (the sensor should turn on green), then click on the "Add Toplist" button in the NetFlow V9 sensor:

Sensor in PRTG NetFlow V9

Name your toplist "Source IP", then select "Custom" in the type of traffic and tick the "Source IP" filed name

PRTG Source IP address

Do the same thing for "Destination IP", so that at the end you end up with the configuration below, where you can see separate entities for both Source and Destination IP:

Top Lists

5. Set Primary Toplist

Visit your NetFlow V9 sensor > Settings and set the Primary Toplist to be your "Source IP", this is so that on the maps we can see the IP address from which the traffic is coming from, singling out any possibly misuse of the bandwidth. If you want, of course, you can choose the "Destination IP" toplist instead to be your default. I much prefer the Source IP

PRTG Sensor NetFlow V9 Source IP address

We are now ready to do the most exciting part of this configuration: the PRTG maps! yay! :)

6. Create a NetFlow v9 PRTG map

Add a new map to your PRTG "maps" section, and when ready drag the item Graphs > Live graph (large fonts) in the white space of the Map Designer area. Then on the "Device Tree", look for the Netflow sensor of the device you're creating the map for, and drag the sensor over the "live graph (large fonts)" item

 Drag NetFlow sensor over the object

Do the same thing for 2 x more objects:

  • Drag the object Graphs > Primary toplist of a sensor, and put on it the NetFlow V9 sensor
  • Drag the object Status Icons > Channel (gauges), and put on it the NetFlow V9 sensor
  • Drag a Custom HTML > Custom HTML Element, and edit its properties to fill it with these details:
    • HMTL Before: <font size='14' color='blue'><b>Basement</b>
    • HTML After:</font>

If all goes well, you will end up with this kind of graph, just change the "Basement" string on my example for the location of your choice; very well done! :) You can see on the graph below how a single IP address is using all of the bandwidth of the switch:

 PRTG map

Here is the same graph, after the bandwidth process for that single IP address was stopped

 Analysing traffic in PRTG with enabled NetFlow V9

Thank you for reading!

If you enjoyed this article of mine about Enable NetFlow V9 in Cisco Switches with PRTG, I recommend you to please follow this other article "Use rConfig to manage your Cisco switches and Cisco tips" for more ideas and tips about Cisco switches: https://www.nazaudy.com/use-rconfig-to-manage-your-cisco-switches-and-cisco-useful-tips 

 

London, 30 March 2019

 

References