topic Re: Netflow config on switches for Stealthwatch in Security Analytics

Netflow config on switches for Stealthwatch

dijix1990 — Tue, 26 Mar 2024 03:09:50 GMT

Anybody know if the c9606R and c9300X-24Y can work with Stealthwatch?

I try to configure on the c9606R and c9300x-24y

flow record REC-IN match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match ipv4 protocol match interface input match ipv4 tos match flow direction collect interface output collect counter bytes long collect counter packets long collect transport tcp flags collect timestamp absolute first collect timestamp absolute last flow record REC-OUT match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match ipv4 protocol match interface output match ipv4 tos match flow direction collect interface input collect counter bytes long collect counter packets long collect transport tcp flags collect timestamp absolute first collect timestamp absolute last flow monitor MON-IN exporter SFC_Exp cache timeout active 10 record REC-IN flow monitor MON-OUT exporter SFC_Exp cache timeout active 10 record REC-OUT flow exporter SFC_Exp destination 192.168.100.1 source Loopback0 transport udp 2055 Twe1/0/1 ip flow monitor MON-IN input ip flow monitor MON-OUT output

exporter appeared on the Stealthwatch, Stealthwatch could read name of interfaces but there is not any traffic

Re: Netflow config on switches for Stealthwatch

balaji.bandi — Mon, 25 Mar 2024 17:26:21 GMT

high level should work, what config on Twe1/0/1 ? what IOS XE code running on switch :

example working one :

Netflow Example on Cat Switches | Balaji Bandi

https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/config-trouble-netflow-stealth.pdf

Re: Netflow config on switches for Stealthwatch

Aref Alsouqi — Mon, 25 Mar 2024 21:24:41 GMT

Yes it should work without any problem. If you want you can specify the NetFlow v9 under the flow exporter with the command "export-protocol netflow-v9" but even without specifying it it should work. What I think you are mainly missing is defining the flow record under the flow monitor, you should add that with the command "record ...".

How to configure NetFlow for Cisco routers and switches running IOS - video (site.com)

Re: Netflow config on switches for Stealthwatch

dijix1990 — Tue, 26 Mar 2024 03:24:28 GMT

But I have recorder in my config

flow monitor MON-IN exporter SFC_Exp cache timeout active 10 record REC-IN

BTW my config works with cisco vnam analyzer perfectly

and it's strange I found out that on the stealthwatch I can see only outside traffic (outside is shown correctly) but inside isn't correctly

Re: Netflow config on switches for Stealthwatch

dijix1990 — Tue, 26 Mar 2024 03:27:05 GMT

ios xe 17.9.4a and stealthwatch 7.5.0

I found out that for cisco vnam my config is correct but stealthwatch shows only outside traffic correctly but inside not correctly