Catalyst Center + NetFlow

fatalXerror
Level 5

Hi,

I would like to check if the following is supported by Catalyst Center,

1. Be a NetFlow Server?

2. Integrate NetFlow solution like Solarwinds NetFlow (NTA) or Stealthwatch solution?

3. If item 2 is possible, what can be done once integrated? Is it only displaying the NetFlow, or can I also configure the NetFlow via the Catalyst Center?

Thank you

3 Replies

balaji.bandi
Hall of Fame

Questions 1 and 2 can be answered by the document below:

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-3-7/user_guide/b_cisco_dna_center_ug_2_3_7/b_cisco_dna_center_ug_2_3_7_chapter_01010.html#id_133258

DNAC can work with most of the Catalyst switches if they are supported in the DNAC matrix - check the supported matrix.

NTA of SolarWinds is for all devices; I was not sure whether 3rd party devices can work with DNAC (never tested).

"I can also configure the NetFlow via the Catalyst Center?"

If the device is managed by DNAC, you can configure it using a template, or you can also configure it at the command level.

BB

Preston Chilcote
Cisco Employee

Catalyst Center will configure itself as a netflow server when you "Enable Application Telemetry" on your cat9ks.  There is a Stealthwatch integration workflow in Catalyst Center, but its purpose is to help with configuration of netflow configs to point the switches at your Stealthwatch Server.  There is no visibility of Stealthwatch data in Catalyst Center.

In general, the best practice for sending netflow data from a single switch to multiple destinations is to use Cisco Telemetry Broker (CTB). This is because there are scenarios where we don't support multiple netflow monitors on a single port, so it's easiest to use a single monitor and have CTB send the copies to other destinations.

DJW487
Level 1

We use nProbe/nTopNG as our main netflow monitoring tool. It uses the standard netflow fields that most flow monitoring systems use.

DNAC/Catalyst Center, however, provisions the AVC flow capture, which most other systems don't know how to read.

I spent some time working on a flow record that uses a combination of the match/collect fields from both, and that sends to both my dnac exporter and nprobe exporter. Both dnac and nprobe then get the info they need (and ignore the other fields) and I only need one monitor on the interface.

Our existing flow record:

flow record FNF-input
 description IPv4 NetFlow
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match interface input
 match ipv4 tos
 match flow direction
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last

flow record FNF-output
 description IPv4 NetFlow
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match interface output
 match ipv4 tos
 match flow direction
 collect interface input
 collect counter bytes long
 collect counter packets long
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last

My new flow record that uses the DNAC provisioned record but adds the required 'collect' fields for nProbe:

flow record nProbeExtended
 description nProbe essentials with extended AVC for dnac
 match ipv4 version
 match ipv4 protocol
 match application name
 match connection client ipv4 address
 match connection server ipv4 address
 match connection server transport port
 match flow observation point
 collect timestamp absolute first
 collect timestamp absolute last
 collect flow direction
 collect connection initiator
 collect connection client counter packets long
 collect connection client counter bytes network long
 collect connection server counter packets long
 collect connection server counter bytes network long
 collect connection new-connections
 collect datalink mac source address input
 collect counter bytes long
 collect counter packets long
 collect transport tcp flags
 collect transport source-port
 collect ipv4 source address
 collect transport destination-port
 collect ipv4 destination address
 collect interface input
 collect interface output

And then I just list both exporters in the monitor field:

flow monitor nProbeMonitor
 exporter nProbeExporter
 exporter dnacexporter
 cache timeout inactive 10
 cache timeout active 60
 record nProbeExtended

And then add the monitor to the interface for both input and output if required.
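
An added example, not part of the thread and not Cisco or ntop tooling: when two flow records are merged into one as in the last post, this Python script parses `flow record` stanzas and lists which fields of the old record are absent from the merged one and which moved from `match` (flow key) to `collect` (non-key). The function names are hypothetical and the sample input is abbreviated from the records posted above.

```python
import re
# Constructed input: both records abbreviated from the ones posted in this thread.
SAMPLE = """\
flow record FNF-input
 match ipv4 source address
 match transport source-port
 match ipv4 tos
 collect counter bytes long
 collect transport tcp flags
flow record nProbeExtended
 match connection client ipv4 address
 match connection server transport port
 collect counter bytes long
 collect transport tcp flags
 collect transport source-port
 collect ipv4 source address
"""

def parse_flow_records(config):
    """Map record name -> {'match': key fields, 'collect': non-key fields}."""
    records, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"flow record (\S+)", line)
        role, _, field = line.partition(" ")
        if header:
            current = records.setdefault(header.group(1), {"match": set(), "collect": set()})
        elif current is not None and role in ("match", "collect") and field:
            current[role].add(" ".join(field.split()))
        elif line and not raw[0].isspace():
            current = None  # another top-level command closes the stanza
    return records

def compare_records(old, new):
    """Hypothetical helper: what changes for a collector that relied on `old`."""
    old_all, new_all = old["match"] | old["collect"], new["match"] | new["collect"]
    return {
        "missing": sorted(old_all - new_all),  # no longer exported at all
        "demoted": sorted(old["match"] & (new["collect"] - new["match"])),  # key -> non-key
        "added_keys": sorted(new["match"] - old_all),  # new flow-key fields
    }

def check_sample():
    recs = parse_flow_records(SAMPLE)
    return compare_records(recs["FNF-input"], recs["nProbeExtended"])

if __name__ == "__main__":
    for kind, fields in check_sample().items():
        print(f"{kind}: {', '.join(fields) or '-'}")
```

Run over the two full records from the thread, the same comparison reports `ipv4 tos` as the only FNF-input field absent from nProbeExtended, and six former key fields (addresses, ports, input interface, flow direction) now exported as non-key `collect` fields.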