06-10-2024 10:51 AM
Hi,
I would like to check if the following is supported by Catalyst Center:
1. Be a NetFlow Server?
2. Integrate with a NetFlow solution like SolarWinds NetFlow (NTA) or a Stealthwatch solution?
3. If item 2 is possible, what can be done once integrated? Only displaying the NetFlow, or can I also configure the NetFlow via the Catalyst Center?
Thank you
06-10-2024 01:04 PM
The document below can answer 1 and 2:
DNAC can work with most of the Catalyst switches if they are supported in the DNAC matrix; check the supported matrix.
NTA of SolarWinds is for all devices; I was not sure whether 3rd-party devices can work with DNAC (never tested).
I can also configure the NetFlow via the Catalyst Center?
If the device is managed by DNAC, you can configure it using a template, or you can also configure it at command level.
06-11-2024 09:00 AM
Catalyst Center will configure itself as a netflow server when you "Enable Application Telemetry" on your cat9ks. There is a Stealthwatch integration workflow in Catalyst Center, but its purpose is to help with configuration of netflow configs to point the switches at your Stealthwatch Server. There is no visibility of Stealthwatch data in Catalyst Center.
In general, the best practice for sending netflow data from a single switch to multiple destinations is to use Cisco Telemetry Broker (CTB). This is because there are scenarios where we don't support multiple netflow monitors on a single port, so it's easiest to use a single monitor and have CTB send the copies to other destinations.
08-06-2024 06:46 PM - edited 08-06-2024 06:48 PM
We use nProbe/nTopNG as our main netflow monitoring tool. It uses the standard netflow fields that most flow monitoring systems use.
DNAC/Catalyst Center, however, provisions the AVC flow capture, which most other systems don't know how to read.
I spent some time working on a flow record that uses a combination of the match/collect fields from both and sends to both my dnac exporter and nprobe exporter. Both dnac and nprobe then get the info they need (and ignore the other fields) and I only need one monitor on the interface.
Our existing flow record:
flow record FNF-input
 description IPv4 NetFlow
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match interface input
 match ipv4 tos
 match flow direction
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last
flow record FNF-output
 description IPv4 NetFlow
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match interface output
 match ipv4 tos
 match flow direction
 collect interface input
 collect counter bytes long
 collect counter packets long
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last
My new flow record that uses the DNAC provisioned record but adds the required 'collect' fields for nProbe:
flow record nProbeExtended
 description nProbe essentials with extended AVC for dnac
 match ipv4 version
 match ipv4 protocol
 match application name
 match connection client ipv4 address
 match connection server ipv4 address
 match connection server transport port
 match flow observation point
 collect timestamp absolute first
 collect timestamp absolute last
 collect flow direction
 collect connection initiator
 collect connection client counter packets long
 collect connection client counter bytes network long
 collect connection server counter packets long
 collect connection server counter bytes network long
 collect connection new-connections
 collect datalink mac source address input
 collect counter bytes long
 collect counter packets long
 collect transport tcp flags
 collect transport source-port
 collect ipv4 source address
 collect transport destination-port
 collect ipv4 destination address
 collect interface input
 collect interface output
And then I just list both exporters in the monitor field:
flow monitor nProbeMonitor
 exporter nProbeExporter
 exporter dnacexporter
 cache timeout inactive 10
 cache timeout active 60
 record nProbeExtended
And then add the monitor to the interface for both input and output if required.
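When flow data feeds detection or forensics, it is worth checking what a merged record keeps from the ones it replaces. The following is an added example, not part of the original post: it diffs the FNF-input and nProbeExtended records from this thread, transcribed with several sub-commands packed per line. The function names `parse_record` and `compare` are hypothetical, and it relies on the Flexible NetFlow rule that `match` fields are flow keys while `collect` fields are non-key.

```python
"""Compare Flexible NetFlow records: which fields survive a record merge."""

def parse_record(text):
    """Return {field: 'match' | 'collect'} from flow record sub-commands."""
    fields = {}
    for line in text.replace(";", "\n").splitlines():
        kind, _, field = line.strip().partition(" ")
        if kind in ("match", "collect") and field:
            fields[field] = kind
    return fields

def compare(old, new):
    """Fields dropped by the new record, and key fields demoted to non-key."""
    dropped = sorted(f for f in old if f not in new)
    demoted = sorted(f for f, k in old.items()
                     if k == "match" and new.get(f) == "collect")
    return dropped, demoted

# Transcribed from the thread's FNF-input record (packed with ';').
FNF_INPUT = """
match ipv4 source address; match ipv4 destination address
match transport source-port; match transport destination-port
match ipv4 protocol; match interface input; match ipv4 tos; match flow direction
collect interface output; collect counter bytes long; collect counter packets long
collect transport tcp flags
collect timestamp absolute first; collect timestamp absolute last
"""

# Transcribed from the thread's nProbeExtended record (packed with ';').
NPROBE_EXTENDED = """
match ipv4 version; match ipv4 protocol; match application name
match connection client ipv4 address; match connection server ipv4 address
match connection server transport port; match flow observation point
collect timestamp absolute first; collect timestamp absolute last
collect flow direction; collect connection initiator
collect connection client counter packets long
collect connection client counter bytes network long
collect connection server counter packets long
collect connection server counter bytes network long
collect connection new-connections; collect datalink mac source address input
collect counter bytes long; collect counter packets long; collect transport tcp flags
collect transport source-port; collect ipv4 source address
collect transport destination-port; collect ipv4 destination address
collect interface input; collect interface output
"""

if __name__ == "__main__":
    dropped, demoted = compare(parse_record(FNF_INPUT), parse_record(NPROBE_EXTENDED))
    print("dropped:", dropped)
    print("now non-key:", demoted)
```

Run against these two records, it reports that `ipv4 tos` is not carried over and that the source/destination addresses and ports, the input interface and the flow direction are exported as non-key fields, so flows are no longer distinguished by them.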