
Catalyst Centre Provisioned NetFlow/IPFIX and 3rd party collector

DJW487
Level 1

We run a 3rd party netflow collector, NtopNG with nProbe.

Our switches were running a netflow template we have had for years. I decided to wipe it and allow Catalyst Centre to input its own netflow config so I can also get some app info in Catalyst Centre.

I notice the fields that have been provisioned in the netflow record are all different, and I am not seeing anything in ntop.

I did some digging and found I can enable the IPFIX fields in the nprobe template, but I need to know which ones it's receiving, by matching from the list here: https://www.ntop.org/guides/nprobe/cli_options.html#netflow-v9-ipfix-format-t or maybe even the extender file here: https://github.com/ntop/nProbe/blob/master/custom_fields/Cisco/avc_custom_fields.txt

The flow record config is:

match ipv4 version
match ipv4 protocol
match application name
match connection client ipv4 address
match connection server ipv4 address
match connection server transport port
match flow observation point
collect timestamp absolute first
collect timestamp absolute last
collect flow direction
collect connection initiator
collect connection client counter packets long
collect connection client counter bytes network long
collect connection server counter packets long
collect connection server counter bytes network long
collect connection new-connections
collect datalink mac source address input

Does anyone know specifically which match/collect fields line up with which IPFIX labels in the list provided in the link?

 

For reference, the old flow record config was:

match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match ipv4 protocol
match interface input
match ipv4 tos
match flow direction
collect interface output
collect counter bytes long
collect counter packets long
collect transport tcp flags
collect timestamp absolute first
collect timestamp absolute last

Which was used when we had Scrutinizer and it worked with Ntop when we moved to that, using the following default template fields:

%IN_SRC_MAC
%OUT_DST_MAC
%SRC_VLAN
%IPV4_SRC_ADDR
%IPV4_DST_ADDR
%L4_SRC_PORT
%L4_DST_PORT
%IPV6_SRC_ADDR
%IPV6_DST_ADDR
%IP_PROTOCOL_VERSION
%PROTOCOL
%L7_PROTO
%IN_BYTES
%IN_PKTS
%OUT_BYTES
%OUT_PKTS
%FIRST_SWITCHED
%LAST_SWITCHED
%FLOW_TO_APPLICATION_ID
%FLOW_TO_USER_ID
%INITIATOR_GW_IP_ADDR
%EXPORTER_IPV4_ADDRESS

 

Edit: Would be nice if Cisco made a document that explained what netflow command lines up with what element ID provided here https://www.iana.org/assignments/ipfix/ipfix.xml#ipfix-set-ids

If they did, then I can't find it


DJW487
Level 1

I found the field IDs by doing the following command:

sh flow exporter dnacexporter templates details

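An added example (not part of the original posts, and not Cisco or ntop code): the element IDs that the show command above lists can also be read from the export itself on the collector side, assuming the exporter sends IPFIX (version 10, RFC 7011) rather than NetFlow v9. The parser extracts each template's element IDs and enterprise numbers from one export message; the sample message and its enterprise element (enterprise number 9, element 12345) are constructed values, not real field IDs.

```python
import struct

# Subset of IANA IPFIX element names (https://www.iana.org/assignments/ipfix/ipfix.xml)
IANA_NAMES = {4: "protocolIdentifier", 60: "ipVersion", 95: "applicationId",
              152: "flowStartMilliseconds", 153: "flowEndMilliseconds"}

def parse_templates(msg: bytes) -> dict:
    """Return {template_id: [(enterprise_no, element_id, length), ...]}."""
    if len(msg) < 16 or struct.unpack_from("!H", msg)[0] != 10:
        raise ValueError("not an IPFIX (version 10) message")
    total = min(struct.unpack_from("!H", msg, 2)[0], len(msg))
    templates, pos = {}, 16  # sets start after the 16-byte message header
    while pos + 4 <= total:
        set_id, set_len = struct.unpack_from("!HH", msg, pos)
        if set_len < 4 or pos + set_len > total:
            raise ValueError("bad set length")
        if set_id == 2:  # Set ID 2 = Template Set; other sets are skipped
            templates.update(_template_records(msg[pos + 4:pos + set_len]))
        pos += set_len
    return templates

def _template_records(data: bytes) -> dict:
    records, pos = {}, 0
    while pos + 4 <= len(data):
        tid, count = struct.unpack_from("!HH", data, pos)
        if tid < 256:  # template IDs start at 256; lower values are set padding
            break
        pos, fields = pos + 4, []
        for _ in range(count):
            raw_id, length = struct.unpack_from("!HH", data, pos)
            pos, pen = pos + 4, 0
            if raw_id & 0x8000:  # enterprise bit: 4-byte enterprise number follows
                (pen,) = struct.unpack_from("!I", data, pos)
                pos += 4
            fields.append((pen, raw_id & 0x7FFF, length))
        records[tid] = fields
    return records

def describe(fields: list) -> list:
    return [IANA_NAMES.get(eid, f"ie{eid}") if pen == 0 else f"pen{pen}:ie{eid}"
            for pen, eid, _ in fields]

def build_sample() -> bytes:  # constructed message; pen 9 / ie 12345 is made up
    specs = [(0, 60, 1), (0, 4, 1), (0, 95, 4), (9, 12345, 4), (0, 152, 8)]
    body = struct.pack("!HH", 256, len(specs))
    for pen, eid, length in specs:
        body += struct.pack("!HH", eid | (0x8000 if pen else 0), length)
        body += struct.pack("!I", pen) if pen else b""
    tset = struct.pack("!HH", 2, 4 + len(body)) + body
    return struct.pack("!HHIII", 10, 16 + len(tset), 0, 0, 0) + tset
```

Elements reported with a non-zero enterprise number are vendor-defined and will not appear in the IANA registry; those are the ones to look up in a vendor field list such as the nProbe custom fields file linked in the question.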