
NetFlow on 3560x

marcio.tormente
Level 4

Dear,

I'm trying to configure NetFlow on a 3560X (WS-C3560X-48T-S), but I read a post (9 years ago) that says the 3560 doesn't support NetFlow. After 9 years, I think the technology has changed.

The current version is c3560e-universalk9-mz.122-55.SE3.bin. I saw in Cisco Feature Navigator that this version doesn't support NetFlow, so I can update to c3560e-universalk9-mz.150-2.SE8.bin, but I couldn't find this version in the Cisco FN.

Does anyone know if this version supports NetFlow?

Thanks

Marcio


Accepted Solutions

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

You need the service module C3KX-SM-10G.  Beware all the "got-chas".

Service Module

The new Cisco Service Module offers enhanced security and Flexible Netflow (FNF) features on the uplink ports of the Catalyst 3750-X and 3560-X. The service module is supported with IP Base or IP Services feature set. It can be used with SFP or SFP+ at 1G or 10G speeds. The new Cisco Service Module has custom dedicated hardware for FNF monitoring, separate from the dedicated hardware for MACSec. Therefore there is no impact on packet forwarding performance & latency. It offers flexibility with the user being able to define flows. The new Cisco Service Module enables the following services:

Line rate (40G) Flexible NetFlow for Network Monitoring and Security Anomaly Detection

- Supported version 9

- 32,000 simultaneous flows

- 128 of simultaneous active monitors

Line rate (40G) MACsec encryption (please refer to MACsec section below)

FNF is a networking monitoring technology. A NetFlow table can be used to collect flow statistics. The flow information can be used by customers for a variety of use cases like understanding:

1. Applications running on the network, and identify undesired applications, P2P etc

2. Granular Local and aggregated Campus view (Top N applications, drill down etc).

3. Top talkers (ports, users, applications) for application usage, productivity and asset utilization etc.

4. Security Anomaly Detection by examining flows that do not traverse trust boundaries for inside the perimeter attacks

5. Impacts of network and application changes

6. Compliance conformation

7. Traffic patterns for capacity planning

Enabling FNF at the access switch ensures you get all flows. The access switch is the most logical place in the network for collecting statistics and monitoring all flows. With Netflow, you can obtain MAC-address and access port information associated with the flow, to get directly to the source of the flow. Most collectors are able to leverage the location based on MAC-address and interface port number provided by the access switch to the collector. Thus by enabling FNF at the access switch you are able to get the location information of the flow. The access switch has a variety of identity mechanism for user authentication and adding user awareness is the natural progression that can be developed. Access switches are an order of magnitude greater than distribution and core which makes them scale well for FNF and ensure there are no performance impacts of oversubscription at aggregation and core.

 

Q.    I have a Cisco Catalyst 3750X/3560X switch with LAN Base license on it. Can I use the Service Module to configure MACSec and Netflow?

A.     No. In order to use the Netflow and MACSec features, the switch must be running IP Base or IP Services license levels.
 
Q.    Is my Service Module ready to use when I plug it into my Cisco Catalyst 3750x/3560X switch?
A.     Service Module is ready for use if the Hardware Board Revision number of the switch is 0x03. Hardware Board Revision Number can be obtained from executing the "show version" CLI on the switch console.

Snippet from the CLI output:

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address             : F8:66:F2:2B:62:00
Motherboard assembly number           : 73-12557-04
Motherboard serial number             : FDO14290JB6
Model revision number                 : A0
Motherboard revision number           : A0
Model number                          : WS-C3560X-48P-S
Daughterboard assembly number : 800-32786-01
Daughterboard serial number           : FDO1429068M
System serial number                  : FDO1429K02V
Top Assembly Part Number              : 800-31328-01
Top Assembly Revision Number         : A0
Version ID                            : V01
CLEI Code Number                      : COMJP00ARA
Hardware Board Revision Number        : 0x03

If the Hardware Board Revision number is not 0x03, the Service Module can only be used as a regular uplink module. Netflow and MACSec cannot be used. In order to upgrade your switch to Hardware Board Revision number 0x03, please refer to the field notice on Cisco.com.

 

Q.    Can I monitor every flow in my switch using the Service Module?

A.     All flows that pass the uplink ports are supported. Flows that do not traverse the uplinks like the flows between two access ports on the same switch or switch stack are not supported at FCS.
 
 
Q.    Where can I find more information on Flexible Netflow?
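
A check for the two prerequisites the FAQ quoted above names (license level and Hardware Board Revision Number), as an added example that is not part of the original post or of Cisco's documentation. The function names, the normalised license strings and the `WS-C3750X-` model prefix are assumptions; the sample text is constructed by abridging the `show version` snippet quoted above.

```python
import re

# Feature sets the quoted FAQ says allow NetFlow/MACsec on the service module.
SUPPORTED_LICENSES = {"ipbase", "ipservices"}   # normalised spelling is an assumption
REQUIRED_BOARD_REV = 0x03

# Constructed sample, abridged from the "show version" snippet quoted above.
SAMPLE_SHOW_VERSION = """\
Base ethernet MAC Address             : F8:66:F2:2B:62:00
Model number                          : WS-C3560X-48P-S
Daughterboard assembly number : 800-32786-01
Hardware Board Revision Number        : 0x03
"""

def parse_fields(show_version):
    """Return {lowercased field name: value} for 'Name : value' lines."""
    fields = {}
    for line in show_version.splitlines():
        # Split on the first colon only, so MAC addresses stay intact.
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s+(\S.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def fnf_readiness(show_version, license_level):
    """Return (ready, reasons); license_level is supplied by the caller."""
    fields = parse_fields(show_version)
    reasons = []
    model = fields.get("model number", "")
    if not re.match(r"WS-C3(560|750)X-", model):
        reasons.append(f"model {model or 'unknown'} is not a 3560-X/3750-X")
    if license_level.lower().replace(" ", "") not in SUPPORTED_LICENSES:
        reasons.append(f"license {license_level}: need IP Base or IP Services")
    rev = fields.get("hardware board revision number")
    try:
        rev_ok = rev is not None and int(rev, 16) == REQUIRED_BOARD_REV
    except ValueError:
        rev_ok = False
    if not rev_ok:
        reasons.append(f"board revision {rev or 'missing'}: regular uplink only")
    return (not reasons, reasons)

if __name__ == "__main__":
    for lic in ("IP Base", "LAN Base"):
        print(lic, fnf_readiness(SAMPLE_SHOW_VERSION, lic))
```

Even when the check passes, only flows crossing the uplink ports are exported, so traffic between two access ports on the same switch or stack stays invisible to the collector.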

Joseph,

And about Netflow Egress Accounting, this feature is available, but I'm not sure if it is enough to work. What do you think?

Posting

Sorry, I don't have any first hand experience with that platform and module.
