Configure the Discover appliance to collect traffic from NetFlow and sFlow devices

You must configure network interface and port settings on the ExtraHop Discover appliance before you can collect NetFlow or sFlow data from remote flow networks (flow exporters). The ExtraHop system supports the following flow technologies: Cisco NetFlow v5 and v9, AppFlow, IPFIX, and sFlow.

Before you begin

You must log in as a user with full system privileges to complete the following steps.

Configure the interface on your Discover appliance

In addition to configuring your Discover appliance, you must configure your network devices to send sFlow or NetFlow traffic. Refer to your vendor documentation or see sample Cisco configurations at the end of this document.
  1. Log into the Admin UI on your Discover appliance.
  2. In the Network Settings section, click Connectivity.
  3. In the Interfaces section, click the name of the interface that should receive the flow data.
  4. Select Management Port + Flow Target in the Interface Mode drop-down list.
    Note:The EDA 1100 and EDA 1000v must be configured for either flow data or wire data because these appliances cannot process flow data and wire data simultaneously. If these appliances are configured for flow data, you must set the monitoring port to Disabled.
  5. If Enable DHCPv4 is selected, click Save. Otherwise, configure the remaining network settings and then click Save.

Configure the flow type and the UDP port over which flow data is collected

  1. In the Network Settings section, click Flow Networks.
  2. In the Ports section, type the UDP port number in the Port field. The default port for Net Flow is 2055 and the default port for sFlow is 6343. You can add additional ports as needed for your environment.
  3. From the Flow Type drop-down menu, select NetFlow or sFlow. For AppFlow traffic, select NetFlow.
  4. Click the plus icon (+) to add the port.
  5. Save the running configuration file to preserve your changes by clicking View and Save Changes at the top of the Flow Networks page, and then click Save.

Add the pending flow networks on the Discover appliance

  1. In the Network Settings section, click Flow Networks
  2. In the Pending Flow Networks section click Add Flow Network.
  3. Type a name to identify this flow network in the Flow Network ID field.
  4. Select the Automatic records checkbox to send records from this flow network to a connected Explore appliance.
  5. Select the Enable SNMP polling checkbox to enable SNMP polling.
  6. If you enable SNMP polling, select one of the following options from the SNMP credentials drop-down menu:
    • Inherit from CIDR. If you select this option, the SNMP credentials are applied based on the Shared SNMP Credentials settings.
    • Custom credentials. Select v1, v2, or v3 from the SNMP version drop-down list and then configure the remaining settings for the specific polling type.
  7. Click Save.
    The flow network appears in the Approved Flow Networks table. If you do not see the flow network, you can manually add it by clicking Add Flow Network in the Approved Flow Networks section and completing the information as described above.

View configured flow networks

After you configure your flow networks, log into the Web UI on the Discover appliance to view built-in charts and modify settings and configurations.

  1. Log into the Web UI on your Discover appliance.
  2. Click Metrics and then click Networks.
  3. Click the drop-down arrow next to the flow network name to see a list of flow interfaces and their attributes.
  4. Select the checkbox next to the flow network or interface name. From the top bar, you can create a chart, assign a trigger, assign an alert, rename the flow interface, and set the interface speed.
  5. Click the flow network name or flow interface name to view built-in charts on summary pages. From the summary pages, you can click the regions and charts and add them to a new or existing dashboard.

Configure Cisco NetFlow devices

The following examples of basic Cisco router configuration for NetFlow. NetFlow is configured on a per-interface basis. When NetFlow is configured on the interface, IP packet flow information will be exported to the Discover appliance.

Important:NetFlow takes advantage of the SNMP ifIndex value to represent ingress and egress interface information in flow records. To ensure consistency of interface reporting, enable SNMP ifIndex persistence on devices sending NetFlow to the Discover appliance. For more information on how to enable SNMP ifIndex persistence on your network devices, refer the configuration guide provided by the device manufacturer.

For more information on configuring NetFlow on Cisco switches, see your Cisco router documentation or the Cisco website at www.cisco.com.

Configure an exporter on the Cisco Nexus switch

Define a flow exporter by specifying the export format, protocol, and destination.

Log in to the switch command-line interface and run the following commands:
  1. Enter global configuration mode:
    config t
  2. Create a flow exporter and enter flow exporter configuration mode.
    flow exporter <name>
    For example:
    flow exporter Netflow-Exporter-1
  3. (Optional) Enter a description:
    description <string>
    For example:
    description Production-Netflow-Exporter
  4. Set the destination IPv4 or IPv6 address for the exporter.
    destination <eda_mgmt_ip_address>
    For example:
    destination 192.168.11.2
  5. Specify the interface needed to reach the NetFlow collector at the configured destination.
    source <interface_type> <number>
    For example:
    source ethernet 2/2
  6. Specify the NetFlow export version:
    version 9

Configure Cisco switches through the Cisco IOS CLI

  1. Log into the Cisco IOS command-line interface and run the following commands.
  2. Enter global configuration mode:
    config t
  3. Specify the interface, and enter interface configuration mode.
    • Cisco 7500 series routers:
      interface <type> <slot>/<port-adapter>/<port>
      For example:
      interface fastethernet 0/1/0
    • Cisco 7200 series routers:
      interface <type> <slot>/<port>
      For example:
      interface fastethernet 0/1
  4. Enable NetFlow:
    ip route-cache flow
  5. Export NetFlow statistics:
    ip flow-export <ip-address> <udp-port> version 5

    Where <ip-address> is the Management Port + Flow Target interface on the Discover appliance and <udp-port> is the configured collector UDP port number.

Published 2017-11-14 20:34