CCNP ENCOR Certification Cram Notes : Network Assurance

4.3 Configure and verify NetFlow and Flexible NetFlow

NetFlow is a network protocol developed by Cisco Systems that allows network administrators to collect information about IP traffic passing through a router, switch, or other network device. The information collected by NetFlow can be used for network traffic analysis, network planning, security, accounting, and billing purposes.

Flexible NetFlow is an advanced version of NetFlow that provides more control over the types of data that are collected and the way they are exported. With Flexible NetFlow, you can define your own flow records and export templates to match your specific needs.

To configure and verify NetFlow and Flexible NetFlow on a Cisco device, follow these steps:

1. Enable NetFlow on the device:

scssCopy code
Router(config)# ip flow-export version 9
Router(config)# ip flow-export destination <IP address of NetFlow collector> <port number>
Router(config)# interface <interface name>
Router(config-if)# ip flow ingress

2. Configure the flow records:

scssCopy code
Router(config)# flow record <record name>
Router(config-flow-record)# match <match criteria>
Router(config-flow-record)# collect <fields to collect>

3. Apply the flow records to the interfaces:

Router(config)# interface <interface name>
Router(config-if)# ip flow monitor <monitor name> input

4. Verify that NetFlow is working by checking the statistics:

Router# show ip cache flow

To configure Flexible NetFlow, you can use the same commands as for NetFlow, but with some additional options for defining the flow records and templates. For example:

Router(config)# flow record <record name>
Router(config-flow-record)# match ipv4 protocol
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match transport source-port
Router(config-flow-record)# match transport destination-port
Router(config-flow-record)# collect interface input
Router(config-flow-record)# collect interface output
Router(config-flow-record)# collect routing source as
Router(config-flow-record)# collect routing destination as
Router(config-flow-record)# collect transport tcp flags
Router(config-flow-record)# collect counter bytes
Router(config-flow-record)# collect counter packets
Router(config-flow-record)# collect timestamp sys-uptime first
Router(config-flow-record)# collect timestamp sys-uptime last
Router(config-flow-record)# collect application name
Router(config-flow-record)# collect application response-time
Router(config-flow-record)# collect flow direction
Router(config-flow-record)# collect flow sampler
Router(config-flow-record)# collect flow start milliseconds
Router(config-flow-record)# collect flow end milliseconds
Router(config-flow-record)# collect flow exporter
Router(config)# flow exporter <exporter name>
Router(config-flow-exporter)# description <description>
Router(config-flow-exporter)# destination <IP address of NetFlow collector> <port number>
Router(config-flow-exporter)# source <interface name>
Router(config-flow-exporter)# transport udp 9999
Router(config-flow-exporter)# option application-table timeout 60
Router(config-flow-exporter)# option exporter-stats timeout 60
Router(config-flow-exporter)# option interface-table timeout 60
Router(config-flow-exporter)# option sampler-table timeout 60
Router(config-flow-exporter)# option flow-cache timeout active 60
Router(config-flow-exporter)# option flow-cache timeout inactive 15
Router(config)# flow monitor <monitor name>
Router(config-flow-monitor)# exporter <exporter name>
Router(config-flow-monitor)# cache timeout active 60
Router(config-flow-monitor)# cache timeout inactive 15
Router(config-flow-monitor)# record <record name>

To verify that Flexible NetFlow is working, you can use the same command as for NetFlow:

Router# show ip cache flow

4.4 Configure and verify SPAN/RSPAN/ERSPAN

SPAN (Switched Port Analyzer), RSPAN (Remote Switched Port Analyzer), and ERSPAN (Encapsulated Remote Switched Port Analyzer) are features in Cisco IOS that allow network administrators to monitor network traffic.

SPAN allows network administrators to monitor network traffic passing through one or more switch ports by forwarding a copy of that traffic to another port on the same switch or to a port on a different switch connected to the same network.

RSPAN extends this functionality to remote switches by allowing the monitoring of traffic from VLANs across multiple switches, while ERSPAN extends the same functionality over Layer 3 networks.

To configure SPAN on a Cisco switch, you can use the following commands:

1. Define the SPAN session:

switch# configure terminal
switch(config)# monitor session 1 source interface GigabitEthernet0/1
switch(config)# monitor session 1 destination interface GigabitEthernet0/2

This configures a SPAN session to monitor traffic on GigabitEthernet0/1 and forwards a copy of that traffic to GigabitEthernet0/2.

2. Verify the SPAN session configuration:

phpCopy code
switch# show monitor session 1

This command displays the configuration details of the SPAN session.

To configure RSPAN, you can use the following commands:

1. Configure the RSPAN VLAN:

cCopy code
switch# configure terminal
switch(config)# vlan 900
switch(config-vlan)# remote-span

This creates VLAN 900 as an RSPAN VLAN.

2. Configure the RSPAN source and destination:

phpCopy code
switch(config)# monitor session 1 source interface GigabitEthernet0/1
switch(config)# monitor session 1 destination remote vlan 900

This configures a SPAN session to monitor traffic on GigabitEthernet0/1 and forwards a copy of that traffic to the RSPAN VLAN.

3. Verify the RSPAN session configuration:

phpCopy code
switch# show monitor session 1

This command displays the configuration details of the RSPAN session.

ERSPAN configuration is similar to RSPAN configuration, but uses an ERSPAN source and destination instead of an RSPAN source and destination.