ACI
Background overview : https://www.youtube.com/watch?v=m8cXOPZ-vAE
What is Cisco ACI? Why should I care about Cisco ACI NetFlow Support? If you have to ask, you’re not alone. Application Centric Infrastructure (ACI) is the software-defined networking (SDN) offering for data center and cloud networks introduced by Cisco after its acquisition of Insieme Networks. As you have already realized, there is Cisco ACI NetFlow support available, but one thing at a time: let’s go over the SDN benefits and what sets Cisco ACI apart first.
Software-Defined Networking Explained
Software-defined networking is an approach to computer networking that enables network engineers and administrators to react quickly to changing business requirements via a centralized control console. It includes multiple kinds of network technologies that segregate the network’s control and forwarding planes. The network control becomes directly programmable with the underlying infrastructure abstracted for applications and network services.
As shown below, software-defined networking offers multiple benefits to its users. For instance, its policies provide enterprise campuses with network access control and network monitoring. Carrier and service providers benefit from bandwidth on demand. For cloud and data centers, network virtualization for multi-tenants offers better usage of resources and network segregation.
Cisco ACI Features and Capabilities
With a comprehensive SDN architecture, Cisco ACI accommodates distributed applications in private cloud deployments and data centers. It’s based on integrated overlays and a centralized controller to deliver centralized automation and policy-driven application network profiles. These profiles allow for automated configuration and transparent support of diverse physical and virtual nodes with Layer 2 to 7 network services. This reduces application deployment times from weeks to minutes and drastically improves visibility of the entire infrastructure.
The three major parts of Cisco ACI are:
- Application Centric Policy (Cisco Application Policy Infrastructure Controller)
- Cisco ACI Fabric (Cisco Nexus 9000 Series Switches and the Cisco Application Virtual Switch)
- Cisco ACI Partner Ecosystem
The Application Policy Infrastructure Controller (APIC) manages the flow of traffic and services through the underlying Cisco 9K infrastructure. It becomes crucial to have the necessary visibility into the communication between the APIC and the nodes as well as to be able to correlate network traffic to what the controller expects the switches to be doing. This is where the Cisco ACI NetFlow support comes into play.
NetFlow Support for Cisco ACI
With Cisco ACI NetFlow support in place, a network team can determine the source and destination of the traffic, class of service, and the cause of congestion. This is very helpful in planning network capacity, optimizing resource usage, and enhancing network security by monitoring and alerting to anomalous traffic based on its behavior.
While it is worth mentioning that Cisco 9k switches support sFlow, there are pros and cons to enabling it. Long story short, going with sFlow relieves some of the burden NetFlow exports can put on a switch, but too sparse a sampling rate can result in significant network events being missed. Also, as you can imagine, enabling NetFlow on an individual switch offers a limited view: only the traffic that switch sees.
With this in mind, a centralized approach to NetFlow generation is a much preferable option. Not only does it offer visibility into NetFlow statistics across the network, but it also does not affect the performance of the production switches. Another bonus of the centralized approach is gaining NetFlow visibility across a multi-vendor network.
Cisco Nexus 9000 NetFlow Configuration
This device has a slightly different approach to configuring NetFlow. What we’re used to seeing from Cisco is a 4-step process: define your NetFlow record, define your NetFlow exporter, create your monitor and apply the monitor to an interface.
Nexus 9000 supports sFlow.
Enabling sFlow
In order to configure sFlow on our Nexus 9000, we’ll first need to enable it:
switch# configure terminal
#Enter config mode
switch(config)#
switch(config)# feature sflow
#Enables sFlow (“no feature sflow” to disable)
switch(config)# show feature
#Displays the enabled/disabled features
switch(config)# copy running-config startup-config
#Copies the running configuration to the startup configuration
Configure our sampling rate
Now let’s configure our sampling rate:
switch# configure terminal
switch(config)#
switch(config)# sflow sampling-rate 50000
#Configures the sFlow sampling rate for packets
#The sampling rate can be an integer between 4096 and 1000000000
#A sampling rate of 0 disables sampling
switch(config)# show sflow
switch(config)# copy running-config startup-config
Configure the maximum sampled size
Here we can configure the maximum number of bytes that should be copied from a sampled packet:
switch# configure terminal
switch(config)#
switch(config)# sflow max-sampled-size 200
#Configures the sFlow maximum sampling size
#The range for the sampling-size is from 64 to 256 bytes
switch(config)# show sflow
switch(config)# copy running-config startup-config
Configuring the counter poll interval
Here we’ll configure the maximum number of seconds between successive samples of the counters that are associated with the data source:
switch# configure terminal
switch(config)#
switch(config)# sflow counter-poll-interval 100
#The range for the poll-interval can be between 0 and 2147483647
#A sampling interval of 0 disables counter sampling
switch(config)# show sflow
switch(config)# copy running-config startup-config
Configure the maximum datagram size
Here we can configure the maximum number of data bytes that can be sent in a single datagram:
switch# configure terminal
switch(config)#
switch(config)# sflow max-datagram-size 2000
#The range for datagram-size is from 200 to 9000 bytes
switch(config)# show sflow
switch(config)# copy running-config startup-config
Configure sFlow collector address
Here we’ll tell the device the destination to export flows to:
switch# configure terminal
switch(config)#
switch(config)# sflow collector-ip x.x.x.x vrf management
#Configures the IPv4 address for the sFlow collector
#If the IP address is set to 0.0.0.0 all sampling is disabled
#The vrf can be:
#  A user-defined VRF name: you can specify a maximum of 32 alphanumeric characters.
#  vrf management: use this option if the sFlow data collector is on the network connected to the management port.
#  vrf default: use this option if the sFlow data collector is on the network connected to the front-panel ports.
switch(config)# show sflow
switch(config)# copy running-config startup-config
Configure sFlow collector port
Here we’ll define the listening port of our collector
switch# configure terminal
switch(config)#
switch(config)# sflow collector-port 6343
#The range for the collector port is from 0 to 65535
#Common ports include 2055, 2056, 9995 and 9996
switch(config)# show sflow
switch(config)# copy running-config startup-config
Configure sFlow agent address
Now we’ll configure the IPv4 address of the sFlow agent:
switch# configure terminal
switch(config)#
switch(config)# sflow agent-ip x.x.x.x
#The default IP address is 0.0.0.0, which means that all sampling is disabled on the switch.
#You must specify a valid IP address to enable sFlow functionality.
#This IP address is not necessarily the source IP address used to send the sFlow datagrams to the collector.
switch(config)# show sflow
switch(config)# copy running-config startup-config
Configure the sFlow sampling data source
Here you can configure the source of the data for the sFlow sampler as an Ethernet port, a range of Ethernet ports or a port channel:
switch# configure terminal
switch(config)#
switch(config)# sflow data-source interface ethernet 1/5-12
#sflow data-source interface {ethernet slot/port[-port] | port-channel channel-number}
#For an Ethernet data source, slot is the slot number and port can be either a single port number or a range of ports written as port-port
switch(config)# show sflow
switch(config)# copy running-config startup-config
Verify our configuration:
switch# show running-config sflow [all]
#Displays the current sFlow running configuration
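The steps above state the accepted value ranges and the cases that silently disable sampling (a sampling rate of 0, a 0.0.0.0 collector or agent address). As an added example that is not Cisco's code, the following Python helper encodes those rules, refuses a parameter set that would leave the switch exporting nothing, and emits the configuration lines in the same order as the steps above. The function names (`sflow_problems`, `build_sflow_config`, `default_params`) are hypothetical, and the addresses in the usage block are constructed RFC 5737 documentation addresses.

```python
"""Added example (not Cisco's code): build and sanity-check the Nexus 9000
sFlow configuration described in the steps above."""
import ipaddress
import re

# Integer ranges as stated in the configuration steps above.
RANGES = {
    "sampling_rate": (4096, 1_000_000_000),
    "max_sampled_size": (64, 256),
    "counter_poll_interval": (0, 2_147_483_647),   # 0 disables counter sampling
    "max_datagram_size": (200, 9000),
    "collector_port": (0, 65535),
}

# "ethernet slot/port[-port]" or "port-channel N", the forms sflow data-source accepts.
DATA_SOURCE = re.compile(r"^(ethernet \d+/\d+(-\d+)?|port-channel \d+)$")


def default_params():
    """The values used in the steps above, with 0.0.0.0 placeholders for the addresses."""
    return {
        "sampling_rate": 50000,
        "max_sampled_size": 200,
        "counter_poll_interval": 100,
        "max_datagram_size": 2000,
        "collector_ip": "0.0.0.0",      # must be replaced: 0.0.0.0 disables sampling
        "collector_vrf": "management",
        "collector_port": 6343,
        "agent_ip": "0.0.0.0",          # must be replaced: 0.0.0.0 disables sampling
        "data_sources": [],
    }


def sflow_problems(params):
    """Return a list of human-readable problems; an empty list means the set is sane."""
    problems = []
    for name, (lo, hi) in RANGES.items():
        value = params.get(name)
        if not isinstance(value, int) or not lo <= value <= hi:
            problems.append(f"{name}={value!r} is outside {lo}..{hi}")
    for name in ("collector_ip", "agent_ip"):
        raw = params.get(name)
        try:
            addr = ipaddress.IPv4Address(raw)
        except ValueError:               # covers junk such as the x.x.x.x placeholder
            problems.append(f"{name}={raw!r} is not an IPv4 address")
            continue
        if addr.is_unspecified:
            problems.append(f"{name} 0.0.0.0 disables all sFlow sampling")
    vrf = params.get("collector_vrf", "")
    if not (isinstance(vrf, str) and 0 < len(vrf) <= 32 and vrf.isalnum()):
        problems.append(f"collector_vrf={vrf!r} must be 1..32 alphanumeric characters")
    sources = params.get("data_sources") or []
    if not sources:
        problems.append("no data_sources: nothing will be sampled")
    for src in sources:
        if not DATA_SOURCE.match(src):
            problems.append(f"data source {src!r} is not ethernet slot/port[-port] or port-channel N")
    return problems


def build_sflow_config(params):
    """Return the NX-OS lines to enter in config mode, in the order of the steps above."""
    problems = sflow_problems(params)
    if problems:
        raise ValueError("; ".join(problems))
    p = params
    lines = [
        "feature sflow",
        f"sflow sampling-rate {p['sampling_rate']}",
        f"sflow max-sampled-size {p['max_sampled_size']}",
        f"sflow counter-poll-interval {p['counter_poll_interval']}",
        f"sflow max-datagram-size {p['max_datagram_size']}",
        f"sflow collector-ip {p['collector_ip']} vrf {p['collector_vrf']}",
        f"sflow collector-port {p['collector_port']}",
        f"sflow agent-ip {p['agent_ip']}",
    ]
    lines += [f"sflow data-source interface {src}" for src in p["data_sources"]]
    return lines


if __name__ == "__main__":
    params = default_params()
    # Constructed documentation addresses (RFC 5737), not real hosts.
    params.update(collector_ip="192.0.2.10", agent_ip="192.0.2.1",
                  data_sources=["ethernet 1/5-12", "port-channel 10"])
    print("\n".join(build_sflow_config(params)))
```

Running the script prints the configuration block; feeding it the untouched defaults instead raises, because the 0.0.0.0 addresses would leave the switch with sFlow enabled but sampling nothing, which is exactly the state `show sflow` is there to catch.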
Config for Nexus 7K
Summary
Flexible NetFlow is complex because of its flexibility.
Think of 3 elements:
- What information fields do I want to collect: RECORD
- What interfaces do I want to listen on: MONITOR
- Where do I want to send it: EXPORTER
A user needs to follow the steps in this guide to configure their Cisco Nexus 7k to export flows:
http://www.cisco.com/c/en/us/support/docs/switches/nexus-7000-series-switches/112213-netflow-nexus7000-nsox-configex.html
Apply commands to your Nexus 7k
The following commands need to be applied to your Nexus 7k.
Turn on NetFlow
feature netflow
Create a Flow Exporter
flow exporter GF-FLOWEXPORTER
description Exporter to Gigaflow
source mgmt 0
#Used as the fixed source IP of the sender of flows to GF; tie it to an L3 interface IP, e.g. a loopback
destination 172.16.7.11
transport udp 2055
version 9
Create a Flow Record
flow record GF-FLOWRECORD
description Flow record to be sent to GF
match ipv4 source address
match ipv4 destination address
match ip protocol
match ip tos
match transport source-port
match transport destination-port
collect flow sampler id
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect transport tcp flags
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
Create a Flow Monitor
flow monitor GF-FLOWMONITOR
description Monitor and exporter tie up
exporter GF-FLOWEXPORTER
Apply the Flow Monitor to interfaces. Choose whether you want to cache input, output or both, as seen below; applying both will double-count the traffic.
interface Ethernet1/47
ip flow monitor GF-FLOWMONITOR input
ip flow monitor GF-FLOWMONITOR output
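What the exporter above sends to the collector on UDP 2055 is NetFlow version 9: a template describing the record's fields, followed by data records laid out per that template. As an added example that is neither Cisco's code nor a vendor collector, the following Python decoder parses one export packet carrying the fields the flow record above matches and collects, caching templates per source ID and skipping data that arrives before its template, which is the situation a collector must handle. Field type numbers are the standard NetFlow v9 ones (RFC 3954); the packet is constructed inline with RFC 5737 documentation addresses and private-use ASNs, and `parse_v9` and `build_sample_packet` are hypothetical helper names.

```python
"""Added example (not Cisco's code): minimal NetFlow v9 decoder for the
fields in the GF-FLOWRECORD flow record above."""
import ipaddress
import struct

# Standard NetFlow v9 field types for the record's match/collect fields.
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 5: "src_tos", 6: "tcp_flags",
    7: "l4_src_port", 8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr",
    15: "ipv4_next_hop", 16: "src_as", 17: "dst_as", 21: "last_switched",
    22: "first_switched", 48: "flow_sampler_id",
}
IPV4_FIELDS = {8, 12, 15}
# version, count, sys_uptime, unix_secs, sequence, source_id
HEADER = struct.Struct("!HHIIII")


def decode_field(ftype, raw):
    """Render IPv4 fields as dotted quads, everything else as a big-endian int."""
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates=None):
    """Parse one export packet into (header, flows).

    templates maps (source_id, template_id) -> [(type, length), ...] and is
    updated in place, so a dict shared across calls keeps templates learned
    from earlier packets. Data flowsets with no known template are skipped.
    """
    if templates is None:
        templates = {}
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the v9 header")
    version, _count, uptime, secs, seq, source_id = HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    header = {"sys_uptime": uptime, "unix_secs": secs, "sequence": seq,
              "source_id": source_id}
    flows, offset = [], HEADER.size
    while offset + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, offset)
        if set_len < 4 or offset + set_len > len(packet):
            raise ValueError("bad flowset length")        # never trust the wire
        body = packet[offset + 4:offset + set_len]
        if set_id == 0:                                    # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
        elif set_id >= 256:                                 # data flowset
            fields = templates.get((source_id, set_id)) or []
            rec_len = sum(length for _, length in fields)
            pos = 0
            while rec_len and pos + rec_len <= len(body):   # trailing bytes are padding
                rec = {}
                for ftype, length in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = \
                        decode_field(ftype, body[pos:pos + length])
                    pos += length
                flows.append(rec)
        offset += set_len
    return header, flows


def build_sample_packet():
    """Constructed packet: template 256 with the record's fields, then two data records."""
    fields = [(8, 4), (12, 4), (4, 1), (5, 1), (7, 2), (11, 2), (48, 1), (16, 2),
              (17, 2), (15, 4), (6, 1), (1, 4), (2, 4), (22, 4), (21, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in fields)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def record(src, dst, proto, tos, sport, dport, flags, nbytes, npkts, first, last):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!BBHHB", proto, tos, sport, dport, 1)   # sampler id 1
                + struct.pack("!HH", 64496, 64497)                      # private-use ASNs
                + ipaddress.IPv4Address("192.0.2.1").packed             # next hop
                + struct.pack("!BIIII", flags, nbytes, npkts, first, last))

    recs = (record("198.51.100.7", "192.0.2.25", 6, 0, 51514, 443, 0x1b, 5300, 12, 1000, 1900)
            + record("198.51.100.9", "192.0.2.53", 17, 0, 40000, 53, 0, 120, 1, 1500, 1500))
    data_set = struct.pack("!HH", 256, 4 + len(recs)) + recs
    header = HEADER.pack(9, 3, 2000, 1700000000, 1, 0)   # 1 template + 2 data records
    return header + tmpl_set + data_set


if __name__ == "__main__":
    hdr, flows = parse_v9(build_sample_packet())
    print(hdr)
    for flow in flows:
        print(flow)
```

Once the flows are dictionaries, the fields the record collects are what a detection rule works on: protocol, ports, TCP flags, byte and packet counts, and the sampler ID that tells you how much to scale the counters when the traffic was sampled.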
Config Documentation : https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_Cisco_APIC_and_NetFlow.html
How to configure videos :