The OT-BASE Asset Discovery engine can import Netflow data. This data will then be associated with the respective devices. Results can be examined in the device details (use the drop-down menu and select "data flow"). In OT-BASE Asset Center, flow data will be shown in device profiles and network profiles.
In order to use this feature, network switches that support Netflow (or SFlow) must be configured to
a) activate flow data sampling and
b) export flow data to an OT-BASE Asset Discovery node.
In order for an OT-BASE Asset Discovery node to receive and process Netflow data, the only thing you have to do is to check the respective checkbox during installation and provide the port number that your switch will use. Note that these settings can only be set during installation. If you need to apply changes later, you must re-install Asset Discovery.
According to our research, the following models / firmware versions do not support Netflow:
1783-BMS20CGP 15.2(5)EA, 1783-MS10T 15.2(5)EA, Stratix 5700 Version 15.2(1)EY1, WS-C2955T-12 12.1(22)EA6, WS-C2960+48TC-L 15.0(2)SE7, WS-C2960-48TC-L 12.2(50)SE5, WS-C2960-48TC-L 12.2(55)SE5, WS-C2960-48TC-L 12.2(55)SE7, WS-C2960-48TC-L Version 12.2(55)SE7, WS-C2960-48TC-L Version 15.0(2)SE7, WS-C2960S-48TS-L Version 15.0(2)SE7
In this case, a remedy could be to either replace a switch with a model that does support Netflow, or, if that is not possible, to use a Netflow collector (software product) that transforms packet captures from a SPAN port into Netflow data.
Netflow-lite is a stripped-down version of Netflow that cannot be processed by OT-BASE Asset Discovery. A remedy could be to use a Netflow collector (software product) that transforms Netflow-lite into Netflow data. The following switches support only Netflow-lite, not Netflow:
WS-C2960X-48LPS-L 15.2(2)E5, WS-C2960X-48LPS-L 15.2(2)E7, WS-C2960X-48TS-L 15.2(2)E7
According to our research, the following switches do support Netflow; however, this also depends on the installed software and licenses:
1783-HMS16TG4CGN Version 15EASE SOFTWARE (fc4), 1783-IMS28GRAC 15.2(5)EA, WS-C3750X-48T-E 15.0(2)SE5, WS-C3850-12XS 16.3.5b, WS-C3850-12XS-S 16.3.6, WS-C6506-E 15.1(2)SY7
Configuration for switches supporting Netflow
- From the Configure menu, choose NetFlow.
- On the Configure NetFlow tab, click Add.
- Complete these fields:
  - Configuration Name: <choose a name>
  - Netflow Template: APPLICATION_TRAFFIC
  - Collector IP Address: IP address of the OT-BASE Asset Discovery node that collects Netflow data
  - Switch source address: IP address of the switch from which data is sent to the collector
  - Sampling Mode: deterministic
  - Sampling Rate: 128
To apply a NetFlow configuration to ports, follow these steps.
- From the Configure menu, choose NetFlow.
- Click the Apply NetFlow tab.
- To select a port, click the port name and click Edit.
- You can select multiple ports and apply the same NetFlow configuration to them at one time.
- On the Apply NetFlow Configuration dialog box, choose the NetFlow configuration to apply to the port and click OK.
Configuring a Flow Record using the command line interface:
    flow record ot-base
     match ipv4 source address
     match ipv4 destination address
     match flow direction
     match ipv4 protocol
     match transport source-port
     match transport destination-port
     collect timestamp sys-uptime first
     collect timestamp sys-uptime last
Creating a Flow Exporter using the command line interface:
    flow exporter ot-base-exporter
     destination <ip address of OT-BASE Asset Discovery>
     transport udp <port number of OT-BASE Asset Discovery netflow collector>
Creating a Flow Monitor using the command line interface:
    flow monitor ot-base-monitor
     record ot-base
     exporter ot-base-exporter
Creating a Flow Sampler using the command line interface:
    sampler ot-base-sampler
     mode random 1 out-of 128
Applying a Flow to an Interface using the command line interface:
    enable
    configure terminal
    ! use the interface type and number of the switch port, e.g. GigabitEthernet1/0/1
    interface <interface type of switch and number>
     ip flow monitor ot-base-monitor sampler ot-base-sampler input
Enable Netflow using the command line interface:
    mls flow ip full
    ! repeat for every interface that should be monitored
    interface <interface name>
     ip route-cache flow
Configure data export using the command line interface:
    mls nde sender version 5
    ip flow-export source <interface name>
    ip flow-export destination <ip address of OT-BASE Asset Discovery> <port number>