Overview
This guide explains how to enable NetFlow export on Cisco switches and forward flow statistics to the ADR CCE (Collection and Control Engine). The CCE then forwards flows to the APE (Analytics and Policy Engine) for centralized monitoring, proactive threat detection, and traffic analysis.
In this example, the CCE IP is 40.0.0.2 and the export port is 9995. Replace these with your actual deployment values.
Reference: Cisco NetFlow Switching Guide
Prerequisites
Administrative access to the Cisco switch (console/SSH).
IOS/IOS-XE or NX-OS image that supports NetFlow.
ADR CCE IP address, with UDP port 9995 open.
Correct system date/time on the switch.
Configuration Steps
Enter global configuration mode:
Switch# configure terminal
Enable NetFlow switching:
Switch(config)# ip route-cache flow
Configure flow export to ADR CCE:
Switch(config)# ip flow-export destination 40.0.0.2 9995
Choose export version (v5 or v9):
Switch(config)# ip flow-export version 9
Exit and save:
Switch(config)# end
Switch# write memory
Verification (MSSP Only)
On the Cisco Switch
Check export configuration:
Switch# show ip flow export
This will display destination IP, port, and NetFlow version.
On ADR CCE
Run:
sudo tcpdump -i any port 9995 and host <Switch_IP> -AAA
If flows are configured correctly, packets will appear.
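The tcpdump check only shows that something arrives on port 9995. As an added example (not part of the original article or of the ADR product), the Python check below inspects a captured UDP payload to confirm that its NetFlow header carries the export version configured on the switch and that the switch clock, listed in the prerequisites, agrees with the collector. The function names, the 300-second skew threshold, and the sample packet are assumptions constructed for illustration.

```python
import struct

# The first four header fields are shared by NetFlow v5 and v9 (network byte order).
_COMMON = struct.Struct("!HHII")  # version, count, sysUptime (ms), unix_secs
_HEADER_LEN = {5: 24, 9: 20}      # full header length per export version
_V5_RECORD_LEN = 48               # fixed size of one v5 flow record


def check_export_datagram(payload, expected_version, received_at, max_skew=300):
    """Return a list of problems found in one UDP payload from the exporter.

    expected_version is the version set with 'ip flow-export version';
    received_at is the collector's Unix time; max_skew (seconds) is an
    assumed tolerance, not a product default.
    """
    if len(payload) < _COMMON.size:
        return ["payload too short to be a NetFlow header"]
    version, count, _uptime, unix_secs = _COMMON.unpack_from(payload)
    if version not in _HEADER_LEN:
        return [f"unsupported or non-NetFlow version field: {version}"]
    problems = []
    if version != expected_version:
        problems.append(f"version {version} received, {expected_version} expected")
    if len(payload) < _HEADER_LEN[version]:
        problems.append("truncated header")
    elif version == 5 and len(payload) != 24 + count * _V5_RECORD_LEN:
        problems.append("v5 length does not match record count")
    skew = abs(received_at - unix_secs)
    if skew > max_skew:
        problems.append(f"exporter clock differs from collector by {skew}s")
    return problems


def build_sample_v9(unix_secs):
    """Constructed v9 header with no flowsets, for demonstration only."""
    return struct.pack("!HHIIII", 9, 0, 123456, unix_secs, 1, 0)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed collector time
    print(check_export_datagram(build_sample_v9(now - 2), 9, now))
    print(check_export_datagram(build_sample_v9(now - 86400), 9, now))
    print(check_export_datagram(build_sample_v9(now), 5, now))
```

A clock-skew finding points back to the date/time prerequisite on the switch; a version mismatch points to the `ip flow-export version` line.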
On ADR SIEM UI
- Log in to the ADR SIEM UI.
- Navigate to: System → Logs and Flows Collection Status.