Solved: Basic NetFlow setup with SolarWinds

davidmesquita · ‎10-15-2012

Hello

I am trying to setup netflow with on 6509 and SolarWinds NetFlow Traffic Analyzer v3.10.0

The problem I have is that after configuring the basic settings of NetFlow on both side I can't see all the traffic I expected to capture in NetFlow.

The details of my problem.

I want to monitor the traffic on VLAN 20.

In the general configuration of the switch I have entered the following

ip flow-export source vlan 10

ip flow-export version 9

ip flow-export destination 132.5.200.123 8080

Where vlan 10 is the management vlan. Vlan10 can ping 132.5.200.123 no problem.

On VLAN20 interface I configured this

ip flow egress

ip flow ingress

ip route-cache flow

When I go to SolarWinds Netflow Traffic Analyzer I can see maybe 1 or 2 packets flows, like nothing of the data.

If I do a capture of the traffic on VLAN 20 I can see there is loads of IP traffic on that VLAN but why is netflow not capturing the statistics of those flows and reporting it to NetFlow ?

Also can someone explain to me the command "ip flow-export source vlan 10" ?

What am I doing wrong ?

Regards

Don Jacob · ‎10-22-2012

Cisco 6500 requires some additional NetFlow configuration. Please ensure you have configured as below:

Following is the configuration if you are using a Native IOS on your Cisco switch. Kindly use the following commands in sequence to configure NetFlow data export. Go to config mode and execute the following commands:

mls netflow // This enables NetFlow on the Supervisor.

mls nde sender version 7

mls aging long 64 // This breaks up long-lived flows into (roughly) one-minute segments.

mls aging normal 32 // This ensures that flows that have finished are exported in a timely manner.

If you have Supervisor Engine 720, you need to execute the below two commands to put the interface information in the netflow packets.

mls flow ip interface-full

mls nde interface

The next two commands will help to enable NetFlow data export for bridged traffic which is optional. You can specify the list of VLANs here to enable bridged traffic.

ip flow ingress layer2-switched vlan

ip flow export layer2-switched vlan

You can also find more information about these commands in the following Cisco link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/nde.html#wp1047637

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080721701.shtml

Apart from this, please configure the routing module (MSFC) to enable netflow data export using the below commands.

ip route-cache flow // (This command has to be executed on all the L3/VLAN interfaces).

ip flow-export destination {hostname|ip_address} 9996 // The hostname or IP address of the server where NetFlow Analyzer is installed

ip flow-export source {interface} // the interface through which NetFlow packets are exported. eg: FastEthernet 0/0

ip flow-export version 5

ip flow-cache timeout active 1

ip flow-cache timeout inactive 15

snmp-server ifindex persist

Note: Switch ports connected to a etherchannel or a trunk cannot be configured to export netflow data.

Please visit the following link to view additional information about configuring the IOS for NetFlow:

http://www.manageengine.com/products/netflow/help/cisco-netflow/cisco-ios-netflow.html

Regards,

Don Thomas Jacob

www.netflowanalyzer.com

NOTE: Please rate posts and close questions if your query has been answered

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.

View solution in original post

Don Jacob · ‎10-22-2012

Cisco 6500 requires some additional NetFlow configuration. Please ensure you have configured as below:

Following is the configuration if you are using a Native IOS on your Cisco switch. Kindly use the following commands in sequence to configure NetFlow data export. Go to config mode and execute the following commands:

mls netflow // This enables NetFlow on the Supervisor.

mls nde sender version 7

mls aging long 64 // This breaks up long-lived flows into (roughly) one-minute segments.

mls aging normal 32 // This ensures that flows that have finished are exported in a timely manner.

If you have Supervisor Engine 720, you need to execute the below two commands to put the interface information in the netflow packets.

mls flow ip interface-full

mls nde interface

The next two commands will help to enable NetFlow data export for bridged traffic which is optional. You can specify the list of VLANs here to enable bridged traffic.

ip flow ingress layer2-switched vlan

ip flow export layer2-switched vlan

You can also find more information about these commands in the following Cisco link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/nde.html#wp1047637

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080721701.shtml

Apart from this, please configure the routing module (MSFC) to enable netflow data export using the below commands.

ip route-cache flow // (This command has to be executed on all the L3/VLAN interfaces).

ip flow-export destination {hostname|ip_address} 9996 // The hostname or IP address of the server where NetFlow Analyzer is installed

ip flow-export source {interface} // the interface through which NetFlow packets are exported. eg: FastEthernet 0/0

ip flow-export version 5

ip flow-cache timeout active 1

ip flow-cache timeout inactive 15

snmp-server ifindex persist

Note: Switch ports connected to a etherchannel or a trunk cannot be configured to export netflow data.

Please visit the following link to view additional information about configuring the IOS for NetFlow:

http://www.manageengine.com/products/netflow/help/cisco-netflow/cisco-ios-netflow.html

Regards,

Don Thomas Jacob

www.netflowanalyzer.com

NOTE: Please rate posts and close questions if your query has been answered

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.

davidmesquita · ‎10-30-2012

Hi Don

Thank you very much for the answer it was the mls commands that were missing.

One other question related to net flow, what is the granularity of the net flow stats ?

Does it detect millisecond peaks or just pools every second or ??

I know I can configure my backend reporting system to create graphs etc in different time intervals but I am wondering about the actual granularity that the data is captured/sampled.

Regards

Don Jacob · ‎10-30-2012

Hi David,

NetFlow stats are exported from devices based on active and inactive timeout (aging in mls) values. The lowest time period at which information about still active conversation can be exported is 1 minute and the lowest for expired (inactive) conversations is 15 seconds.

Every NetFlow tool in the market is based on a lowest of 1 minute granularity but Solarwinds NTA gets their traffic values (volume, speed, packets) from SNMP polling of interfaces and not NetFlow stats and hence may be able to show in lower granularity for traffic alone.

Hope that helps.

Regards,

Don Thomas Jacob

www.netflowanalyzer.com

NOTE: Please rate posts and close questions if your query has been answered

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.

davidmesquita · ‎10-31-2012

Perfect just the information I was looking for.

Thank you