cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5279
Views
15
Helpful
12
Replies

Can't get Netflow to export from Catalyst 3850..

Nay-Sayer
Level 1
Level 1

Can't get Netflow information to export from my 3850 into Solarwinds.  I know that Solarwinds is properly collecting Netflow information as it's currently doing so for a pair of ASAs.  Below is my Netflow config:

 

flow record 9550-to-6111
 match ipv4 source address
 match ipv4 destination address
 match interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last

 

flow exporter Solarwinds
 destination 192.168.145.16
 source Vlan410
 transport udp 2055

 

flow monitor ATTP2P
 exporter Solarwinds
 cache timeout active 60
 record 9550-to-6111

 

interface TenGigabitEthernet1/1/4
 description ATT DECAMAN 10G TO 6111 N. River Rd N5K-1 1/48
 no switchport
 ip flow monitor ATTP2P output
 ip address 10.101.0.17 255.255.255.240
 ip ospf 1 area 0
 load-interval 30

 

3850x-9111-stack#sh flow monitor ATTP2P
Flow Monitor ATTP2P:
  Description:       User defined
  Flow Record:       9550-to-6111
  Flow Exporter:     Solarwinds
  Cache:
    Type:                 normal (Platform cache)
    Status:               allocated
    Size:                 Unknown
    Inactive Timeout:     15 secs
    Active Timeout:       60 secs
    Update Timeout:       1800 secs
    Synchronized Timeout: 600 secs

 

 

Any idea of what's wrong here?

 

Thanks.

 

1 Accepted Solution

Accepted Solutions

Here a record that works:

flow record output
match flow direction
match interface output
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes
collect counter packets
collect interface input
collect transport tcp flags

Can you run the command show flow exporter?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

12 Replies 12

Francesco Molino
VIP Alumni
VIP Alumni
Hi

Which ios version do you have?
Are you able to ping from your source vlan your Solaris?
If you issue command "show flow monitor cache" or "show flow monitor record", do you see some infos?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

> Which ios version do you have?

 

Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.06.00E RELEASE SOFTWARE (fc3)

 

 

> Are you able to ping from your source vlan your Solaris?

 

3850x-9111-stack#ping 192.168.145.16 source vlan410

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.145.16, timeout is 2 seconds:

Packet sent with a source address of 10.100.10.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

 

 

> If you issue command "show flow monitor cache" or "show flow monitor record", do you see some infos?

 

This version of IOS doesn’t have the show flow monitor “cache” or show flow monitor “record” options. 

 

3850x-9111-stack#show flow monitor ?

  ATTP2P                             User defined

  LAN-V4-IN                        User defined

  LAN-V4-OUT                    User defined

  WLAN-V4-IN                    User defined

  WLAN-V4-OUT                User defined

  broker                               Show the flow monitor broker

  name                                 Name a specific Flow Monitor

  type                                   Type of the Flow Monitor

  |                                         Output modifiers

  <cr>

 

3850x-9111-stack#show flow monitor

 

Which ios license is running?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

> Which ios license is running?

 

3850x-9111-stack#sh license right-to-use
 Slot#  License name   Type     Count   Period left
----------------------------------------------------------
 1      ipservices   permanent     N/A   Lifetime
 1      apcount      adder         50    Lifetime

License Level on Reboot: ipservices


 Slot#  License name   Type     Count   Period left
----------------------------------------------------------
 2      ipservices   permanent     N/A   Lifetime
 2      apcount      adder         13    Lifetime

License Level on Reboot: ipservices

 

Here a record that works:

flow record output
match flow direction
match interface output
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes
collect counter packets
collect interface input
collect transport tcp flags

Can you run the command show flow exporter?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

3850x-9111-stack#sh flow exporter
Flow Exporter PRIME-01:
  Description:              User defined
  Export protocol:          NetFlow Version 9
  Transport Configuration:
    Destination IP address: 192.168.120.140
    Source IP address:      10.100.2.1
    Source Interface:       Loopback0
    Transport Protocol:     UDP
    Destination Port:       9991
    Source Port:            49165
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Used

Flow Exporter Solarwinds:
  Description:              User defined
  Export protocol:          NetFlow Version 9
  Transport Configuration:
    Destination IP address: 192.168.145.16
    Source IP address:      10.100.10.1
    Source Interface:       Vlan410
    Transport Protocol:     UDP
    Destination Port:       2055
    Source Port:            63571
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Used


3850x-9111-stack#

Looks like my 3850 is now sending Netflow information to my Solarwinds Netflow collector.  I will watch and keep you updated. 

 

Thanks

I tried to apply the flow monitor to the interface inbound and got the following error messages. Do I need to create a separate flow record for inbound traffic?

3850x-9111-stack(config-if)#ip flow monitor ATTP2P input
% Flow Monitor: Flow Monitor 'ATTP2P'
Unsupported match field "interface output" for ipv4 traffic in input direction
Unsupported collect field "interface input" for ipv4 traffic in input direction
3850x-9111-stack(config-if)#

Here a sample config for IN and OUT. You can't apply the OUT record inbound because the match criteria aren't same: (specially match interface)

 

flow record RECORD-IN
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes
collect counter packets
collect interface output
collect transport tcp flags

flow record RECORD-OUT
match flow direction
match interface output
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes
collect counter packets
collect interface input
collect transport tcp flags

flow monitor MONITOR_IN
exporter EXPORTER
cache timeout inactive 10
cache timeout active 60
record RECORD-IN

flow monitor MONITOR_OUT
exporter EXPORTER
cache timeout inactive 10
cache timeout active 60
record RECORD-OUT


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

That worked, thanks again. Is there a resource available online that explains the ins and outs of Netflow with regard to the Catalyst line of switches?

For sure something should be available on Cisco website. I don't have any link on mind and I'm through my iPhone right now.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Very useful!

 

 

Thanks, ~zK

Review Cisco Networking for a $25 gift card