Solved: Re: Can't get Netflow to export from Catalyst 3850..

Nay-Sayer · ‎01-16-2018

Can't get Netflow information to export from my 3850 into Solarwinds. I know that Solarwinds is properly collecting Netflow information as it's currently doing so for a pair of ASAs. Below is my Netflow config:

flow record 9550-to-6111
match ipv4 source address
match ipv4 destination address
match interface output
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last

flow exporter Solarwinds
destination 192.168.145.16
source Vlan410
transport udp 2055

flow monitor ATTP2P
exporter Solarwinds
cache timeout active 60
record 9550-to-6111

interface TenGigabitEthernet1/1/4
description ATT DECAMAN 10G TO 6111 N. River Rd N5K-1 1/48
no switchport
ip flow monitor ATTP2P output
ip address 10.101.0.17 255.255.255.240
ip ospf 1 area 0
load-interval 30

3850x-9111-stack#sh flow monitor ATTP2P
Flow Monitor ATTP2P:
Description:       User defined
Flow Record:       9550-to-6111
Flow Exporter:     Solarwinds
Cache:
    Type:                 normal (Platform cache)
    Status:               allocated
    Size:                 Unknown
    Inactive Timeout:     15 secs
    Active Timeout:       60 secs
    Update Timeout:       1800 secs
    Synchronized Timeout: 600 secs

Any idea of what's wrong here?

Thanks.

Francesco Molino · ‎01-16-2018

Here a record that works:

flow record output
match flow direction
match interface output
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes
collect counter packets
collect interface input
collect transport tcp flags

Can you run the command show flow exporter?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎01-16-2018

Hi

Which ios version do you have?
Are you able to ping from your source vlan your Solaris?
If you issue command "show flow monitor cache" or "show flow monitor record", do you see some infos?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Nay-Sayer · ‎01-16-2018

> Which ios version do you have?

Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.06.00E RELEASE SOFTWARE (fc3)

> Are you able to ping from your source vlan your Solaris?

3850x-9111-stack#ping 192.168.145.16 source vlan410

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.145.16, timeout is 2 seconds:

Packet sent with a source address of 10.100.10.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

> If you issue command "show flow monitor cache" or "show flow monitor record", do you see some infos?

This version of IOS doesn’t have the show flow monitor “cache” or show flow monitor “record” options.

3850x-9111-stack#show flow monitor ?

ATTP2P User defined

LAN-V4-IN User defined

LAN-V4-OUT User defined

WLAN-V4-IN User defined

WLAN-V4-OUT User defined

broker Show the flow monitor broker

name Name a specific Flow Monitor

type Type of the Flow Monitor

| Output modifiers

<cr>

3850x-9111-stack#show flow monitor

Francesco Molino · ‎01-16-2018

Which ios license is running?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Nay-Sayer · ‎01-16-2018

> Which ios license is running?

3850x-9111-stack#sh license right-to-use
Slot# License name   Type     Count   Period left
----------------------------------------------------------
1      ipservices   permanent     N/A   Lifetime
1      apcount      adder         50    Lifetime

License Level on Reboot: ipservices

Slot# License name   Type     Count   Period left
----------------------------------------------------------
2      ipservices   permanent     N/A   Lifetime
2      apcount      adder         13    Lifetime

License Level on Reboot: ipservices

Francesco Molino · ‎01-16-2018

Here a record that works:

flow record output
match flow direction
match interface output
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes
collect counter packets
collect interface input
collect transport tcp flags

Can you run the command show flow exporter?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Nay-Sayer · ‎01-17-2018

3850x-9111-stack#sh flow exporter
Flow Exporter PRIME-01:
Description:              User defined
Export protocol:          NetFlow Version 9
Transport Configuration:
    Destination IP address: 192.168.120.140
    Source IP address:      10.100.2.1
    Source Interface:       Loopback0
    Transport Protocol:     UDP
    Destination Port:       9991
    Source Port:            49165
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Used

Flow Exporter Solarwinds:
Description:              User defined
Export protocol:          NetFlow Version 9
Transport Configuration:
    Destination IP address: 192.168.145.16
    Source IP address:      10.100.10.1
    Source Interface:       Vlan410
    Transport Protocol:     UDP
    Destination Port:       2055
    Source Port:            63571
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Used

3850x-9111-stack#

Nay-Sayer · ‎01-17-2018

Looks like my 3850 is now sending Netflow information to my Solarwinds Netflow collector. I will watch and keep you updated.

Thanks

Nay-Sayer · ‎01-17-2018

I tried to apply the flow monitor to the interface inbound and got the following error messages. Do I need to create a separate flow record for inbound traffic?

3850x-9111-stack(config-if)#ip flow monitor ATTP2P input
% Flow Monitor: Flow Monitor 'ATTP2P'
Unsupported match field "interface output" for ipv4 traffic in input direction
Unsupported collect field "interface input" for ipv4 traffic in input direction
3850x-9111-stack(config-if)#

Francesco Molino · ‎01-17-2018

Here a sample config for IN and OUT. You can't apply the OUT record inbound because the match criteria aren't same: (specially match interface)

flow record RECORD-IN
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes
collect counter packets
collect interface output
collect transport tcp flags

flow record RECORD-OUT
match flow direction
match interface output
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes
collect counter packets
collect interface input
collect transport tcp flags

flow monitor MONITOR_IN
exporter EXPORTER
cache timeout inactive 10
cache timeout active 60
record RECORD-IN

flow monitor MONITOR_OUT
exporter EXPORTER
cache timeout inactive 10
cache timeout active 60
record RECORD-OUT

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Nay-Sayer · ‎01-17-2018

That worked, thanks again. Is there a resource available online that explains the ins and outs of Netflow with regard to the Catalyst line of switches?

Francesco Molino · ‎01-17-2018

For sure something should be available on Cisco website. I don't have any link on mind and I'm through my iPhone right now.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

zekebashi · ‎11-15-2019

Very useful!

Thanks, ~zK