Can't get SPAN to work with NetFlow

acisco
Level 1

Hi guys, having trouble generating NetFlow data using SPAN traffic. I have a 2960 switch and 1841 router. The router is running NetFlow. The switch is running SPAN with a session destination of f0/1, which the router is connected to.

 

The idea is to have NetFlow generate export packets based on this mirrored traffic and send it out through the same port to get to the Internet through another switch (although now that I think about it this is possibly the issue). The collector is in a different network. Everything is in VLAN 1. The SPAN source port is just connected to a regular Windows host to test with. However, the collector isn't getting anything from this. Have verified locally on the router with show ip cache flow and it's not displaying statistics it should e.g. no TCP/web if I use the host to go to a website.

 

I have posted parts of the relevant config (some of the commands I did manually off memory, forgot to bring home backup configs and I can't access them right now). I'm sure it's something simple that I'm missing. I have noticed that the packet count in the output of the switch SPAN destination port vs the input of the router ingress port is vastly different (using "sh int").

 

I have also noticed that the router connection doesn't appear in the switch's MAC address table, although I assume this is to do with the port being a monitor port, e.g. line protocol is naturally down. L1-3 connectivity has already been verified (e.g. from 1841 f0/0 to collector or 1841 f0/0 to 2960 SVI). I have tried v5 and v9 of NetFlow, ip flow ingress vs egress, and different SPAN destination commands, e.g. no ingress, replicate.

 

2960:

interface FastEthernet0/1
 switchport mode access
 no logging event link-status
 no snmp trap link-status
!
monitor session 1 source interface fastethernet0/2 both
monitor session 1 destination interface fastethernet0/1 ingress untagged vlan 1

1841:

interface FastEthernet0/0
 description To 2960 f0/1
 ip address iphere 255.255.255.0
 ip flow ingress
 ip flow egress
 duplex auto
 speed auto
!
ip flow-export version 9
ip flow-export destination iphere 2055

 

Thanks for any assistance with this issue.

1 Reply

rasmus.elmholt
Level 7

Hi

I am not sure you will get this to work on second thoughts. The destination MAC address in all the mirrored packets will not match that of the router and will most likely be discarded.
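
Added example, not part of the original thread: a simplified Python model of the reply's point, showing which SPAN-copied frames a non-promiscuous routed port would hand to layer 3, where a flow cache could count them. The MAC addresses, the frame list and the filter rule (own MAC or broadcast only, multicast left out) are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed addresses from the documentation MAC range
ROUTER_MAC = "00:00:5e:00:53:01"   # 1841 f0/0, attached to the SPAN destination
GATEWAY_MAC = "00:00:5e:00:53:fe"  # the host's real default gateway
HOST_MAC = "00:00:5e:00:53:10"     # Windows host on the SPAN source port
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed frames as SPAN copies them: (dst_mac, src_mac, ethertype, note).
# Mirroring does not rewrite the layer 2 header.
MIRRORED = [
    (GATEWAY_MAC, HOST_MAC, "ipv4", "TCP SYN to web server"),
    (HOST_MAC, GATEWAY_MAC, "ipv4", "TCP SYN-ACK from web server"),
    (GATEWAY_MAC, HOST_MAC, "ipv4", "HTTP GET"),
    (HOST_MAC, GATEWAY_MAC, "ipv4", "HTTP response"),
    (BROADCAST, HOST_MAC, "arp", "ARP who-has gateway"),
]

def accepts(iface_mac, dst_mac):
    """Receive filter of a non-promiscuous port (model assumption)."""
    return dst_mac.lower() in (iface_mac.lower(), BROADCAST)

def classify(iface_mac, frames):
    """Split frames into those handed to layer 3 and those discarded."""
    passed, dropped = [], []
    for frame in frames:
        (passed if accepts(iface_mac, frame[0]) else dropped).append(frame)
    return passed, dropped

def flow_candidates(iface_mac, frames):
    """IPv4 frames that survive the filter: all a flow cache could account."""
    passed, _ = classify(iface_mac, frames)
    return [f for f in passed if f[2] == "ipv4"]

def report(iface_mac, frames):
    """Counts of passed, dropped and flow-eligible frames for one port."""
    passed, dropped = classify(iface_mac, frames)
    return Counter(passed=len(passed), dropped=len(dropped),
                   flow_candidates=len(flow_candidates(iface_mac, frames)))

if __name__ == "__main__":
    print("router port: ", dict(report(ROUTER_MAC, MIRRORED)))
    # For contrast: the same frames at the device they were addressed to
    print("gateway port:", dict(report(GATEWAY_MAC, MIRRORED)))
```

In this model only the ARP broadcast passes the router port's filter, so no IPv4 frame is left for the flow cache, which is consistent with `show ip cache flow` showing no TCP/web entries.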