I want to use NetFlow on our L3 switches, but my configuration doesn't work.
What is my mistake?
Software Version: 15.0(1)SE3
! Flow record: the key fields (match) and the collected fields
flow record Record-FNF
 description Flexible NetFlow with NBAR Flow Record
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect routing next-hop address ipv4
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
!
! Flow exporter: where the records are sent
flow exporter Export-FNF
 destination [NetFlow collector IP address]
 transport udp 9001
!
! Flow monitor: ties the record and the exporter together; without these
! two references the monitor has nothing to cache and nothing to export
flow monitor Monitor-FNF
 description FNF/NBAR Application Traffic Analysis
 record Record-FNF
 exporter Export-FNF
 cache timeout active 60
 cache timeout inactive 10
!
! Apply the monitor to the SVI in both directions
interface vlan 250
 ip flow monitor Monitor-FNF input
 ip flow monitor Monitor-FNF output
Silly question, but do you have a network services module installed?
From the documentation: "Flexible NetFlow is supported only on the Catalyst 3750-X and 3560-X switch running the IP base or IP services feature set and equipped with the network services module. It is not supported on switches running the NPE or the LAN base image."
It actually also mentions: "NetFlow analysis is performed on traffic crossing the physical interfaces on the network services module."
No, there is no network services module installed.
I tried to configure NetFlow with the classic syntax, and it also doesn't work:
! Global classic (traditional) NetFlow settings
ip flow-cache timeout active 5
ip flow-export source Vlan50
ip flow-export version 9
ip flow-export destination [ip] [port]
!
! Enable ingress flow accounting on the SVI
interface vlan 250
 ip flow ingress
Is it possible to configure NetFlow on VLAN interfaces?
If not, how could I collect NetFlow data on switches?
Most Cisco switches have either poor or no NetFlow support. The newer 2900 series models and 3650/3850 are adding in some better support due to the type of ASICs they use, but the preferred platform for NetFlow is either a router, an ASA or a high-end switch such as a 6500 series.
As the earlier poster indicated, the 3750-X and 3560-X require the service module to export NetFlow records at all.
OK, thank you.
I thought that if a command can be entered in the config, it is supported... :-/
So, a general question: do you know of other possibilities to monitor traffic on switches? (I cannot use mirror ports.)
We typically monitor interface utilization as necessary (for instance certain server ports, uplinks between access and core/distribution layers, WAN links, etc.) on a switch using any general-purpose SNMP management tool (Cacti (open source), What's Up Gold, SolarWinds NPM, Cisco Prime Infrastructure, etc.). ifInOctets and ifOutOctets are the most commonly used statistics.
Mostly we don't look at individual user ports across an enterprise because it's too much data for most organizations to use effectively.
Interface monitoring doesn't give you the level of visibility that NetFlow does, but there are usually places in the network where we can instrument NetFlow and extract useful information from there.
If you would really like to see flow data, you could mirror the switch port to a third-party NetFlow probe. NTOP offers something for this, and it's open source. Check it out here: http://www.ntop.org/products/nprobe
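Added example, not code from the thread or from any of the tools named in it: the counter arithmetic behind the SNMP interface-utilization monitoring suggested above (ifInOctets/ifOutOctets), including the 32-bit counter-wrap problem that bites on uplinks. The OIDs are the standard IF-MIB ones; the helper names, the 100 Mbps uplink and the counter readings are constructed for this example so that it runs offline without a switch to poll.

```python
"""Interface utilization from SNMP octet counters (IF-MIB, RFC 2863).

Example code only. It shows what a poller such as Cacti or SolarWinds does
with ifInOctets/ifOutOctets between two polls, and why the 64-bit HC counters
are needed on fast links. Polling itself is left to snmpget/snmpwalk/pysnmp;
the samples at the bottom are constructed, not captured from a real switch.
"""
from dataclasses import dataclass

# Standard IF-MIB object identifiers; append .<ifIndex> to read one interface.
OID_IF_IN_OCTETS = "1.3.6.1.2.1.2.2.1.10"        # ifInOctets, Counter32
OID_IF_OUT_OCTETS = "1.3.6.1.2.1.2.2.1.16"       # ifOutOctets, Counter32
OID_IF_HC_IN_OCTETS = "1.3.6.1.2.1.31.1.1.1.6"   # ifHCInOctets, Counter64
OID_IF_HC_OUT_OCTETS = "1.3.6.1.2.1.31.1.1.1.10"  # ifHCOutOctets, Counter64
OID_IF_SPEED = "1.3.6.1.2.1.2.2.1.5"             # ifSpeed, bits per second

COUNTER32_MODULUS = 1 << 32
COUNTER64_MODULUS = 1 << 64


@dataclass(frozen=True)
class OctetSample:
    """One poll of an interface: poll time in seconds plus both octet counters."""
    ts: float
    in_octets: int
    out_octets: int


def counter_delta(old: int, new: int, modulus: int = COUNTER32_MODULUS) -> int:
    """Octets counted between two readings, tolerating a single counter wrap.

    A wrap shows up as new < old; modular subtraction recovers the true delta
    provided the counter wrapped at most once during the interval.
    """
    if not (0 <= old < modulus and 0 <= new < modulus):
        raise ValueError("counter value outside the declared counter width")
    return (new - old) % modulus


def wrap_seconds(if_speed_bps: int, modulus: int = COUNTER32_MODULUS) -> float:
    """Shortest time in which a link running at line rate wraps the counter.

    If the poll interval is longer than this, the delta is ambiguous and the
    64-bit HC counters must be used instead.
    """
    return modulus * 8 / if_speed_bps


def utilization(prev: OctetSample, cur: OctetSample, if_speed_bps: int,
                modulus: int = COUNTER32_MODULUS) -> dict:
    """Bits per second and percent utilization per direction between two polls."""
    interval = cur.ts - prev.ts
    if interval <= 0:
        raise ValueError("samples must be in increasing time order")
    if interval > wrap_seconds(if_speed_bps, modulus):
        raise ValueError("poll interval too long for this counter width; use HC counters")
    in_bps = counter_delta(prev.in_octets, cur.in_octets, modulus) * 8 / interval
    out_bps = counter_delta(prev.out_octets, cur.out_octets, modulus) * 8 / interval
    return {
        "in_bps": in_bps,
        "out_bps": out_bps,
        "in_pct": 100.0 * in_bps / if_speed_bps,
        "out_pct": 100.0 * out_bps / if_speed_bps,
    }


def flag_busy_intervals(samples, if_speed_bps: int, threshold_pct: float = 80.0,
                        modulus: int = COUNTER32_MODULUS):
    """Return (ts, direction, pct) for every poll interval at or above the threshold."""
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        u = utilization(prev, cur, if_speed_bps, modulus)
        for direction in ("in", "out"):
            pct = u[f"{direction}_pct"]
            if pct >= threshold_pct:
                alerts.append((cur.ts, direction, round(pct, 1)))
    return alerts


# Constructed sample data: a 100 Mbps uplink polled every 60 s. The first
# interval crosses a 32-bit wrap on the inbound counter; the second carries
# 675,000,000 octets inbound, i.e. 90 Mbps.
UPLINK_SPEED_BPS = 100_000_000
SAMPLES = [
    OctetSample(0.0, 4_294_467_296, 1_000_000),
    OctetSample(60.0, 250_000, 1_750_000),
    OctetSample(120.0, 675_250_000, 2_500_000),
]

if __name__ == "__main__":
    for ts, direction, pct in flag_busy_intervals(SAMPLES, UPLINK_SPEED_BPS):
        print(f"t={ts:.0f}s {direction}bound at {pct}% of {UPLINK_SPEED_BPS // 1_000_000} Mbps")
```

To feed it real data, poll on a fixed interval with something like `snmpget -v2c -c <community> <switch> IF-MIB::ifHCInOctets.<ifIndex> IF-MIB::ifHCOutOctets.<ifIndex>` and build one OctetSample per poll. On a gigabit uplink polled every minute the 32-bit counters can wrap inside a single interval (about 34 s at line rate), which is why the example refuses to compute a figure in that case rather than silently reporting a wrong one.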