06-12-2018 05:20 AM - edited 03-01-2019 06:38 PM
Hello supportforums!
Got a Cisco ISR 4431 SEC-K9:

ISR#show version
Cisco IOS XE Software, Version 03.16.04b.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S4b, RELEASE SOFTWARE (fc1)
System image file is "bootflash:isr4400-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin"

with a NIM-ES2-4 module installed.
All 4 interfaces of that module are configured in access mode in a VLAN 23, up and running.
I configured FNF on the router; these are the configurations for the flow records:

ISR#show flow record NETFLOW
flow record NETFLOW:
  Description:        User defined
  No. of users:       1
  Total field space:  55 bytes
  Fields:
    match ipv4 protocol
    match ipv4 source address
    match ipv4 destination address
    match transport source-port
    match transport destination-port
    match transport tcp source-port
    match transport tcp destination-port
    match transport udp source-port
    match transport udp destination-port
    match interface input
    match flow direction
    match application name
    collect interface output
    collect counter bytes
    collect counter packets
    collect connection initiator
    collect connection client ipv4 address
    collect connection client transport port
    collect connection server ipv4 address
    collect connection server transport port

ISR# show flow record NETFLOW_OUT
flow record NETFLOW_OUT:
  Description:        User defined
  No. of users:       1
  Total field space:  55 bytes
  Fields:
    match ipv4 protocol
    match ipv4 source address
    match ipv4 destination address
    match transport source-port
    match transport destination-port
    match transport tcp source-port
    match transport tcp destination-port
    match transport udp source-port
    match transport udp destination-port
    match interface output
    match flow direction
    match application name
    collect interface input
    collect counter bytes
    collect counter packets
    collect connection initiator
    collect connection client ipv4 address
    collect connection client transport port
    collect connection server ipv4 address
    collect connection server transport port
which are bound to flow monitors:
ISR#show run flow monitor NETFLOW
Current configuration:
!
flow monitor NETFLOW
 exporter PRTG
 cache timeout inactive 60
 cache timeout active 60
 cache timeout update 60
 record NETFLOW
!

ISR#show run flow monitor NETFLOW_OUT
Current configuration:
!
flow monitor NETFLOW_OUT
 exporter PRTG
 cache timeout inactive 60
 cache timeout active 60
 cache timeout update 60
 record NETFLOW_OUT
!
using the same exporter.
Now I have that VLAN 23 interface, on which I apply the flow monitors in both directions:

ISR#show run int vlan 23
Building configuration...

Current configuration : 196 bytes
!
interface Vlan23
 description -----
 ip address 172.16.23.102 255.255.255.0
 ip nat inside
 ip flow monitor NETFLOW input
 ip flow monitor NETFLOW_OUT output
 ip virtual-reassembly
end

The problem is that there are no entries when I run:

ISR#show flow monitor NETFLOW_OUT cache format table
  Cache type:                            Normal (Platform cache)
  Cache size:                            200000
  Current entries:                       0
  Flows added:                           0
  Flows aged:                            0
There are no cache entries to display.
I understand that if this were configured on a physical interface it would be working, as on our other ISR 4321 routers, even with one flow record and monitor; I just decided to go with separate records and monitors to check whether it works for me.
The question: is it possible to configure both input and output NetFlow on a VLAN interface, or is a router worth $14000 not capable of doing such a thing?
06-13-2018 11:11 PM
Any Cisco representative here?
So an old Cisco 871 with
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(24)T8, RELEASE SOFTWARE (fc1)
can do such a thing, but a 4400 series ISR cannot?
06-19-2018 11:45 PM
Sad story.
12-05-2019 10:41 AM - edited 12-05-2019 10:42 AM
In order to provide a response to this query for the record:
Unfortunately there is not a lot of information about this limitation when researching older code versions; however, in the latest documents Cisco has included this limitation:
Flexible NetFlow is not supported on Switch Virtual Interface (SVI)
12-08-2019 11:50 PM
What a shame.
Here is the output from one of the Cisco 871s:

c800_R14#show run int vlan 1
Building configuration...

Current configuration : 402 bytes
!
interface Vlan1
 description LAN
 ip address 172.16.46.1 255.255.255.0
 ip flow monitor NETFLOW input
 ip flow monitor NETFLOW output
 ip nat inside
 ip virtual-reassembly
 rate-limit input access-group 199 2048000 64000 64000 conform-action transmit exceed-action drop
 rate-limit output access-group 199 2048000 64000 64000 conform-action transmit exceed-action drop
 ip tcp adjust-mss 1452
end

c800_R14#show version
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(24)T8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Sun 09-Sep-12 09:09 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

c800_R14 uptime is 2 weeks, 5 days, 20 hours, 24 minutes
System returned to ROM by power-on
System restarted at 13:16:43 EET Tue Nov 19 2019
System image file is "flash:c870-advsecurityk9-mz.124-24.T8.bin"

It's somewhat funny and sad at the same time that an old router can do it and a new one can't.
c800_R14#show flow monitor NETFLOW cache
  Cache type:                            Normal
  Cache size:                            4096
  Current entries:                       702
  High Watermark:                        2395
  Flows added:                           7766545
  Flows aged:                            7765843
    - Active timeout    (    60 secs)    7765800
    - Inactive timeout  (    60 secs)         43
    - Event aged                               0
    - Watermark aged                           0
    - Emergency aged                           0

IPV4 SRC ADDR    IPV4 DST ADDR    TRNS SRC PORT  TRNS DST PORT  TCP SRC PORT  TCP DST PORT  UDP SRC PORT  UDP DST PORT  INTF OUTPUT  FLOW DIRN  IP PROT  intf input  bytes   pkts
===============  ===============  =============  =============  ============  ============  ============  ============  ===========  =========  =======  ==========  ======  ====
52.109.124.22    172.16.46.19     443            49556          443           49556         0             0             Vl1          Output     6        Fa4         40      1
172.16.46.51     172.16.1.132     63060          53             0             0             63060         53            Null         Input      17       Vl1         66      1
172.16.1.132     172.16.46.51     53             63060          0             0             53            63060         Vl1          Output     17       Fa4         82      1
172.16.46.51     172.217.18.106   55041          443            0             0             55041         443           Fa4          Input      17       Vl1         6982    6
172.16.46.2      40.74.32.146     53604          443            53604         443           0             0             Fa4          Input      6        Vl1         2978    6
40.74.32.146     172.16.46.2      443            53604          443           53604         0             0             Vl1          Output     6        Fa4         669     4
172.16.1.20      172.16.46.247    46138          80             46138         80            0             0             Vl1          Output     6        Fa4         279     6
172.16.46.247    172.16.1.20      80             46138          80            46138         0             0             Null         Input      6        Vl1         1872    18
172.16.46.51     172.217.22.99    49484          443            49484         443           0             0             Fa4          Input      6        Vl1         965     9
172.217.22.99    172.16.46.51     443            49484          443           49484         0             0             Vl1          Output     6        Fa4         5243    8
172.16.46.28     172.16.1.206     63386          53             0             0             63386         53            Null         Input      17       Vl1         66      1
172.16.1.206     172.16.46.28     53             63386          0             0             53            63386         Vl1          Output     17       Fa4         82      1
172.16.46.28     172.16.1.206     50606          53             0             0             50606         53            Null         Input      17       Vl1         66      1
172.16.1.206     172.16.46.28     53             50606          0             0             53            50606         Vl1          Output     17       Fa4         82      1
172.16.46.28     172.16.1.206     53029          53             0             0             53029         53            Null         Input      17       Vl1         66      1
172.16.1.206     172.16.46.28     53             53029          0             0             53            53029         Vl1          Output     17       Fa4         123     1
172.16.1.190     172.16.46.28     80             50447          80            50447         0             0             Vl1          Output     6        Fa4         425     6
23.111.104.36    172.16.46.24     443            51912          443           51912         0             0             Vl1          Output     6        Fa4         2062    7
172.16.46.24     88.212.236.148   51913          443            51913         443           0             0             Fa4          Input      6        Vl1         3574    50
88.212.236.148   172.16.46.24     443            51913          443           51913         0             0             Vl1          Output     6        Fa4         135940  97
172.16.46.24     95.213.182.98    51914          443            51914         443           0             0             Fa4          Input      6        Vl1         1607    10
95.213.182.98    172.16.46.24     443            51914          443           51914         0             0             Vl1          Output     6        Fa4         1682    8
172.16.46.26     172.16.1.190     61070          80             61070         80            0             0             Null         Input      6        Vl1         1363    6
172.16.1.190     172.16.46.26     80             61070          80            61070         0             0             Vl1          Output     6        Fa4         578     5
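As an added example (not code from the thread or from Cisco), a small Python check that parses the "show flow monitor ... cache" table output posted above and reports whether an interface is seeing flows in both directions, so a monitor that silently collects nothing (like the empty NETFLOW_OUT cache on the ISR 4431) fails the check instead of leaving a blind spot in the export. The sample inputs are taken from the two cache dumps in this thread; the interface names Vl1, Fa4 and Vlan23 are those used in the posts.

```python
from collections import Counter

# Sample 1: the empty NETFLOW_OUT cache from the ISR 4431 in this thread.
ISR4431_EMPTY = """\
Cache type: Normal (Platform cache)
Current entries: 0
There are no cache entries to display.
"""

# Sample 2: six rows taken from the Cisco 871 cache dump in this thread.
C871_CACHE = """\
IPV4 SRC ADDR IPV4 DST ADDR TRNS SRC PORT TRNS DST PORT TCP SRC PORT TCP DST PORT UDP SRC PORT UDP DST PORT INTF OUTPUT FLOW DIRN IP PROT intf input bytes pkts
=============== =============== ============= ============= ============ ============ ============ ============ =========== ========= ======= ========== ====== ====
52.109.124.22 172.16.46.19 443 49556 443 49556 0 0 Vl1 Output 6 Fa4 40 1
172.16.46.51 172.16.1.132 63060 53 0 0 63060 53 Null Input 17 Vl1 66 1
172.16.1.132 172.16.46.51 53 63060 0 0 53 63060 Vl1 Output 17 Fa4 82 1
172.16.46.51 172.217.18.106 55041 443 0 0 55041 443 Fa4 Input 17 Vl1 6982 6
172.16.46.2 40.74.32.146 53604 443 53604 443 0 0 Fa4 Input 6 Vl1 2978 6
40.74.32.146 172.16.46.2 443 53604 443 53604 0 0 Vl1 Output 6 Fa4 669 4
"""

def parse_cache(text):
    """Parse 'show flow monitor <name> cache [format table]' output into dicts.
    Data rows follow the '====' separator line; an empty cache yields []."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("==="):
            in_table = True
            continue
        f = line.split()
        if in_table and len(f) == 14:  # the 14-column layout of this record
            rows.append({"src": f[0], "dst": f[1], "intf_out": f[8],
                         "direction": f[9], "proto": int(f[10]),
                         "intf_in": f[11], "bytes": int(f[12]), "pkts": int(f[13])})
    return rows

def direction_coverage(rows, intf):
    """Map direction -> (flows, bytes) seen on `intf`. An Input flow belongs to
    the interface in 'intf input', an Output flow to the one in 'INTF OUTPUT'."""
    flows, octets = Counter(), Counter()
    for r in rows:
        seen_on = r["intf_in"] if r["direction"] == "Input" else r["intf_out"]
        if seen_on == intf:
            flows[r["direction"]] += 1
            octets[r["direction"]] += r["bytes"]
    return {d: (flows[d], octets[d]) for d in flows}

def monitor_is_working(text, intf):
    """True only if the cache holds flows in both directions on `intf`."""
    cov = direction_coverage(parse_cache(text), intf)
    return "Input" in cov and "Output" in cov
```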