04-21-2016 10:08 AM
Hello,
We have a Cisco 3650 with IOS-XE v03.03.05SE configured as a border router, and running IP Services.
Our problem is that netflow data for virtual interfaces (VLANs) are not exported with their respective ifindex.
All physical links are trunks and VLANs (on subinterfaces) are used for actual terminations.
Netflow (v9) is configured as follows (using Flexible Net Flow - FNF):
flow record CiscoXE1
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
collect transport tcp flags
collect interface output
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last
!
flow exporter ipv4exporter
destination 195.251.204.<removed>
source Loopback0
!
flow monitor ipv4monitor
exporter ipv4exporter
cache timeout active 15000
record CiscoXE1
!
vlan configuration 4,8,25,102,133,135
ip flow monitor ipv4monitor input
!
Here is some sample raw data received on the collector (last octet of ip addresses has been replaced with xxx):
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 4
size = 64
first = 1461155049 [2016-04-20 15:24:09]
last = 1461155049 [2016-04-20 15:24:09]
msec_first = 154
msec_last = 154
src addr = 195.251.204.xxx
dst addr = 194.177.210.xxx
src port = 46462
dst port = 53
fwd status = 0
tcp flags = 0x00 ......
proto = 17 UDP
(src)tos = 0
(in)packets = 1
(in)bytes = 61
input = 27
output = 0
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 4
size = 64
first = 1461155039 [2016-04-20 15:23:59]
last = 1461155063 [2016-04-20 15:24:23]
msec_first = 154
msec_last = 154
src addr = 195.251.203.xxx
dst addr = 183.3.202.xxx
src port = 22
dst port = 60979
fwd status = 0
tcp flags = 0x1b .AP.SF
proto = 6 TCP
(src)tos = 0
(in)packets = 22
(in)bytes = 3413
input = 3
output = 0
If I understand right, input/output fields in flow records should contain the ifindex of the interface. It seems that the physical interface ifindex is recorded rather than the vlan ifindex.
Is there something wrong with the above configuration?
For your information and as an example, here is the setup of the main (virtual) interface, VLAN 102 which is the transfer channel from/to the ISP:
! The physical interface (ifindex 27)
!
interface GigabitEthernet1/1/1
description === EDET LINE ===
switchport mode trunk
spanning-tree bpdufilter enable
!
! The virtual interface (ifindex 43)
!
interface Vlan102
ip address <removed> 255.255.255.254
ip access-group 100 in
ip access-group 101 out
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path 103
ipv6 address <removed>
ipv6 enable
!
Note: If I try to configure netflow in the "conventional" way, it's not possible:
(config)# interface vlan 102
(config-if)#ip flow monitor ipv4monitor input
% Flow Monitor: Flow Monitor 'ipv4monitor' flexible netflow not supported on vlan interfaces
It seems to be only possible to configure netflow in "vlan configuration" mode, as I have done.
So, how can the vlan interface ifindex be included in netflow export?
Any ideas or suggestions please?
Thanks in advance,
Nick
04-22-2016 03:44 AM
I have now modified the configuration as follows:
flow record ipv4-xe-1
match ipv4 version
match ipv4 tos
match ipv4 ttl
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
collect transport tcp flags
collect interface output
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last
!
flow exporter ipv4exporter
destination 195.251.204.<removed>
source Loopback0
!
flow monitor ipv4monitor
exporter ipv4exporter
cache timeout active 15000
record ipv4-xe-1
!
vlan configuration 4,8,25,102,133,135
ip flow monitor ipv4monitor input
!
Now I see that seemingly most flows include an "input" field value of 33, which I understand corresponds to:
#show snmp mib ifmib ifindex | i 33
StackSub-St1-2: Ifindex = 33
FYI, the physical topology is:
Interface Status Protocol Description
Vl1 admin down down
Vl4 up up *** Wireless Link 1 - Data-Channel ***
Vl8 up up *** Wireless Link 2 - Data-Channel ***
Vl25 up up *** UPLINK TO INTERNAL NET (FW DEVICE) ***
Vl102 up up *** TO ISP ***
Vl133 up up *** L2VPN TO CAMPUS 2 ***
Vl135 up up *** L2VPN TO CAMPUS 3 ***
Gi0/0 down down
Gi1/0/1 up up ETHERCHANNEL TO INTERNAL NET - MEMBER 1
Gi1/0/2 up up ETHERCHANNEL TO INTERNAL NET - MEMBER 2
Gi1/0/3 up up ETHERCHANNEL TO INTERNAL NET - MEMBER 3
Gi1/0/4 up up ETHERCHANNEL TO INTERNAL NET - MEMBER 4
... down down
Gi1/0/11 up up *** WiFi UPLINK 1 ***
Gi1/0/12 up up *** WiFi UPLINK 2 ***
... down down
Gi1/1/1 up up *** ISP LINK ***
... down down
Po1 up up *** ETHERCHANNEL TO INTERNAL NET ***
Lo0 up up
But what interface does this "StackSub-St1-2: Ifindex = 33" correspond to?
And finally... how can we include vlan ifindexes in flows?
All my experiments have been fruitless.
Please advise.
Thanks,
Nick
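Added example (not part of the posts above and not Cisco or collector code): a small Python parser for the raw flow record layout quoted in the thread that resolves each record's input ifIndex against an ifIndex table and labels it as SVI, physical, other or unknown, which makes it easy to see on the collector side which kind of interface the exporter is reporting. The sample text is constructed from the posted fields, the table holds only the three ifIndex values stated in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample in the raw record layout shown in the posts, trimmed to the
# fields used here; addresses keep the thread's "xxx" masking.
SAMPLE = """\
Flow Record:
  src addr     =  195.251.204.xxx
  dst addr     =  194.177.210.xxx
  input        =  27
Flow Record:
  src addr     =  195.251.203.xxx
  dst addr     =  183.3.202.xxx
  input        =  3
"""

# ifIndex -> interface name, limited to the values stated in the thread.
IFINDEX = {27: "GigabitEthernet1/1/1", 43: "Vlan102", 33: "StackSub-St1-2"}

def parse_records(text):
    """Split a raw dump into one dict per 'Flow Record:' block."""
    records = []
    for line in text.splitlines():
        if line.strip() == "Flow Record:":
            records.append({})
        elif "=" in line and records:
            key, value = line.split("=", 1)
            records[-1][key.strip()] = value.strip()
    return records

def classify(ifindex, table):
    """Name the kind of interface an exported ifIndex refers to."""
    name = table.get(ifindex)
    if name is None:
        return "unknown"
    if re.match(r"(?i)vlan\d+$", name):
        return "svi"
    return "physical" if re.match(r"(?i)(gi|te|fo)", name) else "other"

def input_report(text, table):
    """Return (src, dst, input ifIndex, interface name, kind) per flow."""
    out = []
    for rec in parse_records(text):
        idx = int(rec["input"])
        out.append((rec["src addr"], rec["dst addr"], idx,
                    table.get(idx, "?"), classify(idx, table)))
    return out

if __name__ == "__main__":
    print(*input_report(SAMPLE, IFINDEX), sep="\n")
```

To use it on real data, extend IFINDEX with the full output of "show snmp mib ifmib ifindex" from the exporter; any record whose kind is not "svi" is a flow reported against something other than a VLAN interface.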