
Issues with Netflow on IOS-XE

Nikolaos Milas

Hello,

We have a Cisco 3650 with IOS-XE v03.03.05SE configured as a border router, and running IP Services.

Our problem is that netflow data for virtual interfaces (VLANs) are not exported with their respective ifindex.

All physical links are trunk and VLANs (on subinterfaces) are used for actual terminations.

Netflow (v9) is configured as follows (using Flexible Net Flow - FNF):

    flow record CiscoXE1
      match ipv4 tos
      match ipv4 protocol
      match ipv4 source address
      match ipv4 destination address
      match transport source-port
      match transport destination-port
      match interface input
      collect transport tcp flags
      collect interface output
      collect counter bytes long
      collect counter packets long
      collect timestamp absolute first
      collect timestamp absolute last
    !
    flow exporter ipv4exporter
      destination 195.251.204.<removed>
      source Loopback0
    !
    flow monitor ipv4monitor
      exporter ipv4exporter
      cache timeout active 15000
      record CiscoXE1
    !
    vlan configuration 4,8,25,102,133,135
    ip flow monitor ipv4monitor input
    !

Here is some sample raw data received on the collector (last octet of ip addresses has been replaced with xxx):


    Flow Record:
       Flags        =              0x06 FLOW, Unsampled
       export sysid =                 4
       size         =                64
       first        =        1461155049 [2016-04-20 15:24:09]
       last         =        1461155049 [2016-04-20 15:24:09]
       msec_first   =               154
       msec_last    =               154
       src addr     =   195.251.204.xxx
       dst addr     =   194.177.210.xxx
       src port     =             46462
       dst port     =                53
       fwd status   =                 0
       tcp flags    =              0x00 ......
       proto        =                17 UDP
       (src)tos     =                 0
       (in)packets  =                 1
       (in)bytes    =                61
       input        =                27
       output       =                 0

    Flow Record:
       Flags        =              0x06 FLOW, Unsampled
       export sysid =                 4
       size         =                64
       first        =        1461155039 [2016-04-20 15:23:59]
       last         =        1461155063 [2016-04-20 15:24:23]
       msec_first   =               154
       msec_last    =               154
       src addr     =   195.251.203.xxx
       dst addr     =     183.3.202.xxx
       src port     =                22
       dst port     =             60979
       fwd status   =                 0
       tcp flags    =              0x1b .AP.SF
       proto        =                 6 TCP
       (src)tos     =                 0
       (in)packets  =                22
       (in)bytes    =              3413
       input        =                 3
       output       =                 0

If I understand right, input/output fields in flow records should contain the ifindex of the interface. It seems that the physical interface ifindex is recorded rather than the vlan ifindex.

Is there something wrong with the above configuration?

For your information and as an example, here is the setup of the main (virtual) interface, VLAN 102 which is the transfer channel from/to the ISP:

    ! The physical interface (ifindex 27)
    !
    interface GigabitEthernet1/1/1
     description === EDET LINE ===
     switchport mode trunk
     spanning-tree bpdufilter enable
    !

    ! The virtual interface (ifindex 43)
    !
    interface Vlan102
     ip address <removed> 255.255.255.254
     ip access-group 100 in
     ip access-group 101 out
     no ip unreachables
     no ip proxy-arp
     ip verify unicast reverse-path 103
     ipv6 address <removed>
     ipv6 enable
    !

Note: If I try to configure netflow in the "conventional" way, it's not possible:

    (config)# interface vlan 102
    (config-if)#ip flow monitor ipv4monitor input
    % Flow Monitor: Flow Monitor 'ipv4monitor' flexible netflow not supported on vlan interfaces

It seems to be only possible to configure netflow in "vlan configuration" mode, as I have done.

So, how can the vlan interface ifindex be included in the netflow export?

Any ideas or suggestions please?

Thanks in advance,
Nick


Nikolaos Milas

I have now modified the configuration as follows:

    flow record ipv4-xe-1
     match ipv4 version
     match ipv4 tos
     match ipv4 ttl
     match ipv4 protocol
     match ipv4 source address
     match ipv4 destination address
     match transport source-port
     match transport destination-port
     match interface input
     collect transport tcp flags
     collect interface output
     collect counter bytes long
     collect counter packets long
     collect timestamp absolute first
     collect timestamp absolute last
    !
    flow exporter ipv4exporter
     destination 195.251.204.<removed>
     source Loopback0
    !
    flow monitor ipv4monitor
     exporter ipv4exporter
     cache timeout active 15000
     record ipv4-xe-1
    !
    vlan configuration 4,8,25,102,133,135
    ip flow monitor ipv4monitor input
    !

Now I see that seemingly most flows include an "input" field value of 33, which I understand corresponds to: 

    #show snmp mib ifmib ifindex | i 33
    StackSub-St1-2: Ifindex = 33

FYI, the physical topology is:

    Interface                      Status         Protocol Description
    Vl1                            admin down     down
    Vl4                            up             up       *** Wireless Link 1 - Data-Channel ***
    Vl8                            up             up       *** Wireless Link 2 - Data-Channel ***
    Vl25                           up             up       *** UPLINK TO INTERNAL NET (FW DEVICE) ***
    Vl102                          up             up       *** TO ISP ***
    Vl133                          up             up       *** L2VPN TO CAMPUS 2 ***
    Vl135                          up             up       *** L2VPN TO CAMPUS 3 ***
    Gi0/0                          down           down
    Gi1/0/1                        up             up       ETHERCHANNEL TO INTERNAL NET - MEMBER 1
    Gi1/0/2                        up             up       ETHERCHANNEL TO INTERNAL NET - MEMBER 2
    Gi1/0/3                        up             up       ETHERCHANNEL TO INTERNAL NET - MEMBER 3
    Gi1/0/4                        up             up       ETHERCHANNEL TO INTERNAL NET - MEMBER 4
    ...                            down           down
    Gi1/0/11                       up             up       *** WiFi UPLINK 1 ***
    Gi1/0/12                       up             up       *** WiFi UPLINK 2 ***
    ...                            down           down
    Gi1/1/1                        up             up       *** ISP LINK ***
    ...                            down           down
    Po1                            up             up       *** ETHERCHANNEL TO INTERNAL NET ***
    Lo0                            up             up

But what interface does this "StackSub-St1-2: Ifindex = 33" correspond to?

And finally ...how can we include vlan ifindexes in flows?

All my experiments have been fruitless.

Please advise.

Thanks,
Nick
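
A collector-side check for the symptom described in this thread, as an added example that is not part of the original posts: it resolves each flow record's `input` ifindex against the `show snmp mib ifmib ifindex` table and counts how many flows are attributed to an SVI versus some other or unlisted interface. The sample data is constructed from values quoted in the thread, the function names are hypothetical, and treating ifindex 0 as "unset" is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the 'Name: Ifindex = N' format quoted in the thread;
# the three values (27, 43, 33) are the ones the posts state.
IFINDEX_TABLE = """\
GigabitEthernet1/1/1: Ifindex = 27
Vlan102: Ifindex = 43
StackSub-St1-2: Ifindex = 33
"""

# Constructed sample: the two collector records from the thread, trimmed.
RAW_FLOWS = """\
Flow Record:
   src addr     =   195.251.204.xxx
   input        =                27
   output       =                 0

Flow Record:
   src addr     =   195.251.203.xxx
   input        =                 3
   output       =                 0
"""

FIELD = re.compile(r"^\s*(.+?)\s*=\s*(\S+)", re.M)

def parse_ifindex_table(text):
    """Return {ifindex: interface name} from 'Name: Ifindex = N' lines."""
    pairs = re.findall(r"^\s*(\S+): Ifindex = (\d+)\s*$", text, re.M)
    return {int(idx): name for name, idx in pairs}

def parse_flows(text):
    """Split the dump on 'Flow Record:' and return one field dict per record."""
    return [dict(FIELD.findall(block)) for block in text.split("Flow Record:")[1:]]

def classify(ifindex, table):
    """Label an ifindex as svi, non-svi:<name>, unset (0) or unknown."""
    if ifindex == 0:
        return "unset"  # assumption: 0 means the exporter left the field empty
    name = table.get(ifindex)
    if name is None:
        return "unknown"  # ifindex absent from the table supplied
    return "svi" if name.lower().startswith("vlan") else "non-svi:" + name

def summarize(raw_flows, table_text):
    # Count flows by how their input ifindex resolves.
    table = parse_ifindex_table(table_text)
    return Counter(classify(int(f["input"]), table) for f in parse_flows(raw_flows))
```

Feeding it the full `show snmp mib ifmib ifindex` output and a larger collector dump shows at a glance whether any flow is being attributed to a `Vlan` interface at all.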
