02-05-2014 03:44 AM
Hi,
I have an L3 6500 switch where I want to enable the NetFlow exporter to see reports in Scrutinizer.
I did the config below without success:
flow record FLOW-RECORD-1
 match interface input
flow exporter Scrutinizer
 description Exports to Scrutinizer
 destination 10.100.8.176
 source Loopback2
 transport udp 2055
 template data timeout 60
flow monitor netflow-original
 description This flow monitor uses the NetFlow original record and exports to Scrutinizer
 exporter Scrutinizer
 cache timeout active 60
 record platform-original ipv4 full
interface Loopback2
 ip address 138.228.145.254 255.255.255.255
 ip flow monitor netflow-original input
 ip flow monitor netflow-original output
interface Vlan3
 description BRQOC-LSR0-V# (Alice)
 ip address 10.100.38.1 255.255.255.0 secondary
 ip address 10.100.1.1 255.255.252.0
 no ip redirects
 ip wccp 61 redirect in
 ip flow monitor netflow-original input
 ip flow monitor netflow-original output
BRQOC-LSR0#sh flow exporter stat
Flow Exporter Scrutinizer:
  Packet send statistics (last cleared 9w6d ago):
    Successfully sent: 40611561 (54983985388 bytes)
  Client send statistics:
    Client: Flow Monitor netflow-original
      Records added: 1428793161
        - sent: 1428793152
      Bytes added: 52865346957
        - sent: 52865346624
Any help will be appreciated!
Regards,
Marcelo
02-06-2014 05:16 AM
Looks like flows are being sent. Can you run Wireshark on your Scrutinizer box and see if the NetFlow traffic is making it there?
02-06-2014 06:52 AM
Perfect Chris! I ran Wireshark and the CFLOW protocol is in place. Maybe I have some problems with the Scrutinizer config. I will run a test pointing the flow to WhatsUp Gold.
After that I will post the result!
Thank you very much!!
02-12-2014 08:57 AM
Chris,
As I mentioned in my previous message, I have the CFLOW protocol in Wireshark, but Scrutinizer does not give me reports. I made contact with their Technical Support and they said the Scrutinizer configuration is OK. Is it possible that my 6509 is sending CFLOW without a correct config?
02-12-2014 09:31 AM
I still suspect something on the Scrutinizer server side. Is there a local firewall configured that would prevent the flows from going further than the interface?
You could also try configuring the 6500 with the traditional NetFlow config as shown on the left side in this example:
http://www.plixer.com/blog/wp-content/uploads/2010/04/Traditional-vs-Flexible-NetFlow1.jpg
This is a slightly simpler config and should give you the same information, since you are only using NetFlow original records in your Flexible NetFlow config?
Out of curiosity, what code level are you running on your 6500?
02-12-2014 11:20 AM
Chris,
I reviewed all my configuration and switched the protocol from CFLOW v9 to CFLOW v5. Now it is working!
I want NetFlow for better troubleshooting of my LAN, so I applied it in all VLANs, but just for outside traffic. Do you think I should enable it for incoming traffic too?
02-14-2014 04:21 PM
Generally I would apply it in a single direction (ingress in my production network) on all L3 interfaces including SVIs.
So if it is a P2P link, then one device's ingress means the other device's egress traffic.
If you enable it in both directions, it will work, but with double counting (more flows sent for the same traffic), depending on how you configure it throughout your network.
HTH
Rasika
**** Pls rate all useful responses ****
02-14-2014 05:20 PM
Perfect Rasika!
Thank you very much!
Sent from Cisco Technical Support iPhone App
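
A collector-side check for the situation in this thread, where export packets reach the server but no reports appear and switching from v9 to v5 changed the outcome. This is an added example, not code from any poster or from Scrutinizer: it reads the UDP payloads of NetFlow exports and reports the version and, for v9, which data flowsets arrived before the template that describes them (v5 records are a fixed 48 bytes and need no template). The function names `classify_export` and `undecodable` are hypothetical and the sample datagrams are constructed, not captured.

```python
import struct

V5_HDR = struct.Struct("!HHIIIIBBH")  # NetFlow v5 header, 24 bytes
V9_HDR = struct.Struct("!HHIIII")     # NetFlow v9 header, 20 bytes (RFC 3954)

def classify_export(dgram: bytes) -> dict:
    """Summarise one export datagram (UDP payload) for collector-side triage."""
    if len(dgram) < 2:
        return {"version": None, "problem": "too short"}
    version = struct.unpack_from("!H", dgram)[0]
    if version == 5:
        if len(dgram) < V5_HDR.size:
            return {"version": 5, "problem": "truncated header"}
        count = V5_HDR.unpack_from(dgram)[1]
        ok = len(dgram) == V5_HDR.size + 48 * count  # v5 records are fixed size
        return {"version": 5, "records": count, "problem": None if ok else "length mismatch"}
    if version != 9:
        return {"version": version, "problem": "unsupported version"}
    if len(dgram) < V9_HDR.size:
        return {"version": 9, "problem": "truncated header"}
    templates, data_ids, off = [], [], V9_HDR.size
    while off + 4 <= len(dgram):
        fs_id, fs_len = struct.unpack_from("!HH", dgram, off)
        if fs_len < 4 or off + fs_len > len(dgram):
            return {"version": 9, "problem": "bad flowset length"}
        pos = off + 4
        while fs_id == 0 and pos + 4 <= off + fs_len:  # template flowset
            tid, nfields = struct.unpack_from("!HH", dgram, pos)
            if tid < 256:  # padding, not a template record
                break
            templates.append(tid)
            pos += 4 + 4 * nfields  # each field is (type, length), 4 bytes
        if fs_id > 255:  # data flowset; fs_id names the template it needs
            data_ids.append(fs_id)
        off += fs_len
    return {"version": 9, "templates": templates, "data": data_ids, "problem": None}

def undecodable(dgrams) -> list:
    """v9 data flowset IDs that arrived before a template defined them."""
    known, missing = set(), set()
    for info in map(classify_export, dgrams):
        if info["version"] == 9 and not info["problem"]:
            known.update(info["templates"])
            missing.update(i for i in info["data"] if i not in known)
    return sorted(missing)

# Constructed samples: template 260 (one field), a data record for it, one v5 record.
V9_TEMPLATE = V9_HDR.pack(9, 1, 0, 0, 1, 0) + struct.pack("!HHHHHH", 0, 12, 260, 1, 8, 4)
V9_DATA = V9_HDR.pack(9, 1, 0, 0, 2, 0) + struct.pack("!HH4s", 260, 8, bytes([10, 100, 1, 1]))
V5_ONE = V5_HDR.pack(5, 1, 0, 0, 0, 0, 0, 0, 0) + bytes(48)
```

Feed it the UDP payloads from a capture taken on the collector; a non-empty result from `undecodable` means v9 data was received that could not be decoded at the time it arrived.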