No netflow export on management interface Gig0 of ISR 4431 Router

Hi

I am trying to configure NetFlow on our internet router. Below you see the configuration I tried.
The target is that the NetFlow data goes over the management interface to our PRTG server.

The management interface is in vrf Mgmt-intf. After the configuration I see the following error message in the log

Jan 13 13:56:15.523 MET: %FMANRP_NETFLOW-3-EXPORTERSRCIFINVALID: Management interface (GigabitEthernet0) cannot be used as source for an exporter
-Traceback= 1#00996a21ae914aca4b637c04ca379136  :7F97E6951000+BD5B6A8 :7F97E6951000+BD5BD7E :7F97E6951000+A71C5A9 :7F97E6951000+A71ACC2 :7F97E6951000+A750DAE :7F97E6951000+A750A87 :7F97E6951000+A748296 :7F97E6951000+A7517A9 :7F97E6951000+A76926E :7F97E6951000+A748AA4 :7F97E6951000+A78AD3D :7F97E6951000+A78D7DD :7F97E6951000+A6FDF11 :7F97E6951000+A78D86F :7F97E6951000+A6F7523 :7F97E6951000+A6F4E03

I cannot change the export interface to another one; all other interfaces have public Internet addresses and the PRTG is in a private IP subnet.

Does anybody have an idea what I can do?


We have the following routers ISR4431/K9 with Software Version :
Cisco IOS XE Software, Version 03.16.04b.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S4b, RELEASE SOFTWARE (fc1)

Configuration Netflow on our Internet Router:

flow exporter NF-EX
 destination 10.0.231.143 vrf Mgmt-intf
 source GigabitEthernet0
 transport udp 2055
 option interface-table
 option vrf-table
 option sampler-table
 option application-table
 option c3pl-class-table
 option c3pl-policy-table
 option application-attributes

flow monitor NF-MON
 exporter NF-EX
 cache timeout inactive 10
 cache timeout active 60
 record NF-RECORD

flow record NF-RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect flow direction
 collect timestamp sys-uptime last
 collect timestamp sys-uptime first
 collect counter bytes long
 collect counter packets long
 collect flow sampler
 collect transport tcp flags


inter gi0/0/2
 ip flow monitor NF-MON input
 ip flow monitor NF-MON output

13 Replies

Mark Malone
VIP Alumni

Hi

Had this issue before; it's not supported under any MGMT port in IOS-XE releases. To source NetFlow, you will need to use a different interface.

Create a loopback and source from there.

Flexible NetFlow export is not supported on the Ethernet management port, Gi0/0.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/flexible_netflow/configuration_guide/b_fnf_3se_3850_cg/b_fnf_3se_3850_cg_chapter_010.html

Hi

Sorry, I do not understand why it would solve my problem when I configure the loopback interface for the flow exporter. I mean the loopback interface is in the same VRF as the management port. So in the end the traffic still goes over the management port.

I tried to use the loopback port for the exporter. The failure message in the log disappeared.

But when I look on the flow statistics I still get the following message:

    Client: Flow Monitor NF-MON
      Records added:           5345
        - failed to send:      5345
      Bytes added:             261905
        - failed to send:      261905

OK, so what we did: changed the MGMT interface to an unused interface g0/0/5 and put it under the MGMT VRF, then we sourced from that for NetFlow instead of using G0.

Do you have no spare interfaces left at all to try that? If not, I'm not too sure what option you have left; I need to check a few things to see if there's a way around that.

interface GigabitEthernet0/0/5
 description *****OOBM MGMT INT*****
 ip vrf forwarding Mgmt-vrf
 ip address x.x.x.x 255.255.254.0
 negotiation auto
 cdp enable
end

flow exporter LIVEACTION-FLOWEXPORTER-IPFIX
 description DO NOT MODIFY. USED BY LIVEACTION.
 destination x.x.x.x vrf Mgmt-vrf
 source GigabitEthernet0/0/5
 transport udp 2055
 export-protocol ipfix
 option interface-table
 option vrf-table
 option sampler-table
 option application-table
 option c3pl-class-table
 option c3pl-policy-table

How were you able to add a free port to the MGMT VRF? When I try to do that, it does not work. I get VRF mgmt-intf not configured.

I have free ports - I just want to make sure that the port I use, does not participate in any of the other routing options, etc.

What options does it give you when you try to add the VRF to the port using the command below? Does it give VRF options?

ip vrf forwarding ?

I'm working on exporting NetFlow from a 4451. I've done the same Flexible NetFlow config on a bunch of 4351 units so the config should be fine.

I'm aware of the limitation on exporting through the mgmt vrf so I'm using a loopback source located in the global table. (no free interfaces to dedicate)

It looks like netflow info is being generated but I don't see it actually being exported. There are no hits on the firewall rule for netflow and no netflow traffic in firewall packet captures.

Is there anything else specific you know of about this particular platform?

 

flow record fr-ipv4
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes long

flow exporter fe-ipv4
 destination x.x.x.x
 source Loopback0
 transport udp 2055

flow monitor fm-ipv4
 exporter fe-ipv4
 cache timeout active 60
 record fr-ipv4

int gigx/x/x
 ip flow monitor fm-ipv4 input
 ip flow monitor fm-ipv4 output

Yes, same here. I even tried to use lo1 and put it in Mgmt-intf, since my lo0 is used for routing peering.

Using 16.3 code.


ISR4431#sh flow exporter NETFLOW_EXPORTER statistics
Flow Exporter NETFLOW_EXPORTER:
Packet send statistics (last cleared 7w6d ago):
Successfully sent: 0 (0 bytes)

Client send statistics:
Client: Flow Monitor FLOW-MONITOR-1
Records added: 0
Bytes added: 0

ISR4431#sh flow exporter NETFLOW_EXPORTER
Flow Exporter NETFLOW_EXPORTER:
Description: User defined
Export protocol: NetFlow Version 9
Transport Configuration:
Destination IP address: 10.x.x.x
VRF label: Mgmt-intf
Source IP address: 10.x.x.x
Source Interface: Loopback1
Transport Protocol: UDP
Destination Port: 5006
Source Port: 54371
DSCP: 0x0
TTL: 255
Output Features: Used

ISR4431##sh vrf
Name Default RD Protocols Interfaces
Mgmt-intf <not set> ipv4,ipv6 Gi0
                                              Lo1
ISR4431#
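
Added example, not part of any post in this thread and not Cisco code: a Python check that flags flow exporters sourced from GigabitEthernet0 or sent into the Mgmt-intf VRF (the two setups posters above report as not exporting) and reads the "failed to send" counters from exporter statistics. The sample config and statistics text are constructed in the formats shown above; the NF-DATA exporter and 192.0.2.10 are made up.

```python
import re

# Constructed sample config in the style posted in this thread.
# NF-DATA and 192.0.2.10 are made up for the example.
SAMPLE_CONFIG = """\
flow exporter NF-EX
 destination 10.0.231.143 vrf Mgmt-intf
 source GigabitEthernet0
 transport udp 2055
flow exporter NF-DATA
 destination 192.0.2.10
 source Loopback0
 transport udp 2055
"""

# Constructed sample of 'show flow exporter <name> statistics' output.
SAMPLE_STATS = """\
    Client: Flow Monitor NF-MON
      Records added:           5345
        - failed to send:      5345
      Bytes added:             261905
        - failed to send:      261905
"""

def audit_exporters(config, mgmt_if="GigabitEthernet0", mgmt_vrf="Mgmt-intf"):
    """Map each flow exporter to findings tying it to the management port or VRF."""
    findings, current = {}, None
    for line in config.splitlines():
        header = re.match(r"flow exporter (\S+)", line)
        if header:
            current = header.group(1)
            findings[current] = []
        elif current and line.startswith(" "):  # indented sub-command
            words = line.split()
            if words[:2] == ["source", mgmt_if]:
                findings[current].append("source is management interface")
            if words[:1] == ["destination"] and words[-2:] == ["vrf", mgmt_vrf]:
                findings[current].append("destination in management VRF")
        else:
            current = None  # left the exporter block
    return findings

def export_failures(stats):
    """Map each client flow monitor to (records added, records that failed to send)."""
    pattern = re.compile(r"Client: Flow Monitor (\S+)\s+Records added:\s+(\d+)"
                         r"(?:\s+- failed to send:\s+(\d+))?")
    return {name: (int(added), int(failed or 0))
            for name, added, failed in pattern.findall(stats)}

if __name__ == "__main__":
    print(audit_exporters(SAMPLE_CONFIG))
    print(export_failures(SAMPLE_STATS))
```

The config parser expects sub-commands indented as they appear in a running-config; a monitor whose failed count equals its added count is exporting nothing, which matters when the collector is relied on for traffic visibility.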

Hi perkin - did you get a solution for this?

Hi Ti Wang

I haven't tried the latest code, but I remember that it is more related to the H/W. I ended up having no choice but to set up the firewall policy to allow such control traffic to run over my data plane.

Solution

I had the same issue.

NetFlow is not supported with the mgmt interface and mgmt VRF (default).

Workaround:

I have configured mmvrf (name) and used the spare interface (data) for that VRF.

Also configured the VRF for address family ipv4 and v6.

For the rest, you can follow everything the same.

Thanks

Indu Bhushan

Indu can you share your config for netflow. I have an edge internet L3 switch.  I tried doing the export over the mgmt-vrf interface but no luck.