cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2963
Views
0
Helpful
9
Replies

Switch C3560-G Netflow giving dropped traffic only !!!!

Qays
Level 1
Level 1

Hi

I tried to configure Netflow on cisco switch WS-C3560G-24TS version 15.0(2)SE11 with ELK Stack (Elasticsearch, Logstash, Kibana) Netflow analyzer, but after I finished the configuration I didn't receive correct traffic the ELK receives NetFlow traffic from the switch but the traffic looks like fake traffic or dropped traffic but the real traffic didn't appear on the ELK

 

The Configuration:

 

flow exporter Netflow-exporter
destination 10.10.30.100
source Vlan30
transport udp 2055
template data timeout 60

flow record Netflow-recorder
match datalink dot1q vlan input
match datalink dot1q vlan output
match datalink mac source address input
match datalink mac source address output
match datalink mac destination address input
match datalink mac destination address output
match ipv4 version
match ipv4 tos
match ipv4 ttl
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match transport tcp flags
match interface input
collect interface output
collect counter bytes long
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last

flow monitor Netflow-monitor
record netflow-recorder
exporter netflow-exporter
cache timeout active 60

interface Vlan 20
ip flow monitor Netflow-monitor input


interface Vlan 30
ip flow monitor Netflow-monitor input

 

 


show flow monitor NetFlow-monitor cache


Cache type: Normal
Cache size: 4096
Current entries: 16
High Watermark: 607

Flows added: 9508
Flows aged: 9492
- Active timeout ( 60 secs) 280
- Inactive timeout ( 15 secs) 9212
- Event aged 0
- Watermark aged 0
- Emergency aged 0

DATALINK DOT1Q VLAN INPUT: 0
DATALINK DOT1Q VLAN OUTPUT: 0
DATALINK MAC SOURCE ADDRESS INPUT: 34E4.D768.4502
DATALINK MAC SOURCE ADDRESS OUTPUT: 0000.0000.0000
DATALINK MAC DESTINATION ADDRESS INPUT: 0024.6042.DA5C
DATALINK MAC DESTINATION ADDRESS OUTPUT: 0000.0000.0000
IPV4 SOURCE ADDRESS: 10.10.20.60
IPV4 DESTINATION ADDRESS: 10.10.110.7
TRNS SOURCE PORT: 58237
TRNS DESTINATION PORT: 161
TCP FLAGS: 0x00
INTERFACE INPUT: Vl20
IP VERSION: 4
IP TOS: 0x00
IP PROTOCOL: 17
IP TTL: 127
interface output: Null
counter bytes long: 431
counter packets: 5
timestamp first: 14:25:18.307
timestamp last: 14:25:50.545

 

I need help if there is something wrong, please 

 

Thanks

9 Replies 9

Hello,

 

try and add the line marked in bold to your exporter:

 

flow exporter Netflow-exporter
destination 10.10.30.100
source Vlan30
--> export-protocol netflow-v9
transport udp 2055
template data timeout 60

Hi Georg

 

I have added the command  export-protocol netflow-v9 but it didn't appear in the show running

 

Hello,

 

just to be sure: do you have either Cisco Express Forwarding or distributed Cisco Express Forwarding on the switch and the respective interfaces ?

yes, Georg

CEF enabled

balaji.bandi
Hall of Fame
Hall of Fame

Couple of things  to check

 

From the source vlan you mentioned, are you able to reach ELK Server ?

 

can you post below output :

 

#show flow exporter  ( this give you what version of netflow running) - example as below : when you mentioned 2055 it should be v9 only.

# show version

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi  Balaji

 

yes the ELK can reach this VLAN and this is the output of 

 

 show flow exporter

Flow Exporter elasti-exporter:
Description: NETFLOW Export to elasti
Export protocol: NetFlow Version 9
Transport Configuration:
Destination IP address: 10.10.30.100
Source IP address: 10.10.30.1
Source Interface: Vlan30
Transport Protocol: UDP
Destination Port: 2055
Source Port: 62009
DSCP: 0x0
TTL: 255
Output Features: Not Used

High level i do not see any issue on the config side cisco side,

 

Does the ELK side netflow Listening for V9 ? by default ELK listen on v5 port 9995

 

check the Logstash config port => 2055

 

also worth running on Linux ( where ELK running, tcpdump see any packets coming from Cisco Device).

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

yes I configured the ELK as V9 and also yes tcpdump shows traffic coming from the switch, but as I mentioned in the beginning the switch sends the NetFlow for dropped packets only or sends fake traffic 

 

Since you only see some data, it is hard to say what is wrong. i suggest to make simple netflow config - before you go deep level match conditions. or post complete config for us to look

 

please refer some steps :

 

https://edennington.wordpress.com/2015/01/29/ipv4-and-ipv6-netflow-on-cat-6500-and-nexus-7k/

 

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Review Cisco Networking for a $25 gift card