NetFlow from VRF on 4451-X

hypnotoad · ‎03-03-2015

I have a 4451-X router running XE 3.13.

I want to get NetFlow data from interface G0/0/0 and sent it to my collector via the management VRF interface G0. Is this possible? If so, what is the configuration to make it work?

This is what I have so far:

flow record NetFlow
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect counter bytes
collect counter packets
!
!
flow exporter NetFlow-to-Orion
destination 10.y.y.90 vrf Mgmt-intf
source GigabitEthernet0
transport udp 2055
export-protocol netflow-v5

!
!
flow monitor NetFlow-Monitor
description Original Netflow captures
exporter NetFlow-to-Orion
cache timeout inactive 10
cache timeout active 5
record NetFlow

interface GigabitEthernet0/0/0
ip address xxx.xxx.xxx.xxx/30
ip flow monitor NetFlow-Monitor input
ip flow monitor NetFlow-Monitor output
media-type sfp
no negotiation auto
no lldp transmit

interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.x.x.37 255.255.255.0
negotiation auto

What am I missing?

Thanks,

Patrick

Don Jacob · ‎04-10-2015

What netFlow tool do you have? Is the NetFlow tool seeing packets but not reporting anything?

If so, it can be because the flow records exported does not have the necessary information needed by the tool to process the NetFlow datagrams. Most NetFlow tools expect the below configuration:

flow record netfow
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
collect interface output
collect counter bytes
collect counter packets
collect flow direction

And in the flow exporter, reduce the active cache timeout to 1

If the server where the NetFlow tool is installed is not seeing packets, make sure that:

1. You have a route to the destination from the GigabitEthernet0

2. No firewalls on the server or ACLs are blocking packets from the switch to the NetFlow server

Thanks,

Don

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.

Don Jacob · ‎04-10-2015

And because I see Orion as the exporter name, take a look at this:

http://knowledgebase.solarwinds.com/kb/questions/802/Required+flow+template+fields

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.

jseely7150 · ‎07-24-2015

I was in much same situation, which is how I got to see your question

I found this in my log file:

%FMANRP_NETFLOW-3-EXPORTERSRCIFINVALID: Management interface (GigabitEthernet0) cannot be used as source for an exporter

So I changed the source... problem solved!

Ruslan Moldaliev · ‎08-01-2016

what if I put subinterface of the port-channel in VRF and can't see any of exported data?

I used records and predefined "netflow-original" I have exporters and monitors, applied to interfaces.
I see next output and assume my monitor/exporter are working:

zzz-R4451-zzz(config)#do sh flow monitor BGP-AS-INT cache 
 Cache type: Normal (Platform cache)
 Cache size: 200000
 Current entries: 4500
 High Watermark: 6353

 Flows added: 261064
 Flows aged: 256564
 - Inactive timeout ( 10 secs) 256564

IPV4 SRC ADDR IPV4 DST ADDR TRNS SRC PORT TRNS DST PORT INTF INPUT IP TOS IP PROT intf output flow dirn bytes pkts
=============== =============== ============= ============= ==================== ====== ======= ==================== ========= ========== ==========
157.55.235.159 x.x.x.x 40022 59845 Po1.571 0x00 17 Po1.9 Output 49 1
x.x.x.x 80.56.162.172 47447 41045 Po1.9 0x00 17 Po1.571 Input 134 1
x.x.x.x 8.8.8.8 25316 53 Po1.9 0x00 17 Po1.571 Input 78 1
x.x.x.x 216.58.209.78 64857 443 Po1.9 0x00 6 Po1.571 Input 2370 6
and so on...

but why I can't see my stuff on PI 2.2 neither manageengine neither just raw data by wireshark?