Solved: Thanks Martin. I will try

Peter Valdes · ‎08-10-2015

Hi,

Has anyone configured Netflow on Cisco C6880-X and registered to Solarwinds?

I'm running c6880x-adventerprisek9-mz.SPA.151-2.SY5 on the two box setup as VSS and would like to monitor traffic on the egress physical interface.

I need to know if this is possible.

Thanks

Peter

Martin Hruby · ‎08-10-2015

Hello Peter

Of course it's possible. I recently configured Flexible NetFlow on a pair of Catalyst 6880-X switches. The configuration is pretty standard, you configure a flow record and flow exporter and then assign both of them to a flow monitor which is then applied to an SVI or physical interface running in L3 mode (i.e. with an IP address). As far as I know it's not possible to run NetFlow on L2 interfaces on this platform. My configuration for your reference:

flow record FlowRecord
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match interface output
collect counter bytes

flow exporter FlowExporter
destination 172.25.99.254 vrf MONITORING
source Loopback0
transport udp 2055

flow monitor FlowMonitor
exporter FlowExporter
cache timeout active 300
cache entries 500000
record FlowRecord

interface Vlan1711
ip flow monitor FlowMonitor output

In this configuration, 172.25.99.254 is my Solarwinds NetFlow collector which is reachable over vrf MONITORING and Loopback0 is the management IP address of the switch (also from point of view of Solarwinds NMS). The flow record configuration depends upon your requirements - which fields you want to uniquely match in a flow and what information you want to collect. I enable NetFlow on all SVI interfaces with the ip flow monitor FlowMonitor output command. You might as well use input direction but in this case a lot of flows will be reported with Null interface as outgoing even though it's transit traffic:

81.252.193.70    166.137.11.216            1025           2152 Vl3899                Null                       17        3010
193.253.110.133 81.252.193.70             3386           3386 Vl220                 Null                       17        4889
81.252.193.70    193.253.110.228           1031           2152 Vl3899                Null                       17       37701

Regarding the configuration of Solarwinds NTA you just need to make sure that your Catalyst 6880-X is properly discovered and all interfaces on which you enabled NetFlow are also present. The Solarwinds NetFlow service must be started from the Orion Service Manager. When Solarwinds NTA will start receiving NetFlow exports it will automatically add your Catalyst 6880-X to NetFlow -> NTA Summary page - no special configuration is required.

For more information have a look at: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fnetflow/configuration/15-sy/fnf-15-sy-book.html

Best regards,
Martin

View solution in original post

Martin Hruby · ‎08-10-2015

Hello Peter

Of course it's possible. I recently configured Flexible NetFlow on a pair of Catalyst 6880-X switches. The configuration is pretty standard, you configure a flow record and flow exporter and then assign both of them to a flow monitor which is then applied to an SVI or physical interface running in L3 mode (i.e. with an IP address). As far as I know it's not possible to run NetFlow on L2 interfaces on this platform. My configuration for your reference:

flow record FlowRecord
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match interface output
collect counter bytes

flow exporter FlowExporter
destination 172.25.99.254 vrf MONITORING
source Loopback0
transport udp 2055

flow monitor FlowMonitor
exporter FlowExporter
cache timeout active 300
cache entries 500000
record FlowRecord

interface Vlan1711
ip flow monitor FlowMonitor output

In this configuration, 172.25.99.254 is my Solarwinds NetFlow collector which is reachable over vrf MONITORING and Loopback0 is the management IP address of the switch (also from point of view of Solarwinds NMS). The flow record configuration depends upon your requirements - which fields you want to uniquely match in a flow and what information you want to collect. I enable NetFlow on all SVI interfaces with the ip flow monitor FlowMonitor output command. You might as well use input direction but in this case a lot of flows will be reported with Null interface as outgoing even though it's transit traffic:

81.252.193.70    166.137.11.216            1025           2152 Vl3899                Null                       17        3010
193.253.110.133 81.252.193.70             3386           3386 Vl220                 Null                       17        4889
81.252.193.70    193.253.110.228           1031           2152 Vl3899                Null                       17       37701

Regarding the configuration of Solarwinds NTA you just need to make sure that your Catalyst 6880-X is properly discovered and all interfaces on which you enabled NetFlow are also present. The Solarwinds NetFlow service must be started from the Orion Service Manager. When Solarwinds NTA will start receiving NetFlow exports it will automatically add your Catalyst 6880-X to NetFlow -> NTA Summary page - no special configuration is required.

For more information have a look at: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fnetflow/configuration/15-sy/fnf-15-sy-book.html

Best regards,
Martin

Peter Valdes · ‎08-11-2015

Thanks Martin. I will try this out now and let you know of the results.

Regards,

Peter Valdes

millerjr1 · ‎02-12-2016

Hi Martin,

One thing you might want to note is that there is a bug whereby the CLI command "cache timeout active 300" under the flow monitor is not actually setting the cache timeout on the linecard (in hardware).

Depending on the traffic passing through the network this could cause the flow data to appear to spike as long lasting flows are not timed out fast enough.

The work around for this that we received from TAC, after having the ticket open for 6 months, was to set the cache timeouts globally using the following commands:

!
flow platform cache timeout inactive 60
flow platform cache timeout active 60
!

Further details on the bug can be found here:

https://tools.cisco.com/bugsearch/bug/CSCux22533

Regards,

Jonathan Miller