My C9500 switch can send NetFlow v9 to Flow collecter as I can see its data flow in SMC but not for the interface status.
I have 2 Palo Alto firewalls that are sending NetFlow to the FC as well but I can see their interface status in SMC.
Below is the configuration that I have done
flow record FLOWRECORD match flow direction match interface input match ipv4 destination address match ipv4 protocol match ipv4 source address match ipv4 tos match transport destination-port match transport source-port match interface input collect interface output collect transport tcp flags flow exporter StealthWatch description Send Netflow to StealthWatch destination 10.102.200.106 source Vlan1 transport udp 2055 flow monitor FLOWMONITOR exporter FLOWEXPORTER //sending to Cisco Prime exporter StealthWatch cache timeout inactive 15 cache timeout active 60 record FLOWRECORD vlan configuration 3,5,20,40,88,97-99,111,140,150,180,207,220-225,500,600-605 ip flow monitor FLOWMONITOR input
NetFlow status from the core swtich
Flow Exporter StealthWatch: Description: Send Netflow to StealthWatch Export protocol: NetFlow Version 9 Transport Configuration: Destination IP address: 10.102.200.106 Source IP address: 10.20.200.20 Source Interface: Vlan1 Transport Protocol: UDP Destination Port: 2055 Source Port: 54467 DSCP: 0x0 TTL: 255 Output Features: Used
As you can see below, there is no interface status displayed on the core switch
Anyway, in the property of the core switch. I can find the interfaces list of core swtich
for the interface status information to be displayed properly the SMC should be allowed to use SNMP to the switch.
The SNMP configuration is under Exporter SNMP configuration.
Thank you for your advice.
Actually, I already have done SNMP configuration in the Exporter SNMP configuration. As you can see the actually interfaces name of the switch instead of "ifindex"
Interfaces stats normally come up when netflow is generated by the interfaces. If you run a flow table for a specific interface and and it comes up as empty, and you are 100% sure there should be traffic displayed, best to run a packet capture and use this link to compare required fields: https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/config-trouble-netflow-stealth.pdf.
If this doesn't work, I agree on contacting TAC.
Thanks for your suggesion
As I have done packet capture, it seems some required fields below are missing
The rest of requried fields I can find them in the NetFlow packet.
As a result, How should I do on the core switch to send the missing required field?
Did you enable SNMP polling from SMC to Flow Exporter?
Open Java client and go to "Exporter" and right-click on each exporter IP and select "Exporter SNMP configuration" then you can set the SNMP polling setting for each Exporter device. Once SMC collects exporter information via SNMP polling, you can see the correct information in your UI.
If you have still an issue, please open a support case. TAC team will help you.