Re: Interfaces status missing of C9500 core switch in SMC

jumperdub · ‎02-01-2020

Hi all,

My C9500 switch can send NetFlow v9 to Flow collecter as I can see its data flow in SMC but not for the interface status.

I have 2 Palo Alto firewalls that are sending NetFlow to the FC as well but I can see their interface status in SMC.

Below is the configuration that I have done

flow record FLOWRECORD
 match flow direction
 match interface input
 match ipv4 destination address
 match ipv4 protocol
 match ipv4 source address
 match ipv4 tos
 match transport destination-port
 match transport source-port
 match interface input
 collect interface output
 collect transport tcp flags

flow exporter StealthWatch
 description Send Netflow to StealthWatch
 destination 10.102.200.106
 source Vlan1
 transport udp 2055

flow monitor FLOWMONITOR
 exporter FLOWEXPORTER //sending to Cisco Prime 
 exporter StealthWatch
 cache timeout inactive 15
 cache timeout active 60
 record FLOWRECORD

vlan configuration 3,5,20,40,88,97-99,111,140,150,180,207,220-225,500,600-605
ip flow monitor FLOWMONITOR input

NetFlow status from the core swtich

Flow Exporter StealthWatch:
  Description:              Send Netflow to StealthWatch
  Export protocol:          NetFlow Version 9
  Transport Configuration:
    Destination IP address: 10.102.200.106
    Source IP address:      10.20.200.20
    Source Interface:       Vlan1
    Transport Protocol:     UDP
    Destination Port:       2055
    Source Port:            54467
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Used

As you can see below, there is no interface status displayed on the core switch
interfaces status of the core switch in Java SMC

Anyway, in the property of the core switch. I can find the interfaces list of core swtich

hanjabbo · ‎02-01-2020

Hello,

for the interface status information to be displayed properly the SMC should be allowed to use SNMP to the switch.

The SNMP configuration is under Exporter SNMP configuration.

jumperdub · ‎02-01-2020

Hi hanjabbo,

Thank you for your advice.

Actually, I already have done SNMP configuration in the Exporter SNMP configuration. As you can see the actually interfaces name of the switch instead of "ifindex"

dcavalla · ‎02-03-2020

Interfaces stats normally come up when netflow is generated by the interfaces. If you run a flow table for a specific interface and and it comes up as empty, and you are 100% sure there should be traffic displayed, best to run a packet capture and use this link to compare required fields: https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/config-trouble-netflow-stealth.pdf.

If this doesn't work, I agree on contacting TAC.

jumperdub · ‎02-03-2020

Hi,

Thanks for your suggesion

As I have done packet capture, it seems some required fields below are missing

NF_F_LAST_SWITCHED(21)
NF_F_FIRST_SWITCHED(22)

NF_F_IN_BYTES(1)
NF_F_IN_PKTS(2)

The rest of requried fields I can find them in the NetFlow packet.

Inspect NetFlow packet in Wireshark

As a result, How should I do on the core switch to send the missing required field?

dcavalla · ‎02-03-2020

I would suggest to follow this document: https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/Cisco_NetFlow_Configuration.pdf.

You might have to undo and redo the configuration to be able to modify the template.

Hope this helps.

Thanks!

Dario

kyoshiik · ‎02-02-2020

Did you enable SNMP polling from SMC to Flow Exporter?

Open Java client and go to "Exporter" and right-click on each exporter IP and select "Exporter SNMP configuration" then you can set the SNMP polling setting for each Exporter device. Once SMC collects exporter information via SNMP polling, you can see the correct information in your UI.

If you have still an issue, please open a support case. TAC team will help you.