02-01-2020 08:11 AM
Hi all,
My C9500 switch can send NetFlow v9 to Flow collecter as I can see its data flow in SMC but not for the interface status.
I have 2 Palo Alto firewalls that are sending NetFlow to the FC as well but I can see their interface status in SMC.
Below is the configuration that I have done
flow record FLOWRECORD match flow direction match interface input match ipv4 destination address match ipv4 protocol match ipv4 source address match ipv4 tos match transport destination-port match transport source-port match interface input collect interface output collect transport tcp flags flow exporter StealthWatch description Send Netflow to StealthWatch destination 10.102.200.106 source Vlan1 transport udp 2055 flow monitor FLOWMONITOR exporter FLOWEXPORTER //sending to Cisco Prime exporter StealthWatch cache timeout inactive 15 cache timeout active 60 record FLOWRECORD vlan configuration 3,5,20,40,88,97-99,111,140,150,180,207,220-225,500,600-605 ip flow monitor FLOWMONITOR input
NetFlow status from the core swtich
Flow Exporter StealthWatch: Description: Send Netflow to StealthWatch Export protocol: NetFlow Version 9 Transport Configuration: Destination IP address: 10.102.200.106 Source IP address: 10.20.200.20 Source Interface: Vlan1 Transport Protocol: UDP Destination Port: 2055 Source Port: 54467 DSCP: 0x0 TTL: 255 Output Features: Used
As you can see below, there is no interface status displayed on the core switch
Anyway, in the property of the core switch. I can find the interfaces list of core swtich
02-01-2020 10:58 PM
Hello,
for the interface status information to be displayed properly the SMC should be allowed to use SNMP to the switch.
The SNMP configuration is under Exporter SNMP configuration.
02-01-2020 11:27 PM
Hi hanjabbo,
Thank you for your advice.
Actually, I already have done SNMP configuration in the Exporter SNMP configuration. As you can see the actually interfaces name of the switch instead of "ifindex"
02-03-2020 02:51 AM
Interfaces stats normally come up when netflow is generated by the interfaces. If you run a flow table for a specific interface and and it comes up as empty, and you are 100% sure there should be traffic displayed, best to run a packet capture and use this link to compare required fields: https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/config-trouble-netflow-stealth.pdf.
If this doesn't work, I agree on contacting TAC.
02-03-2020 03:44 AM
Hi,
Thanks for your suggesion
As I have done packet capture, it seems some required fields below are missing
NF_F_LAST_SWITCHED(21)
NF_F_FIRST_SWITCHED(22)
NF_F_IN_BYTES(1)
NF_F_IN_PKTS(2)
The rest of requried fields I can find them in the NetFlow packet.
As a result, How should I do on the core switch to send the missing required field?
02-03-2020 08:23 AM
02-02-2020 07:56 PM
Did you enable SNMP polling from SMC to Flow Exporter?
Open Java client and go to "Exporter" and right-click on each exporter IP and select "Exporter SNMP configuration" then you can set the SNMP polling setting for each Exporter device. Once SMC collects exporter information via SNMP polling, you can see the correct information in your UI.
If you have still an issue, please open a support case. TAC team will help you.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide