Stealthwatch SMC not reporting data in the dashboard for the exporters in the monitor menu

RAMAN AZIZIAN
Level 1

Hello Everyone,

I have SMC 2210, FC 4210, FS 3210 in my network. Stealthwatch 7.3.1 is running on all the appliances.

Quick overview of problem:

I am not seeing any traffic being reported on interfaces that are being monitored on the switches (exporters) on the SMC dashboard.

However, I have configured a SPAN port on one of my switches, which is being fed into the FS 3210. That interface does show traffic in the SMC.

Overview of the topology:

My network consists of multiple VLANs programmed across multiple switches (cat 9k) which are configured as L2, which have uplinks to a pair of L3 switches (9k) performing the routing. Fairly simple setup.

Each switch has netflow configured on it, and a sample of the config is listed below.

I also have a SPAN port that I configured on the L3 switches which is connecting to the FS.

I can see traffic being exported to the FC, or at least I can see the flows on the switches when I issue CLI commands for the netflow. However, I don't see any of the interfaces from the exporters on the dashboard showing any traffic.

What is missing from my configuration? I have searched the web and can't seem to find anything useful.

Any help would be greatly appreciated and I will be glad to provide more info if needed.

Thanks for taking the time to help out.
flow record INPUT_REC
 match ipv4 protocol
 match ipv4 source interface
 match ipv4 destination address
 match transport destination-port
 match interface input
 collect counter packets long
!
flow record OUTPUT_REC
 match ipv4 protocol
 match ipv4 source interface
 match ipv4 destination address
 match transport destination-port
 match interface input
 collect counter packets long
!
flow exporter NF-EXP
 destination x.x.x.x
 source vlan 55
 transport udp 2055
!
flow monitor INPUT-FC
 exporter NF-EXP
 cache timeout active 60
 record INPUT_REC
!
flow monitor OUTPUT-FC
 exporter NF-EXP
 cache timeout active 60
 record OUTPUT_REC
!
! The following is under each interface:
Interface gi 1/0/1-xx
 ip flow monitor INPUT-FC input
 ip flow monitor OUTPUT-FC output

Accepted Solutions

bmcinnis
Cisco Employee

Raman,

You are missing timestamps in your flow config. Without start and stop timestamps the flow collector will drop the flows.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-9/command_reference/b_169_9300_cr/flexible_netflow_commands.html#wp2649072553

Best,

Ben

Hello Ben,

Would you mind providing me a sample of the config? I am looking into the doc you provided, but I am not sure I'm seeing what you are referring to.

I do see the following and am not sure if this is what you are referring to.

collect timestamp absolute first
collect timestamp absolute last

Thank you for taking the time to answer my question.

-raman

Adding the following two commands did the job.

collect timestamp absolute first
collect timestamp absolute last

Also, this site helped tremendously to get the config per platform.

https://configurenetflow.info/
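
An added example (not from the thread or from Cisco): a Python check that scans a saved Flexible NetFlow configuration and reports each flow monitor whose record lacks the two timestamp commands named in the accepted solution. The sample configuration, including FIXED_REC and FIXED-FC, is constructed for illustration, and the parser assumes configuration text laid out like the one posted above.

```python
import re

# The two commands the thread reports as the fix; other forms are not checked.
REQUIRED = ("collect timestamp absolute first", "collect timestamp absolute last")

# Constructed sample: INPUT_REC abbreviated from the thread, FIXED_REC hypothetical.
SAMPLE_CONFIG = """\
flow record INPUT_REC
 match ipv4 protocol
 collect counter packets long
!
flow record FIXED_REC
 match ipv4 protocol
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
flow monitor INPUT-FC
 exporter NF-EXP
 record INPUT_REC
!
flow monitor FIXED-FC
 exporter NF-EXP
 record FIXED_REC
"""

def parse_blocks(config, kind):
    """Return {name: [normalized sub-commands]} for each 'flow <kind> NAME' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse indentation and repeated spaces
        header = re.fullmatch(rf"flow {kind} (\S+)", line)
        if header:
            current = blocks.setdefault(header.group(1), [])
        elif line == "!" or line.lower().startswith(("flow ", "interface ")):
            current = None  # separator or another section ends the block
        elif line and current is not None:
            current.append(line)  # blank lines are skipped, not treated as an end
    return blocks

def audit(config):
    """Map each flow monitor to (record, missing timestamp commands)."""
    records = parse_blocks(config, "record")
    findings = {}
    for monitor, lines in parse_blocks(config, "monitor").items():
        for rec in (l.split()[1] for l in lines if l.startswith("record ")):
            missing = [c for c in REQUIRED if c not in records.get(rec, [])]
            if missing:
                findings[monitor] = (rec, missing)
    return findings
```

Calling `audit()` on the text of a saved running configuration returns an empty dict when every monitored record carries both timestamp fields.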