Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
874
Views
0
Helpful
3
Replies

9300 Switch - Netflow on SPAN Destination Port

Sijian.Bao
Level 1
Level 1

‎12-07-2022 09:56 PM

Hello All,

 

So the thing is like this. We've setup the netflow on our 9300 switch to send the flows to the analyzer years ago. Now we'd like to filter out some specific traffic like any traffic comming from or going to the host 1.1.1.1

 

It seems that 9300 is not supporting Performance Monitor for the moment, so I could not do it from Netflow side. Then I'm thinking if I can SPAN the traffic from the interface we've setup the Netflow already to another port with SPAN filter and Netflow the destination port. The SPAN filtering is working fine but it seems the Netflow is not sending any flows to our analyzer

 

Do you know if this is possible or is there any other way I can try with?

 

Thanks

Labels:
0 Helpful
3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

‎12-08-2022 02:28 AM - edited ‎12-08-2022 02:30 AM

how is your config look like, i have not tested mixing span and netflow.

but SPAN should give fully mirrror traffic.

how about flexible netflow matching ipv4 destination

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Sijian.Bao
Level 1
Level 1
In response to balaji.bandi

‎12-13-2022 12:24 AM

Hello Balaji,

 

Here comes the configuration:

SPAN:

monitor session 2 source interface Gi1/0/3 rx
monitor session 2 destination interface Gi2/0/2
monitor session 2 filter ip access-group Zscaler


Netflow:

flow record Flow_Rec_In
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match ipv4 protocol
match interface input
match ipv4 tos
match flow direction
collect counter bytes long
collect counter packets long
collect transport tcp flags
collect timestamp absolute first
collect timestamp absolute last
flow record Flow_Rec_Out
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match ipv4 protocol
match interface output
match ipv4 tos
match flow direction
collect counter bytes long
collect counter packets long
collect transport tcp flags
collect timestamp absolute first
collect timestamp absolute last

flow exporter Flow_Exp_WUG
description Exporter to WUG
destination x.x.x.x
source Vlan110
transport udp 9999
template data timeout 900

flow monitor Flow_Mon_In
description Monitor to WUG
exporter Flow_Exp_WUG
cache timeout active 60
record Flow_Rec_In
flow monitor Flow_Mon_Out
description Monitor to WUG
exporter Flow_Exp_WUG
cache timeout active 60
record Flow_Rec_Out

interface GigabitEthernet2/0/2
ip flow monitor Flow_Mon_In input
ip flow monitor Flow_Mon_Out output

 

I just include both source/destination (in/out) for testing but no luck.

 

Thanks

0 Helpful

Sijian.Bao
Level 1
Level 1

‎12-08-2022 04:24 PM - edited ‎12-13-2022 12:24 AM

Edited

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card