Can I run more than one Flow monitor simultaneously on one machine?

Translator
Community Manager

I use Catalyst 9300 IOS-XE 17.3.4.

Would it be possible to run multiple Flow monitors simultaneously on this single machine? The configuration example is as follows.

Flow Record AAA: Supports traditional legacy Netflow
Flow Record BBB: Compatible with NBAR (AVC) where the application name is included in the match condition

Flow Exporter DNAC: Send flow information to DNA Center
Flow Exporter SW: Send flow information to Stealthwatch

Flow monitor XXX
 record BBB
 exporter SW
 exporter DNAC

Flow monitor YYY
 record AAA
 exporter SW
 exporter DNAC

interface gi1/0/1
 ip flow monitor XXX input

interface gi1/0/2
 ip flow monitor YYY input

I look forward to hearing from experts in the Flexible NetFlow area.

3 Replies

DJW487
Level 1

I am late to the party here but...

My 9300 on 17.3.3 has this setup.

We have traditional netflow being sent to nProbe/ntopng. Then dnac/catalyst centre added its own AVC/nbar netflow monitors to the interface as well:

ip flow monitor nProbe_ingress input
ip flow monitor dnacmonitor input
ip flow monitor nProbe_egress output
ip flow monitor dnacmonitor output
ipv6 flow monitor dnacmonitor_v6 input
ipv6 flow monitor dnacmonitor_v6 output

And these are the record templates we are using now:

flow record FNF-input
 description IPv4 NetFlow
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match interface input
 match ipv4 tos
 match flow direction
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last
flow record FNF-output
 description IPv4 NetFlow
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match interface output
 match ipv4 tos
 match flow direction
 collect interface input
 collect counter bytes long
 collect counter packets long
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last
flow record dnacrecord
 match ipv4 version
 match ipv4 protocol
 match application name
 match connection client ipv4 address
 match connection server ipv4 address
 match connection server transport port
 match flow observation point
 collect timestamp absolute first
 collect timestamp absolute last
 collect flow direction
 collect connection initiator
 collect connection client counter packets long
 collect connection client counter bytes network long
 collect connection server counter packets long
 collect connection server counter bytes network long
 collect connection new-connections
 collect datalink mac source address input
flow record dnacrecord_v6
 match ipv6 version
 match ipv6 protocol
 match application name
 match connection client ipv6 address
 match connection server ipv6 address
 match connection server transport port
 match flow observation point
 collect timestamp absolute first
 collect timestamp absolute last
 collect flow direction
 collect connection initiator
 collect connection client counter packets long
 collect connection client counter bytes network long
 collect connection server counter packets long
 collect connection server counter bytes network long
 collect connection new-connections
 collect datalink mac source address input

DJW487
Level 1

However, my 9300 on 17.12.3 with the exact same record/export/monitor setup as the other one gives this error when trying to add both monitors to the interface:

% Flow Monitor: Failed to add monitor to interface: wdavc and non-wdavc monitors cannot exist on an interface for same traffic type and direction

DJW487
Level 1

Upon further investigation, it appears the dnac monitor is not doing anything on the interface in the first one. Checking the monitor cache and stats shows it sitting at 0. So while both the dnac and my own monitors were applied, nothing was being sent to dnac.
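
Added example (not part of any post in this thread): a config check that flags interfaces where an application-aware monitor and a traditional monitor share the same traffic type and direction, the combination that 17.12.3 rejects and that on 17.3.3 left the dnac monitor exporting nothing. It assumes a monitor counts as "wdavc" when its record contains `match application name`, which the thread does not state; the monitor definitions in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample config; names follow the thread, monitor bodies are assumed.
SAMPLE_CONFIG = """\
flow record FNF-input
 match ipv4 source address
flow record dnacrecord
 match application name
flow record dnacrecord_v6
 match application name
flow monitor nProbe_ingress
 record FNF-input
flow monitor dnacmonitor
 record dnacrecord
flow monitor dnacmonitor_v6
 record dnacrecord_v6
interface GigabitEthernet1/0/1
 ip flow monitor nProbe_ingress input
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 ipv6 flow monitor dnacmonitor_v6 input
"""

def find_conflicts(config):
    """Return (interface, traffic_type, direction, monitors) where AVC and non-AVC monitors mix."""
    avc_records, monitor_record, attached = set(), {}, defaultdict(set)
    section = None  # (kind, name) of the top-level block currently being read
    for line in config.splitlines():
        if not line.startswith(" "):
            m = re.match(r"(flow record|flow monitor|interface)\s+(\S+)", line)
            section = (m.group(1), m.group(2)) if m else None
            continue
        kind, name = section or (None, None)
        cmd = line.strip()
        if kind == "flow record" and cmd == "match application name":
            avc_records.add(name)  # assumption: this marks an AVC (wdavc) record
        elif kind == "flow monitor" and cmd.startswith("record "):
            monitor_record[name] = cmd.split()[1]
        elif kind == "interface":
            m = re.match(r"(ip|ipv6) flow monitor (\S+) (input|output)$", cmd)
            if m:
                attached[(name, m.group(1), m.group(3))].add(m.group(2))
    conflicts = []
    for (intf, ttype, direction), monitors in attached.items():
        kinds = {monitor_record.get(mon) in avc_records for mon in monitors}
        if len(kinds) == 2:  # both an AVC and a non-AVC monitor are attached
            conflicts.append((intf, ttype, direction, sorted(monitors)))
    return sorted(conflicts)
```

Calling `find_conflicts(SAMPLE_CONFIG)` reports only the IPv4 input direction of the interface; the output and IPv6 attachments carry a single monitor kind and pass.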
