06-30-2020 07:22 AM - edited 07-01-2020 07:19 AM
Hello,
I'm trying to install Flexible NetFlow on a Cisco Catalyst 3850.
But no package is exported, and if I run the "show flow monitor ipv4_netflow_input statistics" command, there is no field "flow aged" with "active timeout" and "Inactive timeout":
Cache type: Normal (Platform cache)
Cache size: 10000 Current entries: 2096
Flows added: 2096
Flows aged: 0
Moreover, the packets not exported are well in the cache.
My configuration (Cisco IOS 16.6):
flow record goelastic_input
 match ipv4 destination address
 match ipv4 source address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match ipv4 tos
 match ipv4 ttl
 match interface input
 match flow direction
 match datalink vlan input
 collect counter bytes long
 collect counter packets long
!
!
flow exporter exp_goelastic_input
 destination X.X.X.X
 source Loopback0
 transport udp 2055
!
!
flow monitor ipv4_netflow_input
 exporter exp_goelastic_input
 cache timeout active 60
 record goelastic_input
Thanks
06-30-2020 07:46 AM
Hi,
What is the license level on the switch?
HTH
07-01-2020 12:00 AM - edited 07-01-2020 12:12 AM
Hello !
The license level is "ipbase". Is that OK for NetFlow?
Regards
06-30-2020 07:57 AM
Can you post "show version" and "show cef" information?
Here is my working template config for reference:
flow record FLOW-BB
 match ipv4 source address
 match ipv4 destination address
 match ipv4 tos
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match interface input
 collect transport tcp flags
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
flow monitor ipv4-netflow-bb
 exporter ELK
 statistics packet protocol
 statistics packet size
 record FLOW-BB
flow exporter ELK
 destination x.x.x.x
 source Loopback0
 transport udp 2055
interface gi 1/1
 ip flow monitor ipv4-netflow-bb input
 ip flow monitor ipv4-netflow-bb output
07-01-2020 12:14 AM
Hello,
Show version command :
Cisco IOS XE Software, Version 16.06.05
Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.6.5, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Mon 10-Dec-18 11:34 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 4.68, RELEASE SOFTWARE (P)
CISCO01 uptime is 1 week, 1 day, 21 hours, 29 minutes
Uptime for this control processor is 1 week, 1 day, 21 hours, 32 minutes
System returned to ROM by Power Failure or Unknown at 13:26:42 MET Thu Dec 19 2019
System restarted at 11:32:54 MET Mon Jun 22 2020
System image file is "flash:cat3k_caa-universalk9.16.06.05.SPA.bin"
Last reload reason: Power Failure or Unknown
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Technology Package License Information:
-----------------------------------------------------------------
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
ipbasek9 Permanent ipbasek9
cisco WS-C3850-24S (MIPS) processor (revision M0) with 853097K/6147K bytes of memory.
9 Virtual Ethernet interfaces
56 Gigabit Ethernet interfaces
8 Ten Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
250456K bytes of Crash Files at crashinfo:.
252000K bytes of Crash Files at crashinfo-2:.
1609272K bytes of Flash at flash:.
1611414K bytes of Flash at flash-2:.
0K bytes of WebUI ODM Files at webui:.
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 32 WS-C3850-24S 16.6.5 CAT3K_CAA-UNIVERSALK9 BUNDLE
2 32 WS-C3850-24S 16.6.5 CAT3K_CAA-UNIVERSALK9 BUNDLE
Configuration register is 0x102
What do you need about CEF information?
Thank you for your help
07-01-2020 01:24 AM - edited 07-01-2020 01:39 AM
I just tried to apply the flow monitors on the VLANs with "vlan configuration in-vlan"; it works once, but not after. And it doesn't work by applying the monitors on the physical interfaces.
Moreover, when I remove the flow monitors on the interfaces or VLAN, my Elastic server receives NetFlow packets. But no flow is aged:
Cache type: Normal (Platform cache)
Cache size: 10000
Current entries: 300
Flows added: 300
Flows aged: 0
Any idea?
Big thanks
07-01-2020 02:32 AM
If this is an L2 interface then it will not work. It should be an L3 interface.
07-01-2020 02:47 AM
Hello, thank you for your answer.
I don't understand what is wrong, "Layer 2, VLAN, and Layer 3 interfaces are supported." (https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fnetflow/configuration/xe-3se/3850/fnf-full-flow.html)
And my switch has almost the same configuration as yours.
Big thanks
07-01-2020 03:00 AM
As you mentioned, it worked when you added the configuration to the SVI?
Can you post both interface configurations:
show run interface vlan X
show run interface gig x/x
show ip flow export
07-01-2020 04:15 AM
Not to SVI but VLAN,
show run interface vlan X :
Current configuration : 182 bytes
!
interface VlanXX
 description *** Vlan Management ***
 ip address XX.XX.XX.XXX XXX.XXX.XXX.X
 ip helper-address XXX.XXX.XXX.X
 ip helper-address XXX.XXX.XXX.X
 no ip proxy-arp
end
show run interface gigabitEthernetX/X
Building configuration...
Current configuration : 181 bytes
!
interface GigabitEthernetX/X
 description Link_To_XXXXXXXXXX
 switchport mode trunk
 switchport nonegotiate
 channel-group 53 mode active
 ip nbar protocol-discovery
end
show flow record :
flow record goelastic_input:
Description: User defined
No. of users: 1
Total field space: 38 bytes
Fields:
match datalink vlan input
match ipv4 tos
match ipv4 ttl
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
collect counter bytes long
collect counter packets long
Big thanks
07-01-2020 10:26 AM
I do not see the configuration applied to the interface?
Is this port-channel Layer 2 or Layer 3? Can you post
show run interface port-channel 53
07-01-2020 11:40 PM - edited 07-01-2020 11:47 PM
Yes, I removed the flow monitors. I give one:
Cisco01#show run interface gigabitEthernet1/0/1 :
interface GigabitEthernet1/0/1
 description TINSWCISCO02-ADM
 switchport mode trunk
 ip flow monitor ipv4_netflow_input input
 storm-control broadcast level 5.00
 storm-control action shutdown
 storm-control action trap
 channel-group 1 mode active
 ip nbar protocol-discovery
 ip dhcp snooping trust
end
Yes this port channel is Layer 2. Is that why it doesn't work?
show run interface port-channel 53 :
interface Port-channel53
 description Link_To_CISCO02
 switchport mode trunk
 switchport nonegotiate
end
Big thanks
07-02-2020 05:05 AM - edited 07-02-2020 05:06 AM
I think I found my problem. It's a bug:
Jul 2 11:19:03: %FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 2 R0/0: fman_fp_image: [FNF Object] type:IF_BIND name:ipv4_netflow_input-0-goelastic_input-3564851318-0-1-40 fnf-id:2000125 real-id:125 info:ifh =40 mon-id:2000001 samp-id:0 dir:1 traffic:0 sub_traffic:0x0 efp_id:3 download to DP failed
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi03188/?rfs=iqvred
Symptom:
The issue is observed on 3650 and 3850 in a CU environment running 16.6.2 with "match ipv4 version" removed from the FNF record. CU removed the config more than 20 times and the Exporter stopped working while observing the below error messages in the logs:
189768: Feb 16 2018 16:23:25.521 UTC: %FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 2 R0/0: fman_fp_image: [FNF Object] type:IF_BIND name:FNF-MONITOR-IN-0-FNF-RECORD-IN-1614463892-0-1-7 fnf-id:2000433 real-id:433 info:ifh =7 mon-id:2000022 samp-id:0 dir:1 traffic:0 sub_traffic:0x0 efp_id:3 download to DP failed
189769: Feb 16 2018 16:23:25.575 UTC: %FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 3 R0/0: fman_fp_image: [FNF Object] type:IF_BIND name:FNF-MONITOR-IN-0-FNF-RECORD-IN-1614463892-0-1-7 fnf-id:2000433 real-id:433 info:ifh =7 mon-id:2000022 samp-id:0 dir:1 traffic:0 sub_traffic:0x0 efp_id:3 download to DP failed
Conditions:
3650/3850 running 16.6.2 code and FNF configuration removed and re added multiple times.
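Added example (not part of the thread and not Cisco code): a small Python check that scans collected switch syslog for the %FMFP-3-OBJ_DWNLD_TO_DP_FAILED message on FNF objects quoted above, so a silently failed flow monitor binding is noticed before the missing NetFlow export becomes a monitoring gap. The function names are hypothetical, and reading "ifh" as the interface handle is an assumption.

```python
import re
from collections import defaultdict

# Sample input: the first two lines are the syslog messages quoted in the thread;
# the third is a constructed, unrelated message to show that it is ignored.
SAMPLE_LOG = """\
Jul 2 11:19:03: %FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 2 R0/0: fman_fp_image: [FNF Object] type:IF_BIND name:ipv4_netflow_input-0-goelastic_input-3564851318-0-1-40 fnf-id:2000125 real-id:125 info:ifh =40 mon-id:2000001 samp-id:0 dir:1 traffic:0 sub_traffic:0x0 efp_id:3 download to DP failed
189769: Feb 16 2018 16:23:25.575 UTC: %FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 3 R0/0: fman_fp_image: [FNF Object] type:IF_BIND name:FNF-MONITOR-IN-0-FNF-RECORD-IN-1614463892-0-1-7 fnf-id:2000433 real-id:433 info:ifh =7 mon-id:2000022 samp-id:0 dir:1 traffic:0 sub_traffic:0x0 efp_id:3 download to DP failed
Jul 2 11:20:00: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
"""

# Match only the FNF variant of the message and pull out the fields that
# identify which stack member and which binding failed.
FNF_FAIL = re.compile(
    r"%FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch (?P<switch>\d+) .*?"
    r"\[FNF Object\] type:(?P<type>\S+) name:(?P<name>\S+) .*?"
    r"info:ifh\s*=\s*(?P<ifh>\d+) mon-id:(?P<mon_id>\d+)"
)

def find_fnf_download_failures(log_text):
    """Return one dict per FNF object that failed to download to the data plane."""
    hits = []
    for line in log_text.splitlines():
        m = FNF_FAIL.search(line)
        if m:
            hit = m.groupdict()
            hit["switch"] = int(hit["switch"])
            hit["ifh"] = int(hit["ifh"])  # assumed to be the interface handle
            hits.append(hit)
    return hits

def failures_by_switch(hits):
    """Group the affected ifh values by stack member number."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["switch"]].add(h["ifh"])
    return {sw: sorted(ifhs) for sw, ifhs in grouped.items()}

if __name__ == "__main__":
    summary = failures_by_switch(find_fnf_download_failures(SAMPLE_LOG))
    for sw, ifhs in summary.items():
        print(f"switch {sw}: flow monitor binding failed on ifh {ifhs}")
```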