Solved: Flexible netflow on Cat 9300/9500 on L3 vlan interface

carl_townshend · ‎07-26-2024

Hi All

I have a question about flexible netflow.

On our Catalyst 9500 switch we want to send netflow to our collector (whatsup gold)

If we want to collect info from a layer 3 vlan, which is the correct config?

vlan configuration 126
ip flow monitor WUG-NETFLOW-IN input
ip flow monitor WUG-NETFLOW-OUT output

or

interface vlan 126
ip flow monitor WUG-NETFLOW-IN input
ip flow monitor WUG-NETFLOW-OUT outpu

Enes Simnica · ‎07-26-2024

Hello @carl_townshend.

To collect NetFlow data from a Layer 3 VLAN interface on your Catalyst 9500 switch, you should configure the flow monitor on the interface itself, not within the VLAN configuration mode. Here is the correct configuration:

interface vlan 126

ip flow monitor WUG-NETFLOW-IN input

ip flow monitor WUG-NETFLOW-OUT output

So, the correct configuration is the second option

This configuration ensures that the NetFlow data is captured as it enters and leaves the Layer 3 VLAN interface and is sent to your collector (WhatsUp Gold). Make sure you have already defined the WUG-NETFLOW-IN and WUG-NETFLOW-OUT flow monitors and their associated flow records and exporters in the global configuration.

Also, here’s a quick example of how you might define these:

flow record WUG-RECORD

match ipv4 source address

match ipv4 destination address

collect interface input

collect counter bytes

collect counter packets

flow exporter WUG-EXPORTER

destination <collector-ip>

transport udp 2055

flow monitor WUG-NETFLOW-IN

record WUG-RECORD

exporter WUG-EXPORTER

flow monitor WUG-NETFLOW-OUT

record WUG-RECORD

exporter WUG-EXPORTER

I hope this information proves useful!

E.S

more Cisco?!

-Enes

View solution in original post

Enes Simnica · ‎07-26-2024

Hello @carl_townshend.

To collect NetFlow data from a Layer 3 VLAN interface on your Catalyst 9500 switch, you should configure the flow monitor on the interface itself, not within the VLAN configuration mode. Here is the correct configuration:

interface vlan 126

ip flow monitor WUG-NETFLOW-IN input

ip flow monitor WUG-NETFLOW-OUT output

So, the correct configuration is the second option

This configuration ensures that the NetFlow data is captured as it enters and leaves the Layer 3 VLAN interface and is sent to your collector (WhatsUp Gold). Make sure you have already defined the WUG-NETFLOW-IN and WUG-NETFLOW-OUT flow monitors and their associated flow records and exporters in the global configuration.

Also, here’s a quick example of how you might define these:

flow record WUG-RECORD

match ipv4 source address

match ipv4 destination address

collect interface input

collect counter bytes

collect counter packets

flow exporter WUG-EXPORTER

destination <collector-ip>

transport udp 2055

flow monitor WUG-NETFLOW-IN

record WUG-RECORD

exporter WUG-EXPORTER

flow monitor WUG-NETFLOW-OUT

record WUG-RECORD

exporter WUG-EXPORTER

I hope this information proves useful!

E.S

more Cisco?!

-Enes

carl_townshend · ‎07-26-2024

Hi Enes

Thanks for that, we already have the rest of it configured, its just the L3 vlan bit.

So when would we use the vlan configuration part?

Enes Simnica · ‎07-26-2024

hello @carl_townshend

ur welcome!

About the question: when to use the vlan config part:

The VLAN configuration part for NetFlow is used when you want to monitor traffic on a Layer 2 VLAN interface or a Layer 3 VLAN interface but at a specific level of granularity. Here's when and why you would use it:

When to Use VLAN Configuration for NetFlow

Layer 2 VLAN Interfaces:
- Traffic Visibility: If you want to monitor traffic within a VLAN at Layer 2 (without routing), you can apply the NetFlow monitor to the VLAN interface.
- Use Case: Useful in scenarios where you want to track intra-VLAN traffic or traffic between VLANs that are routed on another device.
Layer 3 VLAN Interfaces (SVI - Switched Virtual Interfaces):
- Routing Traffic: When you want to monitor traffic routed to or from a Layer 3 VLAN interface (SVI) on a switch.
- Granularity: Allows you to monitor traffic that is routed and processed by the switch, providing visibility into the traffic as it enters or exits the VLAN.

Also the summary for this situation I believe is this: VLAN Configuration: Use this when you need to monitor traffic on a Layer 2 VLAN or Layer 3 VLAN interface directly. and, Interface Configuration: Apply NetFlow to physical interfaces or routed VLAN interfaces for more granular control and detailed monitoring.

So I'm sure that understanding the traffic flow and what you want to monitor will help you decide whether to use VLAN configuration or interface-level configuration.

Hope this will help!

E.S

more Cisco?!

-Enes