cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8977
Views
5
Helpful
9
Replies

Flexible Netflow (v.9) question on 3850 ipservices doesn't seem to register

Preston Kilburn
Level 1
Level 1

Greetings all - I am trying to enable netflow on a new 3850-24 with ipservices.  I am leveraging LiveAction and have raised a ticket with them to help me through the issue, but more generally I'm confused about the lack of features I'm seeing. Per the 3850 guide here (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/flexible_netflow/configuration_guide/b_fnf_3se_3850_cg/b_fnf_3se_3850_cg_chapter_010.html) it is stated that you will have the option of turning on inbound and outbound directions on 3850's with ipbase and ipservices.  

 

We are running ip services:

 

 Slot#  License name   Type     Count   Period left 
----------------------------------------------------------
 1      ipservices   permanent     N/A   Lifetime

 

However, we get the following error when trying to turn on flow inbound and outbound on the interfaces - whether they are svi (layer3) or interface (layer2)

-----------------Layer2: ----------------------------------------------

(config)#interface GigabitEthernet1/0/24
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' 
Unsupported match field "interface input" for ipv4 traffic in output direction
Unsupported collect field "interface output" for ipv4 traffic in output direction

---------------- Layer3 ---------------------------------------------

switch(config)#interface Vlan190
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces

------------------------------------ untruncated output ------------------------------

switch(config-flow-record)#collect counter bytes
% Incomplete command.

switch(config-flow-record)#collect counter packets
% Incomplete command.

switch(config-flow-record)#collect flow sampler
                                                    ^
% Invalid input detected at '^' marker.

switch(config-flow-record)#collect interface output
switch(config-flow-record)#collect ipv4 destination mask
                                                ^
% Invalid input detected at '^' marker.

switch(config-flow-record)#collect ipv4 dscp
                                                ^
% Invalid input detected at '^' marker.

switch(config-flow-record)#collect ipv4 id
                                                ^
% Invalid input detected at '^' marker.

switch(config-flow-record)#collect ipv4 source mask
                                                ^
% Invalid input detected at '^' marker.

switch(config-flow-record)#collect ipv4 source prefix
                                                ^
% Invalid input detected at '^' marker.

switch(config-flow-record)#collect routing destination as
                                               ^
% Invalid input detected at '^' marker.

switch(config-flow-record)#collect routing next-hop address ipv4
                                               ^
% Invalid input detected at '^' marker.

switch(config-flow-record)#collect routing source as
                                               ^
% Invalid input detected at '^' marker.

switch(config-flow-record)#collect timestamp sys-uptime first
                                                         ^
% Invalid input detected at '^' marker.

switch(config-flow-record)#collect timestamp sys-uptime last
                                                         ^
% Invalid input detected at '^' marker.

switch(config-flow-record)#collect transport tcp flags
switch(config-flow-record)#exit
switch(config)#flow monitor LIVEACTION-FLOWMONITOR
switch(config-flow-monitor)#$ DO NOT MODIFY. USED BY LIVEACTION. 
switch(config-flow-monitor)#exporter LIVEACTION-FLOWEXPORTER
switch(config-flow-monitor)#cache timeout inactive 10
switch(config-flow-monitor)#cache timeout active 60
switch(config-flow-monitor)#record LIVEACTION-FLOWRECORD
switch(config-flow-monitor)#exit
switch(config)#interface Vlan197
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
switch(config-if)#exit
switch(config)#interface Vlan190
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces

 

-------------------- config it's trying to apply----------------------------

 

 

 

 

 

 

config t
ip cef
snmp-server ifindex persist
flow exporter LIVEACTION-FLOWEXPORTER
description DO NOT MODIFY. USED BY LIVEACTION.
destination <removed private IP address to liveaction server>
source Loopback0
transport udp 2055
template data timeout 600
option interface-table
exit
flow record LIVEACTION-FLOWRECORD
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes
collect counter packets
collect flow sampler
collect interface output
collect ipv4 destination mask
collect ipv4 dscp
collect ipv4 id
collect ipv4 source mask
collect ipv4 source prefix
collect routing destination as
collect routing next-hop address ipv4
collect routing source as
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags
exit
flow monitor LIVEACTION-FLOWMONITOR
description DO NOT MODIFY. USED BY LIVEACTION.
exporter LIVEACTION-FLOWEXPORTER
cache timeout inactive 10
cache timeout active 60
record LIVEACTION-FLOWRECORD
exit
interface Vlan197
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface Vlan190
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/13
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/18
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/4
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/3
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/6
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/5
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/23
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/24
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output

 

9 Replies 9

Hi

 

I think you already solved this (as the original issue was raised 6 months ago), but I will add my two cents for those who still face issues with FNF and 3850 platform.

 

I have spent few days trying to get the most use from Cisco Catalyst 3850 and its FNF support. As it seems, this platform has a number of limitations.

 

First of all, you can't rely on LiveAction templates with it. By default LiveAction has only one FNF template that it is trying to apply in Inbound and Outbound direction. However, Cat 3850 is not capable to Match flows using Ingress interface in Egress direction, and can't Match flows using Egress interface in Ingress direction. That is, you must have TWO FNF collectors configured (and two monitors). One monitor will be used for Input, other for Output.

It will look like this

flow record CUSTOM-FNF-RECORD-IN
 match flow direction
 match interface input
 match ipv4 destination address
 match ipv4 protocol
 match ipv4 source address
 match ipv4 tos
 match transport destination-port
 match transport source-port
 collect counter bytes
 collect counter packets
 collect interface output
 collect transport tcp flags

flow record CUSTOM-FNF-RECORD-OUT
 match flow direction
 match interface output
 match ipv4 destination address
 match ipv4 protocol
 match ipv4 source address
 match ipv4 tos
 match transport destination-port
 match transport source-port
 collect counter bytes
 collect counter packets
 collect interface input
 collect transport tcp flags

flow monitor CUSTOM-FNF-MONITOR-IN
 description DO NOT MODIFY. USED BY LIVEACTION.
 exporter CUSTOM-FNF-EXPORTER
 cache timeout inactive 10
 cache timeout active 60
 record CUSTOM-FNF-RECORD-IN

flow monitor CUSTOM-FNF-MONITOR-OUT
 description DO NOT MODIFY. USED BY LIVEACTION.
 exporter CUSTOM-FNF-EXPORTER
 cache timeout inactive 10
 cache timeout active 60
 record CUSTOM-FNF-RECORD-OUT

vlan configuration 180
 ip flow monitor CUSTOM-FNF-MONITOR-IN input
 ip flow monitor CUSTOM-FNF-MONITOR-OUT output

 

As you noticed, it doesn't support the same range of collect fields as routers do.

However, even though we tell Cat 3850 to collect information about input and output interface (collect statement), it doesn't do so. It only collects information about interfaces that is specified in match command and puts Null0 for the other one.

This bothers me, as I can't fully use LiveAction because of it.

In fact, I would say LiveAction is not fully compatible with this platform. You can manually configure FNF on Cat3850, but you can't do this from within LiveAction and because it doesn't show information about both ingress/egress interfaces, you can't use LiveAction to visualize flows either.

 

I find it frustrating. Anyway, I am going to contact LA team and ask them to adjust configuration templates to match Cat 3850 requirements.

 

Tim

Hi Tim,

Did you ever make any progress with FNF on the 3850's and leveraging LiveAction?  I'm trying to do the same thing.

-Brian

Hi Brian

I have raised few feature requests with them, however it doesn't seem to progress very quickly:

 

1) LP-436 - Be able to push 3850 layer 2 access port netflow config via LiveAction

We added this request to our backlog. I don’t yet have a target date for this feature. 

We’ve just finished adding QoS config to the 3850, to be released in 5.1. Thought this might be of interest. 

2) LP-437 - Be able to run netflow report on the 3850 layer 2 access port without having to use the flex search string

We’re in the process of transitioning to a new platform with web UI. The plan is to remove some of these L2 limitations. All I can say at this point is that we’re looking into this but I don’t yet have a target date. 

 

 

I am still on LA 4.4, so... it might be worth upgrading to 5.x now to check if any of those have been resolved

 

Tim

LA 5.0.1 doesn't appear to be any different.

I'm also seeing similar restrictions on 4510 and 4500-X.

I'm deploying version 6.0.1.  This is still an issue.  I have a lot of 3850 and 4500-X switches so this is disappointing.

--Patrick

Patrick, this is not LA limitation, really... It's rather Catalyst 3850 limitation, and you'll see it performing differently from NetFlow perspective because it is hardware platform - it's goal to switch packets very quickly, so it can't support the full range of ISR's features.

You have probably noticed another limitation of Cat 3850. DSCP reported by this platform via NetFlow corresponds to the Ingress DSCP, even if you capture on Egress (and change Ingress DSCP using ingress service-policy) it will still show original Ingress DSCP. Again, it's purely platform's limitation.

I understand the limitations of the 3850 and 4500-X platform regarding FNF.  My issue is with LiveAction.  I make use of SVIs on the switches and LiveAction wants to apply FNF to the SVI which is not supported.  FNF needs to be applied with the 'vlan configure xxxx' command.  I can do this manually but cannot add the interfaces to the LiveAction managed switch without it trying to push an invalid config.  It errors and all I can do is cancel and not have the interface.  LiveAction needs to detect the SVI and apply the configuration differently.  I opened a support ticket with LiveAction and basically they said 'yup, that doesn't work' and closed the ticket.

Well, yeah.. in that case it's LA. Not sure why they can't improve the app? It's not a massive problem for them to do some extra coding.

Hi Guys - there are 3850/3650 templates in the solution. You would need to select the type from the drop down when using "Flow" "Configure Flow" to enable netflow collection.
Review Cisco Networking for a $25 gift card