Flow monitor configuration failure on Cat 3850 with 'match application name' in flow record for NBAR

rohpandi · ‎08-21-2018

Hi all,

I have 3850 which I want to configure with netflow with NBAR (application identification). But it is failing with following error. If I remove 'match application name' from the flow record entry, then I am able to apply the monitor correctly. Can someone please guide me here on how to fix it?

Switch(config)#interface gigabitEthernet 1/0/47
Switch(config-if)#ip flow monitor Monitor-FNF input
% Flow Monitor: Failed to add monitor to interface: invalid set of fields in monitor record for wired interface
Switch(config-if)#

Other details as below:

Switch#show version
Cisco IOS Software [Denali], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.3.6, RELEASE SOFTWARE (fc3)

ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 3.58, RELEASE SOFTWARE (P)

...
Technology Package License Information:

-----------------------------------------------------------------
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
ipbasek9 Permanent ipservicesk9

cisco WS-C3850-48U (MIPS) processor (revision AC0) with 864936K/6147K bytes of memory.
Processor board ID XXXXXXXXXX
3 Virtual Ethernet interfaces
52 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
252000K bytes of Crash Files at crashinfo:.
1611414K bytes of Flash at flash:.
0K bytes of at webui:.

Model Number : WS-C3850-48U

Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 56 WS-C3850-48U 16.3.6 CAT3K_CAA-UNIVERSALK9 INSTALL

Configuration register is 0x102

Switch#

snippet from sh run:

flow record Record-FNF
description Flexible NetFlow with NBAR Flow Record
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
match application name
collect transport tcp flags
collect interface output
!

flow exporter Export-FNF
description NBAR2
destination <IP>
transport udp <port>
export-protocol ipfix
option interface-table
option application-table
option application-attributes
!

flow monitor Monitor-FNF
description FNF NBAR2 Application Traffic Analysis
exporter Export-FNF
cache timeout active 60
record Record-FNF
!

interface GigabitEthernet1/0/47
switchport access vlan 3
device-tracking attach-policy IPDT_MAX_10
ip nbar protocol-discovery
!

Reza Sharifi · ‎08-21-2018

Hi,

Have a look at this link:

https://community.cisco.com/t5/network-management/netflow-configuration-on-ios-xe/td-p/3189757

HTH

rohpandi · ‎08-21-2018

Hi Reza,

Thanks for the link but the problem I am facing is different that what is mentioned here. My issue is only when 'match application name' is part of flow record, the 'ip flow monitor' command is failing on the interface saying 'invalid set of fields in monitor record for wired interface'. And as a result I am not able to get NBAR application info in netflow. But If I remove the application name field, it works fine.

thanks,

Rohan.

edong0321 · ‎07-24-2019

I have this problem too.

bjamesdowning · ‎11-07-2018

I'm having the same issue on a Cat 9300 running Everest 16.6.4a. Did you ever find a solution?

rohpandi · ‎11-11-2018

Hi,

Nope, I did not get to spend much time on it to analyze further. For us the requirement was to get netflow application data to mgmt platform and we used CSR1kv for that.

thanks,

Rohan.

bjamesdowning · ‎11-13-2018

I was able to apply this policy successfully on a Cat9300, should be similar to the 3850. Hopefully this helps.

flow record AVC-NETFLOW-RECORD

match ipv4 version

match ipv4 protocol

match application name

match connection client ipv4 address

match connection server ipv4 address

match connection server transport port

match flow observation point

collect flow direction

collect connection initiator

collect connection client counter packets long

collect connection client counter bytes network long

collect connection server counter packets long

collect connection server counter bytes network long

collect timestamp absolute first

collect timestamp absolute last

collect connection new-connections

!

flow exporter AVC-NETFLOW-EXPORT

destination 10.x.x.x

source Vlan1

transport udp 2055

option application-table timeout 60

option application-attributes timeout 300

!

flow monitor AVC-NETFLOW-MONITOR

exporter AVC-NETFLOW-EXPORT

cache timeout active 15000

record AVC-NETFLOW-RECORD

Here’s the source documentation:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/sys_mgmt/b_166_sys_mgmt_9300_cg/b_166_sys_mgmt_9300_cg_chapter_0100.html#task_lq1_hwl_j1b

jsteffensen · ‎04-06-2021

Yepp - The Template can be configured on WS-C3850-48P - sowftare 16.9.4

But Stealthwatch has some problems interpreting the template - so some investigation is still needed... Working on it.