Help to Configure Netflow on L2 Switch (3850 3.6.4)

Shlomy Maron · ‎08-04-2016

Hi,

I'd like to configure Netflow on L2 Switch - Catalyst 3850 running version 3.6.4.

the flow exporter, and flow monitor are the easiest to configure.

yet I'd like to ask how should I configure the Flow Recorder.

I've tried to use the following :

flow record RECORD
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match transport icmp ipv4 type
match transport icmp ipv4 code
match flow direction

what happend is that the Netflow collector received only information of the IP of the Switch - which means I've received netflow information of the syslog, snmp, etc of the Switch IP.

what should I configure in order to see the traffic of the users that are connected to this L2 Switch ?

Mark Malone · ‎08-04-2016

Hi

you need to match the data link and counter bytes for L2 traffic in the record

match datalink

collect counter bytes long

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/flexible_netflow/configuration_guide/b_fnf_3se_3850_cg.pdf

Shlomy Maron · ‎08-04-2016

Hi Mark,

Thanks for the information and quick respond !

I've done the follows:

flow record RECORD
match datalink vlan input
match flow direction
collect counter bytes long

!
flow exporter EXPORTER
destination 10.57.63.90
source Vlan42

!

flow monitor MONITOR
exporter EXPORTER
record RECORD

!

vlan configuration 20

ip flow monitor MONITOR input

!

would that send the information of the traffic of the users connected to vlan 20 ?

am I missing something ?

Mark Malone · ‎08-04-2016

Hi

I have flexible netflow running but for routing with iwan so I haven't set it for layer 2 but when I checked that doc I posted and another it says you must have the datalink in at the very least to collect layer 2 information from the switch , what you have above looks ok but maybe set the transport port number under the exporter or maybe it already uses 2055 by default -- transport udp 2055

You will know pretty quick if its working or not

DOC

You are familiar with the Flexible NetFlow key fields as they are defined in the following commands

in the Cisco IOS Flexible NetFlow Command Reference :

◦match datalink—Datalink (layer2) fields

◦match flow—Flow identifying fields

◦match interface—Interface fields

◦match ipv4—IPv4 fields

◦match ipv6—IPv6 fields

◦match transport—Transport layer fields

◦match wireless—Wireless fields

◦match flow cts—CTS fields

Configuring Layer 2 NetFlow

You can define Layer 2 keys in Flexible NetFlow records that you can use to capture flows in Layer 2 interfaces.

SUMMARY STEPS

1. configure terminal

2. flow record name

3. match datalink {dot1q |ethertype | mac | vlan}

4. end

5. show flow record [name ]

6. copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: Switch# `configure terminal`	Enters the global configuration mode.
Step 2	flow record name Example: Switch(config)# `flow record L2_record` Switch(config-flow-record)#	Enters flow record configuration mode.
Step 3	match datalink {dot1q \|ethertype \| mac \| vlan} Example: Switch(config-flow-record)# `match datalink ethertype`	Specifies the Layer 2 attribute as a key.
Step 4	end Example: Switch(config-flow-record)# `end`	Returns to privileged EXEC mode.
Step 5	show flow record [name ] Example: Switch# `show flow record`	(Optional) Displays information about NetFlow on an interface.
Step 6	copy running-config startup-config Example: Switch# `copy running-config startup-config`	(Optional) Saves your entries in the configuration file.

Shlomy Maron · ‎08-04-2016

Mark,

Again thanks for the information.

I'm sorry if I sound dumb or lazy...but I truly don't follow....why do I need my Netflow collector to have the ethertype ?

Edit:

Unsupported match field "ethertype" for ipv4 traffic in output direction

Mark Malone · ‎08-04-2016

Hi

does it not allow you to just enter without the ethertype in place I think that's optional , can you not just match datalink and leave out the ether bit ?

Shlomy Maron · ‎08-04-2016

it's impossible to do match datalink alone

you have to choose -

(config-flow-record)#match datalink ?
dot1q dot1q field
ethertype The Ethertype of the packet
mac MAC fields
vlan The VLAN the packet is on

Mark Malone · ‎08-04-2016

can you not use match datalink with vlan input or mac instead of ethertype ?

Grant-Security/Network Analyst · ‎02-12-2019

What is the purpose of the vlan configuration X command? Can someone point me to the documentation? I assume this allows you to get input from all these vlans to the flow monitor?

!

vlan configuration 20

ip flow monitor MONITOR input

!