08-04-2016 05:26 AM - edited 03-08-2019 06:52 AM
Hi,
I'd like to configure Netflow on L2 Switch - Catalyst 3850 running version 3.6.4.
The flow exporter and flow monitor are the easiest to configure.
Yet I'd like to ask how I should configure the Flow Recorder.
I've tried to use the following:
flow record RECORD
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match transport icmp ipv4 type
 match transport icmp ipv4 code
 match flow direction
What happened is that the NetFlow collector received only information of the IP of the switch - which means I've received NetFlow information of the syslog, SNMP, etc. of the switch IP.
What should I configure in order to see the traffic of the users that are connected to this L2 switch?
08-04-2016 05:37 AM
Hi
You need to match the data link and counter bytes for L2 traffic in the record:
match datalink
collect counter bytes long
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/flexible_netflow/configuration_guide/b_fnf_3se_3850_cg.pdf
08-04-2016 05:45 AM
Hi Mark,
Thanks for the information and quick response!
I've done the following:
flow record RECORD
 match datalink vlan input
 match flow direction
 collect counter bytes long
!
flow exporter EXPORTER
 destination 10.57.63.90
 source Vlan42
!
flow monitor MONITOR
 exporter EXPORTER
 record RECORD
!
vlan configuration 20
 ip flow monitor MONITOR input
!
Would that send the information of the traffic of the users connected to VLAN 20?
Am I missing something?
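An added example, not part of the original posts and not Cisco tooling: a small Python check that audits a pasted Flexible NetFlow configuration for the gaps this thread circles around (a record with no counter field, a record with no address key field, and a monitor that references an undefined record or exporter or is never applied). The function names and finding texts are hypothetical; the address check assumes that an exporter sends only the fields named in the flow record.

```python
import re
# Constructed sample: the flow configuration from the post above, IOS-indented.
SAMPLE = """\
flow record RECORD
 match datalink vlan input
 match flow direction
 collect counter bytes long
flow exporter EXPORTER
 destination 10.57.63.90
 source Vlan42
flow monitor MONITOR
 exporter EXPORTER
 record RECORD
vlan configuration 20
 ip flow monitor MONITOR input
"""
HEAD = re.compile(r"(flow (?:record|exporter|monitor)|vlan configuration|interface) (\S+)$")
HOST_KEY = re.compile(r"match (ipv4|ipv6) (source|destination) address|match datalink mac")

def parse(text):  # map (kind, name) -> sub-commands; tolerates lost indentation
    sections, body = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = HEAD.match(line)
        if m:
            body = sections.setdefault(m.groups(), [])
        elif line and line != "!" and body is not None:
            body.append(line)
    return sections

def audit(text):  # one finding per gap that leaves the collector without user flows
    cfg, out = parse(text), []
    applied = {c.split()[3] for b in cfg.values() for c in b if re.match(r"\S+ flow monitor \S+ ", c)}
    for (kind, name), body in cfg.items():
        if kind == "flow record":
            if not any(c.startswith("collect counter") for c in body):
                out.append(f"record {name}: no 'collect counter' field")
            if not any(HOST_KEY.match(c) for c in body):
                out.append(f"record {name}: no address key field, flows cannot be tied to a host")
        elif kind == "flow monitor":
            for ref in ("record", "exporter"):
                target = next((c.split()[1] for c in body if c.startswith(ref + " ")), None)
                if (f"flow {ref}", target) not in cfg:
                    out.append(f"monitor {name}: {ref} {target} is not defined")
            if name not in applied:
                out.append(f"monitor {name}: not applied to any interface or VLAN")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Run on the sample it reports a single finding: the record keys only on VLAN and direction, so the exported flows carry byte counts but no user addresses.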
08-04-2016 05:56 AM
Hi
I have Flexible NetFlow running, but for routing with IWAN, so I haven't set it for Layer 2. But when I checked that doc I posted and another, it says you must have the datalink in at the very least to collect Layer 2 information from the switch. What you have above looks OK, but maybe set the transport port number under the exporter, or maybe it already uses 2055 by default -- transport udp 2055
You will know pretty quick if it's working or not.
DOC
You are familiar with the Flexible NetFlow key fields as they are defined in the following commands
in the Cisco IOS Flexible NetFlow Command Reference :
◦match datalink—Datalink (layer2) fields
◦match flow—Flow identifying fields
◦match interface—Interface fields
◦match ipv4—IPv4 fields
◦match ipv6—IPv6 fields
◦match transport—Transport layer fields
◦match wireless—Wireless fields
◦match flow cts—CTS fields
You can define Layer 2 keys in Flexible NetFlow records that you can use to capture flows in Layer 2 interfaces.
SUMMARY STEPS
2. flow record name
3. match datalink {dot1q | ethertype | mac | vlan}
5. show flow record [name]
6. copy running-config startup-config
DETAILED STEPS
08-04-2016 06:01 AM
Mark,
Again thanks for the information.
I'm sorry if I sound dumb or lazy... but I truly don't follow... why do I need my NetFlow collector to have the ethertype?
Edit:
Unsupported match field "ethertype" for ipv4 traffic in output direction
08-04-2016 06:10 AM
Hi
Does it not allow you to just enter without the ethertype in place? I think that's optional. Can you not just match datalink and leave out the ether bit?
08-04-2016 06:42 AM
It's impossible to do match datalink alone.
You have to choose -
(config-flow-record)#match datalink ?
dot1q dot1q field
ethertype The Ethertype of the packet
mac MAC fields
vlan The VLAN the packet is on
08-04-2016 06:52 AM
Can you not use match datalink with vlan input or mac instead of ethertype?
02-12-2019 11:06 AM
What is the purpose of the vlan configuration X command? Can someone point me to the documentation? I assume this allows you to get input from all these vlans to the flow monitor?
!
vlan configuration 20
 ip flow monitor MONITOR input
!