Cisco Employee

Help to Configure Netflow on L2 Switch (3850 3.6.4)


I'd like to configure Netflow on L2 Switch - Catalyst 3850 running version 3.6.4.

The flow exporter and flow monitor are the easiest to configure.

Yet I'd like to ask how I should configure the Flow Recorder.

I've tried to use the following:

flow record RECORD
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match transport icmp ipv4 type
match transport icmp ipv4 code
match flow direction

What happened is that the NetFlow collector received only information about the IP of the switch, which means I've received NetFlow information for the syslog, SNMP, etc. of the switch IP.

What should I configure in order to see the traffic of the users that are connected to this L2 switch?

VIP Mentor



You need to match the data link and counter bytes for L2 traffic in the record:

match datalink  

collect counter bytes long

Cisco Employee

Hi Mark,


Thanks for the information and quick response!

I've done the following:

flow record RECORD
match datalink vlan input
match flow direction
collect counter bytes long

flow exporter EXPORTER
source Vlan42


flow monitor MONITOR
exporter EXPORTER
record RECORD


vlan configuration 20

ip flow monitor MONITOR input


Would that send the information about the traffic of the users connected to vlan 20?

Am I missing something?
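
A consistency check for the configuration posted above, added here as an example and not part of the original thread: it parses the record, exporter, monitor and VLAN attachment and reports missing pieces. The `match datalink` rule encodes the advice given in this thread, and the script does not validate which fields the platform supports.

```python
import re
# Config as posted in the thread (blank lines dropped, sub-commands indented).
POSTED = """flow record RECORD
 match datalink vlan input
 match flow direction
 collect counter bytes long
flow exporter EXPORTER
 source Vlan42
flow monitor MONITOR
 exporter EXPORTER
 record RECORD
vlan configuration 20
 ip flow monitor MONITOR input
"""
HEADER = re.compile(r"(flow record|flow exporter|flow monitor|vlan configuration|interface)\s+(\S+)$")

def parse_sections(text):
    """Group sub-commands under their section header: {(kind, name): [commands]}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            current = sections.setdefault((m.group(1), m.group(2)), [])
        elif line and not line.startswith("!") and current is not None:
            current.append(line)
    return sections

def lint(text):
    """Return a list of findings for a Flexible NetFlow config; empty means none."""
    s, out = parse_sections(text), []
    defined = lambda kind: {n for (k, n) in s if k == kind}
    has = lambda cmds, prefix: any(c.startswith(prefix) for c in cmds)
    for (kind, name), cmds in s.items():
        if kind == "flow record":  # 'match datalink' is the thread's advice for Layer 2 flows
            out += [f"record {name}: no '{p}' statement" for p in ("match datalink", "collect") if not has(cmds, p + " ")]
        elif kind == "flow exporter":
            if not has(cmds, "destination "):  # without it nothing is sent to a collector
                out.append(f"exporter {name}: no 'destination'")
        elif kind == "flow monitor":
            for ref in ("record", "exporter"):
                used = [c.split()[1] for c in cmds if c.startswith(ref + " ")]
                out += [f"monitor {name}: {ref} {u} not defined" for u in used if u not in defined("flow " + ref)]
                if not used:
                    out.append(f"monitor {name}: no {ref} attached")
        else:  # attachment point: 'vlan configuration N' or an interface
            for m in filter(None, (re.match(r"ip flow monitor (\S+) (input|output)$", c) for c in cmds)):
                if m.group(1) not in defined("flow monitor"):
                    out.append(f"{kind} {name}: monitor {m.group(1)} not defined")
    return out
```

Called as `lint(POSTED)`, it returns a single finding: the exporter as posted shows only a `source` and no `destination`.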

VIP Mentor



I have Flexible NetFlow running, but for routing with IWAN, so I haven't set it up for Layer 2. But when I checked that doc I posted and another, it says you must have the datalink in at the very least to collect Layer 2 information from the switch. What you have above looks OK, but maybe set the transport port number under the exporter, or maybe it already uses 2055 by default -- transport udp 2055

You will know pretty quickly if it's working or not.


You are familiar with the Flexible NetFlow key fields as they are defined in the following commands in the Cisco IOS Flexible NetFlow Command Reference:

match datalink - Datalink (layer2) fields

match flow - Flow identifying fields

match interface - Interface fields

match ipv4 - IPv4 fields

match ipv6 - IPv6 fields

match transport - Transport layer fields

match wireless - Wireless fields

match flow cts - CTS fields

Configuring Layer 2 NetFlow

You can define Layer 2 keys in Flexible NetFlow records that you can use to capture flows in Layer 2 interfaces.


1.    configure terminal

2.    flow record name

3.    match datalink {dot1q | ethertype | mac | vlan}

4.    end

5.    show flow record [name]

6.    copy running-config startup-config


    Step 1: configure terminal
        Example: Switch# configure terminal
        Purpose: Enters the global configuration mode.

    Step 2: flow record name
        Example: Switch(config)# flow record L2_record
        Purpose: Enters flow record configuration mode.

    Step 3: match datalink {dot1q | ethertype | mac | vlan}
        Example: Switch(config-flow-record)# match datalink ethertype
        Purpose: Specifies the Layer 2 attribute as a key.

    Step 4: end
        Example: Switch(config-flow-record)# end
        Purpose: Returns to privileged EXEC mode.

    Step 5: show flow record [name]
        Example: Switch# show flow record
        Purpose: (Optional) Displays information about NetFlow on an interface.

    Step 6: copy running-config startup-config
        Example: Switch# copy running-config startup-config
        Purpose: (Optional) Saves your entries in the configuration file.


    Cisco Employee



    Again thanks for the information.

    I'm sorry if I sound dumb or lazy... but I truly don't follow... why do I need my NetFlow collector to have the ethertype?


    Unsupported match field "ethertype" for ipv4 traffic in output direction

    VIP Mentor



    Does it not allow you to just enter it without the ethertype in place? I think that's optional. Can you not just match datalink and leave out the ether bit?

    Cisco Employee

    It's impossible to do match datalink alone.

    You have to choose:

    (config-flow-record)#match datalink ?
    dot1q dot1q field
    ethertype The Ethertype of the packet
    mac MAC fields
    vlan The VLAN the packet is on

    VIP Mentor

    Can you not use match datalink with vlan input or mac instead of ethertype?


    Re: Hi Mark,

    What is the purpose of the vlan configuration X command? Can someone point me to the documentation? I assume this allows you to get input from all these vlans to the flow monitor?



    vlan configuration 20

    ip flow monitor MONITOR input

