05-03-2017 09:04 AM - edited 03-08-2019 10:25 AM
Good Morning,
Normally I try to figure things out on my own, but this one has been driving me crazy for the last 2 weeks. We are trying to implement NetFlow on our 6506 Sup2T for the outside interface so we can monitor traffic in Cisco Prime. Unfortunately the interface won't take the "ip flow" command, and the only "ip" commands are:
Someone told me that if I only have L2 then I would have to use MLS commands, but my interface won't take MLS.
If you guys could help me figure out why I can't implement IP FLOW on this switch before my hair turns gray. Thx
Here is some info:
IOS: s2t54-adventerprisek9-mz.SPA.154-1.SY.bin
NetFlow config:
EXPORT:
flow exporter Qexport
destination Prime server IP
source gigx/x
transport udp 9991
template data timeout 60
RECORD:
flow record Qrecord
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow sampler
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect ipv4 source mask
collect ipv4 destination mask
collect transport tcp flags
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
MONITOR:
flow monitor HQmonitor
record Qrecord
exporter Qexport
cache timeout active 60
cache timeout inactive 15
INTERFACE:
Interface XX/XX
ip flow monitor Qmonitor input
ip flow monitor Qmonitor output
Interface that we want to apply IP FLOW:
interface GigabitEthernetX/X
description UPLINK #1 TO EXT ROUTER
switchport
switchport mode access
switchport access vlan 7
hold-queue 150 out
Let me know if you guys need extra info. Thx in advance
05-03-2017 09:21 AM
Hi
I have NetFlow running on all my 65s with Sup2Ts.
"Someone told me that if I only have L2 then I would have to use MLS commands, but my interface won't take MLS."
This is wrong; for a start, Sup2Ts don't support mls qos.
First I would check whether the flows are in the switch itself to be sent, like the example below:
#sh flow exporter statistics
Flow Exporter NetQos:
  Packet send statistics (last cleared 1y2w ago):
    Successfully sent:       80793498   (100534107402 bytes)
    No destination address:  24         (30196 bytes)
  Client send statistics:
    Client: Option options interface-table
      Records added:         11450416
        - sent:              11450144
        - failed to send:    272
      Bytes added:           1145041600
        - sent:              1145014400
        - failed to send:    27200
    Client: Option options exporter-statistics
      Records added:         32905
        - sent:              32904
        - failed to send:    1
      Bytes added:           921340
        - sent:              921312
        - failed to send:    28
The issue I see with your config is that your monitor is called HQmonitor but your input/output flows reference Qmonitor, which doesn't exist; these need to match. Try that and see if it starts sending flows.
MONITOR:
flow monitor HQmonitor
record Qrecord
exporter Qexport
cache timeout active 60
cache timeout inactive 15
INTERFACE:
Interface XX/XX
ip flow monitor Qmonitor input
ip flow monitor Qmonitor output
Interface that we want to apply IP FLOW:
Also add "...statistics packet protocol" under the flow monitor, and add a source interface under the exporter, like a loopback or VLAN source.
05-03-2017 09:39 AM
HQmonitor is just my typo; the monitor and exporter have the same name. The problem is that I used MLS and it won't take that config; basically there is no MLS command under the interface configuration.
Here are the MLS commands that I wanted to use:
mls flow ip full
mls nde sender version 5
ip route-cache flow
ip flow-export version 5
ip flow-export source xxx.xxx.xxx.xxx ( vlan or interface)
ip flow-export destination xxx.xxx.xxx.xxx
but none of these commands can be applied to the INTERFACE. I did research online but without any solutions.
05-03-2017 10:11 AM
Sup2T supervisors do not support MLS; only Sup720 supervisors do. You can't use those commands with that supervisor; it's a different architecture.
05-03-2017 10:20 AM
Gotcha. So what do you think about the "IP FLOW" commands not being able to be applied to the interface? Basically IP FLOW doesn't exist on the interface to which we want to apply it.
This is driving me crazy.
05-03-2017 10:41 AM
Most newer versions of IOS only support Flexible NetFlow or v9; v5 NetFlow is being removed.
You now set up as you had in your original post, with monitor and exporter, and you assign ip flow monitor to the IP interface in and out to collect the flows. It does the same thing as the original ip flow did, but now you can be more or less granular in what you collect.
05-03-2017 12:30 PM
I just checked several of my 65s running Sup2Ts to be sure, and all are running v9 NetFlow; when I try to enable v5 the syntax is not there anymore. All the newer IOS-XE switches are like this too now (36s, 38s); you can still enable v5 on 3560 or 37s etc., the older platforms.
#conf t
Enter configuration commands, one per line. End with CNTL/Z.
(config)#ip flow ?
% Unrecognized command
(config)#ip flow
% Incomplete command.
(config)#ip flow ?
% Unrecognized command
(config)#ip flow?
% Unrecognized command
(config)#ip flow-?
% Unrecognized command
(config)#int vlan 1
(config-if)#ip flow ?
monitor Apply a Flow Monitor
(config-if)#ip flow ^Z
% Incomplete command.
#sh ver | i s2
Cisco IOS Software, s2t54 Software (s2t54-ADVIPSERVICESK9_NPE-M), Version 15.0(1)SY5, RELEASE SOFTWARE (fc4)
System image file is "bootdisk:s2t54-advipservicesk9_npe-mz.SPA.150-1.SY5.bin"
05-04-2017 06:27 AM
I can try to enable v9 on my 6509. Do you happen to have the proper syntax to enable v9? I've been looking on Google but without any luck. Any help appreciated. Thx
05-04-2017 06:32 AM
Here's one off one of my 65s running Sup2T that's tested and working. You can open up the flows more if you want to add in more; I've left out the source and destination as yours will be different.
flow record FLOW-RECORD
description record to monitor network traffic
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match interface output
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect transport tcp flags
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
!
flow exporter prime
description export Netflow traffic to HQ
destination .........
source ............
template data timeout 300
option interface-table timeout 1000
option exporter-stats timeout 1000
!
!
flow monitor capturetraffic
description Used for ipv4 traffic analysis (Mapped To FLOW-RECORD)
record FLOW-RECORD
exporter prime
statistics packet protocol
Then on any IP interface you want to collect off, a VLAN interface or just a standard IP interface, add these to it:
ip flow monitor capturetraffic input
ip flow monitor capturetraffic output
05-04-2017 06:36 AM
I will test it right now and let you know. Thx for the help.
05-04-2017 10:31 AM
Everything was good, but I still can't apply
ip flow monitor capturetraffic input
ip flow monitor capturetraffic output
My interface just doesn't like them. I can type "IP" but FLOW is not a recognized command. I'm slowly giving up. When I type IP under the interface, these are the commands I can put in:
Access-group
Admission
Arp
Dhcp
Header-compression
Igmp
Rsvp
Rtp
Verify
Any help appreciated
05-04-2017 11:05 AM
Hi, where's the ip address option? Is that a layer 3 port you're trying to apply it to?
For ip flow to be allowed on the port it must be a layer 3 port and have an IP address on it; those look like the options from a layer 2 port.
Check whether the commands are available under a VLAN interface that's up/up and has an IP address on it; please post the options it shows again.
Can you also provide the current software version you're on and check that ip cef is enabled; it should be on by default anyway.
https://www.plixer.com/blog/flexible-netflow/how-to-configure-cisco-6500-sup2t-netflow/
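The two problems diagnosed in this thread, a monitor name on the interface that does not match any defined flow monitor, and "ip flow monitor" applied to a layer-2 switchport, are both visible in the config text before it is ever pushed. The following is an added example and is not code from the thread or from Cisco: a small Python checker that parses IOS-style Flexible NetFlow config and cross-checks record, exporter, monitor and interface references. The config it parses is constructed for this example to mirror the thread (Qexport/Qrecord/HQmonitor/Qmonitor, GigabitEthernet7/1 and Vlan7 are the thread's names; the addresses are RFC 5737 documentation ranges).

```python
import re
from collections import defaultdict

# Constructed sample config (not from the thread's switch). It reproduces the
# two mistakes discussed above: the uplink references monitor "Qmonitor" while
# the defined monitor is "HQmonitor", and that uplink is a layer-2 switchport.
SAMPLE_CONFIG = """
flow exporter Qexport
 destination 192.0.2.10
 transport udp 9991
 template data timeout 60
!
flow record Qrecord
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
!
flow monitor HQmonitor
 record Qrecord
 exporter Qexport
 cache timeout active 60
 cache timeout inactive 15
!
interface GigabitEthernet7/1
 description UPLINK #1 TO EXT ROUTER
 switchport
 switchport mode access
 switchport access vlan 7
 ip flow monitor Qmonitor input
 ip flow monitor Qmonitor output
!
interface Vlan7
 ip address 198.51.100.1 255.255.255.0
 ip flow monitor HQmonitor input
 ip flow monitor HQmonitor output
!
"""

BLOCK_RE = re.compile(r"^(flow record|flow exporter|flow monitor|interface)\s+(\S+)")


def parse_blocks(text):
    """Group sub-commands under their top-level block, keyed by (kind, name).
    Indentation is ignored on purpose: config pasted into a forum post has
    usually lost its leading spaces; '!' or a new block header ends a block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = BLOCK_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def _word_after(body, keyword):
    """Second token of every sub-command that starts with `keyword` (e.g. 'record X')."""
    return [l.split()[1] for l in body if l.startswith(keyword + " ") and len(l.split()) > 1]


def check_flexible_netflow(text):
    """Return human-readable findings; an empty list means record, exporter,
    monitor and interface references are consistent and each monitored
    interface is a layer-3 interface."""
    blocks = parse_blocks(text)
    names = defaultdict(set)
    for kind, name in blocks:
        names[kind].add(name)
    findings = []
    for (kind, name), body in blocks.items():
        if kind == "flow exporter":
            if not _word_after(body, "destination"):
                findings.append(f"exporter {name}: no destination configured")
            if not any(l.startswith("transport udp ") for l in body):
                findings.append(f"exporter {name}: no 'transport udp <port>' (collector port)")
            if not _word_after(body, "source"):
                findings.append(f"exporter {name}: no source interface, export source address may vary")
        elif kind == "flow monitor":
            for rec in _word_after(body, "record") or [None]:
                if rec is None:
                    findings.append(f"monitor {name}: no record attached")
                elif rec not in names["flow record"]:
                    findings.append(f"monitor {name}: record {rec} is not defined")
            for exp in _word_after(body, "exporter") or [None]:
                if exp is None:
                    findings.append(f"monitor {name}: no exporter attached, flows stay in the local cache")
                elif exp not in names["flow exporter"]:
                    findings.append(f"monitor {name}: exporter {exp} is not defined")
        elif kind == "interface":
            monitors = sorted({l.split()[3] for l in body
                               if l.startswith("ip flow monitor ") and len(l.split()) >= 5})
            if not monitors:
                continue
            is_switchport = any(l == "switchport" or l.startswith("switchport ") for l in body)
            has_ip = any(l.startswith("ip address ") for l in body)
            if is_switchport or not has_ip:
                findings.append(f"interface {name}: 'ip flow monitor' needs a layer-3 interface "
                                f"with an ip address (apply it on the SVI or use 'no switchport')")
            for mon in monitors:
                if mon not in names["flow monitor"]:
                    findings.append(f"interface {name}: flow monitor {mon} is not defined "
                                    f"(defined monitors: {sorted(names['flow monitor'])})")
    return findings


if __name__ == "__main__":
    for finding in check_flexible_netflow(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports three things: the exporter has no source interface (the advice given earlier in the thread), GigabitEthernet7/1 is a switchport, and Qmonitor is not a defined monitor. Vlan7 passes, which is where the thread ends up applying the monitor. Feed it `show running-config` output instead of the sample to check a real box.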
05-04-2017 12:12 PM
You were right. That 7/1 was a L2 interface, so I applied that IP FLOW on the VLAN interface and it took these commands without any problems. Now I have another problem. I can't see that device under DATA STORE, which should appear automatically. I can see some statistics, but still nothing is showing in Prime.
Flow Exporter HQprime:
  Packet send statistics (last cleared 00:22:09 ago):
    Successfully sent:       5377       (6399043 bytes)
  Client send statistics:
    Client: Option options interface-table
      Records added:         463
        - sent:              463
      Bytes added:           46300
        - sent:              46300
    Client: Option options exporter-statistics
      Records added:         2
        - sent:              2
      Bytes added:           56
        - sent:              56
    Client: Flow Monitor HQcapturetraffic
      Records added:         129054
        - sent:              129049
      Bytes added:           6065538
        - sent:              6065303
Sorry, I'm new to Prime. My life was so easy with SolarWinds :(
05-05-2017 02:41 AM
OK, so I use Prime, but not for NetFlow; I use it for device management, inventory and reporting, so I'm not sure how much help I can be with the Prime bit, as we send NetFlow to other 3rd-party apps like LiveAction and NetQoS.
Your flows are being sent from the device though, so the issue is on the Prime side.
There's a network management section here with guys who know Prime inside out; it may get a better response in that section for Prime issues if you post the issue there.
One thing I know is that Prime uses UDP 9991 for transport of flows; make sure that's configured under the exporter: ...transport udp 9991
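The reply above reads the exporter statistics as proof that the switch is sending and moves the problem to the collector. The collector-side check is to bind the configured port (UDP 9991 here) and decode what actually arrives. Below is an added example, not code from the thread, from Cisco or from Prime: a minimal NetFlow v9 decoder in Python, exercised offline with constructed template and data packets that carry the same fields as the flow record posted earlier (RFC 3954 field type numbers). It also shows why "template data timeout" matters: a data flowset that arrives before its template cannot be decoded and is counted, not parsed, until the template is (re)sent. The exporter address and flow contents are made up (RFC 5737 ranges).

```python
import socket
import struct
from ipaddress import IPv4Address

# RFC 3954 field types for the fields in the posted flow record (subset).
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 5: "tos", 6: "tcp_flags",
               7: "src_port", 8: "src_addr", 10: "input_snmp", 11: "dst_port",
               12: "dst_addr", 14: "output_snmp", 21: "last_switched", 22: "first_switched"}
ADDR_FIELDS = {8, 12}


class V9Decoder:
    """Stateful NetFlow v9 decoder. Templates are cached per (exporter address,
    source ID); data flowsets whose template has not arrived are counted in
    `undecodable` and skipped, as a real collector must do until the exporter's
    template refresh ('template data timeout') delivers the template."""

    def __init__(self):
        self.templates = {}
        self.undecodable = 0

    def feed(self, exporter, payload):
        """Decode one export datagram and return the flow records it carried."""
        version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", payload[:20])
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version field is {version})")
        records, pos = [], 20
        while pos + 4 <= len(payload):
            fs_id, fs_len = struct.unpack("!HH", payload[pos:pos + 4])
            if fs_len < 4 or pos + fs_len > len(payload):
                raise ValueError("malformed flowset length")
            body = payload[pos + 4:pos + fs_len]
            if fs_id == 0:                       # template flowset
                self._load_templates(exporter, source_id, body)
            elif fs_id >= 256:                   # data flowset; id is the template id
                records.extend(self._decode_data(exporter, source_id, fs_id, body))
            pos += fs_len                        # ids 1..255 (options templates) skipped
        return records

    def _load_templates(self, exporter, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
            pos += 4 * nfields
            self.templates[(exporter, source_id, tid)] = fields

    def _decode_data(self, exporter, source_id, tid, body):
        fields = self.templates.get((exporter, source_id, tid))
        if fields is None:
            self.undecodable += 1
            return []
        rec_len = sum(flen for _, flen in fields)
        out, pos = [], 0
        while pos + rec_len <= len(body):        # leftover bytes are 32-bit padding
            rec = {}
            for ftype, flen in fields:
                raw = body[pos:pos + flen]
                pos += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                rec[name] = (str(IPv4Address(raw)) if ftype in ADDR_FIELDS and flen == 4
                             else int.from_bytes(raw, "big"))
            out.append(rec)
        return out


# Constructed exporter side (not a real switch), so the decoder runs offline.
TEMPLATE_ID = 256
TEMPLATE_FIELDS = [(5, 1), (4, 1), (8, 4), (12, 4), (7, 2), (11, 2), (10, 2), (14, 2),
                   (6, 1), (1, 4), (2, 4), (22, 4), (21, 4)]     # 35 bytes per record
REC_FMT = "!BB4s4sHHHHBIIII"

def _header(count, seq, source_id=0):
    return struct.pack("!HHIIII", 9, count, 123456, 1493900000, seq, source_id)

def template_packet(seq):
    body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    body += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
    return _header(1, seq) + struct.pack("!HH", 0, 4 + len(body)) + body

def data_packet(seq, flows):
    recs = b"".join(struct.pack(REC_FMT, tos, proto, IPv4Address(s).packed, IPv4Address(d).packed,
                                sp, dp, in_if, out_if, flags, nbytes, npkts, first, last)
                    for tos, proto, s, d, sp, dp, in_if, out_if, flags, nbytes, npkts, first, last in flows)
    recs += b"\x00" * (-len(recs) % 4)           # pad the flowset to a 32-bit boundary
    return _header(len(flows), seq) + struct.pack("!HH", TEMPLATE_ID, 4 + len(recs)) + recs

def demo():
    """Data before the template is undecodable; after the template, records decode."""
    dec, exporter = V9Decoder(), "192.0.2.1"      # constructed switch address
    flows = [(0, 6, "198.51.100.20", "203.0.113.5", 51514, 443, 7, 1, 0x1b, 12345, 40, 100000, 123000),
             (0, 17, "198.51.100.21", "203.0.113.53", 40000, 53, 7, 1, 0, 90, 1, 120000, 120000)]
    early = dec.feed(exporter, data_packet(1, flows))
    dec.feed(exporter, template_packet(2))
    late = dec.feed(exporter, data_packet(3, flows))
    return early, late, dec.undecodable

def listen(port=9991):
    """Bind the port from 'transport udp' and print decoded live flows (runs until killed)."""
    dec, sock = V9Decoder(), socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        payload, (src, _) = sock.recvfrom(65535)
        for rec in dec.feed(src, payload):
            print(src, rec)
```

`demo()` returns an empty list for the first data packet and one undecodable count, then both flows fully decoded once the template has been seen. On the collector host, `listen()` on 9991 is the practical check: if nothing arrives, look at the path (ACLs, firewall, exporter source address); if records decode here but Prime shows nothing, the problem is Prime's device/data-source configuration rather than the switch.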
05-05-2017 06:21 AM
Thx Mark for all your help. I have verified that 9991 is the correct port, and I can communicate with that switch over SNMP, so I don't think it's a switch problem. I will hit up those guys.
Thx again,