Solved: Re: Netflow 9 not working.

RAMEEZ RAHIM · ‎03-22-2013

We have installed "FRULink 10G SM Module" in our 3560X switch and have configured Netflow 9.

But we are not getting the flows to the netflow server, except 1 or 2 multicast packets.

IOS:c3560e-universalk9-mz.150-1.SE3.bin (IP SERVICES)

Configuration:

flow record fl-record

match ipv4 source address

match ipv4 destination address

match transport source-port

match transport destination-port

collect counter bytes

collect counter packets

collect timestamp sys-uptime first

collect timestamp sys-uptime last

!

flow exporter fl-export

description netflow_export

destination 10.10.10.10

source Vlan5

transport udp 9996

!

flow monitor fl-mon

record fl-record

exporter fl-export

cache timeout inactive 60

cache timeout active 60

cache timeout update 6

!

Just got the below flow from the show flow monitor fl-mon cache outout

IPV4 SOURCE ADDRESS: 169.254.186.35

IPV4 DESTINATION ADDRESS: 169.254.255.255

TRNS SOURCE PORT: 138

TRNS DESTINATION PORT: 138

counter bytes: 257

counter packets: 1

timestamp first: 10:35:49.639

timestamp last: 10:35:49.639

Don Jacob · ‎03-22-2013

Flexible NetFlow is supported on the Catalyst 3750-X switch if it is running the IP base or IP Base Services feature set and equipped with the network services module. So, ensure you have the required feature set license.

If you do, add the below commands to your existing flow-record configuration and check.

match ipv4 protocol

match ipv4 tos

match interface input

collect interface output

If this too does not work, check if your flow monitoring tool is expecting any more relevant fields to be exported in the flows.

Regards,
Don Thomas Jacob
http://www.solarwinds.com/netflow-traffic-analyzer.aspx

NOTE: Please rate posts and close questions if you have found the answer helpful

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.

View solution in original post

Don Jacob · ‎03-25-2013

I dont think it is possible. You can enable Flexible NetFlow only on the uplink ports of the "network services module". I guess that means, Layer 2 interfaces are not covered. But you can capture Layer 2 switched traffic by applying the monitor to the interface using the command: "ip flow monitor monitor_name layer2-switched input".

Regards,
Don Thomas Jacob
http://www.solarwinds.com/netflow-traffic-analyzer.aspx

NOTE: Please rate posts and close questions if you have found the answers helpful.

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.

View solution in original post

Abzal · ‎03-22-2013

Hi,

You may need to check if you are able to ping 10.10.10.10 device. And if VLAN 5 is UP/UP and access port is properly configured. Trunk allows VLAN 5. And port UDP 9996 is opened and filtered by a firewall.

Sent from Cisco Technical Support iPhone App

Best regards,
Abzal

RAMEEZ RAHIM · ‎03-22-2013

I do see the flows of few Multicast and NFT can list all interfaces of Switch.

Routing is perfectly fine.

The problem is not with the export - but in creating the flows.

show flow monitor fl-mon cache - doesn't show me any flows cached.

So, need to confirm whether netflow 9 can capture traffic of a L2 interface.

We tried the following config on the interface.

ip flow monitor fl-mon layer2-switched input

ip flow monitor fl-mon layer2-switched output

ip flow monitor fl-mon input

ip flow monitor fl-mon output

Don Jacob · ‎03-22-2013

Flexible NetFlow is supported on the Catalyst 3750-X switch if it is running the IP base or IP Base Services feature set and equipped with the network services module. So, ensure you have the required feature set license.

If you do, add the below commands to your existing flow-record configuration and check.

match ipv4 protocol

match ipv4 tos

match interface input

collect interface output

If this too does not work, check if your flow monitoring tool is expecting any more relevant fields to be exported in the flows.

Regards,
Don Thomas Jacob
http://www.solarwinds.com/netflow-traffic-analyzer.aspx

NOTE: Please rate posts and close questions if you have found the answer helpful

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.

RAMEEZ RAHIM · ‎03-25-2013

Will i be able to capture the traffic from L2 interface.

Don Jacob · ‎03-25-2013

I dont think it is possible. You can enable Flexible NetFlow only on the uplink ports of the "network services module". I guess that means, Layer 2 interfaces are not covered. But you can capture Layer 2 switched traffic by applying the monitor to the interface using the command: "ip flow monitor monitor_name layer2-switched input".

Regards,
Don Thomas Jacob
http://www.solarwinds.com/netflow-traffic-analyzer.aspx

NOTE: Please rate posts and close questions if you have found the answers helpful.

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.