Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
381
Views
1
Helpful
10
Replies

NetFlow configuraion C9500 with VRF

Ramprasad2
Level 1
Level 1

‎06-25-2025 12:24 AM

Dear Team,

 

I have Cisco C9500 switch.and i have configured VRF in the switch and netlfow and syslog server.

 

but server and syslog server side not received any logs and flow. but i am able to ping syslog and sever ip.

i configured below but not getting any logs. and my inffra use udp port is 9995

if you have any document for this please share 

Labels:
0 Helpful
10 Replies 10

Jens Albrecht
Level 4
Level 4

‎06-25-2025 01:55 AM

Hello @Ramprasad2,

looking at the config you posted before there appear to be some commands missing:

! 1.) Make sure that the VRF is included in the flow record
!
flow record <RECORD_NAME>
 match routing vrf input
!
! 2.) Set the source interface with VRF
!
flow exporter <EXPORTER_NAME>
 source <source-interface> vrf <VRF_NAME>
!
! 3.) Apply monitor to interface in VRF
!
interface <interface-in-vrf>
 ip flow monitor <MONITOR_NAME> input
!


The config for int vlan 1 was missing on your previous post so that I included the last point just for sake of completeness to make the netflow config VRF-aware.

HTH!

0 Helpful

M02@rt37
VIP
VIP

‎06-25-2025 02:53 AM

Hello @Ramprasad2 

Please check if you source that flow with its VRF dedicated.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

Ramprasad2
Level 1
Level 1

‎06-25-2025 03:59 AM

i have configured below commands but still issue [ not getting any logs ]

i have check ( ping and traceroute ] working and firewall pass the traffic 

!
flow record NFARecordinput
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match ipv4 protocol
match interface input
match ipv4 tos
match flow direction
match routing vrf input
collect interface output
collect counter bytes long
collect counter packets long
collect transport tcp flags
collect timestamp absolute first
collect timestamp absolute last
!
!
flow record NFARecordoutput
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match ipv4 protocol
match interface output
match ipv4 tos
match flow direction
match routing vrf input
collect interface input
collect counter bytes long
collect counter packets long
collect transport tcp flags
collect timestamp absolute first
collect timestamp absolute last
!
!
flow exporter NFAExporter
destination 172.16.100.48 vrf CORP
source Vlan1
transport udp 9995
template data timeout 60
option application-table timeout 60
!
!
flow monitor NFAMonitorinput
exporter NFAExporter
cache timeout active 60
record NFARecordinput
!
!
flow monitor NFAMonitoroutput
exporter NFAExporter
cache timeout active 60
record NFARecordoutput
!


!
interface Vlan1
vrf forwarding CORP
ip flow monitor NFAMonitorinput input
ip flow monitor NFAMonitoroutput output
ip address 10.200.15.1 255.255.255.0
no ip route-cache
!
Current configuration : 218 bytes
!
interface TwentyFiveGigE1/0/2
description CONT-TO-HYD-GMR-CORE-SW (Ten 2/0/1)
switchport mode trunk
ip flow monitor NFAMonitorinput input
ip flow monitor NFAMonitoroutput output
channel-group 1 mode active
!

 

 

HYD-GMR-DIST-SW#show flow interface
Interface Vlan1
FNF: monitor: NFAMonitorinput
direction: Input
traffic(ip): on
FNF: monitor: NFAMonitoroutput
direction: Output
traffic(ip): on
Interface TwentyFiveGigE1/0/1
FNF: monitor: NFAMonitorinput
direction: Input
traffic(ip): on
FNF: monitor: NFAMonitoroutput
direction: Output
traffic(ip): on
Interface TwentyFiveGigE1/0/2
FNF: monitor: NFAMonitorinput
direction: Input
traffic(ip): on
FNF: monitor: NFAMonitoroutput
direction: Output
traffic(ip): on
Interface TwentyFiveGigE1/0/3
FNF: monitor: NFAMonitorinput
direction: Input
traffic(ip): on
FNF: monitor: NFAMonitoroutput
direction: Output
traffic(ip): on
Interface TwentyFiveGigE2/0/1
FNF: monitor: NFAMonitorinput
direction: Input
traffic(ip): on
FNF: monitor: NFAMonitoroutput
direction: Output
traffic(ip): on
Interface TwentyFiveGigE2/0/2
FNF: monitor: NFAMonitorinput
direction: Input
traffic(ip): on
FNF: monitor: NFAMonitoroutput
direction: Output
traffic(ip): on
Interface TwentyFiveGigE2/0/3
FNF: monitor: NFAMonitorinput
direction: Input
traffic(ip): on
FNF: monitor: NFAMonitoroutput
direction: Output
traffic(ip): on

HYD-GMR-DIST-SW#
HYD-GMR-DIST-SW#
HYD-GMR-DIST-SW#
HYD-GMR-DIST-SW#
HYD-GMR-DIST-SW#sh
HYD-GMR-DIST-SW#show run
HYD-GMR-DIST-SW#show running-config in
HYD-GMR-DIST-SW#show running-config interface TwentyFiveGigE1/0/2
Building configuration...

 

show flow exporter statistics

Flow Exporter NFAExporter:
Packet send statistics (last cleared 00:48:01 ago):
Successfully sent: 120210 (171879344 bytes)

Client send statistics:
Client: Option options application-name
Records added: 72768
- sent: 72768
Bytes added: 6039744
- sent: 6039744

Client: Flow Monitor NFAMonitorinput
Records added: 1216200
- sent: 1216200
Bytes added: 80492002
- sent: 80492002

Client: Flow Monitor NFAMonitoroutput
Records added: 1279425
- sent: 1279425
Bytes added: 84674638
- sent: 84674638


show flow exporter statistics

Flow Exporter NFAExporter:
Packet send statistics (last cleared 00:48:05 ago):
Successfully sent: 120758 (172659036 bytes)

Client send statistics:
Client: Option options application-name
Records added: 74284
- sent: 74284
Bytes added: 6165572
- sent: 6165572

Client: Flow Monitor NFAMonitorinput
Records added: 1220837
- sent: 1220837
Bytes added: 80798764
- sent: 80798764

Client: Flow Monitor NFAMonitoroutput
Records added: 1284456
- sent: 1284456
Bytes added: 85007720
- sent: 85007720

 

 

MHM Cisco World
VIP
VIP
In response to Ramprasad2

‎06-25-2025 04:20 AM

flow exporter NFAExporter

vrf  CORP <<- Add this abd check

MHM

0 Helpful

Ramprasad2
Level 1
Level 1
In response to MHM Cisco World

‎06-25-2025 04:35 AM

@MHM Cisco World pleas explain in details 

 

0 Helpful

MHM Cisco World
VIP
VIP
In response to Ramprasad2

‎06-25-2025 05:37 AM

flow exporter NFAExporter
destination 172.16.100.48 vrf CORP
source Vlan1
transport udp 9995
template data timeout 60
option application-table timeout 60

For netflow export it need to be vrf ware' 

So source use packet must use interface in same of vrf use to reach server 

And we need to add 

Vrf ""xxxx""

To make netflow use vrf to reach server not global table

MHM

0 Helpful

MHM Cisco World
VIP
VIP
In response to Ramprasad2

‎06-25-2025 01:33 PM

can you share also 
show ip flow export 

MHM

0 Helpful

Ramprasad2
Level 1
Level 1

‎06-25-2025 06:08 AM

i run the command in flow exporter NFAExporter
vrf CORP but command not run

and my switch ios is 17.12.4

 

0 Helpful

Ramprasad2
Level 1
Level 1
In response to Ramprasad2

‎06-25-2025 10:23 PM

CORE-SW#show ip flow export ?
% Unrecognized command
CORE-SW#show ip flow export
^
% Invalid input detected at '^' marker.


CORE-SW#show flow exporter
Flow Exporter NFAExporter:
Description: User defined
Export protocol: NetFlow Version 9
Transport Configuration:
Destination type: IP
Destination IP address: 172.16.100.48
VRF label: CORP
Source IP address: 10.200.15.80
Source Interface: Vlan1
Transport Protocol: UDP
Destination Port: 9995
Source Port: 49772
DSCP: 0x0
TTL: 255
Output Features: Used
Export template data timeout: 60
Options Configuration:
application-table (timeout 60 seconds) (active)


CORE-SW#

0 Helpful

MHM Cisco World
VIP
VIP
In response to Ramprasad2

‎06-26-2025 12:53 AM

debug flow export 
debug flow monitor 
show ip route vrf CORP

share above please

MHM

 

0 Helpful
Customers Also Viewed These Support Documents