Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1357
Views
0
Helpful
6
Replies

Netflow on 2960x switch

Go to solution
mrochac
Level 1
Level 1

‎10-16-2019 12:08 PM

Good day all - please see what i used to attempt to gather netflow from a switch; my question here is - why do i see traffic from all my other branches from this one location?

 

flow record record1
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
!
flow exporter export1
destination 172.24.5.25
transport udp 2055
template data timeout 60
!
!
flow monitor monitor1
exporter export1
cache timeout inactive 120
cache timeout active 300
record record1

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jaderson Pessoa
VIP Alumni
VIP Alumni
In response to mrochac

‎10-17-2019 07:58 AM

Yes, man if your vlan 1 is used in all branches and they are connected on this SWL3, you will see the traffic from them. Below an exemple of netflow configuration.

flow record Netflow-In
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
collect interface output
collect counter bytes long
collect counter packets long
!
flow record Netflow-Out
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface output
match flow direction
collect interface input
collect counter bytes long
collect counter packets long
!
flow exporter export1
description ### Export to SolarWinds:Flow-Analizer ###
destination 3.3.3.3
source Vlan10
transport udp 2055
!

!Exemple using VRF
!flow exporter export1
! description ### Export to SolarWinds:Flow-Analizer ###
! destination 1.1.1.1 vrf VRFNAME
! source 202 (check vlan id)
! transport udp 2055
!

flow monitor Netflow-Monitor-In
description ### Export to SolarWinds:Flow-Analizer ###
exporter export1
cache timeout inactive 10
cache timeout active 60
record Netflow-In
!
!
flow monitor Netflow-Monitor-Out
description ### Export to SolarWinds:Flow-Analizer ###
exporter export1
cache timeout inactive 10
cache timeout active 60
record Netflow-Out
!
!

! Check vlans that want monitor
vlan configuration 100,101,200-205
ip flow monitor Netflow-Monitor-In input
ip flow monitor Netflow-Monitor-Out output



Jaderson Pessoa
*** Rate All Helpful Responses ***

View solution in original post

0 Helpful

Go to solution
Jaderson Pessoa
VIP Alumni
VIP Alumni
In response to mrochac

‎10-17-2019 09:38 AM

Great, good lucky.
Jaderson Pessoa
*** Rate All Helpful Responses ***

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Jaderson Pessoa
VIP Alumni
VIP Alumni

‎10-16-2019 12:53 PM

Hello,

This switch connect your other branches?

I suggest to apply it on interface/vlan that you need see traffic.
Jaderson Pessoa
*** Rate All Helpful Responses ***
0 Helpful

Go to solution
mrochac
Level 1
Level 1
In response to Jaderson Pessoa

‎10-16-2019 02:26 PM

yes an no -  its a weird design, all branches connect to MPLS service provider (CE) using access port, so in theory yes. I was under the impression this would not work since it's a layer 3 service but i guess not. not as great as running on router but every bit counts.

 

MR.

0 Helpful

Go to solution
mrochac
Level 1
Level 1
In response to Jaderson Pessoa

‎10-17-2019 06:03 AM

Hi there here is the conifg; applied to vlan 1 - still seeing traffic from multiple locations, normal?

interface Vlan1
description old-data
ip flow monitor monitor1 sampler SampleTest input
ip address 192.168.3.9 255.255.255.0
no ip redirects
end

0 Helpful

Go to solution
Jaderson Pessoa
VIP Alumni
VIP Alumni
In response to mrochac

‎10-17-2019 07:58 AM

Yes, man if your vlan 1 is used in all branches and they are connected on this SWL3, you will see the traffic from them. Below an exemple of netflow configuration.

flow record Netflow-In
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
collect interface output
collect counter bytes long
collect counter packets long
!
flow record Netflow-Out
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface output
match flow direction
collect interface input
collect counter bytes long
collect counter packets long
!
flow exporter export1
description ### Export to SolarWinds:Flow-Analizer ###
destination 3.3.3.3
source Vlan10
transport udp 2055
!

!Exemple using VRF
!flow exporter export1
! description ### Export to SolarWinds:Flow-Analizer ###
! destination 1.1.1.1 vrf VRFNAME
! source 202 (check vlan id)
! transport udp 2055
!

flow monitor Netflow-Monitor-In
description ### Export to SolarWinds:Flow-Analizer ###
exporter export1
cache timeout inactive 10
cache timeout active 60
record Netflow-In
!
!
flow monitor Netflow-Monitor-Out
description ### Export to SolarWinds:Flow-Analizer ###
exporter export1
cache timeout inactive 10
cache timeout active 60
record Netflow-Out
!
!

! Check vlans that want monitor
vlan configuration 100,101,200-205
ip flow monitor Netflow-Monitor-In input
ip flow monitor Netflow-Monitor-Out output



Jaderson Pessoa
*** Rate All Helpful Responses ***
0 Helpful

Go to solution
mrochac
Level 1
Level 1
In response to Jaderson Pessoa

‎10-17-2019 08:40 AM

Thanks for the info Jaderson - its working fine now, after some research i notice that some of the other locations were also using the same UDP port (go figure....always over look easy!) i made changes and added some of your suggestions.

 

thanks.

0 Helpful

Go to solution
Jaderson Pessoa
VIP Alumni
VIP Alumni
In response to mrochac

‎10-17-2019 09:38 AM

Great, good lucky.
Jaderson Pessoa
*** Rate All Helpful Responses ***
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card