cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4130
Views
0
Helpful
8
Replies

Netflow traffic for L2 switchports

tobiasdreyer
Level 1
Level 1

Hello,

 

I want to configure sampled netflow on a L2 3560G Switch and need your help.

 

My config looks like this:

flow exporter EXPORTER-1
 destination 10.10.10.1
 source Vlan1
!
!
flow record FLOW-IPv4-L2-RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
!
!
flow monitor FLOW-MONITOR-1
 record FLOW-IPv4-L2-RECORD
 exporter EXPORTER-1
 cache timeout active 60
! 
interface vlan 1
ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/5
 switchport access vlan 2
 switchport mode access
 ip flow monitor FLOW-MONITOR-1 input
 ip flow monitor FLOW-MONITOR-1 output
 load-interval 30
 no cdp enable

 

But there is no data send to the Destination:

show flow exporter EXPORTER-1 statistics
Flow Exporter EXPORTER-1:
  Packet send statistics (last cleared 00:22:41 ago):
    Successfully sent:         0                     (0 bytes)

  Client send statistics:
    Client: Flow Monitor FLOW-MONITOR-1
      Records added:           0

      Bytes added:             0

 

There is no data in the flow monitor cache:

show flow monitor FLOW-MONITOR-1 cache
  Cache type:                               Normal
  Cache size:                                 4096
  Current entries:                               0
  High Watermark:                                0

  Flows added:                                   0
  Flows aged:                                    0
    - Active timeout      (    60 secs)          0
    - Inactive timeout    (    15 secs)          0
    - Event aged                                 0
    - Watermark aged                             0
    - Emergency aged                             0

There are no cache entries to display.

 

Do you have any idea whats wrong here?

IOS Version is 15.0(2)SE6

 

Best regards,

Tobias

8 Replies 8

Mark Malone
VIP Alumni
VIP Alumni

Hi

yes you have the flow applied to the layer 2 port it needs to be applied to the vlan interface , if you looking to collect specific stats off netflow on layer 2 port you need to set it up to collect mac stats

 

Look at this for collecting mac flows in flex netflow

https://www.plixer.com/blog/netflow/getting-mac-addresses-from-netflow-v9/

Hi Mark,

 

thank you for your reply. I want to export data that passes the switch and not data, that is send to or from the switch. So I think the link discribes that what I want.

 

I updated the flow record but without any improvement.

flow record FLOW-IPv4-L2-RECORD
 match datalink mac source address input
 match ipv4 source address
 match ipv4 source mask
 collect datalink mac destination address input
 collect ipv4 id
 collect ipv4 source prefix
 collect ipv4 destination address
 collect ipv4 destination mask
 collect transport source-port
 collect transport destination-port
 collect transport tcp source-port
 collect transport tcp destination-port
 collect transport udp source-port
 collect transport udp destination-port
 collect interface input
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

 

Do you have any additional idea?

 

Best regards,

Tobias

Did you put the flows under the vlan interface , its an IP command must be on L3 interface or wont collect

please repost full netflow config as it is now and the show flow exporter EXPORTER-1 statistics

Hi Mark,

 

I just want to export netflow data that is going through one L2 interface and not through the whole switch. How can I specify this, if I apply the flows to the SVI?

 

In your link from above the flow Monitor is also applied to the relevant Interfaces.

 

But I gave it a try without any change.

 

flow exporter EXPORTER-1
 destination 10.10.10.1
 source Vlan1
!
!
flow record FLOW-IPv4-L2-RECORD
 match datalink mac source address input
 match ipv4 source address
 match ipv4 source mask
 collect datalink mac destination address input
 collect ipv4 id
 collect ipv4 source prefix
 collect ipv4 destination address
 collect ipv4 destination mask
 collect transport source-port
 collect transport destination-port
 collect transport tcp source-port
 collect transport tcp destination-port
 collect transport udp source-port
 collect transport udp destination-port
 collect interface input
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
!
flow monitor FLOW-MONITOR-1
 record FLOW-IPv4-L2-RECORD
 exporter EXPORTER-1
 cache timeout active 60
!
interface GigabitEthernet0/5
 switchport access vlan 2
 switchport mode access
 ip flow monitor FLOW-MONITOR-1 input
 ip flow monitor FLOW-MONITOR-1 output  

interface vlan1
 ip flow monitor FLOW-MONITOR-1 input
 ip flow monitor FLOW-MONITOR-1 output
 ip address 10.10.10.2 255.255.255.0

 

show flow monitor FLOW-MONITOR-1 cache
  Cache type:                               Normal
  Cache size:                                 4096
  Current entries:                               0
  High Watermark:                                0

  Flows added:                                   0
  Flows aged:                                    0
    - Active timeout      (    60 secs)          0
    - Inactive timeout    (    15 secs)          0
    - Event aged                                 0
    - Watermark aged                             0
    - Emergency aged                             0

There are no cache entries to display.

 

show flow exporter EXPORTER-1 statistics
Flow Exporter EXPORTER-1:
  Packet send statistics (last cleared 01:45:45 ago):
    Successfully sent:         0                     (0 bytes)

  Client send statistics:
    Client: Flow Monitor FLOW-MONITOR-1
      Records added:           0
      Bytes added:             0

 

Best regards,

Tobias

Hi
I think thats a restriction on flexible netflow i dont think you can isolate 1 layer 2 port , even a doc im reading says it below extract
Thats the best youll get below , your missing transport udp 2055 may be why its not flowing yet , id remove it from the L2 port aswell the ip flow as its not doing anything

Details:

You won’t see your layer 2 traffic showing which switchport it arrived and left on. These are layer 2 ports, and its not possible to configure Netflow on them. To see the layer 3 switched traffic, you need to enable Netflow on the VLAN interface. Traffic arriving to the switchports belonging to that VLAN will be seen on that VLAN interface once Layer 3 Netflow has been enabled. Sometimes you might see the management interface on the switch show up as well.

 

Hi Mark,

 

I used udp-9995 which seems to be the default and therefore not showing up in the config.

 

Thanks for the extract. This sounds like that what I want is not supported.

 

Best regards,

Tobias

Yes i dont think what your trying to do NetFlow will provide unfortunately

heres a working one form my switches anyway if you still want to use the feature , its purely for L3 collection though

flow record FLOW-RECORD
description record to monitor network traffic
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match interface output
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect transport tcp flags
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
!
flow exporter NetQos
description export Netflow traffic to HQ
destination x.x.x.x
source VlanXXXX
template data timeout 300
option interface-table timeout 1000
option exporter-stats timeout 1000
!
!
flow monitor xilinx_nq
description Used for ipv4 traffic analysis (Mapped To FLOW-RECORD)
exporter NetQos
statistics packet protocol
record FLOW-RECORD
!

interface VlanXXXXX
description Transit Vlan Between L3 9Ks DMZ - VSS Cluster
ip address X.X.X.X X.X.X.X
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 XXXXXX
ip flow monitor xilinx_nq input
ip flow monitor xilinx_nq output



XXXXXX#sh flow EXporter STatistics
Flow Exporter NetQos:
Packet send statistics (last cleared 32w1d ago):
Successfully sent: 117740051 (141390235757 bytes)
No destination address: 29 (37034 bytes)

mouhbaaziz
Level 1
Level 1

Hello tobiasdreyer ,

 

I think you should use SPAN instead of Netflow to collect data from L2 Port.

 

BR,

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: