02-29-2024 06:24 AM
Hey everyone,
I am having issues with my Netflow creating records and exporting it to our Analyzer. Connections have been verified and I did a PCAP on the server itself and it is receiving cflow protocol packets. I am running a C9200-48p on IOS 17.03.05 with DNA Essentials. My configuration is as follows:
flow record e-1
match ipv4 source address
match ipv4 destination address
match ipv4 protocol
match transport source-port
match transport destination-port
match interface input
collect interface output
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last
collect application name
!
!
flow exporter e-1
description transports record to E-1
destination *.*.*.*
source Vlan200
ttl 30
transport udp 9996
template data timeout 45
option application-table timeout 60
match counter packets long gt 32
!
!
flow monitor e-1
exporter e-1
cache timeout active 60
record netflow ipv4 app-stats-input
!
!
flow monitor e-2
exporter e-1
cache timeout inactive 10
cache timeout active 60
record netflow ipv4 app-stats-output
!
flow file-export default
!
____________________________________________
XB_ALLIN1#show flow exporter stat
Flow Exporter e-1:
Packet send statistics (last cleared 2d18h ago):
Successfully sent: 5580 (66960 bytes)
Client send statistics:
Client: Option options application-name
Records added: 0
Bytes added: 0
Client: Flow Monitor e-1
Records added: 0
Bytes added: 44940
- sent: 44940
Client: Flow Monitor e-2
Records added: 0
Bytes added: 22020
- sent: 22020
Any tips? I have checked the NTP sync and a few other things. I have opened a ticket with our Netflow analyzer's support team as well. Do I just need to drink more coffee and open my eyes?
Thanks,
02-29-2024 06:35 AM - edited 02-29-2024 06:37 AM
Hello @Bryson F ,
I apologize for the dumb question:
1) have you applied the flow monitor e-1 or flow monitor e-2 on any data interface?
2) is SVI interface Vlan 200 up/up?
Hope to help
Giuseppe
02-29-2024 07:05 AM
Hey @Giuseppe Larosa ,
I have applied it to interfaces g1/0/1-32. Vlan 200 is up/up as well. Vlan 200 is the ip used on the switch for EIGRP association with the other locations. Would that cause issues?
02-29-2024 07:08 AM
Another thing that may be useful the interfaces are using commands like:
interface GigabitEthernet1/0/32
description OPAC
switchport access vlan 136
switchport mode access
ip flow monitor e-1 input
ip flow monitor e-2 output
end
02-29-2024 09:04 AM - edited 02-29-2024 09:19 AM
Hello @Bryson F ,
your configuration looks fine, taking into account your other post about the data interface config.
SVI Vlan 200 used for EIGRP should not be an issue.
Edit :
>> IOS 17.03.05 with DNA Essentials
either there is an issue with the licenses or you need to change the SDM template (if this still applies to the Cat 9x00 family)
Edit2 : I have checked on feature navigator Cat 9200 with IOS XE 17.3.5 and DNA Essentials and it reports Flexible Netflow as supported
Edit 3:
configuration guide
the config example is very close to your config with a source SVI interface
the only note is:
>> DNA Addon license is required for full Flexible NetFlow, otherwise Sampled NetFlow is only available.
And also, to check what it is doing:
show flow monitor <flow monitor name> statistics
Hope to help
Giuseppe
02-29-2024 09:25 AM
Thanks for checking on that @Giuseppe Larosa . I doubted the error was on the configuration side of things. I just wanted to drop my concerns into the community thread to try and help verify that with some knowledgeable people. I have started sorting through the configuration files on the appliance to see if for some reason the sending port 53123 UDP was explicitly denied or just not configured. I do believe that may be the case since a pcap from the appliance's server showed it receiving CFLOW data packets from that switch's Vlan200 IP.
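Seeing cflow packets arrive at the collector does not by itself mean flow records are being exported: with "Records added: 0" on the flow monitors, the exporter is still sending its template and option-template FlowSets on the configured timeouts, so the capture is not empty. The following NetFlow v9 FlowSet classifier is an added example for this thread (not code from the original post or from Cisco); it walks the FlowSets in one v9 packet and reports whether the packet carries templates only or actual data records. The two sample packets are constructed inline.

```python
"""NetFlow v9 export classifier (added example for this thread).

A v9 packet is a 20-byte header followed by FlowSets. FlowSet ID 0 is a
template, ID 1 is an options template, and IDs >= 256 are data FlowSets
holding flow records. A switch with 'Records added: 0' still emits the
first two kinds, so a capture can look "alive" while exporting no flows.
"""
import struct

# version, count, sys uptime, unix secs, sequence number, source id
V9_HEADER = struct.Struct("!HHIIII")


def classify_v9(packet: bytes) -> dict:
    """Count template / options-template / data FlowSets in one v9 packet."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("packet shorter than a NetFlow v9 header")
    version = V9_HEADER.unpack_from(packet, 0)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    result = {"template": 0, "options_template": 0, "data": 0, "data_bytes": 0}
    off = V9_HEADER.size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError(f"bad FlowSet length {fs_len} at offset {off}")
        if fs_id == 0:
            result["template"] += 1
        elif fs_id == 1:
            result["options_template"] += 1
        else:  # IDs >= 256 carry flow records described by template fs_id
            result["data"] += 1
            result["data_bytes"] += fs_len - 4
        off += fs_len
    return result


def v9_packet(flowsets: list) -> bytes:
    """Build a constructed v9 packet from (flowset_id, payload) pairs."""
    body = b"".join(struct.pack("!HH", fid, 4 + len(p)) + p for fid, p in flowsets)
    # header 'count' is approximated as the number of FlowSets in this sample
    return V9_HEADER.pack(9, len(flowsets), 1000, 1709200000, 1, 0) + body


# Constructed samples: template 256 = IPv4 src (type 8) + dst (type 12) addresses.
TEMPLATE = struct.pack("!HH", 256, 2) + struct.pack("!HHHH", 8, 4, 12, 4)
TEMPLATE_ONLY = v9_packet([(0, TEMPLATE)])                 # what an idle monitor exports
WITH_DATA = v9_packet([(0, TEMPLATE), (256, bytes(16))])   # two 8-byte records

if __name__ == "__main__":
    for name, pkt in (("template-only", TEMPLATE_ONLY), ("with-data", WITH_DATA)):
        print(name, classify_v9(pkt))
```

Feed it the UDP payloads from the collector-side capture: a stream in which every packet classifies as template-only matches the "Records added: 0" counters on the switch rather than a collector-side drop.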
03-04-2024 06:12 AM - edited 03-04-2024 06:13 AM
Hello @Giuseppe Larosa ,
That is my main concern in this scenario:
XB_ALLIN1#show flow mon e-1 stat
Cache type: Normal (Platform cache)
Cache size: 10000
Current entries: 0
Flows added: 0
Flows aged: 0
XB_ALLIN1#show flow mon e-2 stat
Cache type: Normal (Platform cache)
Cache size: 10000
Flows added: 0
Flows aged: 0
Current entries: 0
XB_ALLIN1#show flow record netflow ipv4 app-stats-input
flow record netflow ipv4 app-stats-input:
Description: Application statistics - input
No. of users: 1
Total field space: 73 bytes
Fields:
match ipv4 version
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match application name
collect datalink dot1q vlan input
collect datalink mac source address input
collect datalink mac destination address input
collect transport tcp flags
collect interface output
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last
_________________________
It doesn't appear to be catching any flows and that has been my primary concern here. So would this be solved with the DNA addon? Should I configure it for sampled?
03-04-2024 07:15 AM
Hello @Bryson F ,
from your last post we see that no flows are recorded locally on the flow monitors.
Yes, I do agree that you should try to see if adding a flow sampler can make the switch collect something.
As an alternative, you can try to look into the DNA addon license.
Hope to help
Giuseppe
02-29-2024 07:39 AM
Would it be helpful to look at my Cisco Express Forwarding commands? Or show you the output of "show ip interface x/x/x"?
02-29-2024 08:10 AM
Hello,
A couple of things.
1. You created a record called e-1 but you don't reference it in the monitor. Was this intentional?
2. The flow is sourced from your VLAN 200. Does your appliance that receives the flow have a route back to the VLAN 200 interface?
-David
02-29-2024 08:26 AM
Hey @David Ruess ,
1. This was intentional, yes. Their support team asked me to change the record to a default template so I chose app-stats-in/output.
2. Correct, our appliance has full visibility to the switch via SNMP and VTY ACLs configured for access. It connects through vlan 200 to check if the switch is up.