2064 Views · 0 Helpful · 3 Replies

Using NetFlow on layer 2 interfaces on Nexus 5672

michaelbs
Level 1

Hi,

we are using Cisco Nexus 5672 switches as our core switches and would like to use NetFlow to export flows. However, all ports on the switches are layer 2 switchports and NX-OS 7.0 does not even show the needed commands for attaching a flow monitor (ip flow monitor my_monitor input) when in interface configuration mode. When changing the switchport to a layer 3 port, the commands are available, however.

We have another switch running Cisco IOS-XE which allows me to export NetFlow data even for layer 2 interfaces. Is it indeed not possible to perform this with NX-OS?

It would at least align with the documentation which states:
Ingress layer 2 NetFlow is supported on the following types of interfaces:
Layer 2 switch interface/port channel
FEX interface
Ingress layer 3 NetFlow is supported on the following types of interfaces:
Layer 3 interface/port channel
Layer 3 sub-interface/port channel sub-interface
SVI
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5600/sw/system_management/7x/b_5600_System_Mgmt_Config_7x/b_6k_System_Mgmt_Config_7x_chapter_010011.html
Is it correct that generating layer 3 flows with NetFlow on layer 2 interfaces is not supported in NX-OS?
Thanks

Michael
3 Replies

Mark Malone
VIP Alumni
Hi
For the layer 2 flow, the actual flow monitor should still go under a layer 3 interface like the VLAN interface, but then the flexible NetFlow has the layer 2 match settings to collect for it. Does that not work that way? I only use NetFlow on the campus side so I haven't tested on NX-OS, but reading the docs it looks like a similar setup:

! flow record: layer 3 addresses plus the layer 2 (VLAN / MAC) key fields
flow record LAYER-2-FIELDS-1
 match ipv4 source address
 match ipv4 destination address
 match datalink dot1q vlan output
 match datalink mac source address input
 match datalink mac source address output
 match datalink mac destination address input
 match flow direction
!
! flow monitor that uses the record above
flow monitor FLOW-MONITOR-4
 record LAYER-2-FIELDS-1
 exit
!
ip cef
!
! attach the monitor defined above to ingress traffic on a layer 3 interface
interface GigabitEthernet0/0/1
 ip address 172.16.6.2 255.255.255.0
 ip flow monitor FLOW-MONITOR-4 input

Hi Mark,

I actually don't have any layer 3 interfaces and would like to use NetFlow on a layer 2 interface, but not only collect layer 2 information but also layer 3.

If I attach my NetFlow monitor, which has layer 3 matches configured, to a layer 2 interface using "layer2-switched flow monitor my_monitor input", I receive the error "ERROR: Protocol for record and monitor do not match". So I guess on layer 2 interfaces we can only use NetFlow for layer 2 fields and not layer 3, as is possible in IOS or IOS-XE for example :(

Thanks

Michael

So I guess on layer 2 interfaces we can only use NetFlow for layer 2 fields and not layer 3, as is possible in IOS or IOS-XE for example

But that sounds right thinking about it, because how would you catch a layer 3 flow based off CEF when it's applied to a layer 2 interface that is not routing but switching traffic in hardware at layer 2? I don't see how it would even pick up the flow at layer 3 on a layer 2 interface, but again I only use this on the campus side so I could well be wrong; I'm just trying to think how it would work that way.

My understanding of NetFlow is that it's a layer 3 feature that has expanded to capture layer 2 traffic, but I always thought it must be applied somewhere at layer 3 to work, as it's IP based by default even though it can understand layer 2 traffic when matched with MAC source and destination. This MAC ability only came around in the last few years in v9; I don't remember it being in v5.
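As an added illustration of the two points made in this thread (that a monitor attached to a layer 2 interface on NX-OS carries layer 2 fields, and that MAC/VLAN fields exist in NetFlow v9 but not in the fixed v5 format), here is a small collector-side decoder. It is example code written for this page, not code from the thread, from Cisco, or from a Nexus switch: it parses constructed v5 and v9 export packets and reports whether any v9 template actually defines layer 2 fields, which is a quick way to check what a given monitor is really exporting before relying on it for detection. Field type numbers come from RFC 3954; the packets and addresses are constructed samples.

```python
"""Decode NetFlow v5 and v9 export packets and report which records carry
layer 2 (MAC/VLAN) fields.  Added example; the sample packets below are
constructed inline, not captured from a Nexus switch."""
import struct

# NetFlow v9 field types (RFC 3954, section 8) used in this example.
V9_FIELDS = {
    1: ("in_bytes", "int"),
    2: ("in_pkts", "int"),
    8: ("ipv4_src_addr", "ipv4"),
    12: ("ipv4_dst_addr", "ipv4"),
    56: ("in_src_mac", "mac"),
    58: ("src_vlan", "int"),
    80: ("in_dst_mac", "mac"),
}
LAYER2_TYPES = {56, 57, 58, 59, 80, 81}   # MAC and VLAN field types (v9 only)


def _decode(kind, raw):
    if kind == "ipv4":
        return ".".join(str(b) for b in raw)
    if kind == "mac":
        return ":".join(f"{b:02x}" for b in raw)
    return int.from_bytes(raw, "big")


def parse_v5(pkt):
    """v5 has a 24-byte header and fixed 48-byte records: IPs, ports, counters, no MAC/VLAN."""
    _, count = struct.unpack_from("!HH", pkt, 0)
    records = []
    for i in range(count):
        f = struct.unpack_from("!4s4s4sHHIIIIHHBBBBHHBBH", pkt, 24 + 48 * i)
        records.append({
            "ipv4_src_addr": _decode("ipv4", f[0]),
            "ipv4_dst_addr": _decode("ipv4", f[1]),
            "in_pkts": f[5], "in_bytes": f[6],
            "l4_src_port": f[9], "l4_dst_port": f[10], "protocol": f[13],
        })
    return records


def parse_v9(pkt, templates=None):
    """v9 is template based: FlowSet id 0 carries templates, ids >= 256 carry data records."""
    templates = {} if templates is None else templates
    records, off = [], 20                        # 20-byte v9 header
    while off + 4 <= len(pkt):
        set_id, set_len = struct.unpack_from("!HH", pkt, off)
        body, off = pkt[off + 4: off + set_len], off + set_len
        if set_id == 0:                           # template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                templates[tid] = [struct.unpack_from("!HH", body, p + 4 + 4 * k)
                                  for k in range(nfields)]
                p += 4 + 4 * nfields
        elif set_id >= 256 and set_id in templates:
            fields = templates[set_id]
            rec_len = sum(flen for _, flen in fields)
            p = 0
            while p + rec_len <= len(body):       # trailing bytes are padding
                rec, q = {}, p
                for ftype, flen in fields:
                    name, kind = V9_FIELDS.get(ftype, (f"field_{ftype}", "int"))
                    rec[name] = _decode(kind, body[q:q + flen])
                    q += flen
                records.append(rec)
                p += rec_len
    return records


def parse_packet(pkt, templates=None):
    version = struct.unpack_from("!H", pkt, 0)[0]
    if version == 5:
        return parse_v5(pkt)
    if version == 9:
        return parse_v9(pkt, templates)
    raise ValueError(f"unsupported NetFlow version {version}")


def has_layer2_fields(pkt):
    """True if any v9 template in the packet defines MAC or VLAN fields (v5 never does)."""
    templates = {}
    parse_packet(pkt, templates)
    return any(ftype in LAYER2_TYPES for fields in templates.values() for ftype, _ in fields)


def build_sample_v9():
    """Constructed v9 packet: template 256 mixing L2 and L3 fields, plus one data record."""
    fields = [(56, 6), (80, 6), (58, 2), (8, 4), (12, 4), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec = (bytes.fromhex("0011223344aa") + bytes.fromhex("00aabbccdd01")      # src/dst MAC (sample)
           + struct.pack("!H", 100)                                            # VLAN 100
           + bytes([10, 1, 1, 10]) + bytes([10, 2, 2, 20])                     # sample IPv4 addresses
           + struct.pack("!II", 1500, 3))                                      # bytes, packets
    pad = (-len(rec)) % 4                         # data FlowSets are padded to 4 bytes
    data_set = struct.pack("!HH", 256, 4 + len(rec) + pad) + rec + b"\0" * pad
    header = struct.pack("!HHIIII", 9, 2, 12345, 1700000000, 1, 0)
    return header + tmpl_set + data_set


def build_sample_v5():
    """Constructed v5 packet with one record; the fixed format has no MAC/VLAN fields."""
    header = struct.pack("!HHIIIIBBH", 5, 1, 12345, 1700000000, 0, 1, 0, 0, 0)
    rec = struct.pack("!4s4s4sHHIIIIHHBBBBHHBBH",
                      bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20]), bytes(4),
                      1, 2, 3, 1500, 1000, 2000, 40000, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + rec


if __name__ == "__main__":
    for pkt in (build_sample_v5(), build_sample_v9()):
        print(f"v{pkt[1]} layer2_fields={has_layer2_fields(pkt)} records={parse_packet(pkt)}")
```

Because v9 templates are only sent periodically, a real collector must keep the `templates` dictionary across packets from the same exporter (keyed by source address and source id); the single-packet form above keeps the example short.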