Netflow Configuration Issues on Cisco 3750X

I have attempted to configure NetFlow v9, but I am not able to generate any flows within my 3750X switches. Should I add more configuration to my NetFlow module to get the flows to be read on my SolarWinds NTA server? Or should I switch to NetFlow v5 to accomplish this task?

Here is my configuration & I am using IOS 15.2(4):

flow record Record
 match datalink source-vlan-id
 match datalink dot1q priority
 match datalink mac source-address
 match datalink mac destination-address
 match ipv4 version
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input physical snmp
 collect interface output snmp
 collect counter flows
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
!
flow exporter Export
 destination < Solarwinds Server IP >
 source < Site VLAN >
 transport udp 2055
 option interface-table timeout 60
!
!
flow monitor Monitor
 exporter Export
 cache timeout active 60
 statistics packet protocol
 record Record
!
!
sampler NTA_Sampler
 description NTA_Flows
 mode random 1 out-of 32
!
interface GigabitEthernet1/1/2 < Netflow Module >
 description **** NTA export ****
 ip flow monitor Monitor layer2-switched input

sh flow interface
Interface GigabitEthernet1/1/2
  FNF:  checking sub traffic.
  FNF:  monitor:         Monitor
        direction:        Input
        traffic(ip):      layer2-switched

Sh flow exporter statistics
Flow Exporter Export:
  Packet send statistics (last cleared 01:31:20 ago):
    Successfully sent:         1820                  (2328144 bytes)

  Client send statistics:
    Client: Option options interface-table
      Records added:           21021
        - sent:                21021
      Bytes added:             2102100
        - sent:                2102100

    Client: Flow Monitor Monitor
      Records added:           0
      Bytes added:             0

sh flow exporter templates
Flow Exporter Export:
  Client: Option options interface-table
  Exporter Format: NetFlow Version 9
  Template ID    : 256
  Source ID      : 1
  Record Size    : 104
  Template layout
  _____________________________________________________________________
  |                 Field                   |  Type | Offset |  Size  |
  ---------------------------------------------------------------------
  | v9-scope system                         |     1 |     0  |     4  |
  | interface input snmp                    |    10 |     4  |     4  |
  | interface name short                    |    82 |     8  |    32  |
  | interface name long                     |    83 |    40  |    64  |
  ---------------------------------------------------------------------

  Client: Flow Monitor Monitor
  Exporter Format: NetFlow Version 9
  Template ID    : 257
  Source ID      : 1
  Record Size    : 59
  Template layout
  _____________________________________________________________________
  |                 Field                   |  Type | Offset |  Size  |
  ---------------------------------------------------------------------
  | ipv4 source address                     |     8 |     0  |     4  |
  | ipv4 destination address                |    12 |     4  |     4  |
  | interface input physical snmp           |   252 |     8  |     4  |
  | datalink source-vlan-id                 |    58 |    12  |     2  |
  | datalink mac source-address             |    56 |    14  |     6  |
  | datalink mac destination-address        |    80 |    20  |     6  |
  | transport source-port                   |     7 |    26  |     2  |
  | transport destination-port              |    11 |    28  |     2  |
  | datalink dot1q priority                 |   244 |    30  |     1  |
  | ip version                              |    60 |    31  |     1  |
  | ip tos                                  |     5 |    32  |     1  |
  | ip protocol                             |     4 |    33  |     1  |
  | ip ttl                                  |   192 |    34  |     1  |
  | interface output snmp                   |    14 |    35  |     4  |
  | counter flows                           |     3 |    39  |     4  |
  | counter bytes                           |     1 |    43  |     4  |
  | counter packets                         |     2 |    47  |     4  |
  | timestamp sys-uptime first              |    22 |    51  |     4  |
  | timestamp sys-uptime last               |    21 |    55  |     4  |
  ---------------------------------------------------------------------

  Client: Flow Monitor Monitor
  Exporter Format: NetFlow Version 9
  Template ID    : 0
  Source ID      : 0
  Record Size    : 60
  Template layout
  _____________________________________________________________________
  |                 Field                   |  Type | Offset |  Size  |
  ---------------------------------------------------------------------
  | datalink source-vlan-id                 |    58 |     0  |     2  |
  | datalink dot1q priority                 |   244 |     2  |     1  |
  ---------------------------------------------------------------------

Sh ip flow cache
IP packet size distribution (0 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 0 bytes
  0 active, 0 inactive, 0 added
  0 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 15 seconds
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts

sh ip flow export < Not sure why main cache is v1 instead of v9? >
Flow export v1 is disabled for main cache
  Version 1 flow records
  0 flows exported in 0 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level

Hi Cory,

I tried your config and it’s working here. Try this command:

SW1-LAB#show flow exporter statistics 
Flow Exporter Export:
  Packet send statistics (last cleared 00:39:05 ago):
    Successfully sent:         0                     (0 bytes)
    Enqueued to process level: 117                   (138918 bytes)
    No destination address:    3                     (3562 bytes)

  Client send statistics:
    Client: Option options interface-table
      Records added:           1280
        - sent:                1248
        - failed to send:      32
      Bytes added:             128000
        - sent:                124800
        - failed to send:      3200

    Client: Flow Monitor Monitor
      Records added:           0
      Bytes added:             0

This tells us the switch is exporting these flows. If you are unsure whether they arrive at the server or not, change the destination IP address to some Linux box and try tcpdump:

root@graylog:/home/ubuntu# tcpdump -n udp -vvv -w output1.pcap dst port 2055
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Got 0
12 packets captured
12 packets received by filter
0 packets dropped by kernel

This proves that the switch exports the flows.

This is an old command. Maybe it still works on some routers but I don’t think it works on any recent switch.

Rene

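To see what the datagrams captured on UDP 2055 actually carry, the sketch below (an added example, not code from either poster) walks the FlowSets of a NetFlow v9 payload and separates interface-table option records (template 256 in the output above) from Flow Monitor records (template 257). It assumes the UDP payloads have already been extracted from the capture; the function names and the sample payloads are constructed for illustration.

```python
import struct
from collections import Counter

# NetFlow v9 packet header: version, count, sysUptime, unix_secs, sequence, source_id
V9_HEADER = struct.Struct("!HHIIII")
# Template ID of the interface-table option records in the "show flow exporter
# templates" output above; 257 is the Flow Monitor template there.
OPTION_TEMPLATE_IDS = {256}

def classify_v9(payload: bytes) -> Counter:
    """Count the FlowSets in one NetFlow v9 UDP payload by kind."""
    if len(payload) < V9_HEADER.size:
        raise ValueError("payload shorter than a NetFlow v9 header")
    version = V9_HEADER.unpack_from(payload)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    kinds, offset = Counter(), V9_HEADER.size
    while offset + 4 <= len(payload):
        flowset_id, length = struct.unpack_from("!HH", payload, offset)
        if length < 4 or offset + length > len(payload):
            raise ValueError(f"bad FlowSet length {length} at offset {offset}")
        if flowset_id == 0:
            kinds["template"] += 1
        elif flowset_id == 1:
            kinds["options-template"] += 1
        elif flowset_id >= 256:
            kinds[f"data:{flowset_id}"] += 1   # data FlowSet ID == template ID
        else:
            kinds["reserved"] += 1
        offset += length
    return kinds

def carries_flow_records(payload: bytes, option_ids=OPTION_TEMPLATE_IDS) -> bool:
    """True if any data FlowSet uses a template other than the option templates."""
    return any(k.startswith("data:") and int(k[5:]) not in option_ids
               for k in classify_v9(payload))

# --- constructed sample payloads (not taken from the capture in the thread) ---
def _flowset(flowset_id: int, body: bytes) -> bytes:
    pad = -(len(body) + 4) % 4                      # FlowSets are padded to 32 bits
    return struct.pack("!HH", flowset_id, len(body) + 4 + pad) + body + bytes(pad)

def _payload(*flowsets: bytes) -> bytes:
    return V9_HEADER.pack(9, len(flowsets), 1000, 0, 1, 1) + b"".join(flowsets)

OPTIONS_ONLY = _payload(_flowset(256, bytes(104)))  # one 104-byte option record
WITH_FLOWS = _payload(_flowset(256, bytes(104)), _flowset(257, bytes(59)))

if __name__ == "__main__":
    for name, p in (("options only", OPTIONS_ONLY), ("with flows", WITH_FLOWS)):
        print(name, dict(classify_v9(p)), carries_flow_records(p))
```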