Cisco Catalyst NetFlow – Troubleshooting NetFlow v9 on Cisco Catalyst 3560

ciscocisco-catalystcisco-iosnetflow

my team and I just don't seem to get NetFlow on a Catalyst 3560 switch to work.
let me show you the config:

 flow exporter NETFLOW-EXPORTER
 destination 10.10.10.12
 source Vlan100
 transport udp 2055
!
!
flow record NETFLOW-RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
!
!
flow monitor NETFLOW-MONITOR
 record NETFLOW
 exporter NETFLOW
 statistics packet protocol
 statistics packet size
 cache timeout active 60

interface range GigabitEthernet 0/1-52
 ip flow ingress
 ip flow egress
 ip flow monitor NETFLOW-MONITOR input
 ip flow monitor NETFLOW-MONITOR output

As you can see, we are at a point where we added pretty much everything. The exporter still does not seem to send anything to the destination:

Flow Exporter NETFLOW-EXPORTER:
Description:              User defined
Export protocol:          NetFlow Version 9
Transport Configuration:
    Destination IP address: 10.10.10.12
    Source IP address:      10.10.100.254
    Source Interface:       Vlan100
    Transport Protocol:     UDP
    Destination Port:       2055
    Source Port:            61154
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Not Used

The destination: 10.10.10.12 is running a PRTG instance where this switch is configured. SNMP information seem to work just fine, it's just NetFlow that wont show anything. The config on the PRTG should be fine (IP and port are a match)

Any Ideas?

Thanks in advance 🙂

Best Answer

Your Flow Monitor doesn't match your Flow Record or Flow Exporter. You have record NETFLOW and exporter NETFLOW. Try something like this:

flow monitor NETFLOW-MONITOR
 record NETFLOW-RECORD
 exporter NETFLOW-EXPORTER
 statistics packet protocol
 statistics packet size
 cache timeout active 60

You also don't need the old NetFlow commands on the interface, so you can remove:

 ip flow ingress
 ip flow egress

This is the way I have seen it work successfully, albeit only used on layer-3 interfaces, and only in one direction or the other:

flow record NETFLOW-RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect interface input
 collect interface output
 collect counter bytes
 collect counter packets
!
flow exporter NETFLOW-EXPORTER
 destination 10.10.10.12
 transport udp 2055
 source Vlan100
!
flow monitor NETFLOW-MONITOR
 record NETFLOW-RECORD
 exporter NETFLOW-EXPORTER
 cache timeout inactive 15
 cache timeout active 60
!

You can try it in both directions on a layer-2 interface, but I think your problem is the incorrect Flow Record and Flow Exporter in the Flow Monitor.

interface range GigabitEthernet 0/1-52
 ip flow monitor NETFLOW-MONITOR input
 ip flow monitor NETFLOW-MONITOR output
!

Edit:

This is from Configuring Flexible NetFlow:

NetFlow is supported only on the network services module. Only one flow monitor per interface and per direction is supported by the network services module.

As I understand it, you need IOS 15.x, and at least the IP Base license with the Network Services Module for Flexible NetFlow.

You are trying to apply it to non-module ports, G0/1-48, which doesn't work, anyway. It should only work on G0/49-52, but I'm not sure you can use it on the 3560 at all. I saw a note generated from Cisco TAC saying that this only works on a 3750X:

The netflow module is only available in the 3750x's. You're out of luck.

Sent from Cisco Technical Support Android App

Related Solutions

How to Disable Flow-Control on Cisco ISR 4431 Router GigabitEthernet

I will start by saying that you should not be disabling auto-negotiation with Gigabit connections. This is what the standard has to say (from 802.3-2012 Section Three, which you can reference here):

37.1.4.4 User Configuration with Auto-Negotiation

Rather than disabling Auto-Negotiation, the following behavior is suggested in order to improve interoperability with other Auto-Negotiation devices. When a device is configured for one specific mode of operation (e.g. 1000BASE-X Full Duplex), it is recommended to continue using Auto-Negotiation but only advertise the specifically selected ability or abilities. This can be done by the Management agent only setting the bits in the advertisement registers that correspond to the selected abilities.

This means you should never use speed 1000 on Gigabit links. You could instead speed auto 1000, but your expressed need has a better solution.

The real problem is the following command on interface Gigabit0/0/0:

  no negotiation auto

Remove the speed 1000, the duplex full, and the no negotiation auto commands from the interface and instead use negotiation forced so your interface looks like so:

 interface GigabitEthernet0/0/0
  description WAN Metro Ethernet Circuit
  ! ...
  negotiation forced

From Cisco documentation, the forced keyword has the following effect (and I believe also adheres to the standard's recommendation):

Disables flow control and configures the Gigabit Ethernet interface in 1000/full-duplex mode.

This should meet your requirement of 1000/full with no flow control.

In re-reading your question, I realized you noted you did not seem to have the force command available.

In your case, I will still recommend removing the no negotiation auto command and have your interface look like so:

 interface GigabitEthernet0/0/0
  description WAN Metro Ethernet Circuit
  ! ...
  speed auto 1000
  duplex full

NetFlow – Cisco Catalyst 2960X Not Sending Data to PRTG

The Catalyst 2960-X supports what is called netflow lite, not full netflow, and for that, it needs at least the LANBASE license. See "Prerequisites" on https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/fnf/configuration_guide/b_fnf_1522e_2960x_cg/b_fnf_32se_3850_cg_chapter_010.html (publically available Cisco Doc).

See the outputs of show version or show license to check the license on the given 2960-X. We have seen cases where a Lan Lite switch would accept commands for unsupported features without returning an error - and the feature would just not work.

That being said, I don't see where the error in the config might be - we have

a) a flow record
b) a flow exporter 
c) a flow monitor making use of a) and b)  
d) a flow sampler  
e) and finally an interface config making use of c) and d).

... and that's what the config guide suggest. I suspect the problem is on the netflow analyzer side.

Please verify that PRTG actually supports netflow lite. My current understanding from what I can find at paessler.com is that netflow lite is not directly supported, and that eventually, you might need to convert netflow lite to classic netflow with some kind of itermediate service (such as http://www.ntop.org/products/netflow/nprobe/netflow-lite-plugin/)

Using one of the tools at https://www.paessler.com/tools/netflowtester might help with the analysis.

One more thing:

Instead of naming at least three related config items "toPRTG", I suggest using a config style as outlined below. It helps to track what is what, and to keep track of all the needed config bits. In short, it helps to understand the config concept. We use similar config styles in larger multi-tenant QoS configurations (that we maintain manually), so we can keep track of the per-tenant class-maps and policy maps, the ACLs to go with it etc. In general, we put a Prefix in there describing what kind of config item it is, the customer's name and the name itself. This then might look like this: PM_QUE_CUST01_WANPOLICY01 or CM_QOS_CUST04_REALTIME-TRAFFIC.

So here's what I suggest for a netflow config:

flow record NFREC_MYRECORD1
 match ...
 collect ...  
!
!
flow exporter NFEXP_MYEXPORT1
 destination 172.18.145.xxx
 transport udp 9995
!
!
flow monitor NFMON_MYMONITOR1
 exporter NFEXP_MYEXPORT1
 cache timeout active 15000
 record NFREC_MYRECORD1
!
!
sampler NFSMP_MYSAMPLER1
 mode ...
!
!
interface GigabitEthernety/0/yy
 ...
 ip flow monitor NFMON_MYMONITOR1 sampler NFSMP_MYSAMPLER1 input
 ...

Best Answer

Related Solutions

How to Disable Flow-Control on Cisco ISR 4431 Router GigabitEthernet

NetFlow – Cisco Catalyst 2960X Not Sending Data to PRTG

Related Topic