How to extract ios firmware from catalyst 3560 v2

3750 does have some internally priority on what it prefers to punt when congested, but it's not configurable.

So you should rely on common best practices, that is on all your network edges you should have iACL (infrastructure ACL). In iACL you'd allow UDP highports, ICMP to infrastructure network addresses and drop rest. This way ping and traceroute work, but infrastructure cannot be attacked.
iACL should be complemented by policing the allowed traffic to small acceptable rates.

This way when external party is attacking addresses on your 3750, it'll be dropped by network border in the edge.

iACL usually is 100% static so it's low maintenance, as it'll only include infrastructure addresses (loopback, core links).

This will still leave wide open cases where your router is facing customer LAN directly, like when LAN is 192.0.2.0/24 and 3750 has 192.0.2.1 then usually 192.0.2.1 would not be covered by iACL and can be attacked.
Solution for those devices is either to invest on device with proper CoPP capabilities or maintain dynamic iACL always adding the router's customer facing address there.

If you only face customers via link-networks (/30 or /31) solution is much cleaner, you just omit advertising the link-network and add static /32 route for the CPE side, this way external to this router parties cannot attack the router, as they won't have route.
Alternative solution to same issue is to use non-continuous ACL entry in iACL, if your CPE link-network is 198.51.100.0/24 in iACL you could do 'deny ip any 198.51.100.0 0.0.0.254' then all the even addresses would be allowed and odd addresses denied, so if CPE is even and 3750 is odd, all current and future links are protected without updating iACL.

Your Flow Monitor doesn't match your Flow Record or Flow Exporter. You have record NETFLOW and exporter NETFLOW. Try something like this:

flow monitor NETFLOW-MONITOR
 record NETFLOW-RECORD
 exporter NETFLOW-EXPORTER
 statistics packet protocol
 statistics packet size
 cache timeout active 60

You also don't need the old NetFlow commands on the interface, so you can remove:

 ip flow ingress
 ip flow egress

This is the way I have seen it work successfully, albeit only used on layer-3 interfaces, and only in one direction or the other:

flow record NETFLOW-RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect interface input
 collect interface output
 collect counter bytes
 collect counter packets
!
flow exporter NETFLOW-EXPORTER
 destination 10.10.10.12
 transport udp 2055
 source Vlan100
!
flow monitor NETFLOW-MONITOR
 record NETFLOW-RECORD
 exporter NETFLOW-EXPORTER
 cache timeout inactive 15
 cache timeout active 60
!

You can try it in both directions on a layer-2 interface, but I think your problem is the incorrect Flow Record and Flow Exporter in the Flow Monitor.

interface range GigabitEthernet 0/1-52
 ip flow monitor NETFLOW-MONITOR input
 ip flow monitor NETFLOW-MONITOR output
!

Edit:

This is from Configuring Flexible NetFlow:

NetFlow is supported only on the network services module. Only one flow monitor per interface and per direction is supported by the network services module.

As I understand it, you need IOS 15.x, and at least the IP Base license with the Network Services Module for Flexible NetFlow.

You are trying to apply it to non-module ports, G0/1-48, which doesn't work, anyway. It should only work on G0/49-52, but I'm not sure you can use it on the 3560 at all. I saw a note generated from Cisco TAC saying that this only works on a 3750X:

The netflow module is only available in the 3750x's. You're out of luck.

Sent from Cisco Technical Support Android App