NetFlow configuration on Catalyst 4500-X

cisco-catalystnetflow

I have a problem with config NetFlow on 4500-X switch.

This is NetFlow config

flow record NFArecord
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input netflow
 match interface output netflow
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
!
flow exporter ELK
 destination 172.17.214.33
 transport udp 9966
!
!
flow monitor NFAmonitor
 exporter ELK
 cache timeout inactive 30
 cache entries 10000
 record NFArecord
!

I want to collect records for inter vlan traffic.

Try to do this:

interface Port-channel2 
//this is port-channel to SW3750, want to collect ingress traffic on in interface
 description Trunk to 6floor
 switchport
 switchport mode trunk
 end

Core-4500x(config-if)#ip flow monitor NFAmonitor in
% Flow Monitor: Flow Monitor 'NFAmonitor' - Incompatible traffic type: Record has Undetermined, monitor applied with IPv4

Ok, try to apply ip flow to vlan 60 and have same result:

Core-4500x(config-vlan-config)#ip flow monitor NFAmonitor input 
% Flow Monitor: Flow Monitor 'NFAmonitor' - Incompatible traffic type: Record has Undetermined, monitor applied with IPv4

Core-4500x(config-vlan-config)#ip flow monitor NFAmonitor layer2-switched input 
% Flow Monitor: Flow Monitor 'NFAmonitor' - Incompatible traffic type: Record has Undetermined, monitor applied with IPv4

What's wrong? What should I do for NetFlow working?

Best Answer

From your error it seems that some of flow records cannot be used for Layer-3 flow capture.

Try this configuration. It will be applied on bridge level.

flow record FLOW-RECORD-IPV4
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long

flow exporter FLOW-EXPORTER-X.X.X.X
 description FLOW-EXPORTER X.X.X.X
 destination X.X.X.X
 source VlanX
 transport udp 2055

flow monitor FLOW-MONITOR-IN
 description MONITOR INGRESS FLOWS
 record FLOW-RECORD-IPV4
 exporter FLOW-EXPORTER-X.X.X.X
 cache timeout inactive 60

vlan configuration 10,20,30,40,50,60
ip flow monitor FLOW-MONITOR-IN input

Also you could apply it on interface level:

interface GigabitEthernet1/3/1
 ip flow monitor FLOW-MONITOR-IN input

Related Solutions

Catalyst 4500 – Unexpected Behavior with Object-Groups in ACLs

At long last, an answer. I recently encountered another situation where I had to create access-lists that would benefit from object-group references. After trying several different things to work around the problem, I finally threw in the towel and contacted Cisco technical support (which I'm always loath to do).

After an initial careless and blatantly wrong attempt to answer my question, the Cisco technician came back with the following:

Matthew,

I have reached out to the development team and object group configuration with the 4500 platform does not work as desired given the fact that the feature is not fully supported until code version 15.2(3)E2 which will be released around August 2015.

It is possible for the ACL to be configured because they have the same IOS XE base as other devices that support the feature at this time.

So, there you go - and it only took Cisco 6 days to come up with this answer (a record).

Cisco Catalyst NetFlow – Troubleshooting NetFlow v9 on Cisco Catalyst 3560

Your Flow Monitor doesn't match your Flow Record or Flow Exporter. You have record NETFLOW and exporter NETFLOW. Try something like this:

flow monitor NETFLOW-MONITOR
 record NETFLOW-RECORD
 exporter NETFLOW-EXPORTER
 statistics packet protocol
 statistics packet size
 cache timeout active 60

You also don't need the old NetFlow commands on the interface, so you can remove:

 ip flow ingress
 ip flow egress

This is the way I have seen it work successfully, albeit only used on layer-3 interfaces, and only in one direction or the other:

flow record NETFLOW-RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect interface input
 collect interface output
 collect counter bytes
 collect counter packets
!
flow exporter NETFLOW-EXPORTER
 destination 10.10.10.12
 transport udp 2055
 source Vlan100
!
flow monitor NETFLOW-MONITOR
 record NETFLOW-RECORD
 exporter NETFLOW-EXPORTER
 cache timeout inactive 15
 cache timeout active 60
!

You can try it in both directions on a layer-2 interface, but I think your problem is the incorrect Flow Record and Flow Exporter in the Flow Monitor.

interface range GigabitEthernet 0/1-52
 ip flow monitor NETFLOW-MONITOR input
 ip flow monitor NETFLOW-MONITOR output
!

Edit:

This is from Configuring Flexible NetFlow:

NetFlow is supported only on the network services module. Only one flow monitor per interface and per direction is supported by the network services module.

As I understand it, you need IOS 15.x, and at least the IP Base license with the Network Services Module for Flexible NetFlow.

You are trying to apply it to non-module ports, G0/1-48, which doesn't work, anyway. It should only work on G0/49-52, but I'm not sure you can use it on the 3560 at all. I saw a note generated from Cisco TAC saying that this only works on a 3750X:

The netflow module is only available in the 3750x's. You're out of luck.

Sent from Cisco Technical Support Android App

Best Answer

Related Solutions

Catalyst 4500 – Unexpected Behavior with Object-Groups in ACLs

Cisco Catalyst NetFlow – Troubleshooting NetFlow v9 on Cisco Catalyst 3560

Related Topic