This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Has ANYONE got Flexible Netflow working on 4500 with Sup7 that is understandable by Solarwinds Netflow

Hi have been trying to work with Cisco over the past 4 weeks to get Flexible Netflow to work properly with Orion/NTA with zero success. This is a 4507R+E with dual Sup 7's

I have the works TAC support person, but that's beside the point. I've spoken with SW and didn't get the warm and fuzzies on their answers either.

It appears to me I will not be able to monitor layre "virtual" interfaces on the 4507, which is unacceptable and if the case I will raise a stink with Cisco one I get it working.

So my questions are:

Does it even work? This hardware, Flexible Network and NTA 3.7?

The commands take and it just seems like NTA doesn't accept them, I'm guessing they are missing something like TOS, but this is not the same as regular Netflow.

I have been testing many permitations, but I either get the traffic in NTA showing that it is coming from all interfaces, or it doesn't see any at all.

 Here's the config I am testing with today:

flow record ipv4
! match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
collect interface input
!
!
flow exporter NetFlow-to-Orion
 destination 10.10.10.1
 source vlan254
 transport udp 2055
export-protocol netflow-v5
!
!
flow monitor NetFlow-Monitor
 description Original Netflow captures
 record ipv4
 exporter NetFlow-to-Orion

vlan configuration 254
ip flow monitor NetFlow-Monitor input

 

Any help would be great

 

Bob

  • Can you do a traditional NetFlow v5 config on the 7E, or does it require the Flexible NetFlow syntax? It looks like you're only connecting standard v5 fields anyway.

  • No it only supports Flexible Netflow, and this is the direction Cisco is heading.

  • Thanks--please update the thread with what you find out. We are considering the purchase of some 4500s with 7Es and it would be nice to know if I need to replace NTA with something else as well.

  • UPDATE:

     

    Cisco got back to me verifying in their lab that the 4507 is indeed sending flows but the Solarwinds Netflow is no accepting/displaying them.

    Cisco is basically stating that because the device is sending this is a Solarwinds issue. I had a case opened in the past with Solarwinds and they state that the flow must adhere to the RFC otherwise it is discarded. Cisco is saying they are compliant, so here I (The Customer) sitting in the middle with zero data from our core switch.

    I'm guessing the issue is the TOS information as Cisco is not setup to send this, and SW says it should be in the flow.

    As a customer I'm dissappointed in both parties; considering SW is suppose to be a Cisco partner/developer, they should yield and build the product to support what Cisco is sending.

     

    I am opening yet another case with SW to see if maybe in a year or two I can help others in my situation by getting this in a future product release.

     

    Bob James

  • This is the primary reason (In the places I have worked) that managment always wants to source software / hardware from the same vendor.  No blame game.

    Please keep us updated on the issue, we have a bunch of 4507's ourselves, but haven't needed flow data from them yet.

  • Can you configure the 7E to send the TOS information? Table 32-3 in this doc makes it sound like it's supported:

    www.cisco.com/.../fnf.html

  • We are currently working with Cisco on getting to the bottom of this. If you would like to open a support ticket and submit a packet capture, that would be helpful.

    In general, it looks like the problem has more to do with the ingress and egress interface ID fields. See this KB on the fields required by NTA to consume the flow (if a field is missing, we drop the flow).

    http://knowledgebase.solarwinds.com/kb/questions/802/Required+flow+template+fields

    I hope to provide a better and detailed answer tomorrow.

    Mav

  • Mav, no offence but I'm on my second Solarwinds ticket now, I have been working with Cisco for over a month on this so I am not too inclined to be helpful. I would suggest taking this up with Cisco's Netflow team and working through it; if you wish I can provide you my TAC case and you can escalate with their Engineers.

    Basically, they are seeing the flows get to Netflow (They downloaded yoru free copy for testing) but nothing displayed. Their response; it's your (Solarwinds) issue because the packets are arriving.

     

    Bob James

  • No offense taken StealthNet, I'm sorry it has taken so long for your issue to bubble up. It looks like their templates were not including the ingress/egress interface ID, which is a must have for us. We drop packets that do not include all the fields in my above post. 

    The ToS field is not required. I'm not sure where that information came from.

    Cisco provided this template that they verified in their lab. I am still working to get it fully up and working in our lab, but feel free to test it out and let me know if you get results.

     
    Template:
     flow record ipv4
     match ipv4 protocol
     match ipv4 source address
     match ipv4 destination address
     match transport source-port
     match transport destination-port
     match interface input
     collect interface output
     collect counter bytes
     collect counter packets
     
     

  • Funny, Cisco called and emailed me as soon as I got this email too. Here is the configuration I have, and I am now seeing flows; a lot more testing is still required but I have pretty graphs:

    flow record ipv4
    ! match ipv4 tos
     match ipv4 protocol
     match ipv4 source address
     match ipv4 destination address
     match transport source-port
     match transport destination-port
      match interface input
     collect interface output
     collect counter bytes
     collect counter packets

     

    flow exporter NetFlow-to-Orion
     destination 10.10.10.10
     source vlan254
     transport udp 2055
    export-protocol netflow-v5
     

    flow monitor NetFlow-Monitor
     description Original Netflow captures
     record ipv4
     exporter NetFlow-to-Orion
    cache timeout inact 10
    cache timeout act 5

    vlan configuration 666
    ip flow monitor NetFlow-Monitor input

     

     

    I sure hope this helps someone else.....

     

    Bob James