I have done this on my HP systems, and even on the Nexus. But for the Catalyst 9200 series I cannot figure out how to do this.
jreves, I met up with adatole at VMWorld and he said if anybody knew, it would be you!
Here are some examples for a Catalyst 6500 and 7600 that might be a good starting point.
Enable NetFlow on Catalyst 6500 and 7600 series
Neomatrix1217, unfortunately those commands do not work on the Catalyst 9200 series switches (I am using the 9200L). For starters, the "ip flow ingress" command isn't supported on these switches, and it looks like only "flexible netflow" is supported. As a result, I tried following these guides:
Success Center
How to Configure NetFlow for Cisco Routers and Switches Running IOS - YouTube
Here are the details of the switches:
Cisco IOS XE Software, Version 16.11.01
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT9K_LITE_IOSXE), Version 16.11.1, RELEASE SOFTWARE (fc3)
Model Number : C9200L-24P-4G
Here is the current NetFlow configuration:
flow record SolarwindsNetflow
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match ipv4 tos
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
flow exporter SolarwindsNetflow
 destination *destination* vrf Mgmt-vrf
 source GigabitEthernet0/0
 transport udp 2055
 template data timeout 60
flow monitor SolarwindsNetflow
 exporter SolarwindsNetflow
 cache timeout inactive 10
 cache timeout active 5
 record SolarwindsNetflow
interface GigabitEthernet1/0/1
 description Fortinet-A port 3
 switchport access vlan *vlan*
 switchport mode access
 ip flow monitor SolarwindsNetflow input
interface GigabitEthernet1/0/2
 description Fortinet-A port 2
With the above setup, I see data being exported successfully, however nothing shows up in NTA:
flx-edge#show flow exporter statistics
Flow Exporter SolarwindsNetflow:
Packet send statistics (last cleared 00:53:47 ago):
Successfully sent: 5897 (8422214 bytes)
Client send statistics:
Client: Flow Monitor SolarwindsNetflow
Records added: 203952
- sent: 203952
Bytes added: 8422214
- sent: 8422214
I don't know what's missing but I have also seen this:
----------------------------------------------
IOS-XE Netflow Config to NTA?
Here's my ASR NetFlow config, which works with NTA. Note: NetFlow from the management VRF on the ASR seems to work, whereas it does not work on 4300 ISR routers.
-----------------------------------------------
This makes me wonder if there is also a vrf issue on the 9200 Catalyst devices.
OK, then you can use Wireshark to see if the data is getting to Orion.
Success Center - WireShark
Here is a post from Cisco on it:
Network Management Configuration Guide, Cisco IOS XE Gibraltar 16.10.x (Catalyst 9200 Switches) - Configuring Flexible N…
Note the "Prerequisites", which say you must configure a source interface and such. I'd also recommend making sure you can ping the SolarWinds server from whatever source interface and VRF you are using! Personally I wouldn't use the management VRF for this, but instead a loopback; but if routing is set up right and you can ping sourcing that interface, it should work. Actually, I take that back: another restriction says "Flexible NetFlow export is not supported on the Ethernet management port, GigabitEthernet 0/0.", so don't use it!!
Also note the restrictions, such as "Flexible Netflow (TNF) is supported only on Cisco TrustSec (CTS) interfaces". I'd never heard this one before, but... maybe you need to configure CTS on the interface? There are other restrictions that hint this isn't the case, i.e. they say "on non-CTS interfaces", which implies you can use non-CTS interfaces...
Definitely read through all the restrictions and such!!
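The exporter counters in the original post only prove that packets left the switch; Wireshark on the Orion host shows whether they arrive, but not whether the collector can decode them. A NetFlow v9 collector can only decode a data flowset after it has seen the template for it (template ID 256 and up, refreshed every "template data timeout" seconds), so a capture full of data packets and no template looks exactly like "exported successfully, nothing in NTA". The following decoder is an added example written for this thread, not code from SolarWinds or Cisco, and it assumes plain NetFlow v9 (RFC 3954) export. The sample packets are constructed inline with field types matching the flow record above, so the demo runs offline; listen() applies the same decode to a live UDP socket and also prints the source address, which is how you confirm the exporter is really sourcing from the interface you configured.

```python
"""Minimal NetFlow v9 decoder: does the collector receive templates, and from where?

Added example for this thread (not SolarWinds/Cisco code). Assumes NetFlow v9
(RFC 3954) export; field IDs below match the OP's flow record. Sample packets
are constructed here so the demo runs offline; listen() decodes a live socket.
"""
import socket
import struct

# RFC 3954 field types used by "flow record SolarwindsNetflow" in the thread.
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 5: "src_tos", 7: "l4_src_port",
    8: "ipv4_src_addr", 10: "input_snmp", 11: "l4_dst_port", 12: "ipv4_dst_addr",
    14: "output_snmp",
}
# (field type, length) in the order the OP's record lists them.
OP_FIELDS = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (5, 1), (10, 2), (14, 2), (1, 8), (2, 8)]


def build_template_flowset(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body          # flowset ID 0 = template


def build_data_flowset(template_id, records):
    body = b"".join(records)
    pad = (-len(body)) % 4                                       # flowsets are 4-byte aligned
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\0" * pad


def build_packet(flowsets, seq, count, source_id=0):
    # version, record count, sysuptime, unix secs, sequence, source ID (constructed values)
    return struct.pack("!HHIIII", 9, count, 123456, 1700000000, seq, source_id) + b"".join(flowsets)


def sample_record(src, dst, proto, sport, dport, tos, in_if, out_if, nbytes, npkts):
    """One data record laid out exactly as OP_FIELDS describes (constructed test data)."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BHHBHHQQ", proto, sport, dport, tos, in_if, out_if, nbytes, npkts))


def parse_templates(body, source_id, templates):
    n, off = 0, 0
    while off + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, off)
        off += 4
        fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
        off += 4 * nfields
        templates[(source_id, tid)] = fields                     # templates are per source ID
        n += 1
    return n


def parse_records(body, fields):
    rec_len = sum(n for _, n in fields)
    records, off = [], 0
    while off + rec_len <= len(body):                            # trailing bytes are padding
        rec = {}
        for ftype, flen in fields:
            raw = body[off:off + flen]
            off += flen
            name = FIELD_NAMES.get(ftype, f"field_{ftype}")
            rec[name] = socket.inet_ntoa(raw) if ftype in (8, 12) and flen == 4 else int.from_bytes(raw, "big")
        records.append(rec)
    return records


def decode_packet(packet, templates):
    """Decode one export packet; `templates` persists across packets, as a collector's must."""
    version, _count, _uptime, _secs, seq, source_id = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    report = {"seq": seq, "source_id": source_id, "templates": 0, "records": [], "undecodable": 0}
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4:
            raise ValueError("bad flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:
            report["templates"] += parse_templates(body, source_id, templates)
        elif fs_id >= 256:                                       # data flowset; 1 = options template, skipped
            tpl = templates.get((source_id, fs_id))
            if tpl is None:
                report["undecodable"] += 1                       # the "nothing shows up" symptom
            else:
                report["records"].extend(parse_records(body, tpl))
        off += fs_len
    return report


def demo():
    """Data arriving before its template is undecodable; after the template it decodes."""
    rec = sample_record("10.0.0.5", "192.0.2.10", 6, 51000, 443, 0, 1, 2, 1500, 10)
    data_pkt = build_packet([build_data_flowset(256, [rec])], seq=1, count=1)
    tpl_pkt = build_packet([build_template_flowset(256, OP_FIELDS)], seq=2, count=1)
    templates = {}
    return decode_packet(data_pkt, templates), decode_packet(tpl_pkt, templates), decode_packet(data_pkt, templates)


def listen(port=2055, max_packets=50):
    """Bind like the collector (stop NTA or point the switch at another port) and summarise."""
    templates, sock = {}, socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    for _ in range(max_packets):
        pkt, (src, _) = sock.recvfrom(65535)
        r = decode_packet(pkt, templates)
        print(f"from {src}: seq={r['seq']} templates={r['templates']} "
              f"records={len(r['records'])} undecodable={r['undecodable']}")


if __name__ == "__main__":
    for r in demo():
        print(r)
```

If listen() on the NTA host shows a steady stream with undecodable flowsets and no templates for longer than the configured template timeout, the exporter is fine but the collector is missing templates (restart the capture across a timeout, or shorten it); if it shows nothing at all, the problem is routing or VRF, which is where the thread goes next. The "from" address should be the exporter's configured source interface; if it is not, the source and VRF do not agree.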
Thanks for mentioning that the Management VRF won't work as the source so I went ahead and created a loopback interface.
interface Loopback1
 ip address *IP*
Then I changed the exporter config to the following:
 destination *IP* vrf Mgmt-vrf
 source Loopback1
With that, I still got nothing. I think part of the problem is that anything internal has to be reached through the VRF interface, so nothing can be reached without it. This is a perimeter switch, so the VRF is in place as a security feature:
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 *gateway IP*
So even though I set the destination IP with vrf Mgmt-vrf, I think the loopback IP not being sourced from the VRF is the issue.
I don't see the packets hitting the NTA server with WireShark. Any ideas on what to do here?
You could add the loopback to the management VRF; pay attention to what it says when you do that, though, as it will probably blow away the IP address configuration on the loopback. You'll also have to set up routing for the loopback in the Mgmt-vrf...
Remember that when working with VRFs everything >has< to agree, i.e. if your destination IP is in the Mgmt-vrf, your source interface should be in it too. That is, unless you set up some sort of route leaking between VRFs, which it doesn't sound like you want to do...
My sincere apologies for wasting your time on this. I came to the realization that both stacks of Catalyst switches we have (we only have 2 stacks) are only working as layer 2 switches with no routing configured. One stack is for the perimeter/edge, connected to a set of Fortigate firewalls, and the other is used for the DMZ, once again with only layer 2 capabilities. As a result, it will make more sense to use NetFlow on the Fortigate firewalls, as they provide the routing.
I thank you for your help regardless. I ended up learning a good bit about VRF and with this knowledge I was able to successfully configure Nexus 9k switches for NetFlow. Sure, NX-OS is a totally different beast but VRF still comes into play there as well.