Unable to capture NetFlow on Cisco 3750x switch

A few years back I had SolarWinds Real-Time NetFlow Analyzer working with my Cisco 3750x switch. Recently we had some suspicious traffic so I installed a new version of the software on a Win 10 machine. I can connect through the software to my switch, I can see all of the interfaces but none of them show NetFlow enabled. When I click on the interface I want to monitor then click "Start Flow Capture" I get a 'NetFlow is not detected on the selected interface'.

How do I get this port configured correctly to capture NetFlow data?

Additional Facts:

IOS version 15.0(2)SE6

Config:

int gig <port to be monitored>
ip flow ingress
ip flow egress

ip flow-export source <port to be monitored>
ip flow-export version 5
ip flow-export destination <IP of my Win 10 machine> 2055

Per this thread (https://thwack.solarwinds.com/thread/20498), I tried to run the ip nbar protocol-discovery and the ip route-cache flow on the port to be monitored. Neither of those commands was accepted on that port.

Any help is appreciated.

  • rschroeder, I'm trying to analyze/capture netflow from the gigabit ports on my 3750x. Those don't support flexible netflow. I've had non-flexible netflow working on my gigabit ports at some point in the past.

    Does the netflow analyzer only work with flexible netflow (one has to apply "ip flow monitor <name of flow monitor> input" on the specific interface they want monitored) now? The only netflow commands I can apply directly to the interfaces I want to analyze are "ip flow ingress" and "ip flow egress".

  • NTA supports both version 5 and 9, but I recommend using version 9 with NBAR2 everywhere you can. Some legacy devices aren't compatible with NBAR2, others can only do Netflow v5. Find which ones have that limitation and compensate for them, and request budget to replace them with newer models that support Netflow v9 and NBAR2.

    I apply flow commands to every physical interface on my Cisco 4510 chassis now that the V8 model supports the commands, and it opens up another layer of granularity for traffic on a per-port basis. In that particular environment, it's only possible to use the "ip flow monitor <name> input" command. Initially I thought this was a limitation because there was no matching "output" command for the port. It turns out that, while having both commands on the port seems intuitive and convenient, I'm really only interested in traffic coming "from" the device directly attached to the port. Any traffic going "to" that device from another device is captured on the port(s) allowing the traffic into the switch from the other device.

    Regarding your 3750x, getting its Netflow going again most likely will require a review of the required commands and a fine-toothed comb going through the details.  Although you had it working previously, since it's not working now, you may benefit from thinking about what's changed that caused it to stop.

    • Was there an IOS update or downgrade that resulted in different capabilities, or that needs different commands applied to get Netflow going again?
    • Did a destination address change for the Netflow?  If you updated/changed a Solarwinds Poller, it could still be polling the 3750x, but the 3750x might not be sending Netflow to the correct destination address.

    If you have NCM, I'd recommend comparing a running-configuration from the 3750x at the time it was properly sending Netflow to today's running-config.  Maybe you'll see a change or a typo.  Or perhaps you'll find something that SHOULD have changed, but hasn't, to support a different destination address for a Solarwinds poller.

    I looked for a 3750x in my network that was running the right code and license level to use Netflow and I find I've retired them all.

    But here's a snip from one of my 4510's running Netflow on all interfaces that can be compared to your output:

    flow record NTArec
     match ipv4 tos
     match ipv4 protocol
     match ipv4 source address
     match ipv4 destination address
     match transport source-port
     match transport destination-port
     match interface input
     collect interface output
     collect counter bytes
     collect counter packets
     collect application name

    flow exporter NTAexp
     destination <x.x.x.x> (your Solarwinds APE running NTA)
     source <enter the interface on the switch that will be recognized as the source of the traffic.  Always use the same Interface that is being polled by Solarwinds--usually an SVI or a loopback>
     transport udp 2055
     template data timeout 60
     option application-table timeout 60

    flow monitor NTAmon
     description NetFlow nbar
     exporter NTAexp
     cache timeout inactive 30
     cache timeout active 10
     record NTArec

    ip flow monitor NTAmon input (this command goes on every physical port)

    vlan configuration (list all VLAN ID's here, comma-separated)
     ip flow monitor NTAmon input

    You may have to tweak this a bit for your 3750x's, but it should get you very close to running again.

    Swift packets!

    Rick Schroeder

  • This is the config I had/have on the switch, updated with the interface I want to monitor and the source IP of the new Netflow Analyzer. I have a feeling I'm getting tripped up on the ip flow-export source line; the documentation did not make this clear. Right now I have it set as the interface I want monitored.

    flow record <record name>
     match ipv4 tos
     match ipv4 protocol
     match ipv4 source address
     match ipv4 destination address
     match transport source-port
     match transport destination-port
     collect counter bytes
     collect counter packets

    flow exporter <exporter name>
     destination <netflow analyzer IP>
     transport udp 2055

    flow monitor <monitor name>
     description Original Netflow captures
     record ipv4
     exporter <exporter name>

    interface <interface to be monitored>
     ip flow ingress
     ip flow egress

    ip flow-export source <interface; still not clear exactly what this is for>
    ip flow-export version 5
    ip flow-export destination <netflow analyzer address> 2055

    ip flow-top-talkers
     top 10
     sort-by bytes

  • The "ip flow-export source" line tells the 3750x what IP address it should include as the "from" or "sender", when sending to your Solarwinds NTA poller. For example, if you only have one IP address on the switch, and it's loopback0, then you'd say "ip flow-export source loopback0" on this line.

    If your 3750x has multiple IP addresses, always use the interface with the IP address that's being monitored by Network Traffic Analyzer for the "ip flow-export source".  It helps Solarwinds NPM and NTA keep everything aligned nicely when you use the same monitoring address that NPM knows about, for the source interface in NTA.

    If you don't do this, you'll be monitoring your switch in NPM with one IP address, and the switch will be sending Netflow information to NTA from an interface with a different IP address than the one NPM already is monitoring.  This will create an alert, and you'll be recommended to either add the new Netflow-associated IP address as an entirely new node (wasting license count and server resources), or you can simply change the "ip flow-export source" line to reference the Interface with an IP address that NPM monitors.
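
A collector-side check for the export source described above, as an added example that is not part of the original thread and is not SolarWinds code: it parses NetFlow v5 datagrams arriving on UDP 2055 and reports whether the sender address is the one the collector polls. The function names, the sample addresses and the constructed datagram are assumptions for illustration.

```python
import socket
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

def parse_v5(datagram):
    """Return (flow_sequence, flows) for one NetFlow v5 export datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count, _, _, _, seq, _, _, _ = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"export version {version}, expected 5")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length does not match the header's record count")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "in_if": f[3], "out_if": f[4], "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return seq, flows

def check_export(sender_ip, datagram, monitored_ip):
    """Parse a datagram and flag whether it came from the polled address."""
    seq, flows = parse_v5(datagram)
    return {"source_matches": sender_ip == monitored_ip, "sequence": seq, "flows": flows}

def build_sample():
    """Constructed datagram: one TCP flow 192.0.2.10:51512 -> 198.51.100.7:443."""
    header = V5_HEADER.pack(5, 1, 360000, 1700000000, 0, 42, 0, 0, 0)
    record = V5_RECORD.pack(IPv4Address("192.0.2.10").packed,
                            IPv4Address("198.51.100.7").packed, bytes(4), 3, 7, 12, 9000,
                            350000, 359000, 51512, 443, 0, 0x1B, 6, 0, 0, 0, 24, 24, 0)
    return header + record

def listen(monitored_ip, port=2055):
    """Print every export received on the collector and whether its source matches."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (sender, _) = sock.recvfrom(65535)
            try:
                print(sender, check_export(sender, data, monitored_ip))
            except ValueError as err:
                print(sender, "not NetFlow v5:", err)
```

Calling `listen("<address the collector polls>")` on the collector while the analyzer is stopped shows whether exports are arriving at all; if nothing prints, the datagrams are not reaching UDP 2055 on that machine.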

  • rschroeder, that makes more sense than what I read. When I ran the ip flow-export source command I couldn't put in an address specifically; I had to put in an interface, so I used the interface I ssh into the switch on. That didn't work, unfortunately; when I open up netflow analyzer I still get no flow type next to any of the interfaces.

    I've also been working on getting the netflow configurator working. When I try to connect to my device using my read only SNMP community string, the software says I need a read/write community string to continue. I created a read/write SNMP community string, tried that in the software, it says cannot connect to device. Not sure what the issue is there either.
