cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 7

How do I configure NetFlow on a Cisco Catalyst 9200?

I have done this on my HP systems, and even on the Nexus. But for the Catalyst 9200 series I cannot figure out how to do this.

jreves​ I met up with adatole​ at VMWorld and he said if anybody knew, it would be you!

0 Kudos
7 Replies
Highlighted
Level 15

Re: How do I configure NetFlow on a Cisco Catalyst 9200?

Here are some examples for a Catalyst 6500 and 7600 that might be a good a starting point.

Enable NetFlow on Catalyst 6500 and 7600 series

0 Kudos
Highlighted
Level 7

Re: How do I configure NetFlow on a Cisco Catalyst 9200?

Neomatrix1217, unfortunately those commands do not work on the Catalyst 9200 series switches (I am using 9200L) . For starters, the "ip flow ingress" command isn't supported on these switches and it looks like only "flexible netflow" is what's supported. As a result, I tried following these guides:

Success Center

How to Configure NetFlow for Cisco Routers and Switches Running IOS - YouTube

Here are the details of the switches:

Cisco IOS XE Software, Version 16.11.01

Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT9K_LITE_IOSXE), Version 16.11.1, RELEASE SOFTWARE (fc3)

Model Number                       : C9200L-24P-4G

Here is the current NetFlow configuration:

flow record SolarwindsNetflow

match ipv4 source address

match ipv4 destination address

match ipv4 protocol

match transport source-port

match transport destination-port

match ipv4 tos

match interface input

collect interface output

collect counter bytes long

collect counter packets long

flow exporter SolarwindsNetflow

destination *destination* vrf Mgmt-vrf

source GigabitEthernet0/0

transport udp 2055

template data timeout 60

flow monitor SolarwindsNetflow

exporter SolarwindsNetflow

cache timeout inactive 10

cache timeout active 5

record SolarwindsNetflow

interface GigabitEthernet1/0/1

description Fortinet-A port 3

switchport access vlan *vlan*

switchport mode access

ip flow monitor SolarwindsNetflow input

interface GigabitEthernet1/0/2

description Fortinet-A port 2

switchport access vlan *vlan*

switchport mode access

ip flow monitor SolarwindsNetflow input

With the above setup, I see data being exported successfully, however nothing shows up in NTA:

flx-edge#show flow exporter statistics

Flow Exporter SolarwindsNetflow:

  Packet send statistics (last cleared 00:53:47 ago):

    Successfully sent:         5897                  (8422214 bytes)

  Client send statistics:

    Client: Flow Monitor SolarwindsNetflow

      Records added:           203952

        - sent:                203952

      Bytes added:             8422214

        - sent:                8422214

I don't know what's missing but I have also seen this:

----------------------------------------------

IOS-XE Netflow Config to NTA?

Here's my ASR Netflow config, which works with NTA.  Note, netflow from management vrf on ASR seems to work, whereas it does not work on 4300 ISR routers.

-----------------------------------------------

This makes me wonder if there is also a vrf issue on the 9200 Catalyst devices.

0 Kudos
Highlighted
Level 15

Re: How do I configure NetFlow on a Cisco Catalyst 9200?

OK then you can use wireshark and see if the data is getting to Orion.

Success Center  - WireShark    

0 Kudos
Highlighted

Re: How do I configure NetFlow on a Cisco Catalyst 9200?

Here is a post from Cisco on it:

Network Management Configuration Guide, Cisco IOS XE Gibraltar 16.10.x (Catalyst 9200 Switches) - Co...

Note the "Prerequisites" which say you must configure a source interface and such.   I'd recommend making sure you can ping the Solarwinds server using whatever source interface and VRF you do it from also!   Personally I wouldn't use the Management VRF for this, but instead a loopback, but if routing is set up right and you can ping sourcing that interface it should work.   Actually, I take that back, another restriction says "Flexible NetFlow export is not supported on the Ethernet management port, GigabitEthernet 0/0.", so don't use it!!  

Also note the restrictions, such as "Flexible Netflow (TNF) is supported only on Cisco TrustSec (CTS) interfaces", never heard this one before, but...   Maybe you need to configure CTS on the interface?   There are other restrictions that hint this isn't the case, ie: they say "on non-CTS interfaces" which implies you can use non-CTS interfaces...

Definitely read through all the restrictions and such!!

0 Kudos
Highlighted
Level 7

Re: How do I configure NetFlow on a Cisco Catalyst 9200?

Thanks for mentioning that the Management VRF won't work as the source so I went ahead and created a loopback interface.

interface Loopback1

ip address *IP*

Then I changed the exporter config to the following:

flow exporter SolarwindsNetflow

destination *IP* vrf Mgmt-vrf

source Loopback1

transport udp 2055

template data timeout 60

 

With that, I still got nothing. I think part of the problem is that anything that's internal has to be navigated through the VRF interface so nothing can be reached without it: This is a perimeter switch so the VRF is in place as a security feature.

ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 *gateway IP*

so even though I set destination IP with the  vrf Mgmt-vrf, I think the Loopback IP not being sourced from vrf is the issue.

I don't see the packets hitting the NTA server with WireShark. Any ideas on what to do here?

0 Kudos
Highlighted

Re: How do I configure NetFlow on a Cisco Catalyst 9200?

You could add the loopback to the management VRF, pay attention to what it says when you do that though, it will probably blow away the IP address configuration on the loopback when you do it.   You'll also have to set up routing for the loopback for the Mgmt-vrf...

Remember that when working with VRF's everything >has< to agree.  ie: if your destination IP is on the Mgmt-vrf, your source interface should be on it too.   That is unless you set up some sort of route leaking between VRF's which it doesn't sound like you want to do...

0 Kudos
Highlighted
Level 7

Re: How do I configure NetFlow on a Cisco Catalyst 9200?

My sincere apologies on wasting your time on this. I came to the realization that both stacks of Catalyst switches we have (we only have 2 stacks) are only working as layer 2 switches with no routing configured. One stack set is for perimeter/edge connected to a a set of Fortigate firewalls and the other set is utilized for DMZ, once again with only layer 2 capabilities. As a result of this, it will make more sense to utilize Netflow on the Fortigate firewalls as they provide the routing.

I thank you for your help regardless. I ended up learning a good bit about VRF and with this knowledge I was able to successfully configure Nexus 9k switches for NetFlow. Sure, NX-OS is a totally different beast but VRF still comes into play there as well.

0 Kudos