IOS-XE Netflow Config to NTA?

Hi Everyone,

I'm having some trouble getting new Cisco 4331 routers sending netflow to NTA. Can anyone take a look at my config and see if you see anything obviously wrong, or offer any tips/pointers? These are outside edge Internet routers, with a management interface with VRF having a private IP. The flow traffic should be coming from an inband interface, Gi0/0/1.10. My firewalls are configured to allow UDP 2055 to flow from the outside source to a NAT to the NTA.

Thanks.

EdgeRouter1#sh run | s flow
flow record ipv4
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes
 collect counter packets
flow exporter NetFlow-to-Orion
 destination X.Y.Z.149
 source GigabitEthernet0/0/1.10
 transport udp 2055
flow monitor Orion-NetFlow-Monitor
 description Original Netflow captures
 exporter NetFlow-to-Orion
 cache timeout inactive 10
 cache timeout active 5
 record ipv4
 ip flow monitor Orion-NetFlow-Monitor input
 ip flow monitor Orion-NetFlow-Monitor input
 ip flow monitor Orion-NetFlow-Monitor input
alias exec shflow show flow mon name Orion-NetFlow-Monitor cache
EdgeRouter1#

EdgeRouter1#sh run | i interface|flow
interface GigabitEthernet0/0/0
 ip flow monitor Orion-NetFlow-Monitor input
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/1.10
 ip flow monitor Orion-NetFlow-Monitor input
interface GigabitEthernet0/0/1.192
 ip flow monitor Orion-NetFlow-Monitor input

EdgeRouter1#sh ver
Cisco IOS XE Software, Version 03.13.02.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(3)S2, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Fri 30-Jan-15 15:19 by mcpre

ROM: IOS-XE ROMMON

EdgeRouter1 uptime is 14 weeks, 5 days, 42 minutes
Uptime for this control processor is 14 weeks, 5 days, 43 minutes
System returned to ROM by reload
System restarted at 08:50:36 EDT Wed May 20 2015
System image file is "bootflash:/isr4300-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin"
Last reload reason: PowerOn

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

11 Replies

Re: IOS-XE Netflow Config to NTA?

PS: NTA 4.1.0


Re: IOS-XE Netflow Config to NTA?

Flow packets will be ignored by Orion NTA if they do not include the following fields in your Flow template:

Field Type       Field Type Number   Description
IN_BYTES         1                   Ingress bytes counter
IN_PKTS          2                   Ingress packets counter
PROTOCOL         4                   Layer 4 protocol
L4_SRC_PORT      7                   Source TCP/UDP port
IPV4_SRC_ADDR    8                   Source IP address
INPUT_SNMP       10                  SNMP ingress interface index
L4_DST_PORT      11                  Destination TCP/UDP port
IPV4_DST_ADDR    12                  Destination IP address
OUTPUT_SNMP      14                  SNMP egress interface index

According to your record configuration, the INPUT_SNMP and OUTPUT_SNMP fields are missing. You need to add these two commands under the record configuration:

flow record ipv4
 match interface input snmp
 match interface output snmp
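The required-field check described in the reply above, as an added example that is not part of the original thread or of NTA itself: it parses the template FlowSet of a NetFlow v9 export packet (the templates are what a collector uses to decode the data records) and reports which of the field types in the table are absent. The sample packets are constructed inside the script; the template IDs and field lengths are assumptions.

```python
import struct

# NTA's required NetFlow v9 field types (from the table above): type number -> name
NTA_REQUIRED_FIELDS = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP",
}

def parse_v9_templates(packet: bytes) -> dict:
    """Return {template_id: [field_type, ...]} for each template FlowSet (ID 0) in a v9 packet."""
    version = struct.unpack("!H", packet[:2])[0]          # 20-byte header: version, count, ...
    if version != 9:
        raise ValueError("not a NetFlow v9 packet (version %d)" % version)
    templates = {}
    offset = 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed FlowSet length at offset %d" % offset)
        end = offset + length
        if flowset_id == 0:                                # template FlowSet; data FlowSets are skipped
            pos = offset + 4
            while pos + 4 <= end:
                template_id, field_count = struct.unpack("!HH", packet[pos:pos + 4])
                pos += 4
                if template_id == 0:                       # zero padding to a 4-byte boundary
                    break
                # each field is a (type, length) pair; only the type matters for this check
                fields = [struct.unpack("!HH", packet[pos + 4 * i:pos + 4 * i + 4])[0]
                          for i in range(field_count)]
                pos += 4 * field_count
                templates[template_id] = fields
        offset = end
    return templates

def missing_nta_fields(field_types) -> list:
    """Names of NTA-required fields the template does not carry (empty list = NTA will accept it)."""
    return [name for num, name in sorted(NTA_REQUIRED_FIELDS.items()) if num not in field_types]

def build_template_packet(template_id: int, fields) -> bytes:
    """Constructed sample exporter packet: v9 header plus one template FlowSet."""
    body = struct.pack("!HH", template_id, len(fields))
    for ftype, flen in fields:
        body += struct.pack("!HH", ftype, flen)
    header = struct.pack("!HHIIII", 9, 1, 0, 0, 1, 0)   # version, count, uptime, secs, seq, source id
    return header + struct.pack("!HH", 0, 4 + len(body)) + body

# Constructed samples as (type, length) pairs: one template lacking the SNMP index fields, one with them
WITHOUT_SNMP = [(4, 1), (8, 4), (12, 4), (7, 2), (11, 2), (1, 4), (2, 4)]
WITH_SNMP = WITHOUT_SNMP + [(10, 2), (14, 2)]
```

Feeding it the UDP payload of a captured export packet (for example saved from Wireshark) gives the same answer as reading the template by hand, which is useful when NTA silently drops flows.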

Re: IOS-XE Netflow Config to NTA?

Hi pseudocyber,

Try the command sh ip flow export to see if the flow export has been set up properly and whether any flows are being exported from the router.


Re: IOS-XE Netflow Config to NTA?

Thanks both of you.

This is working:

RER2#sh run | s flow
flow record ipv4
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect counter bytes long
 collect counter packets long
flow exporter NetFlow-to-Orion
 destination W.X.Y.Z
 source GigabitEthernet0/0/1.10
 transport udp 2055
flow monitor Orion-NetFlow-Monitor
 description Original Netflow captures
 exporter NetFlow-to-Orion
 cache timeout inactive 10
 cache timeout active 5
 record ipv4
flow monitor Orion-Netflow-Monitor
 cache timeout active 120

I added the match interface in|out snmp for good measure.


Re: IOS-XE Netflow Config to NTA?

I see you already resolved it, and I ran across this thread looking for the same information. Here is how I ended up solving it. Your way works too, I just wanted to provide an alternate solution for anybody else who stumbles onto this thread.

flow exporter Solarwinds
 destination x.x.x.x
 source (Interface)
 transport udp 2055
!
!
flow monitor Solarwinds
 exporter Solarwinds
 record netflow-original     (netflow-original is a pre-defined record, so you don't have to customize if you don't want to)
interface GigabitEthernetx/x/x
 ip flow monitor Solarwinds input
 ip flow monitor Solarwinds output


Re: IOS-XE Netflow Config to NTA?

This short version worked great for me on an ASR1001X


Re: IOS-XE Netflow Config to NTA?

Just started working with NTA. I configured the above on a Cisco ASR1004. I do not see any received Netflow on my NTA Summary page. I do have the device and interface defined in NTA but no traffic.


Re: IOS-XE Netflow Config to NTA?

I too am having trouble getting the above to work on my ASR 1002. I've tried both Geoff's and the SW NTA Admin guide template which is essentially what pseudocyber posted.

I've confirmed via Wireshark that the v9 flows I'm sending to NTA contain the right fields. I'm running IOS XE Version 15.4(3)S4.

Anyone see any issues with this config?

flow record custom_flow_record
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match interface input snmp
 match interface output snmp
 collect interface output
 collect counter bytes
 collect counter packets
flow exporter SL-FlowExporter
 destination x.x.x.x vrf Netflow
 source TenGigabitEthernet0/1/0
 transport udp 2055
!
flow monitor SL-FlowMonitor
 description Original Netflow captures
 exporter SL-FlowExporter
 cache timeout inactive 10
 cache timeout active 120
 record custom_flow_record
Int te0/1/0
 ip flow monitor SL-FlowMonitor input
 ip flow monitor SL-FlowMonitor output


Re: IOS-XE Netflow Config to NTA?

Here's my ASR Netflow config, which works with NTA. Note: netflow from the management vrf on the ASR seems to work, whereas it does not work on 4300 ISR routers.

NTA 4.1.0

NPM 11.5.2

ASR 03.13.02.S / 15.4(3)S2

flow record ipv4
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes
 collect counter packets
flow exporter NetFlow-to-Orion
 destination 1.2.3.4 vrf Mgmt-intf
 source GigabitEthernet0
 transport udp 2055
flow monitor Orion-NetFlow-Monitor
 description Original Netflow captures
 exporter NetFlow-to-Orion
 cache timeout inactive 10
 cache timeout active 5
 record ipv4
!
interface Port-channel9
 ip flow monitor Orion-NetFlow-Monitor input
 ip flow monitor Orion-NetFlow-Monitor output
!
interface GigabitEthernet0/0/0
 ip flow monitor Orion-NetFlow-Monitor input
 ip flow monitor Orion-NetFlow-Monitor output
