I have a lot of sFlow data being collected from Extreme switches. I just recently set up one of our BSd-based routers (pfSense) to export NetFlow data. However, NTA does not display any of the info and seems to act like it is ignoring all packets being sent to it from this router. I have used Wireshark to look at what is coming into the server, and I do see the flow packets coming on the correct port (2055), and that port is added to the NAT config. So, I am looking for help is seeing if there is an issue with the format of the packets coming from the router (pfSense running softflowd). And if not, then any other ideas?
Screenshots of Wireshark captures:
Thanks in advance.
Solved! Go to Solution.
I have a similar problem to the one shown here. We have a network of 3750 switches that won't do NetFlow, so we set up SPAN ports and pushed the traffic to a Linux box. The Linux box is using SoftFlowd to format the NetFlow stream and send it to my Orion NTA server. When I run a WireShark capture, I get something similar to what you see above - the source/destination IPs and ports are coming through, but the InputInt and OutputInt and ToS show zero.
I'm definitely getting a steady stream of NetFlow data from the Linux box, but NTA doesn't appear to be accepting or processing any of it. Has anyone else run into this situation, and can you suggest a fix?
the issue is, that both InputInterfaceIndex(InputInt) and OutputInterfaceIndex(OutputInt) are zero. If this happend, we can't map traffic to interface managed by Orion and we must drop this traffic.
Hi Andy, sorry for the confusion, the sFlow data I collect from my Extreme switches is fine, other than being able to collect egress traffic only.
The issue I am having is setting up the FreeBSD-based pfSense routers to send properly formatted NetFlow data.
There is a config option - it appears as though I can only enable it for one interface at a time. My config has one physical interface hosting numerous VLANs, so I tried enabling it first for the physical interface that hosts the VLANs, and then for a single logical VLAN interface. Either way, using v5, I would end up with the data showing zero as the input and output interface ID's as noted above. When I change to v9 I get the info shown above. Using Wireshark I do see the packets referencing the correct traffic cross the interface (physical or VLAN), but something is not agreeing with NTA.
And in that regard, I have no idea how to make the add-on package send out what it should. I haven't found much info on getting these packages to work well, and I have never found any info from anyone that was able to get something working with Orion (only other collectors).
I am doing some reading on nProbe right now. Is there a particular configuration you would recommend? I am trying to use NTA to collect all of the traffic flowing into this router - again, it all comes into via a single physical interface from an Extreme switch, that only supports sFlow. On this interface there is a pretty steady 10-15 Mbps outbound (to the network) and 5-10 Mbps inbound (to the router/Internet) - roughly 500+ wireless Internet customers. I am very willing to put a 2-port stand-alone box inline for this.
Thanks again for the info. Much appreciated.
Actually, that may just be my answer. More simple than you think.... I hope. Just by using the port-mirroring, I should be able to configure my switch to output all traffic to a single interface. Then, if possible, I can have the switch export the flow data for that port (not sure if it will do this on a mirror interface). Since sFlow sample egress data only, this is what I need. I can simply connect that interface to a dead-end node to bring it up. Again, the only thing I need to verify is if the Extreme XOS will allow me to configure sFlow on a mirrored destination port...
Thanks a bunch qle!!! I will update here a little later once I try it....
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process. Learn more today by joining now.