
SolarWinds Netflow not showing Interfaces on my Core Switch


Dear All,

I hope you guys can help me out with this one. I've set up Netflow on my Solarwinds. So far it actually looks like it is receiving some information on my Portal. Solarwinds came up fine telling me "NetFlow Receiver Service [XXXXXX] is receiving Netflow NetFlow data from an unmonitored interface. The Interface GigabitEthernet1/0/10 on XXXXXX is being added to NetFlow sources." I manually marked all the interfaces (from 1/0/8 - 1/0/24) and it started to grab information.

The Switch is our Core Switch and the Ports I've added the Flow Monitor on are the UPLINKs for my Distribution Switches.

Here is my Switch Config (Cisco WS-3850):

flow record NetFlow-to-Orion
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
!
!
flow exporter NetFlow-to-Orion
 destination 172.16.1.135
 transport udp 2055
!
!
flow monitor NetFlow-to-Orion
 exporter NetFlow-to-Orion
 cache timeout active 60
 record NetFlow-to-Orion

--------------------------------------------------------------

interface GigabitEthernet1/0/8
 ip flow monitor NetFlow-to-Orion input
!
interface GigabitEthernet1/0/10
 ip flow monitor NetFlow-to-Orion input
!
interface GigabitEthernet1/0/12
 ip flow monitor NetFlow-to-Orion input
!
interface GigabitEthernet1/0/14
 ip flow monitor NetFlow-to-Orion input
!
interface GigabitEthernet1/0/16
 ip flow monitor NetFlow-to-Orion input
!
interface GigabitEthernet1/0/18
 ip flow monitor NetFlow-to-Orion input
!
interface GigabitEthernet1/0/20
 ip flow monitor NetFlow-to-Orion input
!
interface GigabitEthernet1/0/22
 ip flow monitor NetFlow-to-Orion input
!
interface GigabitEthernet1/0/24
 ip flow monitor NetFlow-to-Orion input

My problem is - I can't expand my NetFlow Sources - it just doesn't show the interfaces I've added?


I did make sure that the NetFlow is set as well.

What am I missing here? Let me know if you need any additional information?

Thanks guys!

0 Kudos
1 Solution

You bet –

In your flow exporter statement, add the following line:

source Loopback1

I hope this fixes your issue.

Ken

Kenneth W. Cohen

Network Analyst

Global Technical Services, IT

Office: 470-448-5870

Mobile: 678-428-9875

kenneth.cohen@hyh.com

Halyardhealth.com


8 Replies

If you're not using a Loopback address to manage the device, you'll need to tell the switch which interface to use when sending outbound Netflow traffic.  Loopbacks are preferred for reliability and flexibility--especially for devices that may have more than one path into them, such as a triangular-shaped WAN, where a particular router might be accessed via several external interfaces.

A Loopback address allows access into the device from any interface, which is convenient when the interface you might ordinarily access happens to be down due to a WAN failure on one leg.  Other WAN legs to that device might be up, and the Loopback address is available through them.

Managing from an SVI or sub-interface can be done, but it doesn't have the higher availability and flexibility of a Loopback interface.

If you don't have a Loopback interface built, and don't want to build one, simply tell the device to send Netflow data out the SVI or sub-interface you use to manage the device.

Later, review the topic of Loopback interfaces and create an addressing scheme for your network that leverages the security and flexibility of Loopbacks, and then start building them and using them for monitoring and management of your gear.  Management traffic from your device should all reference the loopback address once it's built.  Typically traffic you'd tell the device to source to or from the Loopback includes ssh, ntp, syslog, traps, Netflow, tacacs and/or radius traffic, mls flow, wccp--and more.

Level 8

I agree with Ken.  We usually use Lo0 in our environment as the management interface for our Cisco devices.  Then source the flows from the Loopback interface using the source Loopback0 command. It's important for SolarWinds (any Netflow receiver, actually) that the Flow Source is the same IP address that is used to monitor the node.

HTH!

0 Kudos
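The replies above come down to one check: every flow exporter should name a source interface, and that interface's address should be the one the collector uses to monitor the node. The following is an added example, not part of the original thread, that audits running-config text for this; the function names, the finding codes, and the Loopback1 address 192.0.2.1 are hypothetical.

```python
import re

def parse_blocks(config):
    """Split IOS running-config text into {top-level line: [sub-commands]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and current is not None:
            blocks[current].append(line.strip())
        elif not line[0].isspace():
            current = line.strip()
            blocks[current] = []
    return blocks

def interface_ip(blocks, name):
    """Primary IPv4 address of an interface, or None if it has none."""
    for cmd in blocks.get("interface " + name, []):
        m = re.fullmatch(r"ip address (\d+(?:\.\d+){3}) \d+(?:\.\d+){3}", cmd)
        if m:
            return m.group(1)
    return None

def audit_exporters(config, monitored_ip):
    """Return {exporter name: finding} for every flow exporter in config."""
    blocks, findings = parse_blocks(config), {}
    for header, cmds in blocks.items():
        if not header.startswith("flow exporter "):
            continue
        name = header[len("flow exporter "):]
        src = next((c.split()[1] for c in cmds if c.startswith("source ")), None)
        if src is None:
            findings[name] = "NO_SOURCE"            # address follows egress interface
        elif "interface " + src not in blocks:
            findings[name] = "SOURCE_IF_UNDEFINED"  # e.g. Loopback never created
        elif interface_ip(blocks, src) != monitored_ip:
            findings[name] = "SOURCE_IP_MISMATCH"   # collector cannot map flows to node
        else:
            findings[name] = "OK"
    return findings

# Constructed samples: BEFORE is the exporter as posted; AFTER adds a placeholder Loopback1.
BEFORE = "flow exporter NetFlow-to-Orion\n destination 172.16.1.135\n transport udp 2055\n"
AFTER = "interface Loopback1\n ip address 192.0.2.1 255.255.255.255\n!\n" + BEFORE + " source Loopback1\n"

if __name__ == "__main__":
    print(audit_exporters(BEFORE, "192.0.2.1"))
    print(audit_exporters(AFTER, "192.0.2.1"))
```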
Level 7

Anyone?

0 Kudos

I think you're missing a Source definition in your exporter statement. For example, we use "Loopback 1" to ensure correct identification of every device in our monitoring.

0 Kudos

Hey Ken_cohen,

Thanks for getting back. Can you provide me with the configuration of that? So I can set it up using Loopback 1?

0 Kudos


Hey Ken,

Sorry, but I was trying the statement you provided me with after I checked this as answered - but hopefully you will take a quick look and maybe let me know what's wrong here:

C3850(config-flow-exporter)#source Loopback ?
  <0-2147483647>  Loopback interface number
C3850(config-flow-exporter)#source Loopback 1
% Invalid input detected at '^' marker.
C3850(config-flow-exporter)#source Loopback ?
  <0-2147483647>  Loopback interface number
C3850(config-flow-exporter)#source Loopback in
C3850(config-flow-exporter)#source Loopback 1
C3850(config-flow-exporter)#source Loopback 1?
<0-2147483647>
C3850(config-flow-exporter)#source Loopback1
C3850(config-flow-exporter)#source Loopback1
% Invalid input detected at '^' marker.
C3850(config-flow-exporter)#source Loopback 1
% Invalid input detected at '^' marker.
C3850(config-flow-exporter)#

0 Kudos

Do you have a Loopback defined on the device? My apologies, I assumed you do as that’s how it is usually done in Cisco land…

Kenneth W. Cohen


0 Kudos