
Cisco 4500X switch & Flexible Netflow

Hi,

We have 2 x Cisco 4500X switches running in VRRP mode; we think we have Flexible NetFlow configured properly, but NTA is not receiving any flows. Has anybody had a similar issue?

Config on the switch looks like this.

flow record FR1
 match ipv4 source address
 match ipv4 destination address
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
!
flow exporter FE1
 destination 10.71.4.115
 source Vlan7
 transport udp 2055
!
!
flow monitor FM1
 exporter FE1
 cache timeout inactive 30
 cache timeout active 60
 cache entries 1000
 record FR1
!
interface TenGigabitEthernet2/1/21
 description router_x 5/0/1
 no switchport
 ip flow monitor FM1 input
 ip address x.x.x.x 255.255.255.252
 ip pim sparse-mode

  • Here is the recommended configuration for the 4500: Example NetFlow Config - Cisco 4500 Sup7 - SolarWinds Worldwide, LLC. Help and Support

    Also, have you verified with a packet capture that the data is actually reaching the Orion server?

    !
    flow record ipv4
     ! match ipv4 tos
     match ipv4 protocol
     match ipv4 destination address
     match transport source-port
     match transport destination-port
     match interface input
     collect interface output
     collect counter bytes
     collect counter packets
    !
    flow exporter NetFlow-to-Orion
     destination 10.10.10.10
     source vlan254 (interface with which Orion is managing the device)
     transport udp 2055 (Orion's collection port)
     export-protocol netflow-v5
    !
    flow monitor NetFlow-Monitor
     description Original Netflow captures
     record ipv4
     exporter NetFlow-to-Orion
     cache timeout inact 10
     cache timeout act 5
    !
    interface vlan254
     ip flow monitor NetFlow-Monitor input
    !
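The reply above asks whether a packet capture shows flow data actually arriving at the Orion server. A quick way to answer that, and to see what a v5 export contains, is a small collector of your own on the NTA host (with NTA stopped so UDP 2055 is free). The following is an added example written for this thread, not SolarWinds NTA or Cisco code. It decodes NetFlow v5 datagrams, checks each one's length against the record count in its header (NetFlow is unauthenticated UDP, so a collector must not trust the header blindly), and drops datagrams from exporter addresses it does not expect, which is the same reason the `source Vlan7` line matters: the collector sees every flow as coming from that interface's address. The exporter address 10.71.7.1 (assumed to be Vlan7's address), the flow values and the two-record sample packet are constructed assumptions for offline testing; only the v5 wire format is real.

```python
"""Decode and validate NetFlow v5 datagrams the way a collector should.

Added example for this thread, not SolarWinds NTA or switch code. The exporter
address 10.71.7.1 and the sample flows are constructed test data.
"""
import socket
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format: 24-byte header, then up to 30 fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


def decode_v5(datagram: bytes) -> dict:
    """Parse one v5 datagram; raise ValueError on anything malformed.

    The length check rejects truncated or padded packets before any record is
    read, so a bad `count` in the header cannot drive reads past the buffer.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, _nsecs, flow_seq,
     _engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    if not 1 <= count <= V5_MAX_RECORDS:
        raise ValueError(f"bad record count {count}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram length does not match record count")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "input_if": in_if, "output_if": out_if,
            "packets": pkts, "bytes": octets,
            "first": first, "last": last,  # sys-uptime milliseconds, as the record collects
            "sport": sport, "dport": dport, "proto": proto,
            "tos": tos, "tcp_flags": tcp_flags,
        })
    return {"sys_uptime": sys_uptime, "unix_secs": unix_secs,
            "flow_sequence": flow_seq, "engine_id": engine_id,
            "sampling": sampling, "flows": flows}


def accept(datagram: bytes, exporter_ip: str, allowed: frozenset) -> dict:
    """Gate on the UDP source address (the exporter's `source` interface) before decoding."""
    if exporter_ip not in allowed:
        raise PermissionError(f"flow datagram from unexpected exporter {exporter_ip}")
    return decode_v5(datagram)


def build_v5_sample() -> bytes:
    """Construct a two-record datagram as a switch would emit it (test data, not a capture)."""
    header = V5_HEADER.pack(5, 2, 360_000, 1_700_000_000, 0, 100, 0, 0, 0)
    recs = [
        # TCP 10.71.7.50:51000 -> 198.51.100.10:443, 12 packets / 4321 bytes, PSH|ACK
        (IPv4Address("10.71.7.50").packed, IPv4Address("198.51.100.10").packed,
         IPv4Address("10.71.7.1").packed, 7, 21, 12, 4_321, 355_000, 359_000,
         51000, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0),
        # UDP 10.71.7.51:5353 -> 10.71.4.115:53, one 80-byte packet
        (IPv4Address("10.71.7.51").packed, IPv4Address("10.71.4.115").packed,
         IPv4Address("10.71.7.1").packed, 7, 21, 1, 80, 358_500, 358_500,
         5353, 53, 0, 0, 17, 0, 0, 0, 24, 24, 0),
    ]
    return header + b"".join(V5_RECORD.pack(*r) for r in recs)


def serve(port: int = 2055, allowed: frozenset = frozenset({"10.71.7.1"}),
          max_packets: int = 0) -> int:
    """Bind the collector port and decode what arrives; returns accepted datagrams.

    Run this on the NTA host to prove flows reach it at all: if nothing prints,
    the problem is on the switch or in the path, not in NTA.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    seen = accepted = 0
    while not max_packets or seen < max_packets:
        data, (src_ip, _) = sock.recvfrom(65535)
        seen += 1
        try:
            pkt = accept(data, src_ip, allowed)
        except (ValueError, PermissionError) as err:
            print(f"rejected datagram from {src_ip}: {err}")
            continue
        accepted += 1
        for f in pkt["flows"]:
            print(f"{src_ip} seq={pkt['flow_sequence']} {f['src']}:{f['sport']} -> "
                  f"{f['dst']}:{f['dport']} proto={f['proto']} bytes={f['bytes']}")
    return accepted


if __name__ == "__main__":
    serve()
```

The allowlist is the counterpart of the exporter's `source` interface: whatever address that interface carries is the address the collector keys the flows on, so the exporter's source interface needs an address the collector knows about, and a firewall in the path has to pass UDP 2055 from exactly that address.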

  • I posted the same last week. This has been killing me. I've engaged Cisco TAC and our SE just to make sure everything looks good on the Cisco end. Hoping someone here has an answer for us.

  • Can you verify with a PCAP that flow data is reaching the NTA server? If so, do you think you could provide a PCAP for us to review so we can see what's going on with the data?

  • I have run a capture and see no NetFlow traffic reaching the server. This leads me to believe it's an issue with the config on the 4500X, which is why I am currently investigating with Cisco.

  • I am running my core on a pair of 4500-Xs in VSS mode and am getting the NetFlow to my Orion server. Mine are running cat4500e-universalk9.SPA.03.06.03.E.152-2.E3.bin, and the NetFlow config is as follows:

    flow record ipv4
     match ipv4 protocol
     match ipv4 source address
     match ipv4 destination address
     match transport source-port
     match transport destination-port
     match interface input
     collect interface output
     collect counter bytes
     collect counter packets
    !
    !
    flow exporter Orion
     destination 172.x.x.x
     source Vlan250
     transport udp 2055
     export-protocol netflow-v5
    !
    !
    flow monitor NetFlow-Mon
     exporter Orion
     cache timeout inactive 10
     cache timeout active 5
     record ipv4
    !
    vlan configuration 5,10,15,100
     ip flow monitor NetFlow-Mon input

  • I used this configuration on my 4507s. I modified the VLAN, interface and IP to reflect my network. I get the following from the sh flow exporter command:

    Flow Exporter NetFlow-to-Orion:
      Description:              User defined
      Export protocol:          NetFlow Version 5
      Transport Configuration:
        Destination IP address: 10.67.41.232
        Source IP address:      10.67.40.1
        Source Interface:       Vlan1
        Transport Protocol:     UDP
        Destination Port:       6343
        Source Port:            51809
        DSCP:                   0x0
        TTL:                    255
        Output Features:        Not Used

    and this from the sh flow monitor command:

    Flow Monitor NetFlow-Monitor:
      Description:       Original Netflow captures
      Flow Record:       ipv4
      Flow Exporter:     NetFlow-to-Orion (inactive)
      Cache:
        Type:                 normal
        Status:               allocated
        Size:                 4096 entries / 245776 bytes
        Inactive Timeout:     10 secs
        Active Timeout:       5 secs
        Update Timeout:       1800 secs
        Synchronized Timeout: 600 secs

    I am still not seeing anything on the server.
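The two show outputs above are the right place to look before anything else: they report the destination port the exporter is actually using and whether the monitor considers its exporter active, and both can be compared mechanically against what the collector expects (the recommended config earlier in the thread sends to UDP 2055). The following is an added example written for this thread, not SolarWinds or Cisco code. It parses `show flow exporter` and `show flow monitor` text in the layout posted above and returns the mismatches to clear before a TAC case. The two sample outputs are constructed to mirror the posted ones; the collector address and port (10.67.41.232, UDP 2055) are assumptions.

```python
"""Cross-check a Flexible NetFlow exporter's show output against the collector.

Added example for this thread, not SolarWinds or Cisco code. The sample outputs
below are constructed to mirror the ones posted in the thread.
"""
import re

# Constructed sample modelled on the posted `show flow exporter` output.
SAMPLE_EXPORTER = """\
Flow Exporter NetFlow-to-Orion:
  Description:              User defined
  Export protocol:          NetFlow Version 5
  Transport Configuration:
    Destination IP address: 10.67.41.232
    Source IP address:      10.67.40.1
    Source Interface:       Vlan1
    Transport Protocol:     UDP
    Destination Port:       6343
    Source Port:            51809
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Not Used
"""

# Constructed sample modelled on the posted `show flow monitor` output.
SAMPLE_MONITOR = """\
Flow Monitor NetFlow-Monitor:
  Description:       Original Netflow captures
  Flow Record:       ipv4
  Flow Exporter:     NetFlow-to-Orion (inactive)
  Cache:
    Type:                 normal
    Status:               allocated
    Size:                 4096 entries / 245776 bytes
    Inactive Timeout:     10 secs
    Active Timeout:       5 secs
"""

# 'Key:   value' lines; headings such as 'Cache:' carry no value and do not match.
KV = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s+(\S.*?)\s*$")


def parse_kv_block(text: str) -> dict:
    """Turn the key/value lines of IOS show output into a dict."""
    out = {}
    for line in text.splitlines():
        m = KV.match(line)
        if m:
            out[m.group(1).strip()] = m.group(2)
    return out


def exporter_name(text: str) -> str:
    """Name from the 'Flow Exporter <name>:' heading of `show flow exporter`."""
    m = re.search(r"^Flow Exporter (\S+):", text, re.M)
    return m.group(1) if m else ""


def check_exporter(exporter_text: str, monitor_text: str,
                   collector_ip: str, collector_port: int = 2055) -> list:
    """Return human-readable findings; an empty list means the switch side is consistent."""
    exp = parse_kv_block(exporter_text)
    mon = parse_kv_block(monitor_text)
    findings = []
    dest = exp.get("Destination IP address")
    if dest != collector_ip:
        findings.append(f"destination {dest} is not the collector {collector_ip}")
    port = exp.get("Destination Port")
    if port != str(collector_port):
        findings.append(f"destination port {port} does not match the collector's "
                        f"listening port {collector_port}")
    if exp.get("Transport Protocol") != "UDP":
        findings.append(f"transport is {exp.get('Transport Protocol')}, expected UDP")
    src = exp.get("Source IP address", "")
    if src in ("", "0.0.0.0"):
        findings.append("exporter has no usable source address; put an IP on the source interface")
    # The monitor names the exporter it feeds and flags it '(inactive)' when it is not exporting.
    bound = mon.get("Flow Exporter", "")
    name = exporter_name(exporter_text)
    if bound.replace(" (inactive)", "") != name:
        findings.append(f"monitor is bound to exporter '{bound}', not '{name}'")
    if "(inactive)" in bound:
        findings.append("monitor reports its exporter inactive: confirm the monitor is applied "
                        "with 'ip flow monitor <name> input' and that the exporter's destination "
                        "is reachable from its source interface")
    return findings


if __name__ == "__main__":
    for finding in check_exporter(SAMPLE_EXPORTER, SAMPLE_MONITOR, "10.67.41.232") or ["ok"]:
        print(finding)
```

Against the constructed sample this reports two findings: the exporter sends to port 6343 while the collector listens on 2055, and the monitor marks the exporter inactive. The regex is tuned to the IOS layout shown in the thread; other platforms print slightly different key names and would need it adjusted.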

  • Do you have an IP address on your source interface (Vlan7)? I would verify that the switch has reachability from this interface to Orion.

    Also, for giggles, I would check to make sure the Orion server's firewall and any network firewall in the way are not blocking UDP 2055.

    HTH

  • OK, I've finally got this working. It required a code upgrade and the config below. The code version I am using is the current recommended one: cat4500e-universal.SPA.03.06.04.E.152-2.E4.bin. A little background on my setup: this is a pair of 4500X switches running in VSS mode. They are the edge of a small office and connect over a WAN to reach the Orion server.

    Here is the full config:

    flow record NTArecord
     match ipv4 tos
     match ipv4 protocol
     match ipv4 source address
     match ipv4 destination address
     match transport source-port
     match transport destination-port
     match interface input
     collect interface output
     collect counter bytes
     collect counter packets
     collect timestamp sys-uptime first
     collect timestamp sys-uptime last
    !
    !
    flow exporter NTAexport
     destination x.x.x.x (Orion Server)
     source Loopback0
     transport udp 2055
     export-protocol netflow-v5
    !
    !
    flow monitor NTAmonitor
     description NetflowToOrion
     exporter NTAexport
     cache timeout inactive 10
     cache timeout active 5
     record NTArecord

    (I went back and forth adding and removing these lines. Cisco says they weren't required because I was trying to collect flow on my WAN interface, but if I remove them I get no flow data.)

    vlan configuration 227
     ip flow monitor NTAmonitor input

    On my WAN interface:

    interface TenGigabitEthernet2/1/3
     ip flow monitor NTAmonitor input

  • Cheers, working well now. Thank you.