8 Replies Latest reply on Dec 9, 2016 11:38 AM by rschroeder

    SolarWinds Netflow not showing Interfaces on my Core Switch

    yoinkz

      Dear All,

       

      I hope you guys can help me out with this one. I've set up Netflow on my Solarwinds. So far it actually looks like it is receiving some information on my Portal. Solarwinds came up fine telling me "NetFlow Receiver Service [XXXXXX] is receiving Netflow NetFlow data from an unmonitored interface. The Interface GigabitEthernet1/0/10 on XXXXXX is being added to NetFlow sources." I manually marked all the interfaces (from 1/0/8 - 1/0/24) and it started to grab information.

      The Switch is our Core Switch and the Ports I've added the Flow Monitor on are on the UPLINK for my Distribution Switches.

       

      Here is my Switch Config (Cisco WS-3850):

       

      flow record NetFlow-to-Orion
       match ipv4 tos
       match ipv4 protocol
       match ipv4 source address
       match ipv4 destination address
       match transport source-port
       match transport destination-port
       match interface input
       collect interface output
       collect counter bytes long
       collect counter packets long
      !
      !
      flow exporter NetFlow-to-Orion
       destination 172.16.1.135
       transport udp 2055
      !
      !
      flow monitor NetFlow-to-Orion
       exporter NetFlow-to-Orion
       cache timeout active 60
       record NetFlow-to-Orion
      ! --------------------------------------------------------------
      interface GigabitEthernet1/0/8
       ip flow monitor NetFlow-to-Orion input
      !
      interface GigabitEthernet1/0/10
       ip flow monitor NetFlow-to-Orion input
      !
      interface GigabitEthernet1/0/12
       ip flow monitor NetFlow-to-Orion input
      !
      interface GigabitEthernet1/0/14
       ip flow monitor NetFlow-to-Orion input
      !
      interface GigabitEthernet1/0/16
       ip flow monitor NetFlow-to-Orion input
      !
      interface GigabitEthernet1/0/18
       ip flow monitor NetFlow-to-Orion input
      !
      interface GigabitEthernet1/0/20
       ip flow monitor NetFlow-to-Orion input
      !
      interface GigabitEthernet1/0/22
       ip flow monitor NetFlow-to-Orion input
      !
      interface GigabitEthernet1/0/24
       ip flow monitor NetFlow-to-Orion input

       

      My problem is - I can't expand my NetFlow Sources - it just doesn't show the interfaces I've added?

      I did make sure that the NetFlow is set as well.

       

      What am I missing here? Let me know if you need any additional information.

       

      Thanks guys!

        • Re: SolarWinds Netflow not showing Interfaces on my Core Switch
          scubadvr

          I agree with Ken.  We usually use Lo0 in our environment as the management interface for our Cisco devices.  Then source the flows from the Loopback interface using the source Loopback0 command. It's important for SolarWinds (any Netflow receiver, actually) that the Flow Source is the same IP address that is used to monitor the node.

           

          HTH!

          • Re: SolarWinds Netflow not showing Interfaces on my Core Switch
            rschroeder

            If you're not using a Loopback address to manage the device, you'll need to tell the switch which interface to use when sending outbound Netflow traffic.  Loopbacks are preferred for reliability and flexibility--especially for devices that may have more than one path into them, such as a triangular-shaped WAN, where a particular router might be accessed via several external interfaces.

             

             

            A Loopback address allows access into the device from any interface, which is convenient when the interface you might ordinarily access happens to be down due to a WAN failure on one leg.  Other WAN legs to that device might be up, and the Loopback address is available through them.

             

             

            Managing from an SVI or sub-interface can be done, but it doesn't have the higher availability and flexibility of a Loopback interface.

             

             

            If you don't have a Loopback interface built, and don't want to build one, simply tell the device to send Netflow data out the SVI or sub-interface you use to manage the device.

             

             

            Later, review the topic of Loopback interfaces and create an addressing scheme for your network that leverages the security and flexibility of Loopbacks, and then start building them and using them for monitoring and management of your gear.  Management traffic from your device should all reference the loopback address once it's built.  Typically traffic you'd tell the device to source to or from the Loopback includes ssh, ntp, syslog, traps, Netflow, tacacs and/or radius traffic, mls flow, wccp--and more.
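
The replies above come down to one check: the address a flow exporter sends from must be the address the collector polls the node by. The following is an added example, not code from the thread or from SolarWinds, that audits an IOS-style config for that condition; the function names, `Loopback0` and the 10.255.0.1 address are assumptions made for illustration.

```python
import re

# Constructed sample: Loopback0 and its address are assumptions, not from the thread.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
flow exporter NetFlow-to-Orion
 destination 172.16.1.135
 transport udp 2055
"""

def parse_sections(config):
    """Group indented sub-commands under their top-level IOS command."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def audit_exporters(config, managed_ip):
    """Map each flow exporter to a finding about its export source address."""
    sections = parse_sections(config)
    iface_ip = {}
    for head, body in sections.items():
        m = re.match(r"interface (\S+)$", head)
        for cmd in body if m else []:
            ip = re.match(r"ip address (\S+) \S+$", cmd)
            if ip:
                iface_ip[m.group(1).lower()] = ip.group(1)
    findings = {}
    for head, body in sections.items():
        m = re.match(r"flow exporter (\S+)$", head)
        if not m:
            continue
        src = next((c.split()[1] for c in body if c.startswith("source ")), None)
        if src is None:
            findings[m.group(1)] = "no source: address follows the egress interface"
        elif iface_ip.get(src.lower()) != managed_ip:
            findings[m.group(1)] = f"source {src} is not the polled address {managed_ip}"
        else:
            findings[m.group(1)] = "ok"
    return findings

print(audit_exporters(SAMPLE_CONFIG, "10.255.0.1"))
```

Run against the exporter as posted, it reports the missing `source` line; adding `source Loopback0` under the exporter and polling the node at that loopback address turns the finding into `ok`.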