7 Replies Latest reply on Sep 6, 2019 12:35 PM by esarac

    How do I configure NetFlow on a Cisco Catalyst 9200?

    esarac

      I have done this on my HP systems, and even on the Nexus. But for the Catalyst 9200 series I cannot figure out how to do this.

      jreves I met up with adatole at VMWorld and he said if anybody knew, it would be you!

        • Re: How do I configure NetFlow on a Cisco Catalyst 9200?
          neomatrix1217

          Here are some examples for a Catalyst 6500 and 7600 that might be a good starting point.

          Enable NetFlow on Catalyst 6500 and 7600 series

            • Re: How do I configure NetFlow on a Cisco Catalyst 9200?
              esarac

              Neomatrix1217, unfortunately those commands do not work on the Catalyst 9200 series switches (I am using 9200L). For starters, the "ip flow ingress" command isn't supported on these switches and it looks like only "flexible netflow" is what's supported. As a result, I tried following these guides:

              Success Center

              How to Configure NetFlow for Cisco Routers and Switches Running IOS - YouTube

              Here are the details of the switches:

              Cisco IOS XE Software, Version 16.11.01
              Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT9K_LITE_IOSXE), Version 16.11.1, RELEASE SOFTWARE (fc3)
              Model Number                       : C9200L-24P-4G

              Here is the current NetFlow configuration:

               

              flow record SolarwindsNetflow
               match ipv4 source address
               match ipv4 destination address
               match ipv4 protocol
               match transport source-port
               match transport destination-port
               match ipv4 tos
               match interface input
               collect interface output
               collect counter bytes long
               collect counter packets long

              flow exporter SolarwindsNetflow
               destination *destination* vrf Mgmt-vrf
               source GigabitEthernet0/0
               transport udp 2055
               template data timeout 60

              flow monitor SolarwindsNetflow
               exporter SolarwindsNetflow
               cache timeout inactive 10
               cache timeout active 5
               record SolarwindsNetflow

              interface GigabitEthernet1/0/1
               description Fortinet-A port 3
               switchport access vlan *vlan*
               switchport mode access
               ip flow monitor SolarwindsNetflow input

              interface GigabitEthernet1/0/2
               description Fortinet-A port 2
               switchport access vlan *vlan*
               switchport mode access
               ip flow monitor SolarwindsNetflow input

               

              With the above setup, I see data being exported successfully; however, nothing shows up in NTA:

              flx-edge#show flow exporter statistics
              Flow Exporter SolarwindsNetflow:
                Packet send statistics (last cleared 00:53:47 ago):
                  Successfully sent:         5897                  (8422214 bytes)

                Client send statistics:
                  Client: Flow Monitor SolarwindsNetflow
                    Records added:           203952
                      - sent:                203952
                    Bytes added:             8422214
                      - sent:                8422214

              I don't know what's missing, but I have also seen this:
              ----------------------------------------------
              IOS-XE Netflow Config to NTA?
              Here's my ASR Netflow config, which works with NTA. Note, netflow from management vrf on ASR seems to work, whereas it does not work on 4300 ISR routers.
              -----------------------------------------------
              This makes me wonder if there is also a vrf issue on the 9200 Catalyst devices.
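The exporter statistics above only prove that the switch emitted datagrams. A NetFlow v9 collector cannot decode a single data record until it has received the template that describes it (the exporter's `template data timeout 60` controls how often that template is resent), so "Successfully sent" on the switch and an empty NTA view can both be true at once. The decoder below is an added example, not code from this thread or from SolarWinds: it replays two constructed packets through a small v9 parser, one carrying data only and one carrying template plus data, and shows the difference. Field type IDs follow RFC 3954 and mirror the thread's flow record; the source id, addresses, ports and counters are made up, and `listen()` is a helper for binding UDP/2055 on the collector host to confirm export traffic arrives at all.

```python
import socket
import struct
from typing import Dict, List, Tuple

# RFC 3954 field type IDs for the fields the thread's flow record matches/collects
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "SRC_TOS",
               7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP",
               11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP"}
IPV4_FIELDS = {8, 12}


class V9Decoder:
    """Minimal NetFlow v9 decoder with a per-(source id, template id) template cache."""

    def __init__(self) -> None:
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}

    def decode(self, pkt: bytes) -> dict:
        if len(pkt) < 20:
            raise ValueError("packet shorter than the 20-byte v9 header")
        version, count, _uptime, _secs, seq, source_id = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version={version})")
        result = {"seq": seq, "source_id": source_id, "count": count,
                  "templates": [], "records": [], "undecodable_flowsets": 0}
        off = 20
        while off + 4 <= len(pkt):
            fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
            if fs_len < 4 or off + fs_len > len(pkt):
                raise ValueError("flowset length does not fit the packet")
            body = pkt[off + 4:off + fs_len]
            if fs_id == 0:                    # template flowset
                self._parse_templates(source_id, body, result)
            elif fs_id >= 256:                # data flowset; its id is the template id
                self._parse_data(source_id, fs_id, body, result)
            # id 1 (options template) and 2-255 (reserved) are skipped in this example
            off += fs_len
        return result

    def _parse_templates(self, source_id: int, body: bytes, result: dict) -> None:
        pos = 0
        while pos + 4 <= len(body):           # trailing bytes (< 4) are padding
            tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = []
            for _ in range(nfields):
                fields.append(struct.unpack("!HH", body[pos:pos + 4]))  # (type, length)
                pos += 4
            self.templates[(source_id, tid)] = fields
            result["templates"].append(tid)

    def _parse_data(self, source_id: int, tid: int, body: bytes, result: dict) -> None:
        tmpl = self.templates.get((source_id, tid))
        if tmpl is None:
            # No template yet: nothing in this flowset can be decoded, even though the
            # exporter counted the packet as "Successfully sent".
            result["undecodable_flowsets"] += 1
            return
        rec_len = sum(flen for _, flen in tmpl)
        pos = 0
        while pos + rec_len <= len(body):     # trailing bytes (< 4) are padding
            rec = {}
            for ftype, flen in tmpl:
                raw, pos = body[pos:pos + flen], pos + flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                rec[name] = ".".join(map(str, raw)) if ftype in IPV4_FIELDS else int.from_bytes(raw, "big")
            result["records"].append(rec)


# ---- constructed export traffic (not a capture from the thread's switch) ----------------
TEMPLATE_ID = 256
# same fields as the thread's record: addresses, protocol, ports, tos, in/out interface
# (4-byte SNMP index) and the 8-byte "long" byte and packet counters
TEMPLATE_FIELDS = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (5, 1), (10, 4), (14, 4), (1, 8), (2, 8)]


def template_flowset(tid: int, fields: List[Tuple[int, int]]) -> bytes:
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, n) for t, n in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def data_flowset(tid: int, records: List[bytes]) -> bytes:
    body = b"".join(records)
    body += b"\x00" * ((-len(body)) % 4)      # pad to a 32-bit boundary
    return struct.pack("!HH", tid, 4 + len(body)) + body


def flow_record(src, dst, proto, sport, dport, tos, in_if, out_if, nbytes, npkts) -> bytes:
    return bytes(src) + bytes(dst) + struct.pack("!BHHBIIQQ", proto, sport, dport, tos, in_if, out_if, nbytes, npkts)


def v9_packet(source_id: int, seq: int, count: int, flowsets: List[bytes]) -> bytes:
    header = struct.pack("!HHIIII", 9, count, 3_600_000, 1_567_785_300, seq, source_id)
    return header + b"".join(flowsets)


def demo() -> Tuple[dict, dict]:
    dec = V9Decoder()
    recs = [flow_record((10, 0, 0, 5), (192, 0, 2, 10), 6, 51515, 443, 0, 1, 2, 120_000, 100),
            flow_record((10, 0, 0, 6), (192, 0, 2, 53), 17, 53012, 53, 0, 1, 2, 80, 1)]
    data = data_flowset(TEMPLATE_ID, recs)
    # 1) data before any template: what the collector sees until the template refresh fires
    before = dec.decode(v9_packet(1, 100, 2, [data]))
    # 2) template and data together: the same records now decode
    after = dec.decode(v9_packet(1, 101, 3, [template_flowset(TEMPLATE_ID, TEMPLATE_FIELDS), data]))
    return before, after


def listen(port: int = 2055) -> None:
    """Bind the exporter's UDP port on the collector host and summarise each datagram."""
    dec = V9Decoder()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        while True:
            pkt, (host, _) = sock.recvfrom(65535)
            r = dec.decode(pkt)
            print(f"{host}: seq={r['seq']} templates={r['templates']} records={len(r['records'])} "
                  f"undecodable={r['undecodable_flowsets']}")
```

Running `demo()` yields no records and one undecodable flowset for the first packet, and two fully decoded records for the second. On a collector host, `listen()` answers the narrower question of whether export packets arrive on UDP/2055 at all, independently of what NTA displays.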

            • Re: How do I configure NetFlow on a Cisco Catalyst 9200?
              Craig Norborg

              Here is a post from Cisco on it:

              Network Management Configuration Guide, Cisco IOS XE Gibraltar 16.10.x (Catalyst 9200 Switches) - Configuring Flexible N…

              Note the "Prerequisites" which say you must configure a source interface and such. I'd recommend making sure you can ping the Solarwinds server using whatever source interface and VRF you do it from also! Personally I wouldn't use the Management VRF for this, but instead a loopback, but if routing is set up right and you can ping sourcing that interface it should work. Actually, I take that back, another restriction says "Flexible NetFlow export is not supported on the Ethernet management port, GigabitEthernet 0/0.", so don't use it!!

              Also note the restrictions, such as "Flexible Netflow (TNF) is supported only on Cisco TrustSec (CTS) interfaces". Never heard this one before, but... Maybe you need to configure CTS on the interface? There are other restrictions that hint this isn't the case, i.e. they say "on non-CTS interfaces", which implies you can use non-CTS interfaces...

              Definitely read through all the restrictions and such!!

                • Re: How do I configure NetFlow on a Cisco Catalyst 9200?
                  esarac

                  Thanks for mentioning that the Management VRF won't work as the source, so I went ahead and created a loopback interface.

                  interface Loopback1
                   ip address *IP*

                  Then I changed the exporter config to the following:

                  flow exporter SolarwindsNetflow
                   destination *IP* vrf Mgmt-vrf
                   source Loopback1
                   transport udp 2055
                   template data timeout 60

                  With that, I still got nothing. I think part of the problem is that anything that's internal has to be navigated through the VRF interface, so nothing can be reached without it. This is a perimeter switch, so the VRF is in place as a security feature.

                  ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 *gateway IP*

                  So even though I set the destination IP with vrf Mgmt-vrf, I think the Loopback IP not being sourced from the VRF is the issue.

                  I don't see the packets hitting the NTA server with Wireshark. Any ideas on what to do here?

                    • Re: How do I configure NetFlow on a Cisco Catalyst 9200?
                      Craig Norborg

                      You could add the loopback to the management VRF. Pay attention to what it says when you do that though, it will probably blow away the IP address configuration on the loopback when you do it. You'll also have to set up routing for the loopback for the Mgmt-vrf...

                      Remember that when working with VRFs everything >has< to agree, i.e. if your destination IP is on the Mgmt-vrf, your source interface should be on it too. That is unless you set up some sort of route leaking between VRFs, which it doesn't sound like you want to do...
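The rule in the reply above (exporter destination VRF and source interface VRF must agree) and the Cisco restriction quoted earlier (no Flexible NetFlow export from the GigabitEthernet0/0 management port) are both mechanical enough to lint for before touching the switch. The Python check below is an added example, not code from this thread or from Cisco or SolarWinds: it parses the `flow exporter`, `flow monitor` and `interface` blocks of an IOS-style running config and reports a VRF mismatch, a management-port source, and dangling monitor/exporter references. The three sample configs are constructed to mirror the thread's attempts (RFC 5737 addresses stand in for the redacted `*IP*` values); `vrf forwarding` / `ip vrf forwarding` are the IOS XE forms of the interface VRF assignment.

```python
import re
from typing import Dict, List

Blocks = Dict[str, Dict[str, List[str]]]


def parse_blocks(config: str) -> Blocks:
    """Collect the sub-commands of every 'flow exporter', 'flow monitor' and 'interface'
    block of an IOS-style running config (sub-commands are indented by one space)."""
    blocks: Blocks = {"flow exporter": {}, "flow monitor": {}, "interface": {}}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        if not raw.startswith(" "):
            m = re.match(r"(flow exporter|flow monitor|interface)\s+(\S+)", raw)
            current = blocks[m.group(1)].setdefault(m.group(2), []) if m else None
            continue
        if current is not None:
            current.append(raw.strip())
    return blocks


def interface_vrf(subcommands: List[str]) -> str:
    """VRF the interface is assigned to; '' means the global routing table."""
    for line in subcommands:
        m = re.match(r"(?:ip )?vrf forwarding (\S+)", line)
        if m:
            return m.group(1)
    return ""


def check_netflow(config: str) -> List[str]:
    blocks = parse_blocks(config)
    findings: List[str] = []
    for name, sub in blocks["flow exporter"].items():
        dest = next((l for l in sub if l.startswith("destination ")), None)
        src = next((l for l in sub if l.startswith("source ")), None)
        if dest is None or src is None:
            findings.append(f"exporter {name}: needs both a destination and a source interface")
            continue
        m = re.match(r"destination (\S+)(?: vrf (\S+))?", dest)
        dest_vrf = (m.group(2) if m else None) or ""
        src_if = src.split(None, 1)[1]
        if src_if == "GigabitEthernet0/0":
            findings.append(f"exporter {name}: source {src_if} is the Ethernet management port, "
                            "which the Catalyst 9200 guide lists as unsupported for FNF export")
        if src_if not in blocks["interface"]:
            findings.append(f"exporter {name}: source interface {src_if} is not configured")
            continue
        src_vrf = interface_vrf(blocks["interface"][src_if])
        if src_vrf != dest_vrf:   # the "everything has to agree" rule
            findings.append(f"exporter {name}: destination is reached via VRF '{dest_vrf or 'global'}' "
                            f"but source {src_if} sits in VRF '{src_vrf or 'global'}'")
    for name, sub in blocks["flow monitor"].items():
        for line in sub:
            if line.startswith("exporter ") and line.split()[1] not in blocks["flow exporter"]:
                findings.append(f"monitor {name}: exporter {line.split()[1]} is not defined")
    for ifname, sub in blocks["interface"].items():
        for line in sub:
            m = re.match(r"ip flow monitor (\S+) (input|output)", line)
            if m and m.group(1) not in blocks["flow monitor"]:
                findings.append(f"interface {ifname}: flow monitor {m.group(1)} is not defined")
    return findings


# Constructed sample modelled on the thread's second attempt: the destination is reached
# through Mgmt-vrf while Loopback1 lives in the global table (addresses are RFC 5737 examples).
MISMATCHED = """\
interface Loopback1
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 192.0.2.2 255.255.255.0
!
interface GigabitEthernet1/0/1
 switchport mode access
 ip flow monitor SolarwindsNetflow input
!
flow exporter SolarwindsNetflow
 destination 192.0.2.100 vrf Mgmt-vrf
 source Loopback1
 transport udp 2055
 template data timeout 60
!
flow monitor SolarwindsNetflow
 exporter SolarwindsNetflow
 cache timeout inactive 10
 cache timeout active 5
 record SolarwindsNetflow
!
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 192.0.2.254
"""
# The thread's first attempt: VRFs agree, but the source is the unsupported management port.
MGMT_PORT = MISMATCHED.replace(" source Loopback1", " source GigabitEthernet0/0")
# Loopback moved into Mgmt-vrf (the reply's suggestion): source and destination VRF agree.
FIXED = MISMATCHED.replace("interface Loopback1\n", "interface Loopback1\n vrf forwarding Mgmt-vrf\n", 1)
```

`check_netflow(MISMATCHED)` returns one finding naming the VRF mismatch on Loopback1, `check_netflow(MGMT_PORT)` one finding about the management port, and `check_netflow(FIXED)` returns an empty list. The check only covers what the running config states; whether the Mgmt-vrf actually has a route to the collector still has to be confirmed with a VRF-scoped ping, as suggested above.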

                        • Re: How do I configure NetFlow on a Cisco Catalyst 9200?
                          esarac

                          My sincere apologies for wasting your time on this. I came to the realization that both stacks of Catalyst switches we have (we only have 2 stacks) are only working as layer 2 switches with no routing configured. One stack is for perimeter/edge, connected to a set of Fortigate firewalls, and the other set is utilized for DMZ, once again with only layer 2 capabilities. As a result, it will make more sense to utilize NetFlow on the Fortigate firewalls as they provide the routing.

                          I thank you for your help regardless. I ended up learning a good bit about VRF and with this knowledge I was able to successfully configure Nexus 9k switches for NetFlow. Sure, NX-OS is a totally different beast but VRF still comes into play there as well.