I've recently installed a trial version of Network Traffic Analyzer (NTA) and I want to get this configured and working so that I can make a case to my senior colleagues and manager to purchase it as I think it would benefit us greatly. The problem I'm having is that I can't get NBAR2 working even though our core switch supports it. To start with, I'm configuring this on 2 interfaces that link the ground floor switch (Cisco Catalyst 2960) to our core switch. There's a Port-channel between the ground floor and Core switch but I understand that Netflow must be configured on member interfaces of a Port-channel, not the Port-channel itself.
Our Core switch is made up of 3 x Cisco 3850 switches, see below:-
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 62 WS-C3850-12X48U 16.3.5b CAT3K_CAA-UNIVERSALK9 INSTALL
2 62 WS-C3850-12X48U 16.3.5b CAT3K_CAA-UNIVERSALK9 INSTALL
3 62 WS-C3850-12X48U 16.3.5b CAT3K_CAA-UNIVERSALK9 INSTALL
Below is the technology licence version we're running on our Core:-
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
ipservicesk9 Permanent ipservicesk9
Below is the firmware version we're running:-
SANKHCore3#show version
Cisco IOS Software [Denali], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.3.5b, RELEASE SOFTWARE (fc1)
I've read on some official Cisco documentation that says you must enable nbar protocol discovery on the interface, so I've run the following command first:-
conf t
interface TenGigabitEthernet1/1/2
ip nbar protocol-discovery
end
interface TenGigabitEthernet3/1/1
ip nbar protocol-discovery
end
I've then entered the following commands to monitor Netflow traffic:-
*** RECORDER ***
flow record SolWnds-Netflow-KH-GRD-REC-IN
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match application name
collect transport tcp flags
collect interface output
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last
flow record SolWnds-Netflow-KH-GRD-REC-OUT
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface output
match application name
collect transport tcp flags
collect interface input
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last
*** EXPORTER ***
flow exporter SolWnds-Netflow-KH-GRD-EXP
description Netflow export from KH GRD Floor switch
destination 192.168.120.31
source Port-channel25
transport udp 2055
template data timeout 60
export-protocol netflow-v9
option application-table timeout 60
option application-attributes timeout 300
*** MONITOR ***
flow monitor SolWnds-Netflow-KH-GRD-MON-IN
exporter SolWnds-Netflow-KH-GRD-EXP
cache timeout active 60
cache timeout inactive 10
record SolWnds-Netflow-KH-GRD-REC-IN
flow monitor SolWnds-Netflow-KH-GRD-MON-OUT
exporter SolWnds-Netflow-KH-GRD-EXP
cache timeout active 60
cache timeout inactive 10
record SolWnds-Netflow-KH-GRD-REC-OUT
*** ASSOCIATE FLOW MONITOR TO INTERFACE ***
conf t
interface Te1/1/2 and Te3/1/1
ip flow monitor SolWnds-Netflow-KH-GRD-MON-IN input
ip flow monitor SolWnds-Netflow-KH-GRD-MON-OUT output
As soon as I associate a flow monitor to one of the interfaces i get a message:-
Failed to add monitor to interface: invalid set of fields in monitor record for wired interface
Switch(config-if)#
If I remove the "match application name" bits from the Record section of the config it accepts the commands and works perfectly fine.
This is great, but the issue issue when going into NTA and selecting NBAR2 from the drop down menu it doesn't show anything.
Any help / advice would be much appreciated.
