4 Replies Latest reply on Oct 11, 2010 2:54 AM by Ismo

    Which VLAN to capture

    Ismo

      I have Cisco 6500 switch which is sending netflow data to Orion server from all of its physical and virtual interfaces. Switch is added to Orion with management VLAN address (VLAN1, 192.168.100.1). Orion gives this event notification:
      NetFlow Receiver Service [SERVER111] is receiving a NetFlow data stream from an unmanaged device (10.10.10.1). The NetFlow data stream from 10.10.10.1 will be discarded. Please use Orion Node Management to manage this IP address in order to process this NetFlow data stream, or just use Manage this device.

      Why's that? Is it because the server is in 10.10.10.1 subnet and gets netflow data from same VLAN? Sounds logical, but do I really have to manage the device twice (and all interfaces!) to get also VLAN10 traffic data without this event message? To pay the element license twice?!? I think it's stupid...

      Changing node IP in Orion doesn't sound good either, because then I'd see switch in wrong IP address in NCM. It should show with same address as every other switch in this LAN, management address is of course the natural way to see switch with NCM. Any suggestions for this? How to get rid of this unpleasant detail...?

      And what this means: "The NetFlow data stream from 10.10.10.1 will be discarded..."
      No it isn't! As far as I know, I'm getting VLAN10 data without any problems. Or do I miss something...?

      Backgroung information:
      VLAN1, 192.168.100.1 = switch management vlan
      VLAN10, 10.10.10.1 = office vlan
      SERVER111 = Orion server, NPM, NTA & NCM.
      Netflow source = Catalyst 6500, about 100 interfaces

        • Re: Which VLAN to capture
          Mark Roberts

          You simply need to specify the correct source port in the Netflow configuration on the 6500. This determines which interface the packets get sent from. This needs to match the interface you are using for the management IP in Orion

          Extract from the SW Cisco 6500 PDF (Page 5, point 5)

          http://www.solarwinds.com/support/Netflow/docs/OrionNetFlowSwitches.pdf

          Enter ip flow-export source {{vlan vlan_ID} | {type slot/port} | {port-channel
          number} | {loopback number}} to configure the interface used as the source of the NDE packets
          containing statistics from the MSFC.

          Hope this helps.

            • Re: Which VLAN to capture
              Ismo

              Thanks, that was easy when you know what to do. I totally missed a chance to configure also the source interface for netflow. Quite obvious option thinking it afterwards, but didn't come to my mind then. Thanks!

                • Re: Which VLAN to capture
                  Ismo

                  Maybe I was too quick in my "judgement". Now everything should be ok:

                  SW#sh mls nde
                   Netflow Data Export enabled
                   Exporting flows to  10.100.10.81 (9996)
                   Exporting flows from 192.168.100.1 (51282)

                  SW#show ip flow export
                  Flow export v1 is enabled for main cache
                    Exporting flows to 10.100.10.81 (9996)
                    Exporting using source interface Vlan1

                  Before Exporting flows from..." address was 10.100.16.1. So that's right how it should be (..100.1 is switch native vlan). But I'm still getting these event messages:

                  " NetFlow Receiver Service [SERVER] is receiving a NetFlow data  stream from an unmanaged device (10.100.10.1). The NetFlow data stream from 10.100.10.1 will be discarded.  Please use Orion Node Management to manage this IP address in order to process this NetFlow data stream, or just use  Manage this device. "
                  and
                  " You have not enabled NetFlow data export on 192.168.100.1 device. For more information, see "Enabling NetFlow and NetFlow Data Export (NDE) on Cisco Catalyst Switches" in the Support - Product Documentation area of www.solarwinds.com. "

                  Ideas?

                • Re: Which VLAN to capture
                  Ismo

                  I still get this messages once in a couple weeks:
                  You have not enabled NetFlow data export on 192.168.100.1 device. For more information, see "Enabling NetFlow and NetFlow Data Export (NDE) on Cisco Catalyst Switches" in the Support - Product Documentation area of www.solarwinds.com.

                  That IP is VLAN1 IP so it should be ok, but it isn't. Why? What's wrong in my configuration? We have two supervisor-modules (the other one is hot spare), does that cause this problem? Should I somehow enable them both to export netflow?