11 Replies Latest reply on Feb 8, 2016 4:08 PM by bdubswheel

    IOS-XE Netflow Config to NTA?

    pseudocyber

      Hi Everyone,

       

      I'm having some trouble getting new Cisco 4331 routers to send netflow to NTA.  Can anyone take a look at my config and see if you see anything obviously wrong, or offer any tips/pointers?  These are outside edge Internet routers, with a management interface with VRF having a private IP.  The flow traffic should be coming from an inband interface, Gi0/0/01.10.  My firewalls are configured to allow UDP 2055 to flow from the outside source to a NAT to the NTA. 

       

      Thanks.

       

      EdgeRouter1#sh run | s flow
      flow record ipv4
       match ipv4 protocol
       match ipv4 source address
       match ipv4 destination address
       match transport source-port
       match transport destination-port
       match interface input
       collect interface output
       collect counter bytes
       collect counter packets
      flow exporter NetFlow-to-Orion
       destination X.Y.Z.149
       source GigabitEthernet0/0/1.10
       transport udp 2055
      flow monitor Orion-NetFlow-Monitor
       description Original Netflow captures
       exporter NetFlow-to-Orion
       cache timeout inactive 10
       cache timeout active 5
       record ipv4
       ip flow monitor Orion-NetFlow-Monitor input
       ip flow monitor Orion-NetFlow-Monitor input
       ip flow monitor Orion-NetFlow-Monitor input
      alias exec shflow show flow mon name Orion-NetFlow-Monitor cache
      EdgeRouter1#

      EdgeRouter1#sh run | i interface|flow
      interface GigabitEthernet0/0/0
       ip flow monitor Orion-NetFlow-Monitor input
      interface GigabitEthernet0/0/1
      interface GigabitEthernet0/0/1.10
       ip flow monitor Orion-NetFlow-Monitor input
      interface GigabitEthernet0/0/1.192
       ip flow monitor Orion-NetFlow-Monitor input

       

      EdgeRouter1#sh ver
      Cisco IOS XE Software, Version 03.13.02.S - Extended Support Release
      Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(3)S2, RELEASE SOFTWARE (fc3)
      Technical Support: http://www.cisco.com/techsupport
      Copyright (c) 1986-2015 by Cisco Systems, Inc.
      Compiled Fri 30-Jan-15 15:19 by mcpre

      ROM: IOS-XE ROMMON

      EdgeRouter1 uptime is 14 weeks, 5 days, 42 minutes
      Uptime for this control processor is 14 weeks, 5 days, 43 minutes
      System returned to ROM by reload
      System restarted at 08:50:36 EDT Wed May 20 2015
      System image file is "bootflash:/isr4300-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin"
      Last reload reason: PowerOn

      A summary of U.S. laws governing Cisco cryptographic products may be found at:
      http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

      If you require further assistance please contact us by sending email to
      export@cisco.com.

       

       

       

        • Re: IOS-XE Netflow Config to NTA?
          pseudocyber

          PS: NTA 4.1.0

            • Re: IOS-XE Netflow Config to NTA?
              walidtun

              Flow packets will be ignored by Orion NTA if they do not include the following fields in your Flow template:

              Field Type       Field Type Number   Description
              IN_BYTES         1                   Ingress bytes counter
              IN_PKTS          2                   Ingress packets counter
              PROTOCOL         4                   Layer 4 protocol
              L4_SRC_PORT      7                   Source TCP/UDP port
              IPV4_SRC_ADDR    8                   Source IP address
              INPUT_SNMP       10                  SNMP ingress interface index
              L4_DST_PORT      11                  Destination TCP/UDP port
              IPV4_DST_ADDR    12                  Destination IP address
              OUTPUT_SNMP      14                  SNMP egress interface index

              According to your record configuration, the INPUT_SNMP and OUTPUT_SNMP fields are missing. You need to add these two commands under the record configuration:

              flow record ipv4
               match interface input snmp
               match interface output snmp
              1 of 1 people found this helpful
            • Re: IOS-XE Netflow Config to NTA?
              hanif.solarwinds

              Hi pseudocyber,

              Try the command sh ip flow export to see if the flow has been set up properly and whether any flows are being exported from the router.

              1 of 1 people found this helpful
              • Re: IOS-XE Netflow Config to NTA?
                pseudocyber

                Thanks both of you.

                 

                This is working:

                RER2#sh run | s flow
                flow record ipv4
                 match ipv4 protocol
                 match ipv4 source address
                 match ipv4 destination address
                 match transport source-port
                 match transport destination-port
                 match interface input
                 collect counter bytes long
                 collect counter packets long
                flow exporter NetFlow-to-Orion
                 destination W.X.Y.Z
                 source GigabitEthernet0/0/1.10
                 transport udp 2055
                flow monitor Orion-NetFlow-Monitor
                 description Original Netflow captures
                 exporter NetFlow-to-Orion
                 cache timeout inactive 10
                 cache timeout active 5
                 record ipv4
                flow monitor Orion-Netflow-Monitor
                 cache timeout active 120

                 

                I added the match interface in|out snmp for good measure.

                • Re: IOS-XE Netflow Config to NTA?
                  geoff.hubbard

                  I see you already resolved it, and I ran across this thread looking for the same information. Here is how I ended up solving it. Your way works too, I just wanted to provide an alternate solution for anybody else who stumbles onto this thread.

                   

                  flow exporter Solarwinds
                   destination x.x.x.x
                   source (Interface)
                   transport udp 2055
                  !
                  !
                  flow monitor Solarwinds
                   exporter Solarwinds
                   record netflow-original     (netflow-original is a pre-defined record, so you don't have to customize if you don't want to)

                  interface GigabitEthernetx/x/x
                   ip flow monitor Solarwinds input
                   ip flow monitor Solarwinds output

                  2 of 2 people found this helpful
                  • Re: IOS-XE Netflow Config to NTA?
                    CourtesyIT

                    Just started working with NTA.  I configured the above on a Cisco ASR1004.  I do not see any received Netflow on my NTA Summary page.  I do have the device and interface defined in NTA but no traffic.

                      • Re: IOS-XE Netflow Config to NTA?
                        chefwear

                        I too am having trouble getting the above to work on my ASR 1002. I've tried both Geoff's and the SW NTA Admin guide template which is essentially what pseudocyber posted.

                         

                        I've confirmed via Wireshark that the v9 flows I'm sending to NTA contain the right fields. I'm running IOS XE Version 15.4(3)S4.

                         

                        Anyone see any issues with this config?

                         

                        flow record custom_flow_record
                         match ipv4 protocol
                         match ipv4 source address
                         match ipv4 destination address
                         match transport source-port
                         match transport destination-port
                         match interface input
                         match interface input snmp
                         match interface output snmp
                         collect interface output
                         collect counter bytes
                         collect counter packets

                        flow exporter SL-FlowExporter
                         destination x.x.x.x vrf Netflow
                         source TenGigabitEthernet0/1/0
                         transport udp 2055
                        !
                        flow monitor SL-FlowMonitor
                         description Original Netflow captures
                         exporter SL-FlowExporter
                         cache timeout inactive 10
                         cache timeout active 120
                         record custom_flow_record

                        Int te0/1/0
                         ip flow monitor SL-FlowMonitor input
                         ip flow monitor SL-FlowMonitor output

                      • Re: IOS-XE Netflow Config to NTA?
                        pseudocyber

                        Here's my ASR Netflow config, which works with NTA.  Note, netflow from management vrf on ASR seems to work, whereas it does not work on 4300 ISR routers.

                         

                        NTA 4.1.0

                        NPM 11.5.2

                        ASR 03.13.02.S / 15.4(3)S2

                         

                        flow record ipv4
                         match ipv4 protocol
                         match ipv4 source address
                         match ipv4 destination address
                         match transport source-port
                         match transport destination-port
                         match interface input
                         collect interface output
                         collect counter bytes
                         collect counter packets
                        flow exporter NetFlow-to-Orion
                         destination 1.2.3.4 vrf Mgmt-intf
                         source GigabitEthernet0
                         transport udp 2055
                        flow monitor Orion-NetFlow-Monitor
                         description Original Netflow captures
                         exporter NetFlow-to-Orion
                         cache timeout inactive 10
                         cache timeout active 5
                         record ipv4
                        !
                        interface Port-channel9
                         ip flow monitor Orion-NetFlow-Monitor input
                         ip flow monitor Orion-NetFlow-Monitor output
                        !
                        interface GigabitEthernet0/0/0
                         ip flow monitor Orion-NetFlow-Monitor input
                         ip flow monitor Orion-NetFlow-Monitor output

                          • Re: IOS-XE Netflow Config to NTA?
                            chefwear

                            That config looks 99% like the template from the NTA 4.1.1 guide, save for they're using NetFlow v5. Needless to say, I tested it with no luck.

                             

                            I even confirmed v5 flows from a Cisco 3725 running IOS 12.4 get to the server fine (verified via Wireshark), but NTA still doesn't care.

                             

                            Further, I installed SolarWinds netflow traffic analyzer (free tool) on my local machine, and pointed my flows to it. That program seems to like the flows fine.

                             

                            I put in a ticket yesterday for a SW rep to hit me up... waiting on that.

                              • Re: IOS-XE Netflow Config to NTA?
                                pseudocyber

                                Let us/me know what they say.  Maybe a Cisco ticket as well? 

                                 

                                One thing I think is really annoying about Cisco 43xx routers is they give this great Management interface, so if I have them on my edge - with an outside and an inside interface, and the Management int hooked up - but no netflow.  So, I have to burn an interface on the outside edge, dual homing the router - or poke holes in my firewall.  Or needlessly complicate the config - with more vrf's, .1q sub interfaces, etc.