You might want to include your netflow config so we can have an idea of what you're doing.
2960x's only do "Netflow lite", rather than returning stats on every packet that goes through them, at the most you'll get 1 out of every 32 packets reported on, which is configurable. You might have to manually set a sampling rate too. If you go to "Manage Netflow Sources", you should see "Auto-detect: " followed by something like "no sampling" or a sampling rate. If the sampling rate here doesn't match the sampling rate you chose on your 2960x, you will have to edit it to match.
Thanks for the reply, I was really asking the question whether it worked at all, because I couldn't find any definite answers by Googling.
I have heard that there seems to be some delay in the 2960x sending out its netflow template to the receiver, maybe you ran in to that. You're definitely seeing Netflow there, but like I said, its only sampling at most 1:32 packets, so make sure the ratio is set correctly!
Thanks for the info. As you can probably guess, I'm pretty new to NTA, so please can you have a look at the config I've put on the 2960 and see if I've missed anything, or there's anything that could be done better? ( Note: real destination IP address replaced with x.x.x.x)
flow record NFSWTRecord
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect interface input
collect flow sampler
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
flow exporter NFSWExporter
description Solarwinds server
transport udp 2055
template data timeout 60
flow monitor NFSWMonitor
cache timeout inactive 120
cache timeout active 120
mode random 1 out-of 100
ip flow monitor NFSWMonitor sampler NFSWSampler input
Any suggestions would be greatly appreciated.
Hmm... Unfortunately all the 2960x's we have apparently are lanlite which don't support this, so I can't get in and play and tell you for sure. I'd be working off this document:
Which is generally a very good guideline. I don't see a 1:1 match in your config above with any of the examples given in this document. Might see if you can modify it based on one of these examples. I'd go for one of the larger switches like the 6500 or 7000 if possible. Although the 3560/3750 are probably pretty close, but you have to be careful in that they only support it on a single port, so they're doing ingress/egress, and you probably want ingress only like some of the other examples, but it depends on your application what you do want to use.
I think I need to do some experimentation to see what works best :-)
The reason for getting NTA working was for the scenario when someone says "the network or our UCS is running slow, please can you investigate" . NTA would seem to be a pretty good tool for having a quick look to see if there's any traffic congestion problems on the network, so I though I'd have a go at getting it working.
Unfortunately there seems to several minor differences between Netflow Lite and flexible Netflow, all of which seem to conspire to stop it working! And the error messages you get (if you get any) aren't particularly useful either.
Anyway, thanks for taking the time to reply, it's been very useful and much appreciated.
1 of 1 people found this helpful
I am not sure if you have fixed your issue but we have a similar issue.
Our investigation discovered a Thwack message "Support for Cisco Netflow-Lite" under "NetFlow Feature requests that was updated November 2015 to say that Netflow-lite is now supported in "NTA 4.1.1"
I noticed in one of your post's with your setup that you are using version 3.1.x this may be the issue.