Flexible Netflow help
Flexible Netflow from Cisco seems overly complicated. I was able to get Netflow going with my Palo Alto firewalls in about 5 minutes with LogicMonitor. With my Cisco C3850 and 9300 switches, it's been a nasty struggle. Here's what I have set up for my flow records, exporter, and monitors:
flow record LogicMonitor-In
match ipv4 destination address
match ipv4 protocol
match transport source-port
match transport destination-port
match ipv4 tos
match interface input
match flow direction
match ipv4 source address
collect interface output
collect counter bytes long
collect timestamp absolute first
collect timestamp absolute last
!
!
flow record LogicMonitor-Out
match ipv4 destination address
match ipv4 protocol
match transport source-port
match transport destination-port
match ipv4 tos
match flow direction
match ipv4 source address
collect counter bytes long
collect timestamp absolute first
collect timestamp absolute last
!
!
flow exporter Netflow-to-LogicMonitor
destination <snip IP>
transport udp 2055
template data timeout 60
option application-table timeout 60
!
!
flow monitor Netflow-Monitor-In
exporter Netflow-to-LogicMonitor
cache timeout active 60
record LogicMonitor-In
!
!
flow monitor Netflow-Monitor-Out
exporter Netflow-to-LogicMonitor
cache timeout active 60
record LogicMonitor-Out
I've then used the "ip flow monitor Netflow-Monitor-In input" and "ip flow monitor Netflow-Monitor-Out output" commands on my interfaces, but I'm not getting any flows in LogicMonitor. I did some troubleshooting with the collector debug command "!netFlow func=dump <deviceid>", and I think I'm seeing that I've got some mandatory fields missing and that's why it isn't collecting flows. I get a return from the above command saying "msg=Miss mandatory field, both (type=14, name=OUTPUT_SNMP) or (type=10, name=INPUT_SNMP) is absent in template". So, I think I'm missing some collect or match lines in my flow records, but in trying to figure out what I need to include for OUTPUT_SNMP and INPUT_SNMP in my flow record, I'm just not having any luck. I contacted support and they basically told me, "you'll need to figure it out on your own". I'm assuming SOMEONE has gotten netflow working with a Cisco 3850 or 9300 before, and can just give me an idea of what they've got in their flow record.
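As an added illustration (not code from the post, from Cisco or from LogicMonitor), here is a small NetFlow v9 template parser that applies the same rule the collector's debug message states, run against two constructed templates: one mirroring the interface fields the In record above exports, one mirroring the Out record, which exports none. Template ids and field lengths in the sample are assumptions chosen for the example.

```python
import struct

INPUT_SNMP, OUTPUT_SNMP = 10, 14  # RFC 3954 NetFlow v9 field type ids

def parse_templates(packet: bytes) -> dict:
    """Return {template_id: [field_type, ...]} from every template FlowSet
    (FlowSet id 0) in a NetFlow v9 export packet; data FlowSets are skipped."""
    if struct.unpack_from("!H", packet, 0)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, off = {}, 20  # fixed 20-byte v9 packet header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed FlowSet length")
        end, pos = off + fs_len, off + 4
        while fs_id == 0 and pos + 4 <= end:
            tid, nfields = struct.unpack_from("!HH", packet, pos)
            pos += 4
            if nfields == 0:
                break  # trailing padding, not a template
            templates[tid] = [struct.unpack_from("!H", packet, pos + 4 * i)[0]
                              for i in range(nfields)]  # field type of each pair
            pos += 4 * nfields
        off = end
    return templates

def missing_mandatory(fields: list) -> list:
    """Mirror the collector's rule quoted in the post: a template is usable only
    if INPUT_SNMP (10) or OUTPUT_SNMP (14) is present, which a flow record gets
    from a 'match interface ...' or 'collect interface ...' line."""
    if INPUT_SNMP in fields or OUTPUT_SNMP in fields:
        return []
    return ["INPUT_SNMP", "OUTPUT_SNMP"]

def build_template_packet(templates: dict) -> bytes:
    """Construct a v9 packet holding one template FlowSet (for the sample below)."""
    body = b"".join(struct.pack("!HH", tid, len(f))
                    + b"".join(struct.pack("!HH", t, ln) for t, ln in f)
                    for tid, f in templates.items())
    return (struct.pack("!HHIIII", 9, len(templates), 0, 0, 0, 0)
            + struct.pack("!HH", 0, 4 + len(body)) + body)

# Constructed sample (template ids chosen arbitrarily): 256 carries the interface
# fields the In record exports (match interface input -> 10, collect interface
# output -> 14); 257 mirrors the Out record, which exports no interface field.
SAMPLE = build_template_packet({
    256: [(12, 4), (4, 1), (7, 2), (11, 2), (5, 1), (10, 4), (61, 1), (8, 4), (14, 4), (1, 8)],
    257: [(12, 4), (4, 1), (7, 2), (11, 2), (5, 1), (61, 1), (8, 4), (1, 8)],
})
```

Running `missing_mandatory` over each parsed template flags only the Out-style template, which is the record a `match interface output` or `collect interface input` line would repair.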
Sure, I have developed internal docs on this which I exported to PDF, but of course this forum does not allow that. Honestly, this is stuff that should be maintained in the LM documentation. I will see if I can copy the details over to a blog post or something on our website. In the meantime, here is the 3650/3850 section. I believe the 9300 should be pretty similar, but I do have distinct notes for 9200 and 9500 switches.
3650/3850
This platform requires separate flow records for input and output. To monitor traffic to/from the switch (e.g., for Internet flow reporting), the monitors below should be applied as input and output, respectively:
interface GigabitEthernet2/0/11
ip flow monitor LM-IN input
ip flow monitor LM-OUT output
!
flow exporter WM-LMW2
destination 192.168.x.x
transport udp 2055
template data timeout 60
option interface-table
option exporter-stats
export-protocol netflow-v9
!
flow record Netflow-In
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes long
collect counter packets long
collect interface output
!
flow record Netflow-Out
match flow direction
match interface output
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes long
collect counter packets long
collect interface input
!
flow monitor LM-IN
exporter WM-LMW2
cache timeout inactive 10
cache timeout active 60
record Netflow-In
!
flow monitor LM-OUT
exporter WM-LMW2
cache timeout inactive 10
cache timeout active 60
record Netflow-Out