3 years ago
Flexible Netflow help
Flexible Netflow from Cisco seems overly complicated. I was able to get Netflow going with my Palo Alto firewalls in about 5 minutes with LogicMonitor. With my Cisco C3850 and 9300 switches, it's...
- 3 years ago
Sure, I have developed internal docs on this which I exported to PDF, but of course this forum does not allow that. Honestly, this is stuff that should be maintained in the LM documentation. I will see if I can copy the details over to a blog post or something on our website. In the meantime, here is the 3650/3850 section. I believe the 9300 should be pretty similar, but I do have distinct notes for 9200 and 9500 switches.
3650/3850
This platform requires separate flow records for input and output. To monitor traffic to/from the switch (e.g., for Internet flow reporting), the monitors below should be applied as input and output, respectively:
    interface GigabitEthernet2/0/11
     ip flow monitor LM-IN input
     ip flow monitor LM-OUT output

    flow exporter WM-LMW2
     destination 192.168.x.x
     transport udp 2055
     template data timeout 60
     option interface-table
     option exporter-stats
     export-protocol netflow-v9

    flow record Netflow-In
     match flow direction
     match interface input
     match ipv4 destination address
     match ipv4 protocol
     match ipv4 source address
     match ipv4 tos
     match transport destination-port
     match transport source-port
     collect counter bytes long
     collect counter packets long
     collect interface output

    flow record Netflow-Out
     match flow direction
     match interface output
     match ipv4 destination address
     match ipv4 protocol
     match ipv4 source address
     match ipv4 tos
     match transport destination-port
     match transport source-port
     collect counter bytes long
     collect counter packets long
     collect interface input

    flow monitor LM-IN
     exporter WM-LMW2
     cache timeout inactive 10
     cache timeout active 60
     record Netflow-In

    flow monitor LM-OUT
     exporter WM-LMW2
     cache timeout inactive 10
     cache timeout active 60
     record Netflow-Out
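To check what a switch configured this way actually exports, here is an added example (not part of the original post and not LogicMonitor's code): a minimal NetFlow v9 template parser that reports which fields from the flow records above are absent from the exported template. The field type numbers follow RFC 3954; the mapping of each `match`/`collect` line to a field type, the template ID 256, and the sample packet are assumptions constructed for illustration.

```python
import struct

# RFC 3954 field types assumed to correspond to the match/collect lines above.
FIELDS = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "SRC_TOS",
          7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP",
          11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP",
          61: "DIRECTION"}

def parse_templates(packet):
    """Return {template_id: [(field_name, length), ...]} from one v9 export packet."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 export packet")
    templates, off = {}, 20  # the v9 header is 20 bytes
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, off)
        if set_len < 4 or off + set_len > len(packet):
            raise ValueError("bad flowset length")
        pos, end = off + 4, off + set_len
        while set_id == 0 and pos + 4 <= end:  # flowset ID 0 carries templates
            tid, nfields = struct.unpack_from("!HH", packet, pos)
            pos += 4
            if tid < 256 or pos + 4 * nfields > end:
                break  # padding or truncated record
            raw = struct.unpack_from(f"!{2 * nfields}H", packet, pos)
            templates[tid] = [(FIELDS.get(t, f"type_{t}"), n)
                              for t, n in zip(raw[::2], raw[1::2])]
            pos += 4 * nfields
        off += set_len
    return templates

def missing_fields(template):
    """Names in FIELDS that the exported template does not carry."""
    return sorted(set(FIELDS.values()) - {name for name, _ in template})

def build_sample():
    """Constructed packet: an input-style template with OUTPUT_SNMP left out."""
    fields = [(61, 1), (10, 4), (12, 4), (4, 1), (8, 4),
              (5, 1), (11, 2), (7, 2), (1, 8), (2, 8)]
    rec = struct.pack("!HH", 256, len(fields))
    rec += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    flowset = struct.pack("!HH", 0, 4 + len(rec)) + rec
    header = struct.pack("!HHIIII", 9, 1, 1000, 1700000000, 1, 0)
    return header + flowset

if __name__ == "__main__":
    for tid, tmpl in parse_templates(build_sample()).items():
        print(tid, tmpl, "missing:", missing_fields(tmpl))
```

To run it against live exports, pass each datagram received on the exporter's UDP port (2055 in the configuration above) to `parse_templates`.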