Channel: THWACK: Popular Discussions - NetFlow Traffic Analyzer

NetFlow Export Issues on Cisco WS-C3560X-48P with C3KX-NM-1G


Hello All,

 

Just looking for a confirmation if a Cisco WS-C3560X-48P (Cisco C3560X) with a C3KX-NM-1G (FRULink 1G Module) will export Flexible NetFlow or NetFlow records?

Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 15.0(2)SE4, RELEASE SOFTWARE (fc1)

 

Here is the Running Config:

I did both methods; neither shows traffic?

ip flow-egress input-interface

ip flow-cache timeout active 15

ip flow-export source GigabitEthernet0/48

ip flow-export version 9

ip flow-export destination 10.x.x.x 2055

#show ip flow interface

Vlan254

  ip flow ingress

  ip flow egress

GigabitEthernet0/48

  ip flow ingress

  ip flow egress

GigabitEthernet1/1

  ip flow ingress

  ip flow egress

#show ip flow export

Flow export v9 is enabled for main cache

  Export source and destination details :

  VRF ID : Default

    Source(1)       10.180.175.1 (GigabitEthernet0/48)

    Destination(1)  10.15.254.22 (2055)

  Version 9 flow records

  0 flows exported in 0 udp datagrams

  0 flows failed due to lack of export packet

  0 export packets were sent up to process level

 

 

NOTE: I am unable to assign the Monitor to any phy or vlan interfaces:

(config-if)#ip flow monitor NetFlowMonitor input

% Flow Monitor: 'NetFlowMonitor' could not be added.

 

Per: SolarWinds Knowledge Base :: Required flow template fields

flow record SolarWinds

description Solarwinds Flow Template

match ipv4 protocol

match ipv4 source address

match ipv4 destination address

match transport source-port

match transport destination-port

match interface input physical snmp

match interface output physical snmp

collect counter bytes

collect counter packets

 

flow exporter NTA

destination 10.x.x.x

source GigabitEthernet0/48

transport udp 2055

export-protocol netflow-v5

option interface-table

option exporter-stats

 

flow monitor NetFlowMonitor

record SolarWinds

exporter NTA

 

#show flow exporter

Flow Exporter NTA:

  Export protocol:          NetFlow Version 5

  Transport Configuration:

    Destination IP address: 10.x.x.x

    Source IP address:      10.y.y.y

    Source Interface:       GigabitEthernet0/48

    Transport Protocol:     UDP

    Destination Port:       2055

    Source Port:            53509

    DSCP:                   0x0

    TTL:                    255

    Output Features:        Not Used

  Options Configuration:

    interface-table (timeout 600 seconds)

    exporter-stats (timeout 600 seconds)

 

#show flow monitor

Flow Monitor NetFlowMonitor:

  Description:       User defined

  Flow Record:       SolarWinds

  Flow Exporter:     NTA (inactive)

  Cache:

    Type:              normal

    Status:            not allocated

    Size:              128 entries / 0 bytes

  Cache:

    Type:              normal (Platform cache)

    Status:            not allocated

    Size:              Unknown

  Timers:

                       Local        Global

    Inactive Timeout:  15 secs

    Active Timeout:    1800 secs    1800 secs

    Update Timeout:    1800 secs

 

#show flow record

flow record SolarWinds:

  Description:        Solarwinds Flow Template

  No. of users:       1

  Total field space:  29 bytes

  Fields:

    match ipv4 protocol

    match ipv4 source address

    match ipv4 destination address

    match transport source-port

    match transport destination-port

    match interface input physical snmp

    match interface output physical snmp

    collect counter bytes

    collect counter packets


How can I create individual charts for individual interfaces?


I need to monitor, analyze and display the traffic (application) of 2 different interfaces of 2 different Cisco routers. I have configured NetFlow on the routers. NTA is showing the traffic in a combined way, i.e. in a single pie chart.

How can I create two different pie charts for two different interfaces in a single view and place them side by side?

Reporting on NetFlow data


I've been asked by our Security team for reporting on our internet connections.  They want who's going where and for what content.

 

First, I would think that a report like this should already be available.  It seems like a no-brainer to me 

 

However, the canned web console reports don't have the ability to filter to specific interfaces, and Report Writer doesn't have any NetFlow data sources.  I find this ridiculous at best, and aggravating at worst.

 

What's the point of having all the NetFlow data if I can't report on it?

 

Has anybody else faced this situation?

Can you monitor Nexus 9K using NTA


Is it possible to monitor traffic with NTA on a Cisco Nexus 9000?  I've found info on a Cisco forum which states NetFlow is not supported.  Is there any workaround for this type of device?

 

Here's some info about my device...

9372-100# sh ver

Cisco Nexus Operating System (NX-OS) Software

 

Software

  BIOS: version 07.17

  NXOS: version 6.1(2)I3(3a)

  NXOS image file is: bootflash:///n9000-dk9.6.1.2.I3.3a.bin

 

Hardware

  cisco Nexus9000 C9372PX chassis

  Intel(R) Core(TM) i3-3227U C with 16402544 kB of memory.

  Processor Board ID SAL19089Z7N

plugin

  Core Plugin, Ethernet Plugin

Has ANYONE got Flexible Netflow working on 4500 with Sup7 that is understandable by Solarwinds Netflow


Hi, I have been trying to work with Cisco over the past 4 weeks to get Flexible Netflow to work properly with Orion/NTA with zero success. This is a 4507R+E with dual Sup 7's

I have the works TAC support person, but that's beside the point. I've spoken with SW and didn't get the warm and fuzzies on their answers either.

It appears to me I will not be able to monitor layer "virtual" interfaces on the 4507, which is unacceptable and if the case I will raise a stink with Cisco once I get it working.

So my questions are:

Does it even work? This hardware, Flexible Network and NTA 3.7?

The commands take and it just seems like NTA doesn't accept them, I'm guessing they are missing something like TOS, but this is not the same as regular Netflow.

I have been testing many permutations, but I either get the traffic in NTA showing that it is coming from all interfaces, or it doesn't see any at all.

 Here's the config I am testing with today:

flow record ipv4
! match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect interface input
!
!
flow exporter NetFlow-to-Orion
 destination 10.10.10.1
 source vlan254
 transport udp 2055
 export-protocol netflow-v5
!
!
flow monitor NetFlow-Monitor
 description Original Netflow captures
 record ipv4
 exporter NetFlow-to-Orion

vlan configuration 254
 ip flow monitor NetFlow-Monitor input

 

Any help would be great

 

Bob

Netflow configure Cisco ASR 1002


We just installed a Cisco ASR 1002. The old NetFlow commands used in our 3845 do not work. Has anyone set configuration to export Top-Talkers?

 

Thanks

Netflow configuration on multiple interfaces and sub-interfaces


Hi,

 

I configured netflow on cisco router 2921 and here is my config..

ip flow-export source Gigabitethernet 0/1

ip flow-export source Gigabitethernet 0/2

ip flow-export source Gigabitethernet 0/0

ip flow-export version 5

ip flow-export destination 131.x.x.x 2055

 

 

I also configure this on each interface

Interface Gigabitethernet 0/0

ip flow ingress

ip flow egress

ip route-cache flow

 

Interface Gigabitethernet 0/1

ip route-cache flow

Interface Gigabitethernet 0/1.55

ip flow ingress

ip flow egress

ip route-cache

Interface Gigabitethernet 0/1.56

ip flow ingress

ip flow egress

ip route-cache

 

Interface Gigabitethernet 0/2

ip flow ingress

ip flow egress

ip route-cache flow

 

 

when I performed show run on the router this is the configuration that appeared:

ip flow-export source Gigabitethernet 0/0

ip flow-export version 5

ip flow-export destination 131.x.x.x 2055

 

I noticed that the last source (Gigabitethernet0/0) that I typed was the source that was registered on the router

What could be the effect of this configuration?

Gigabitethernet0/1 and Gigabitethernet0/2 are on the public side of the router. I want to monitor the traffic that is going in and out of these interfaces because I have VPN tunnels configured on these interfaces (Gigabitethernet 0/1.55 and Gigabitethernet0/1.56).

Did I enter the right configuration for my router?

By the way my Solarwinds server resides on the Gigabitethernet0/0 network.

 

Please help..

Thank you very much!

Do we have a document where we can find the device wise Netflow methods needs to be enabled for NTA


Hi Team,

 

I am looking for the document which gives me information on "Device wise Netflow methods" which needs to be enabled at Network device level to add them in NTA for Network traffic analyses.


NTA Flow Storage Data space issue


Hi,

 

We have Orion with NPM (12.2) and NTA (4.2.3). NTA is installed on a separate server, but in C: drive.

 

Since one month, the drive is getting full (99%) and server team asked us to remove some data. We are working on multiple clients and having Solarwinds environments. We never got any problem like this, except this one and never cleaned up NTA flow storage data space/files.

 

Based on our request, they have increased 60GB as well on C: drive. Still it is reaching 98% in one week. May we remove some old data, if need be or we should not remove any historical data as attached here.

NTA FSDB High Availability using MS Cluster 2016


Dear Solarwinds Experts,

 

We have to move from an existing stand-alone NTA solution to a highly available NTA solution with remote FSDB.

 

Below is information available in SolarWinds site.

http://www.solarwinds.com/documentation/en/flarehelp/netflow/content/nta-setting-up-nta-flow-storage-database-covered-by-ms-failover-cluster-sw425.htm

 

Option 1 : Using MS cluster with a SAN drive

Option 2 : Using FOE ( Reached its End of Life).

 

With no choice, we validated option 1, but SAN makes things bit complicated for us and so we drafted below architecture

 

NTA FSDB

Points considered:

> A stretch cluster(between 2 DC) will be created across DC1 and DC2 with dedicated storage(flash) at each node.

> MS storage replication will be enabled using cluster failover wizard.

> Configure a witness quorum file share of Solarwinds Orion Server

 

Looking forward for your inputs and feedback with respect to this solution

NetFlow Probe/Agent for Linux - SoftFlowD is an alternative to NProbe


Problem

I was looking for an alternative to NProbe as a NetFlow Probe/Agent for CentOS, as NProbe is not free and I wanted something that I could run as a Probe only and in daemon mode.  After looking at various options, I settled on SoftFlowD as an alternative and thought that I would share with the community how exactly I did it.  It works like a dream for me so enjoy!!!

 

Installing SoftFlowD as a TCP Flow Based Probe

The following is a description of how we can install a TCP Flow based probe to capture the data going in and out of a CentOS Linux server and to export this in NetFlow Version 5 format to a collector for further analysis.

First of all, we need to ensure that we have a few utilities installed on the server to satisfy the dependencies.

[root@wbcphpxy01 ~]# yum install libtool automake autoconf python-devel libpcap-devel

 

Once these are installed, then let’s get a copy of the softflowd compressed source files:-

 

[root@wbcphpxy01 ~]# cd /root

[root@wbcphpxy01 ~]# wget http://softflowd.googlecode.com/files/softflowd-0.9.9.tar.gz

--2013-09-30 11:17:13--  http://softflowd.googlecode.com/files/softflowd-0.9.9.tar.gz

Resolving softflowd.googlecode.com... 173.194.70.82, 2a00:1450:4001:c02::52

Connecting to softflowd.googlecode.com|173.194.70.82|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 91939 (90K) [application/x-gzip]

Saving to: ‘softflowd-0.9.9.tar.gz’

100%[======================================>] 91,939      --.-K/s   in 0.1s

2013-09-30 11:17:13 (673 KB/s) - ‘softflowd-0.9.9.tar.gz’

 

Now let’s decompress them:-

 

[root@wbcphpxy01 ~]# tar -zxvf softflowd-0.9.9.tar.gz

softflowd-0.9.9

softflowd-0.9.9/softflowctl.8

softflowd-0.9.9/.hg_archival.txt

softflowd-0.9.9/.cvsignore

softflowd-0.9.9/.hgtags

softflowd-0.9.9/LICENSE

softflowd-0.9.9/Makefile.in

softflowd-0.9.9/README

softflowd-0.9.9/TODO

softflowd-0.9.9/aclocal.m4

softflowd-0.9.9/closefrom.c

softflowd-0.9.9/collector.pl

softflowd-0.9.9/common.h

softflowd-0.9.9/configure.ac

softflowd-0.9.9/convtime.c

softflowd-0.9.9/convtime.h

softflowd-0.9.9/daemon.c

softflowd-0.9.9/freelist.c

softflowd-0.9.9/freelist.h

softflowd-0.9.9/install-sh

softflowd-0.9.9/log.c

softflowd-0.9.9/log.h

softflowd-0.9.9/mkinstalldirs

softflowd-0.9.9/netflow1.c

softflowd-0.9.9/netflow5.c

softflowd-0.9.9/netflow9.c

softflowd-0.9.9/softflowd.sysconfig

softflowd-0.9.9/softflowctl.c

softflowd-0.9.9/softflowd.8

softflowd-0.9.9/softflowd.c

softflowd-0.9.9/softflowd.h

softflowd-0.9.9/softflowd.init

softflowd-0.9.9/softflowd.spec

softflowd-0.9.9/strlcat.c

softflowd-0.9.9/strlcpy.c

softflowd-0.9.9/sys-tree.h

softflowd-0.9.9/treetype.h

softflowd-0.9.9/configure

softflowd-0.9.9/config.h.in

 

Now that we have uncompressed the files, let’s change to the relevant directory and then run the configuration script that checks whether you have the relevant programs dependencies such as gcc in place and where those binaries are on your system:-

 

[root@wbcphpxy01 ~]# cd softflowd-0.9.9

 

[root@wbcphpxy01 softflowd-0.9.9]# ./configure

checking for gcc... gcc

checking whether the C compiler works... yes

checking for C compiler default output file name... a.out

checking for suffix of executables...

checking whether we are cross compiling... no

checking for suffix of object files... o

checking whether we are using the GNU C compiler... yes

checking whether gcc accepts -g... yes

checking for gcc option to accept ISO C89... none needed

checking for a BSD-compatible install... /usr/bin/install -c

checking how to run the C preprocessor... gcc -E

checking for grep that handles long lines and -e... /bin/grep

checking for egrep... /bin/grep -E

checking for ANSI C header files... yes

checking for sys/types.h... yes

checking for sys/stat.h... yes

checking for stdlib.h... yes

checking for string.h... yes

checking for memory.h... yes

checking for strings.h... yes

checking for inttypes.h... yes

checking for stdint.h... yes

checking for unistd.h... yes

checking net/bpf.h usability... no

checking net/bpf.h presence... no

checking for net/bpf.h... no

checking pcap.h usability... yes

checking pcap.h presence... yes

checking for pcap.h... yes

checking pcap-bpf.h usability... yes

checking pcap-bpf.h presence... yes

checking for pcap-bpf.h... yes

checking for struct sockaddr.sa_len... no

checking for struct ip6_ext.ip6e_nxt... yes

checking for library containing daemon... none required

checking for library containing gethostbyname... none required

checking for library containing socket... none required

checking for pcap_open_live in -lpcap... yes

checking for closefrom... no

checking for daemon... yes

checking for setresuid... yes

checking for setreuid... yes

checking for setresgid... yes

checking for setgid... yes

checking for strlcpy... no

checking for strlcat... no

checking for u_int64_t... yes

checking for int64_t... yes

checking for uint64_t... yes

checking for u_int32_t... yes

checking for int32_t... yes

checking for uint32_t... yes

checking for u_int16_t... yes

checking for int16_t... yes

checking for uint16_t... yes

checking for u_int8_t... yes

checking for int8_t... yes

checking for uint8_t... yes

checking size of char... 1

checking size of short int... 2

checking size of int... 4

checking size of long int... 4

checking size of long long int... 8

configure: creating ./config.status

config.status: creating Makefile

config.status: WARNING:  'Makefile.in' seems to ignore the --datarootdir setting

config.status: creating config.h

 

Now we need to run the make utility to build a binary executable ready to install, which is customised to your environment:-

 

[root@wbcphpxy01 softflowd-0.9.9]# make

gcc -g -O2 -DFLOW_SPLAY          -DEXPIRY_RB             -I.   -c -o softflowd.o softflowd.c

gcc -g -O2 -DFLOW_SPLAY          -DEXPIRY_RB             -I.   -c -o log.o log.c

gcc -g -O2 -DFLOW_SPLAY          -DEXPIRY_RB             -I.   -c -o netflow1.o netflow1.c

gcc -g -O2 -DFLOW_SPLAY          -DEXPIRY_RB             -I.   -c -o netflow5.o netflow5.c

gcc -g -O2 -DFLOW_SPLAY          -DEXPIRY_RB             -I.   -c -o netflow9.o netflow9.c

gcc -g -O2 -DFLOW_SPLAY          -DEXPIRY_RB             -I.   -c -o freelist.o freelist.c

gcc -g -O2 -DFLOW_SPLAY          -DEXPIRY_RB             -I.   -c -o convtime.o convtime.c

gcc -g -O2 -DFLOW_SPLAY          -DEXPIRY_RB             -I.   -c -o strlcpy.o strlcpy.c

gcc -g -O2 -DFLOW_SPLAY          -DEXPIRY_RB             -I.   -c -o strlcat.o strlcat.c

gcc -g -O2 -DFLOW_SPLAY          -DEXPIRY_RB             -I.   -c -o closefrom.o closefrom.c

gcc -g -O2 -DFLOW_SPLAY          -DEXPIRY_RB             -I.   -c -o daemon.o daemon.c

gcc  -o softflowd softflowd.o log.o netflow1.o netflow5.o netflow9.o freelist.o convtime.o strlcpy.o strlcat.o closefrom.o daemon.o -lpcap

gcc -g -O2 -DFLOW_SPLAY          -DEXPIRY_RB             -I.   -c -o softflowctl.o softflowctl.c

gcc  -o softflowctl softflowctl.o convtime.o strlcpy.o strlcat.o closefrom.o daemon.o -lpcap

 

Now that we have a binary ready for installing, we just need to install the application on your system:-

 

[root@wbcphpxy01 softflowd-0.9.9]# make install

[ -d /usr/local/sbin ] || \./mkinstalldirs /usr/local/sbin

[ -d /usr/local/share/man/man8 ] || \./mkinstalldirs /usr/local/share/man/man8

/usr/bin/install -c -m 0755 -s softflowd /usr/local/sbin/softflowd

/usr/bin/install -c -m 0755 -s softflowctl /usr/local/sbin/softflowctl

/usr/bin/install -c -m 0644 softflowd.8 /usr/local/share/man/man8/softflowd.8

/usr/bin/install -c -m 0644 softflowctl.8 /usr/local/share/man/man8/softflowctl.8

[root@wbcphpxy01 softflowd-0.9.9]#

 

Now that we have a working copy of softflowd on the system, we can review the help file for the application by typing the following:-

 

[root@wbcphpxy01 ~]# softflowd -h

-i or -r option not specified.

Usage: softflowd [options] [bpf_program]

This is softflowd version 0.9.9. Valid commandline options:

  -i [idx:]interface Specify interface to listen on

  -r pcap_file       Specify packet capture file to read

  -t timeout=time    Specify named timeout

  -m max_flows       Specify maximum number of flows to track (default 8192)

  -n host:port       Send Cisco NetFlow(tm)-compatible packets to host:port

  -p pidfile         Record pid in specified file

                     (default: /var/run/softflowd.pid)

  -c pidfile         Location of control socket

                     (default: /var/run/softflowd.ctl)

  -v 1|5|9           NetFlow export packet version

  -L hoplimit        Set TTL/hoplimit for export datagrams

  -T full|proto|ip   Set flow tracking level (default: full)

  -6                 Track IPv6 flows, regardless of whether selected

                     NetFlow export protocol supports it

  -d                 Don't daemonise (run in foreground)

  -D                 Debug mode: foreground + verbosity + track v6 flows

  -s sampling_rate   Specify periodical sampling rate (denominator)

  -h                 Display this help

 

Now, we should be able to run the software in Debug mode in the foreground using the following command to ensure that we see the relevant messages (especially error messages):-

 

[root@wbcphpxy01 ~]# softflowd -D -v 5 -i eth0 -n 10.20.30.15:2055 -T full

Using eth0 (idx: 0)

softflowd v0.9.9 starting data collection

Exporting flows to [10.20.30.15]:iop

ADD FLOW seq:1 [10.170.1.201]:1335 <> [10.170.5.251]:22 proto:6

ADD FLOW seq:2 [10.140.42.250]:58374 <> [239.255.255.250]:1900 proto:17

ADD FLOW seq:3 [10.170.5.101]:0 <> [224.0.0.252]:0 proto:2

ADD FLOW seq:4 [10.170.5.101]:0 <> [239.255.255.250]:0 proto:2

...

 

In the above example, the following explains each of the switches I have used:-

 

-D                   Debug mode, which brings this to the foreground
-v 5                 Version 5 of NetFlow
-i eth0              The Interface number
-n 10.20.30.15:2055  The target host IP address and port number of the collector/analyser
-T full              All protocols

 

Now running this in Debug mode is useful if you want to make sure that it is working, but it is more useful to have this running in the background, so the way we do that is to remove the -D statement in the options like such and you will just see the command prompt come back:-

 

[root@wbcphpxy01 ~]# softflowd -v 5 -i eth0 -n 10.20.30.15:2055 -T full

[root@wbcphpxy01 ~]#

 

You can still see that the flows are being “recorded” and that they are being exported in NetFlow version 5 and sent to, in this case, 10.20.30.15 using destination port 2055.  This is done using a utility such as TCPDUMP:-

[root@wbcphpxy01 ~]# tcpdump -n -v dst port 2055

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

14:14:01.426775 IP 10.170.5.251.35829 > 10.20.30.15.iop: UDP, length 312

14:15:01.185508 IP 10.170.5.251.35829 > 10.20.30.15.iop: UDP, length 408

14:16:01.944233 IP 10.170.5.251.35829 > 10.20.30.15.iop: UDP, length 168

 

Now all this is fine, but it really only becomes useful if we can stop/start and restart the application like a service and have this enabled after the server has had a reboot.  To do this we edit a file called /etc/init.d/softflowd and empty the following contents into the file and save it:-

 

#!/bin/bash
#
# chkconfig: 2345 80 30
# description: SoftFlow Daemon Service
### BEGIN INIT INFO
# Provides: SOFTFLOWD
# Short-Description: Start/Stop/Restart SOFTFLOWD TCP Flow Probe
### END INIT INFO
#
# SOFTFLOWD This init.d script is used to start SOFTFLOWD.
#
SOFTFLOWD=/usr/local/sbin/softflowd
VERSION="5"
INTERFACE="eth0"
COLLECTOR="10.20.30.15"
CPORT="2055"
PID_FILE="/var/run/softflowd.pid"
OPTIONS="-v ${VERSION} -i ${INTERFACE} -n ${COLLECTOR}:${CPORT} -T full -p ${PID_FILE}"

# Launch the probe; softflowd records its pid in ${PID_FILE}
start_SOFTFLOWD() {
    ${SOFTFLOWD} ${OPTIONS} > /dev/null &
    return 0
}

# Stop the probe using the recorded pid, discarding any output from kill
stop_SOFTFLOWD() {
    if [ -f "${PID_FILE}" ]; then
        kill "$(cat "${PID_FILE}")" > /dev/null 2>&1
        rm -f "${PID_FILE}"
    fi
}

########
case "$1" in

start)
    echo -n "Starting SOFTFLOWD"
    start_SOFTFLOWD
    echo " Done."
    ;;

stop)
    echo -n "Stopping SOFTFLOWD"
    stop_SOFTFLOWD
    echo " Done."
    ;;

restart)
    echo -n "Restarting SOFTFLOWD"
    stop_SOFTFLOWD
    sleep 1
    start_SOFTFLOWD
    echo " Done."
    ;;

*)
    echo "Usage: /etc/init.d/SOFTFLOWD {start|stop|restart}"
    exit 1
    ;;
esac

exit 0

 

After saving the file, we need to change the file permissions to:-

 

[root@wbcphpxy01 ~]# chmod 755 /etc/init.d/softflowd

 

Now let’s make the script a loadable initialisation script as part of the “service <application name> start” function by adding this with the chkconfig command:-

 

[root@wbcphpxy01 ~]# chkconfig --add softflowd

 

If you need to remove the script from being initiated at boot up as a service, then issue the following:-

 

[root@wbcphpxy01 ~]# chkconfig --remove softflowd

 

Finally, let’s start the service:-

 

[root@wbcphpxy01 ~]# service softflowd start

Start SOFTFLOWD Done.
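
An added example, not part of the original post or of softflowd: a NetFlow v5 decoder of the kind a collector-side check could run on the datagrams seen in the tcpdump capture above, rejecting any packet whose header count does not match its real length. The sample datagram is constructed from the flow tuples in the debug output; its counters, timestamps and interface indexes are made-up values.

```python
"""Validate and decode NetFlow v5 export datagrams (added example)."""
import socket
import struct

# NetFlow v5 wire format: 24-byte header, then 1..30 records of 48 bytes each.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")
MAX_RECORDS = 30


class NetFlowV5Error(ValueError):
    """Raised when a datagram is not a well-formed NetFlow v5 export."""


def records_for_length(udp_payload_len):
    """Record count implied by a UDP payload length, or None if impossible."""
    body = udp_payload_len - HEADER.size
    if body < RECORD.size or body % RECORD.size:
        return None
    count = body // RECORD.size
    return count if count <= MAX_RECORDS else None


def parse_netflow_v5(datagram):
    """Decode one datagram; raise NetFlowV5Error on anything malformed."""
    if len(datagram) < HEADER.size:
        raise NetFlowV5Error("shorter than the 24-byte header")
    (version, count, uptime_ms, unix_secs, _nsecs, sequence,
     _engine_type, _engine_id, _sampling) = HEADER.unpack_from(datagram)
    if version != 5:
        raise NetFlowV5Error("version %d, expected 5" % version)
    if not 1 <= count <= MAX_RECORDS:
        raise NetFlowV5Error("record count %d out of range" % count)
    # The count field is sender-controlled, so check it against the real size.
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise NetFlowV5Error(
            "length %d does not match count %d" % (len(datagram), count))
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, _first, _last,
         sport, dport, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask) = RECORD.unpack_from(
             datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src), "src_port": sport,
            "dst": socket.inet_ntoa(dst), "dst_port": dport,
            "protocol": proto, "tcp_flags": tcp_flags,
            # v5 carries the SNMP ifIndex of the input and output interfaces
            "input_ifindex": in_if, "output_ifindex": out_if,
            "packets": pkts, "bytes": octets,
        })
    return {"count": count, "sequence": sequence, "unix_secs": unix_secs,
            "uptime_ms": uptime_ms, "flows": flows}


def build_sample_datagram():
    """Constructed input: three records, so 24 + 3 * 48 = 168 bytes."""
    sample = [  # (src, sport, dst, dport, proto, packets, bytes), made up
        ("10.170.1.201", 1335, "10.170.5.251", 22, 6, 42, 5120),
        ("10.140.42.250", 58374, "239.255.255.250", 1900, 17, 4, 700),
        ("10.170.5.101", 0, "224.0.0.252", 0, 2, 1, 32),
    ]
    out = HEADER.pack(5, len(sample), 60000, 1380536041, 0, 1, 0, 0, 0)
    for src, sport, dst, dport, proto, pkts, octets in sample:
        out += RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst),
            socket.inet_aton("0.0.0.0"), 0, 0, pkts, octets,
            1000, 59000, sport, dport, 0x18 if proto == 6 else 0,
            proto, 0, 0, 0, 0, 0)
    return out


if __name__ == "__main__":
    # UDP payload lengths reported by tcpdump in the post
    for length in (312, 408, 168):
        print(length, "bytes ->", records_for_length(length), "records")
    for flow in parse_netflow_v5(build_sample_datagram())["flows"]:
        print(flow)
```
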

Configure Cisco Router for Netflow



I have spent many days trying to get my Cisco routers (12.4) working with the Network Traffic Analysis and nothing seems to be working (no firewalls are blocking).

 Can someone provide a cisco config that actually works with this tool?  Ideally, I want to capture sub-interfaces and also our WAN interface (multilink and/or serial interfaces). 

interface Multilink1
ip flow egress

ip flow-export source Multilink 1
ip flow-export version 9 (have tried ver 5 as well)
ip flow-export destination x.x.x.x 2055

 In the network analysis site

NetFlow Receiver Service [server] is receiving a NetFlow data stream from an unmanaged interface on 172.x.x.x. The NetFlow data stream will be discarded. Please use the Orion System Manager to add Interface #14 in order to process this NetFlow data stream.

 
What does it mean by Interface #14? We only have 4 interfaces on the router.  All interfaces are setup in Orion. 

Which Ports to Configure for Netflow?


Hello,

 

I am trying to set up Solarwinds NTA but I am having a bit of trouble conceptualising the deployment and configuration. Can someone advise on which ports Netflow should be enabled within a multi-campus network environment?

 

I have three sites A, B and C that are connected with WAN links (A to B, B to C and C to A). There is a Cisco 3850 core switch at each site which is capable of doing Cisco Flexible Netflow. My question is on which interfaces should I enable Netflow on the cores?

 

I presume to enable it on the L3 WAN Link ports between each of the sites.

 

1. Should I enable Netflow on the trunk ports between the Core and Edge Switches at each site?

 

2. For each interface where Netflow is enabled, what direction should it be enabled for (Ingress, Egress or Both)? I did find this article which said not to enable both Ingress and Egress capture for Netflow interfaces due to double-capturing data. But if you just enable Ingress monitoring on each interface then the Egress statistics in NTA are blank.  Should this be how it is done?

 

3. How is traffic between two ports on the same VLAN, on the same edge switch captured by Netflow? Or is NTA with Netflow only designed to capture routed traffic?

 

Thanks


Netflow on Meraki


Hello!

 

We have some Meraki MX64 appliances in our network and wanted to monitor Netflow from these devices. However, we encountered some errors with regards to the V9 template, and found out the reason in the Meraki documentation below:

 

NetFlow Overview - Cisco Meraki

 

"SolarWinds NTA ignores Netflow packets that do not contain either an SNMP ingress or egress interface index. The MX and Z1 do not support exporting an SNMP ingress or egress interface index via NetFlow."

 

Is there currently a workaround for this? Is this being considered on the road map for NTA or are we on Meraki's mercy?

 

Thanks in advance.

 

Paulo

Nexus 7K and NetFlow unmanaged interface 'does not support SNMP'


NetFlow Receiver Service [SOLARWINDS ] is receiving flow data from unmanaged interface '#334' on NEXUS7K and it does not support SNMP. Click the "Add this interface" to manage interface and process its flow data.

 

Receiving these alerts after implementing Netflow config on our Nexus devices. The Nexus are already monitored in SolarWinds orion, it knows about the interfaces already and polls them via the Mgmt0 interfaces.

 

I can "Add this interface" but 1) it's hard to determine which "NTA Virtual Interface #333" is which actual interface and 2) if I change it to Ethernet 1/1, but that's already monitored, now I have 2 instances of e1/1, one that has the NetFlow data but is in a constant "unknown" state and then one whose Tx/Rx, etc. is properly reported.

 

Is there either 1) a way to tie these interfaces together. or b) and more ideally, have NTA properly and automatically determine which interface is which.

 

I'm not sure why it's saying it does not support SNMP.

 

Using Ver5 Netflow on the exporters.

 

Thanks.
