Csr1000v netflow source IP

I have 3 CSR's setup and working.  Trying to get netflow to work.  One works just fine but the other two aren't.  Same configuration across the board, destination IP, source interface etc.  The two that don't work look like they are pulling a source IP address off an interface that isn't the specified one:
Flow Exporter nflow:
  Description:              User defined
  Export protocol:          NetFlow Version 9
  Transport Configuration:
    Destination IP address: 172.17.195.95
    Source IP address:      Public IP on Gig 3
    Source Interface:       GigabitEthernet1
    Transport Protocol:     UDP
    Destination Port:       2055
    Source Port:            52340
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Used
interface GigabitEthernet1
 description management
 vrf forwarding MGMT
 ip address 172.17.195.199 255.255.255.0
 negotiation auto
I have removed and reconfigured it numerous times but it will not stop grabbing the public ip assigned to a totally different interface.  You can't specify anything but the source interface in the exporter config:
flow exporter nflow
 destination 172.17.195.95
 source GigabitEthernet1
 transport udp 2055
 template data timeout 60

Hello Syed,
Without the 'Run on all nodes' option, the call will originate from the 1st node of the device pool assigned to the SIP trunk.
With Run on all Active Unified CM Nodes enabled,  outbound SIP trunk calls originate from the same node on which the  inbound call (for example, from a phone or trunk) is received.
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/8x/uc8x/trunks.html#wp1123026
//Suresh
Please rate all the useful posts.

Similar Messages

  • VRF as a NetFlow source

    Is it possible to make a VRF as a NetFlow and SNMP traps source on 12.2SR IOS release?

    Hi,
    As you specify the source-interface, just put this interface in a VRF and it should be fine.
    I made a quick test for SNMP and it's working. I used the snmp-server trap-source command.
    HTH
    Laurent.

  • How netflow works with ASA Firepower and Virtual Defense ?

    Hi,
     In the discovery rules of the Virtual Defense, I can see that it's possible to configure a NetFlow source. I have a pair of Cisco 4500X as the L3 core switch, and would like to send a flow to the IPS.
     I configure the switch like that :
    flow record IPV4-FLOW-RECORD
     match ipv4 tos
     match ipv4 protocol
     match ipv4 source address
     match ipv4 destination address
     match transport source-port
     match transport destination-port
     collect interface input
     collect interface output
     collect counter bytes long
     collect counter packets long
    flow exporter Firepower
     source Vlan12
     destination IP_OF_tHE_ASA_IPS_MODULE
    flow monitor IPV4-FLOW
     exporter Firepower
     cache timeout inactive 30
     cache timeout active 60
     cache entries 1000
     record IPV4-FLOW-RECORD
    vlan configuration 100-102 ip flow monitor IPV4-FLOW input
    Is this the correct configuration? I can't see how to check in Virtual Defense whether it is receiving NetFlow packets.

    SOLUTION!
    Install a second NIC bind vmnet0 to eth1 instead of eth0
    Details:
    Goal was to have the Host OS (Ubuntu 8.04) which is running an Apache web server also serve as an e-mail gateway (SpamTitan) since on a heavy day the web server might hit 5% CPU.
    Why buy a whole new machine, right?
    When it did not work right away I went into troubleshooting mode and tried several different things as mentioned above. Which led me to the idea to create my own VM of SpamTitan and bind it to a different NIC.
    Before I went that far I tried reassigning vmnet0 from eth0 to my newly installed eth1 and running it. That seems to have done the trick!
    So now the setup is:
    eth0 192.168.2.4
    eth1 192.168.2.5
    vmnet0 192.168.2.6
    With vmnet0 bridged to eth1
    Why is it working now and not before?
    I am unsure. It is not a Linux thing because I tried both Windows XP and OS X 10.5 with the same result. I think it has more to do with primary network and associated services than Host OS.
    If anyone has any insight please let me know. Otherwise I am going to chase it down later.
    Thanks again for your responses!

  • AVC, Netflow and Flexconnect APs

    Hi all,
    I have a few questions, in case anybody has solved the same problem.
    My situation: a few branches with FlexConnect APs (in each of them). The APs are set as locally switched for some SSIDs (to save WAN connectivity) and centrally switched for others. WLC code 7.4.
    I was very much looking forward to implementing AVC. AVC works fine, but only on centrally switched SSIDs - this is a big problem.
    Is there any way to export traffic info for a locally switched SSID?
    I was wondering if a LAP can serve as a NetFlow source (when I'm unable to see AVC data)?
    Any idea?
    Thnx

    Hi,
    First: AVC will not work if you have locally switched SSIDs.
    If you checked local switching under the SSID, then the AP will handle the traffic on its own, without sending the packets to the WLC, hence the WLC does not know what the users are using.
    2nd: http://mrncciew.com/2013/02/12/configuring-netflow-on-wlc-7-4/
    Regards

  • NetFlow on MPLS PE

    Hi,
    I have a customer requiring NetFlow data sent to them from the PE router. Is there a way to enable NetFlow only for a specific VRF?

    Hi Carlos,
    Thanks a lot for the response. It is quite helpful. This doc describes a case in which NetFlow is sent to provider collector.
    I want the NetFlow source interface and destination collector address to be in the same VPN so that it can be sent to the customer collector. Otherwise, because of IP address space overlapping, it's quite complex to 'NAT' addresses to get to the customer destination via the backbone network.
    Thanks again.

  • Netflow not reporting Egress traffic on 6509 Vlan

    Hi...
    We have a pair of 6509 working in a VSS configuration (IOS 12.2(33)SX5). The 6509s connect to a pair of ASAs (7.2 code) running in an Active/Standby setup. These ASAs in turn connect to routers going to remote sites. I have configured Netflow on the following VLANS,
    VLAN 10 - Servers Vlan
    VLAN 9 - Transit/ASA VLAN (connects ASAs to 6509s). All traffic originating from any VLAN on the 6509 crosses this VLAN in order to reach remote sites and vice versa
    I configured the netflow source VLAN 11 although I am not collecting any netflow from it.
    Although I have been getting lots of Netflow info, I noticed that netflow for traffic originating from any user VLAN on the 6509s going to any remote site via TRANSIT/ASA VLAN(9) does not get reported, I even tested with 4 GB traffic but no result. Only reverse traffic (i.e. from remote site to user VLAN) is reported as it traverses the Transit VLAN (9).
    I read somewhere that egress netflow is not supported in 6500, but isn't traffic originating from a user vlan to a remote site via the transit VLAN (9) considered ingress with respect to the transit VLAN (9)?
    I would like to know whether bidirectional Netflow is supported on 6500 VLANS. I have minimum control on routers beyond the ASAs, and since these ASAs run 7.2 code netflow is not supported, and monitoring this Transit Vlan gives me extremely useful info.
    I do get bidirectional netflow traffic from the Server Vlan 10, but I think it is correlated by the netflow collector from vlans 9 and 10
    Below is a show run | inc flow
    ip flow-cache timeout active 1
    ip flow ingress layer2-switched vlan 9,10
    mls netflow interface
    mls flow ip interface-full
    interface vlan 9
    ip flow ingress
    ip flow egress
    interface vla 10
    ip flow ingress
    ip flow egress
    ip flow-export source vlan11
    ip flow-export version 9
    ip flow-export destination 10.10.10.10 2055
    All help is appreciated.
    Thanks

    Hi,
    So if I want to capture traffic out only one specific interface is there any option to do that in catalyst 6500.
    If I made only that specific interface in another vlan and if under the interface vlan , I give "ip flow ingress" will this capture the outgoing traffic through the interface while it is doing intervlan routing. Also is it must to give ip address in that vlan interface ? Please clarify.

  • Netflow reporting via SNMP

    Looking for a Cisco config doc that talks about Netflow reporting via SNMPv3.
    We have several routers (7600) that do not support Netflow (only on flexwan card), so our plan is to use SNMPv3 reporting.
    I have a Cisco Netflow document on reporting via SNMPv2c but cannot find any good examples using SNMPv3.
    Thanks
    Frank

    Hello Racquel,
    You cannot  explicitly view netflow messages within MARS. Once the MARS starts to see a flow of netflow messages it will collect and collate the information for 7 days (including a weekend). This will then produce a baseline for this netflow source. After 7 days MARS will switch from collecting to monitoring. In monitoring state MARS will, using predefined internal metrics, determine if newer netflow records indicate exceptional traffic. If this is the case, then the MARS will generate an incident on the GUI. Over time, the MARS will adjust the baseline values using the received netflow records.
    If you select to store IOS or ASA netflow records (admin -> system setup -> netflow configuration), then the records will be written to the internal database and archived (if configured). This will impact disk usage but would mean that if you needed to recover the MARS from archive after failure (re-image or RMA) then you could recover the baseline settings. Also, if you write them to disk, you can then export the raw netflow records to a file (admin -> system maintenance -> retrieve raw messages), but you will need to provide some external means of processing them.
    Matthew

  • What is "Source ID" in Netflow V9 Packet Header

    Hi,
    My question is regarding the "Source ID" field that appears in Netflow V.9 packet header. Following Cisco link (http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.pdf) gives Source ID definition as -
    "The Source ID field is a 32-bit value that is used to guarantee uniqueness for all flows exported from a particular device. (The Source ID field is the equivalent of the engine type and engine ID fields found in the NetFlow Version 5 and Version 8 headers). The format of this field is vendor specific. In the Cisco implementation, the first two bytes are reserved for future expansion, and will always be zero. Byte 3 provides uniqueness with respect to the routing engine on the exporting device. Byte 4 provides uniqueness with respect to the particular line card or Versatile Interface Processor on the exporting device."
    I am using "Source ID" (combined with template id) to uniquely identify options templates exported by different routers. At our new lab setup, where we have more than one router configured to export Netflow, I observed that all the routers were exporting the "Source ID" value as "0" (zero). This invalidated the assumption that I had formed based on the definition from the above Cisco doc.
    I assumed -
    SourceID    Template Id  Unique Key
    source1       256              source1-256
    source1       257              source1-257
    source2       256              source2-256
    source3       258              source3-258
    But, I observed
    SourceID    Template Id  Unique Key
    0                  256              0-256
    0                  257              0-257
    0                  256              0-256
    0                  258              0-258
    Thus, same template id(256) from different routers(source1, source3) eventually form same unique key and breaks my code.
    I would like to know if my interpretation that Source ID can be used to uniquely identify templates in this manner is correct or not ? 
    Is "Source ID" user configurable attribute ? How does it comply to the definition given in above Cisco doc ?
    Thanks,
    Deepak

    Deepak,
    Consider these quotations from the same RFC 3954:
    Section 2: Terminology:
    Observation Point
    An Observation Point is a location in the network where IP packets
    can be observed; for example, one or a set of interfaces on a network
    device like a router. Every Observation Point is associated with an
    Observation Domain.
    Observation Domain
    The set of Observation Points that is the largest aggregatable set of
    flow information at the network device with NetFlow services enabled
    is termed an Observation Domain. For example, a router line card
    composed of several interfaces with each interface being an
    Observation Point.
    Section 7: Template Management:
    A NetFlow Collector that receives Export Packets from several
    Observation Domains from the same Exporter MUST be aware that the
    uniqueness of the Template ID is not guaranteed across Observation
    Domains.
    Section 9: The Collector Side:
    At any given time the Collector SHOULD maintain the following for all
    the current Template Records and Options Template Records: Exporter,
    Observation Domain, Template ID, Template Definition, Last Received.
    Note that the Observation Domain is identified by the Source ID field
    from the Export Packet.
    So in other words, the Source ID is an identifier of the Observation Domain (and in fact, the IPFIX RFC calls this header field directly as Observation Domain ID). Template IDs are unique per Exporter and per Observation Domain, and if a single Exporter uses multiple templates in its different Observation Domains, the IDs of these templates could overlap even in a single Exporter. Observation Domain IDs (that is, Source IDs) identify only the internal structure of a single Exporter, and no provisions are done to preserve their uniqueness across multiple Exporters - for this, the source IP shall be used.
    With respect to whether there can be multiple NetFlow instances on a single router, I am getting a feeling that with decentralized, distributed platforms, multiple linecards in a single router could run their own NetFlow analysis for data that pass through them, so each one provides a separate NetFlow collection. Thus, each linecard or each feature card doing its own NetFlow analysis should be assigned its own unique Observation Domain ID.
    If it is not user configurable then system should automatically form the value based on router engine and line card. But what I have observed, at more than one routers, is that this value is always 0(zero).
    I believe this is strongly dependent to the hardware construction of the router. As a remotely-related example, old 2600 series routers had two WIC slots. If you inserted two WIC-2T modules into these slots, you'd expect that they would be numbered Serial0/0, Serial0/1, Serial1/0, Serial1/1. Very surprisingly, however, these routers considered both slots to be internally connected to a single bus, and the interfaces were named Serial0/0, Serial0/1, Serial0/2 and Serial0/3 - as if they all were installed in a single slot '0'. Something similar may happen to the Observation Domains and their IDs. You would believe that each single linecard constituted a separate Observation Domain. However, the reality may be different, and the whole router can act as a single Observation Domain to the outside world. It's just the way it is constructed - and programmed.
    It is not clear why Cisco doc says that one should use both "Source ID" and "Source IP Address" to properly distinguish between flows.
    I think it's a poor wording in the RFC. I think what they want to say is that if you use the duplet <Source IP, Source ID> to distinguish between flows, then you're fine both for multiple flows from the same Exporter, and for multiple flows from different Exporters.
    Moreover, isn't "Source IP Address" good enough to distinguish between flows from different sources ?
    If an Exporter could truly be partitioned into multiple Observation Domains then the source IP would not be sufficient. I am just making up examples with no real-life backup here, but think of, say, a multi-chassis router with each chassis being one Observation Domain, or each linecard of a distributed switch being a standalone Observation Domain, or one router virtualized to several different contexts and virtual routers, each of them being a unique Observation Domain, reporting about the flows using the same source IP... I think you get the point.
    I would put it this way... The existence of Source ID in NetFlow v9 (and Observation Domain ID in IPFIX) allows these protocols to nicely cope with situations in which a single physical device can be partitioned into several Observation Domains and perform independent reporting on them using a single source IP. However, the fact that these protocols have this ability does not mean that each and every device, even a Cisco router/switch, must necessarily make use of it.
    Best regards,
    Peter
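
The keying described in the answer above, as an added example that is not part of the original thread: a minimal NetFlow v9 template cache in Python, replayed once with the (Source ID, Template ID) key from the question and once with the exporter added. Exporter addresses, template layouts and record values are constructed for illustration; `exporter_ip` stands for the UDP source address of the export packet.

```python
import struct
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unix_secs, sequence, source_id
FLOWSET = struct.Struct("!HH")      # flowset_id, length (length includes this 4-byte header)
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 8: "IPV4_SRC_ADDR", 12: "IPV4_DST_ADDR"}  # RFC 3954 subset


def key_source_id_only(exporter_ip, source_id, template_id):
    """Key from the question: collides when every router exports Source ID 0."""
    return (source_id, template_id)


def key_with_exporter(exporter_ip, source_id, template_id):
    """Key per RFC 3954 section 9: Exporter, Observation Domain, Template ID."""
    return (exporter_ip, source_id, template_id)


class TemplateCache:
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.templates = {}

    def process(self, exporter_ip, packet):
        """Learn templates and return decoded data records from one export packet."""
        if len(packet) < HEADER.size:
            raise ValueError("short packet")
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet)
        if version != 9:
            raise ValueError("not NetFlow v9")
        records, offset = [], HEADER.size
        while offset + FLOWSET.size <= len(packet):
            fs_id, fs_len = FLOWSET.unpack_from(packet, offset)
            if fs_len < FLOWSET.size or offset + fs_len > len(packet):
                raise ValueError("bad FlowSet length")
            body = packet[offset + FLOWSET.size:offset + fs_len]
            if fs_id == 0:                       # Template FlowSet
                self._learn(exporter_ip, source_id, body)
            elif fs_id >= 256:                   # Data FlowSet, id == template id
                records += self._decode(exporter_ip, source_id, fs_id, body)
            offset += fs_len                     # ids 1-255: options/reserved, skipped here
        return records

    def _learn(self, exporter_ip, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, pos)
            if tid < 256:                        # zero padding, not a template record
                break
            pos += 4
            if pos + 4 * nfields > len(body):
                raise ValueError("truncated template")
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
            pos += 4 * nfields
            self.templates[self.key_fn(exporter_ip, source_id, tid)] = fields

    def _decode(self, exporter_ip, source_id, tid, body):
        fields = self.templates.get(self.key_fn(exporter_ip, source_id, tid))
        if not fields:
            return []                            # template not seen yet; nothing to decode with
        size = sum(flen for _, flen in fields)
        out, pos = [], 0
        while size and pos + size <= len(body):  # trailing bytes shorter than a record are padding
            rec = {}
            for ftype, flen in fields:
                raw = body[pos:pos + flen]
                name = FIELD_NAMES.get(ftype, f"type_{ftype}")
                is_addr = ftype in (8, 12) and flen == 4
                rec[name] = str(IPv4Address(raw)) if is_addr else int.from_bytes(raw, "big")
                pos += flen
            out.append(rec)
        return out


def build_packet(source_id, template_id, fields, values, with_template=True):
    """Build a constructed v9 export packet: optional Template FlowSet plus one data record."""
    flowsets = b""
    if with_template:
        tmpl = struct.pack("!HH", template_id, len(fields))
        tmpl += b"".join(struct.pack("!HH", t, l) for t, l in fields)
        flowsets += FLOWSET.pack(0, FLOWSET.size + len(tmpl)) + tmpl
    data = b"".join(v.to_bytes(l, "big") for (_, l), v in zip(fields, values))
    data += b"\x00" * (-len(data) % 4)           # pad Data FlowSet to a 4-byte boundary
    flowsets += FLOWSET.pack(template_id, FLOWSET.size + len(data)) + data
    return HEADER.pack(9, 2 if with_template else 1, 0, 0, 0, source_id) + flowsets


# Constructed sample: two routers, both Source ID 0, both using template 256,
# but with different field layouts.
TEMPLATE_A = [(8, 4), (12, 4), (1, 4)]           # src addr, dst addr, bytes
TEMPLATE_B = [(12, 4), (8, 4), (2, 4)]           # dst addr, src addr, packets
A_VALUES = [int(IPv4Address("10.1.1.10")), int(IPv4Address("10.2.2.20")), 1500]
B_VALUES = [int(IPv4Address("10.9.9.9")), int(IPv4Address("10.8.8.8")), 3]


def replay(key_fn):
    """Router A and B announce template 256, then A sends a data-only packet."""
    cache = TemplateCache(key_fn)
    cache.process("192.0.2.1", build_packet(0, 256, TEMPLATE_A, A_VALUES))
    cache.process("192.0.2.2", build_packet(0, 256, TEMPLATE_B, B_VALUES))
    return cache.process("192.0.2.1", build_packet(0, 256, TEMPLATE_A, A_VALUES, with_template=False))


if __name__ == "__main__":
    print("source-id-only key:", replay(key_source_id_only))
    print("exporter-aware key:", replay(key_with_exporter))
```

With the Source ID only key, router B's template overwrites router A's, so A's next record is decoded with source and destination addresses swapped and its byte count reported as a packet count; flow telemetry used for detection or forensics would then record the wrong direction for that flow.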

  • 5508 pair show "Down" as data sources for Netflow

    I've setup my 5508s to monitor and export netflow to Cisco Prime Infrastructure but no data populates in the expected tabs.  When I check Admin-> Data Sources they show up as "down", while other netflow exporters (ASA1000s I used to test) show as "up".  I verified in the WLC CLI that they are exporting flows.  Thoughts?
    WLC show flow exporter stat:
    Exporter-name: CiscoPrime
      Total Flows Sent: 69536
      Total Pkts Sent: 4021
      Total Pkts Dropped: 0
      Last Sent Time: Thu Aug 15 15:24:29 2013

    Hi Marcin,
    You are most welcome my friend. I think the great NetPros in this thread
    offer some excellent tips and strategies for this plan as well as the restrictions
    you will encounter moving forward. You will likely want to make the 5508 the
    primary controller with an eye on moving away from the 4400 at some point
    due to its EoL and inability to run the latest code versions.
    Cheers!
    Rob
    "Show a little faith, there's magic in the night" - Springsteen

  • Can anyone please recommend a good open source netflow analyzer?

    Thank you in advance for your suggestions.
    Regards,

    http://www.cisco.com/en/US/prod/iosswrel/ps6537/ps6555/ps6601/networking_solutions_products_genericcontent0900aecd805ff72b.html

  • Flexible Netflow (v.9) question on 3850 ipservices doesn't seem to register

    Greetings all - I am trying to enable netflow on a new 3850-24 with ipservices.  I am leveraging LiveAction and have raised a ticket with them to help me through the issue, but more generally I'm confused about the lack of features I'm seeing. Per the 3850 guide here (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/flexible_netflow/configuration_guide/b_fnf_3se_3850_cg/b_fnf_3se_3850_cg_chapter_010.html) it is stated that you will have the option of turning on inbound and outbound directions on 3850's with ipbase and ipservices.  
    We are running ip services:
     Slot#  License name   Type     Count   Period left 
     1      ipservices   permanent     N/A   Lifetime
    However, we get the following error when trying to turn on flow inbound and outbound on the interfaces - whether they are svi (layer3) or interface (layer2)
    -----------------Layer2: ----------------------------------------------
    (config)#interface GigabitEthernet1/0/24
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' 
    Unsupported match field "interface input" for ipv4 traffic in output direction
    Unsupported collect field "interface output" for ipv4 traffic in output direction
    ---------------- Layer3 ---------------------------------------------
    switch(config)#interface Vlan190
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
    ------------------------------------ untruncated output ------------------------------
    switch(config-flow-record)#collect counter bytes
    % Incomplete command.
    switch(config-flow-record)#collect counter packets
    % Incomplete command.
    switch(config-flow-record)#collect flow sampler
                                                        ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect interface output
    switch(config-flow-record)#collect ipv4 destination mask
                                                    ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect ipv4 dscp
                                                    ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect ipv4 id
                                                    ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect ipv4 source mask
                                                    ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect ipv4 source prefix
                                                    ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect routing destination as
                                                   ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect routing next-hop address ipv4
                                                   ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect routing source as
                                                   ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect timestamp sys-uptime first
                                                             ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect timestamp sys-uptime last
                                                             ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect transport tcp flags
    switch(config-flow-record)#exit
    switch(config)#flow monitor LIVEACTION-FLOWMONITOR
    switch(config-flow-monitor)#$ DO NOT MODIFY. USED BY LIVEACTION. 
    switch(config-flow-monitor)#exporter LIVEACTION-FLOWEXPORTER
    switch(config-flow-monitor)#cache timeout inactive 10
    switch(config-flow-monitor)#cache timeout active 60
    switch(config-flow-monitor)#record LIVEACTION-FLOWRECORD
    switch(config-flow-monitor)#exit
    switch(config)#interface Vlan197
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
    switch(config-if)#exit
    switch(config)#interface Vlan190
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
    -------------------- config it's trying to apply----------------------------
    config t
    ip cef
    snmp-server ifindex persist
    flow exporter LIVEACTION-FLOWEXPORTER
    description DO NOT MODIFY. USED BY LIVEACTION.
    destination <removed private IP address to liveaction server>
    source Loopback0
    transport udp 2055
    template data timeout 600
    option interface-table
    exit
    flow record LIVEACTION-FLOWRECORD
    description DO NOT MODIFY. USED BY LIVEACTION.
    match flow direction
    match interface input
    match ipv4 destination address
    match ipv4 protocol
    match ipv4 source address
    match ipv4 tos
    match transport destination-port
    match transport source-port
    collect counter bytes
    collect counter packets
    collect flow sampler
    collect interface output
    collect ipv4 destination mask
    collect ipv4 dscp
    collect ipv4 id
    collect ipv4 source mask
    collect ipv4 source prefix
    collect routing destination as
    collect routing next-hop address ipv4
    collect routing source as
    collect timestamp sys-uptime first
    collect timestamp sys-uptime last
    collect transport tcp flags
    exit
    flow monitor LIVEACTION-FLOWMONITOR
    description DO NOT MODIFY. USED BY LIVEACTION.
    exporter LIVEACTION-FLOWEXPORTER
    cache timeout inactive 10
    cache timeout active 60
    record LIVEACTION-FLOWRECORD
    exit
    interface Vlan197
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface Vlan190
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/13
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/18
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/4
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/3
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/6
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/5
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/23
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/24
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output

    Welcome to the Arch forums.  That was an amazing first post.  It is refreshing to see a new forum member actually post with as much detail as possible in order to explain the situation.  Too often we get people saying things like "I can't get to the internet... why?" as the extent of their post.  So thanks.
    So I am curious about what dhcpcd is trying to do.  It seems to be trying to solicit an ipv6 address, but mentions nothing about an ipv4 address.  It is unfortunately not entirely uncommon for dhcpcd to time out waiting for an ipv6 address that never comes.  So are you using ipv6?  Do you expect an ipv6 address?  I noticed that when you tried to ping the google DNS server, you used their ipv4 address (8.8.8.8).  So I am thinking that means you are actually using ipv4.
    I wonder if you might be able to poll for just an ipv4 address with dhcpcd.  Just run it with -4 and it should disable the ipv6 stuff.  You might also want to try dhclient and see what kind of output it gives you.  If you are definitely not using ipv6, and it is not offered in your area, you might want to disable it.  There are instructions in the wiki on how to do this... but you might want to wait until you establish the issue before doing things like that.

  • Netflow is not showing on prime infra 1.2 and also reports are not generating

    Hi friends,
    I added my router to Cisco Prime for NetFlow and configured it by template as mentioned by Cisco in the deployment guide. I got NetFlow till last Friday but today I am getting any flow on Prime.
    Second, I am not able to generate raw NetFlow.
    How can I remove any device from data sources if this is no longer present there? For better understanding I am also attaching the snapshot.

    Hi,
    Thanks
    Yes I have configured the command “aaa accounting exec default start-stop group tacacs+”
    As I have mentioned, all the other reports are working: which user, when he has logged in and what commands he has used. Only the TACACS+ Accounting and logged user is not working.
    Regards,
    Vineet

  • 6506 NetFlow

    Hi,
    I'm trying to capture an ingress traffic on SVI interface of my Cisco 6506 (WS-C6506-E).
    I've enabled NetFlow on the Multilayer Switch Feature Card (MSFC):
    ip flow-export source Vlan254
    ip flow-export version 5
    ip flow-export destination 172.23.100.21 2055
    Enabled NetFlow and NetFlow Data Export (NDE) on the Policy Feature Card (PFC):
    ip flow ingress layer2-switched vlan 130
    mls netflow interface
    mls flow ip interface-destination
    mls nde sender version 5
    mls aging fast threshold 127
    mls aging long 1000
    mls sampling time-based 512
    mls cef error action reset
    mls netflow sampling
    and on the monitorable interface:
    interface Vlan130
     ip address 172.23.170.2 255.255.255.0
     ip flow ingress
     mls netflow sampling
     standby 1 ip + timers + priority + preempt + authentication
    Now I'm trying to see captured flows. The point is I can't see the flow's source address, source and destination port, and L4 protocol for unicast flows:
    Cat6506-LAN1#sh mls netflow ip
    Displaying Netflow entries in Active Supervisor EARL in module 5
    DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f          :AdjPtr
    -----------------------------------------------------------------------------
    Pkts         Bytes         Age   LastSeen  Attributes
    ---------------------------------------------------
    172.23.131.5    0.0.0.0         0   :0      :0        Vl130            :0x0
    202          52554         2     17:04:35   L2 - Dynamic
    0.0.0.0         0.0.0.0         0   :0      :0        --               :0x0
    13312        6807977       2     17:04:35   L3 - Dynamic
    172.23.170.64   0.0.0.0         0   :0      :0        Vl130            :0x0
    0            0             2     17:04:34   L2 - Dynamic
    172.23.170.123  0.0.0.0         0   :0      :0        Vl130            :0x0
    0            0             2     17:04:35   L2 - Dynamic
    224.0.0.2       172.23.170.3    udp :1985   :1985     Vl130            :0x0
    2            156           1     17:04:35   Multicast

    224.0.0.2       172.23.170.3    udp :1985   :1985     Vl130            :0x0
    8            624           6     17:28:03   Multicast
    172.23.170.181  0.0.0.0         0   :0      :0        Vl130            :0x0
    0            0             5     17:28:03   L2 - Dynamic
    The same output info I get on my NetFlow collector.
    Anybody know a reason what can prevent of collecting flows correctly?
    Thanks.

    might want to change the flow mask to full instead of destination. I think that should give you the rest of the info. chris

  • Netflow on 6509 in Native Mode from Vlan Interface

    I'm trying to get a 6509-E, running Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICES_WAN-M), Version 12.2(33)SXI9, RELEASE SOFTWARE (fc2), to send netflow traffic from a vlan interface to a Solarwinds server.
    The server is not seeing all the vlan traffic, but does see all the traffic on the layer 2 ports (not netflow).
    I've seen that a command, ip flow ingress layer2-switched vlan, needs to be enabled, but the OS I have does not support that command.
    Or could it be that MLS is not configured except for a couple commands:
    mls netflow interface
    mls cef error action reset 
    netflow setup:
    Flow export v5 is enabled for main cache
      Export source and destination details :
      VRF ID : Default
        Source(1)       10.31.101.1 (Vlan52)
        Destination(1)  10.30.2.196 (2055)
      Version 5 flow records
      14927339 flows exported in 615072 udp datagrams
      0 flows failed due to lack of export packet
      0 export packets were sent up to process level
      0 export packets were dropped due to no fib
      0 export packets were dropped due to adjacency issues
      0 export packets were dropped due to fragmentation failures
      0 export packets were dropped due to encapsulation fixup failures
      0 export packets were dropped enqueuing for the RP
      0 export packets were dropped due to IPC rate limiting
      0 export packets were dropped due to Card not being able to export  
    interface:
    interface Vlan52
     description AN.VDI.stu
     ip address 10.31.101.1 255.255.255.0
     ip helper-address 10.31.149.200
     no ip redirects
     ip flow ingress
     ip flow egress
     ip pim neighbor-filter 98
     ip pim sparse-dense-mode
     ip cgmp

    Enabling MLS was the fix.
    mls netflow interface
    mls flow ip interface-full
    mls nde sender version 5
    mls cef error action reset   

  • How to: Netflow on a L3 Switch WS-C3560X-48P

    Hello Community,
    I want to use netflow on our L3 switches. But my configurations don't work.
    What is my mistake?
    Model: WS-C3560X-48P
    Software Version: 15.0(1)SE3
    My Config:
    interface vlan 250
     ip flow monitor Monitor-FNF input
     ip flow monitor Monitor-FNF output
    flow record Record-FNF
     description Flexible NetFlow with NBAR Flow Record
     match ipv4 tos
     match ipv4 protocol
     match ipv4 source address
     match ipv4 destination address
     match transport source-port
     match transport destination-port
     collect routing next-hop address ipv4
     collect transport tcp flags
     collect interface output
     collect counter bytes
     collect counter packets
    flow exporter Export-FNF
     description DescriptionTEXT
     destination [NetFlow collector IP address]
     source vlan50
     transport udp 9001
     export-protocol netflow-v9
    flow monitor Monitor-FNF
     description FNF/NBAR Application Traffic Analysis
     record Record-FNF
     exporter Export-FNF
     cache timeout active 60
     cache timeout inactive 10

    Silly question but do you have a network services module installed? 
    From the documentation: "Flexible NetFlow is supported only on the Catalyst 3750-X and 3560-X switch running the IP base or IP services feature set and equipped with the network services module. It is not supported on switches running the NPE or the LAN base image."
    It actually also mentions: "NetFlow analysis is performed on traffic crossing the physical interfaces on the network services module." 
    Sourced from here: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/swmnetflow.html
