NetFlow on Cisco Catalyst 9200 for Solarwinds
David Sudjiman
Strategist in Technology Architecture | Roadmap Development | Driving Innovative Technology Solutions
A little note on configuring NetFlow on the Catalyst 9200 series so that it can be exported to SolarWinds.
SolarWinds will show an error like the following:
The NetFlow Receiver Service [Solarwinds-Host] received an invalid V9 template with ID 256 from device . See knowledge base for more information.
This happens because the configured NetFlow record does not carry the minimum set of fields SolarWinds requires. SolarWinds uses the NetFlow fields to populate its dashboard, so when some of them are missing the template is rejected as invalid. The problem is that, although the knowledge base article (https://www.solarwinds.com/documentation/kbLoader.aspx?lang=en&kb=802) explains which fields must be exported, we still need to translate that list into Cisco IOS configuration.
So I followed the KB recommended by SolarWinds, but when I configured the Catalyst 9200 switch it produced the errors below.
% Flow Record: Failed to field add: Failed to validate Unsetting Public:behaviour
% Flow Monitor: Failed to add monitor to interface: Unsupported key field "interface input" for ip traffic in Output direction
After searching both the SolarWinds and Cisco websites without luck, I came across https://www.k4route.ru/2020/04/netflow-config-cisco-catalyst-3850.html, which describes a nice trick to make this work. Instead of using the same flow record in both directions, you create separate inbound and outbound flow records (one matching "interface input", the other "interface output"). This in turn means you need separate inbound and outbound flow monitors.
flow record NETFLOW_REC_IN
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match flow direction
match interface input
collect counter bytes long
collect counter packets long
!
flow record NETFLOW_REC_OUT
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match flow direction
match interface output
collect counter bytes long
collect counter packets long
!
flow exporter NETFLOW_EXP
destination <SOLARWINDS_IP>
source lo0
transport udp 2055
!
flow monitor NETFLOW_MON_IN
exporter NETFLOW_EXP
record NETFLOW_REC_IN
!
flow monitor NETFLOW_MON_OUT
exporter NETFLOW_EXP
record NETFLOW_REC_OUT
!
sampler NETFLOW_SAM
mode random 1 out-of 2
!
interface VLAN100
ip flow monitor NETFLOW_MON_IN sampler NETFLOW_SAM input
ip flow monitor NETFLOW_MON_OUT sampler NETFLOW_SAM output
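As an added example (not part of the original article), the following Python parses the NetFlow v9 template FlowSet a switch exports and reports which fields are missing, which is one way to check an export before SolarWinds rejects the template. The required-field set is assumed from the NETFLOW_REC_IN/OUT records above, not taken from the SolarWinds KB, and both sample packets are constructed inline.

```python
import struct

# NetFlow v9 field type IDs (RFC 3954) for the fields in the records above.
V9_FIELDS = {
    "IN_BYTES": 1, "IN_PKTS": 2, "PROTOCOL": 4, "SRC_TOS": 5,
    "L4_SRC_PORT": 7, "IPV4_SRC_ADDR": 8, "INPUT_SNMP": 10,
    "L4_DST_PORT": 11, "IPV4_DST_ADDR": 12, "OUTPUT_SNMP": 14, "DIRECTION": 61,
}
# Assumption: this required set comes from NETFLOW_REC_IN/OUT above, not the KB.
REQUIRED = {"SRC_TOS", "PROTOCOL", "IPV4_SRC_ADDR", "IPV4_DST_ADDR",
            "L4_SRC_PORT", "L4_DST_PORT", "IN_BYTES", "IN_PKTS"}
INTERFACE_ANY = {"INPUT_SNMP", "OUTPUT_SNMP"}  # at least one must be present
def build_v9_template_packet(template_id, fields):
    # 20-byte v9 header (version 9, count 1) followed by one template FlowSet (ID 0).
    body = struct.pack("!HH", template_id, len(fields))
    for name, length in fields:
        body += struct.pack("!HH", V9_FIELDS[name], length)
    return struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0) + struct.pack("!HH", 0, 4 + len(body)) + body

def parse_v9_templates(packet):
    # Returns {template_id: [field type IDs]} from every template FlowSet.
    version = struct.unpack("!H", packet[:2])[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    templates, off = {}, 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")  # never loop forever
        if fs_id == 0:  # template FlowSet; may carry several templates
            pos, end = off + 4, off + fs_len
            while pos + 4 <= end:
                tid, nfields = struct.unpack("!HH", packet[pos:pos + 4])
                templates[tid] = [struct.unpack("!H", packet[p:p + 2])[0]
                                  for p in range(pos + 4, pos + 4 + 4 * nfields, 4)]
                pos += 4 + 4 * nfields
        off += fs_len
    return templates

def missing_fields(field_types):
    names = {name for name, tid in V9_FIELDS.items() if tid in field_types}
    missing = sorted(REQUIRED - names)
    if not names & INTERFACE_ANY:
        missing.append("INPUT_SNMP or OUTPUT_SNMP")
    return missing
# Constructed samples: 256 mirrors NETFLOW_REC_IN; 257 is a deficient record.
GOOD = build_v9_template_packet(256, [("SRC_TOS", 1), ("PROTOCOL", 1), ("IPV4_SRC_ADDR", 4),
    ("IPV4_DST_ADDR", 4), ("L4_SRC_PORT", 2), ("L4_DST_PORT", 2), ("DIRECTION", 1), ("INPUT_SNMP", 4),
    ("IN_BYTES", 8), ("IN_PKTS", 8)])
BAD = build_v9_template_packet(257, [("IPV4_SRC_ADDR", 4), ("IPV4_DST_ADDR", 4), ("PROTOCOL", 1)])
```

Feeding a captured export (e.g. the UDP payload from a packet capture on port 2055) to parse_v9_templates and then missing_fields shows which fields the record is lacking before the collector complains.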
Now, there is another catch: on IOS-XE (Catalyst switches and routers), the exporter source address must not be the management interface. This link https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-12/configuration_guide/nmgmt/b_1612_nmgmt_9200_cg/b_1612_nmgmt_9200_cg_chapter_01000.html says “Flexible NetFlow export is not supported on the Ethernet management port, GigabitEthernet 0/0.”
One last thing: a sampler is required with either the network-essentials or network-advantage license; otherwise the switch complains as below.
Switch(config-if)# ip flow monitor NETFLOW_MON_OUT output
% Flow Monitor: Failed to add monitor to interface: Current license type (network-essentials) allows user to configure "Sampled Netflow" only.
Switch(config-if)# ip flow monitor NETFLOW_MON_IN input
% Flow Monitor: Failed to add monitor to interface: Current license type (network-advantage) allows user to configure "Sampled Netflow" only. License upgrade required to use "Full Netflow" feature.