We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now


Unable to capture NetFlow on Cisco switch via SolarWinds NetFlow Analyzer

High Priority
Last Modified: 2018-08-14
A few years back I had SolarWinds Real-Time NetFlow Analyzer working with my Cisco 3750x switch. Recently we had some suspicious traffic so I installed a new version of the software on a Win 10 machine. I can connect through the software to my switch, I can see all of the interfaces but none of them show NetFlow enabled. When I click on the interface I want to monitor then click "Start Flow Capture" I get a 'NetFlow is not detected on the selected interface'.

How do I get this port configured correctly to capture NetFlow data?

Additional Facts:
IOS version 15.0(2)SE6

Config on switch:
int gig <port to be monitored>
ip flow ingress
ip flow egress

ip flow-export source <port to be monitored>
ip flow-export version 5
ip flow-export destination <IP of my Win 10 machine> 2055

Open in new window

Per this thread- https://thwack.solarwinds.com/thread/20498 
I tried to run the ip nbar protocol-discovery and the ip route-cache flow on the port to be monitored. Neither of those commands were accepted on that port.

Any help is appreciated.

I've had users on other forums attempt to help me by pointing me to towards flexible netflow configurations that use the command ip flow monitor <name of monitor> input applied to the interface they want to monitor. My switch does not allow flexible netflow to be applied to non-service module ports. What I'm trying to monitor are the standard gigabit interfaces.

The netflow commands I can apply to those standard interfaces are those listed above: ip flow ingress and ip flow egress. How do I get netflow analysis that way?
Watch Question

Dale McKayGlobal Principal Architect

How is the port to be monitored configured? Layer 2 or Layer 3? Netflow does not show same VLAN (layer2) traffic by default.


Dale, ip flow ingress and ip flow egress were the commands I applied to interface I want to monitor. I'd like to see layer2 and layer3 traffic so I can capture endpoints and protocols.

" Netflow does not show same VLAN (layer2) traffic by default. " This comment I don't understand.
Technical EngeneerTechnical Support Specialist

Consider using another piece of software to rule out the possibility that your Solarwinds installation is having issues (functionality missing/the machine itself having issues/MIBs).
NetCrunch would be a good way to go. All versions of SNMP are supported and VLANs are supported out of the box. It's paid software, but you can use it for 30 days and then uninstall it after you're done.


Marius, this is a new installation of the software plus I'm familiar with that interface.
Dale McKayGlobal Principal Architect

Problem unclear

NetFlow needs a layer 3 interface (an IP addressed interface used for routing). Netflow won't work with just a layer 2 interface.

Netflow by default does not show statistics for traffic that goes across the same VLAN, but only for traffic that comes in from one VLAN and out to another Layer 3 interface, when those interfaces have the ip route-cache flow command configured individually.

Beyond this feature, there is no support to enable netflow on a Layer 2 interface in an isolated manner.

Hence, regular netflow does not show traffic that goes within the same VLAN. It must pass through the Layer 3 interface to be caught by the netflow process. This displays statistics for traffic that goes within each VLAN, through the switch, for example, bridged traffic, in addition to routed traffic."



Dale, I've changed the source address to the interface I used to ssh into the switch (by IP), unfortunately the solarwinds software still doesn't show netflow on that or any interface.


Relevant parts of the config:

flow record <record name>
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect counter bytes
collect counter packets

flow exporter <exporter name>
destination <netflow analyzer IP>
transport udp 2055

flow monitor <monitor name>
description Original Netflow captures
record ipv4
exporter <exporter name>

interface <interface to be monitored>
ip flow ingress
ip flow egress

interface Vlan <Vlan # used to ssh into switch>
ip flow monitor NTAmon input
ip flow monitor NTAmon output

ip flow-export source <Vlan interface IP used to ssh into switch>
ip flow-export version 9
ip flow-export destination <netflow analyzer address> 2055
ip flow-top-talkers
top 10
sort-by bytes


sh flow exporter command output:

Flow Exporter NTAexp:
  Description:              User defined
  Export protocol:          NetFlow Version 9
  Transport Configuration:
    Destination IP address: <netflow collector>
    Source IP address:      <Vlan interface IP used to ssh into switch>
    Source Interface:       <Vlan interface used to ssh into switch>
    Transport Protocol:     UDP
    Destination Port:       2055
    Source Port:            56488
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Not Used


show flow interface command output:

Interface <Vlan interface used to ssh into switch>
  FNF:  monitor:          NTAmon
        direction:        Input
        traffic(ip):      on
  FNF:  monitor:          NTAmon
        direction:        Output
        traffic(ip):      on
Dale McKayGlobal Principal Architect

Problem unclear

The Netflow monitoring of the port that you use to log into the switch is going to have very little traffic on it. If it is the Management port, I don't think Netflow will work.

Almost all of your match statements are matching on info that only exists at layer 3. The standard layer 2 switching port is totally unaware of the IP address in the Ethernet frame that it just switched. The layer 2 port only cares about MAC addresses.

Here is my configuration for a Cisco 1841 that sends Netflows to a collector. Notice these are layer 3 interfaces.

interface FastEthernet0/0
 ip address dhcp
 ip flow ingress
 ip flow egress

interface FastEthernet0/1.100
 description 100 Subnet Interface
 encapsulation dot1Q 100
 ip address
 ip flow ingress
 ip flow egress

ip flow-cache timeout inactive 300
ip flow-cache timeout active 1
ip flow-export source FastEthernet0/1.100
ip flow-export version 5
ip flow-export destination 9996
ip flow-export destination 2055


Dale, I added the two ip flow-cache timeout commands and added the ip flow ingress and ip flow egress to several of my vlan interfaces with static ip addresses. When I open up the netflow real time analyzer app I can still see all of the interfaces on the devices, but still all of them have a blank spot in the "flow type" column.

What software do you use to analyze netflow?


Marius, I've tried using ManageEngine and am getting a "No interface found.Device Adding Failed".
The piece of equipment I was trying to monitor on could only pull netflow data from a module with four ports on it, not the other 48 ports on the device that I need monitoring on. I'll be using another piece of equipment.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Kyle SantosQuality Assurance Engineer at Dassault Systemes

Thank you for letting us know.
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.