Unable to capture NetFlow on Cisco switch via SolarWinds NetFlow Analyzer

A few years back I had SolarWinds Real-Time NetFlow Analyzer working with my Cisco 3750x switch. Recently we had some suspicious traffic so I installed a new version of the software on a Win 10 machine. I can connect through the software to my switch, I can see all of the interfaces but none of them show NetFlow enabled. When I click on the interface I want to monitor then click "Start Flow Capture" I get a 'NetFlow is not detected on the selected interface'.

How do I get this port configured correctly to capture NetFlow data?

Additional Facts:
IOS version 15.0(2)SE6

Config on switch:
int gig <port to be monitored>
ip flow ingress
ip flow egress

ip flow-export source <port to be monitored>
ip flow-export version 5
ip flow-export destination <IP of my Win 10 machine> 2055

Open in new window


Per this thread- https://thwack.solarwinds.com/thread/20498 
I tried to run the ip nbar protocol-discovery and the ip route-cache flow on the port to be monitored. Neither of those commands were accepted on that port.

Any help is appreciated.

EDIT:
I've had users on other forums attempt to help me by pointing me to towards flexible netflow configurations that use the command ip flow monitor <name of monitor> input applied to the interface they want to monitor. My switch does not allow flexible netflow to be applied to non-service module ports. What I'm trying to monitor are the standard gigabit interfaces.

The netflow commands I can apply to those standard interfaces are those listed above: ip flow ingress and ip flow egress. How do I get netflow analysis that way?
travisryanAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dale McKayGlobal Principal ArchitectCommented:
How is the port to be monitored configured? Layer 2 or Layer 3? Netflow does not show same VLAN (layer2) traffic by default.
travisryanAuthor Commented:
Dale, ip flow ingress and ip flow egress were the commands I applied to interface I want to monitor. I'd like to see layer2 and layer3 traffic so I can capture endpoints and protocols.

" Netflow does not show same VLAN (layer2) traffic by default. " This comment I don't understand.
Technical EngeneerTechnical Support SpecialistCommented:
Consider using another piece of software to rule out the possibility that your Solarwinds installation is having issues (functionality missing/the machine itself having issues/MIBs).
NetCrunch would be a good way to go. All versions of SNMP are supported and VLANs are supported out of the box. It's paid software, but you can use it for 30 days and then uninstall it after you're done.
Free and Easy Network Configuration

Network Configuration Generator is designed to make it easy to configure network devices, including Virtual LANs and other advanced features without opening the Command-Line Interface (CLI)! Help boost your network performance, run advanced network scripts, and bypass the CLI.

travisryanAuthor Commented:
Marius, this is a new installation of the software plus I'm familiar with that interface.
Dale McKayGlobal Principal ArchitectCommented:
Problem unclear

NetFlow needs a layer 3 interface (an IP addressed interface used for routing). Netflow won't work with just a layer 2 interface.

"Resolution
Netflow by default does not show statistics for traffic that goes across the same VLAN, but only for traffic that comes in from one VLAN and out to another Layer 3 interface, when those interfaces have the ip route-cache flow command configured individually.

Beyond this feature, there is no support to enable netflow on a Layer 2 interface in an isolated manner.

Hence, regular netflow does not show traffic that goes within the same VLAN. It must pass through the Layer 3 interface to be caught by the netflow process. This displays statistics for traffic that goes within each VLAN, through the switch, for example, bridged traffic, in addition to routed traffic."

https://supportforums.cisco.com/t5/network-infrastructure-documents/unable-to-configure-netflow-on-layer-2-gigabit-interfaces-on-a/ta-p/3131846
travisryanAuthor Commented:
Dale, I've changed the source address to the interface I used to ssh into the switch (by IP), unfortunately the solarwinds software still doesn't show netflow on that or any interface.
travisryanAuthor Commented:
Relevant parts of the config:

flow record <record name>
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect counter bytes
collect counter packets

flow exporter <exporter name>
destination <netflow analyzer IP>
transport udp 2055

flow monitor <monitor name>
description Original Netflow captures
record ipv4
exporter <exporter name>

interface <interface to be monitored>
ip flow ingress
ip flow egress

interface Vlan <Vlan # used to ssh into switch>
ip flow monitor NTAmon input
ip flow monitor NTAmon output

ip flow-export source <Vlan interface IP used to ssh into switch>
ip flow-export version 9
ip flow-export destination <netflow analyzer address> 2055
ip flow-top-talkers
top 10
sort-by bytes
travisryanAuthor Commented:
sh flow exporter command output:

Flow Exporter NTAexp:
  Description:              User defined
  Export protocol:          NetFlow Version 9
  Transport Configuration:
    Destination IP address: <netflow collector>
    Source IP address:      <Vlan interface IP used to ssh into switch>
    Source Interface:       <Vlan interface used to ssh into switch>
    Transport Protocol:     UDP
    Destination Port:       2055
    Source Port:            56488
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Not Used
travisryanAuthor Commented:
show flow interface command output:

Interface <Vlan interface used to ssh into switch>
  FNF:  monitor:          NTAmon
        direction:        Input
        traffic(ip):      on
  FNF:  monitor:          NTAmon
        direction:        Output
        traffic(ip):      on
Dale McKayGlobal Principal ArchitectCommented:
Problem unclear

The Netflow monitoring of the port that you use to log into the switch is going to have very little traffic on it. If it is the Management port, I don't think Netflow will work.

Almost all of your match statements are matching on info that only exists at layer 3. The standard layer 2 switching port is totally unaware of the IP address in the Ethernet frame that it just switched. The layer 2 port only cares about MAC addresses.

Here is my configuration for a Cisco 1841 that sends Netflows to a collector. Notice these are layer 3 interfaces.

interface FastEthernet0/0
 description OUTSIDE INTERFACE
 ip address dhcp
 ip flow ingress
 ip flow egress

interface FastEthernet0/1.100
 description 100 Subnet Interface
 encapsulation dot1Q 100
 ip address 192.168.100.1 255.255.255.0
 ip flow ingress
 ip flow egress

ip flow-cache timeout inactive 300
ip flow-cache timeout active 1
ip flow-export source FastEthernet0/1.100
ip flow-export version 5
ip flow-export destination 192.168.100.112 9996
ip flow-export destination 192.168.100.9 2055
travisryanAuthor Commented:
Dale, I added the two ip flow-cache timeout commands and added the ip flow ingress and ip flow egress to several of my vlan interfaces with static ip addresses. When I open up the netflow real time analyzer app I can still see all of the interfaces on the devices, but still all of them have a blank spot in the "flow type" column.

What software do you use to analyze netflow?
travisryanAuthor Commented:
Marius, I've tried using ManageEngine and am getting a "No interface found.Device Adding Failed".
travisryanAuthor Commented:
The piece of equipment I was trying to monitor on could only pull netflow data from a module with four ports on it, not the other 48 ports on the device that I need monitoring on. I'll be using another piece of equipment.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Kyle SantosQuality AssuranceCommented:
Thank you for letting us know.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
netflow

From novice to tech pro — start learning today.