Missing OUT traffic with Cisco 4500
Just found a limitation and a bug when using Flexible NetFlow in Cisco 4500 running IOS XE and thought of sharing it. We were working with one of our customers to enable Flexible NetFlow on Cisco 4500. Everything went well, but the record command was not being accepted. We went over the issue over a couple of days, and after we checked with Cisco TAC, we found our solution. Let me tell you what happened.
The Flexible NetFlow configuration requires three steps:
- Create a flow exporter and a flow record.
- Create a flow monitor and associate the exporter and record with this monitor.
- Associate the flow monitor with an interface.
flow record nfa-recordmatch ipv4 protocolmatch ipv4 source addressmatch ipv4 destination addressmatch transport source-portmatch transport destination-portcollect interface inputcollect interface outputcollect counter bytescollect counter packets
Note the bold text—we will get to that soon. After you have created this record and associated it with the monitor, the monitor has to be attached to every L3 interface that needs to be monitored. This is where the limitation and the bug pops up. When trying to associate the monitor with an interface, let's see what happens:switch(config-if)# flow monitor NFAmonitor input
"intf output: cannot be supported as match field. Flow record fields can't be supported with the monitor type"
What does this mean? Simply that the statement collect interface output used when creating the record is not supported. This is a serious limitation as it is this line that helps capture the output interface for a traffic conversation. You need to remove that line from the flow record configuration and then attach the flow record to the interface. Result: Only the IN traffic across the interface is captured and not the OUT traffic. Now, let's have a look at the bug. I would not call it a bug, actually, but an issue of providing a clearer statement. The scenario is:switch(config-if)# flow monitor NFAmonitor output
"could not be added to interface due to invalid sub-traffic type: 0"
Makes no sense? I hope Cisco will change this to a show the same error as with the input monitor. But, more than that, I hope Cisco will arrange to get records with the collect interface output statement working on Cisco 4500 as the lack of support for this takes away the capability to view OUT traffic for an interface. Let's hope for the best.Download | Interactive demo | Customers
Cisco removes the basic netflow function and forces you to upgrade your license and after youve paid them extra for what was intgrated, its STILL crippled. I'll do whatever it takes to avoid Cisco.
Hi Terry, We tried calling you to try and assist you with the NetFlow configuration. However, we reached your voice mail. Please mail us at netflowanalyzer-support@manageengine.com with your convenient timing that we can call you. Praveen Manohar.
I was wondering if there were any updatre on this. I am the customer you were working with. It sure would be nice to get usable Netflow information from my 4506 again.