Wednesday, September 8, 2021

Switch C3560-G Netflow giving dropped traffic only !!!!

Hi

I tried to configure NetFlow on a Cisco switch WS-C3560G-24TS, version 15.0(2)SE11, with an ELK Stack (Elasticsearch, Logstash, Kibana) NetFlow analyzer, but after I finished the configuration I didn't receive correct traffic. The ELK receives NetFlow traffic from the switch, but the traffic looks like fake traffic or dropped traffic, and the real traffic didn't appear on the ELK.

The Configuration:

flow exporter Netflow-exporter
 destination 10.10.30.100
 source Vlan30
 transport udp 2055
 template data timeout 60

flow record Netflow-recorder
 match datalink dot1q vlan input
 match datalink dot1q vlan output
 match datalink mac source address input
 match datalink mac source address output
 match datalink mac destination address input
 match datalink mac destination address output
 match ipv4 version
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match transport tcp flags
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

flow monitor Netflow-monitor
 record netflow-recorder
 exporter netflow-exporter
 cache timeout active 60

interface Vlan 20
 ip flow monitor Netflow-monitor input

interface Vlan 30
 ip flow monitor Netflow-monitor input

show flow monitor NetFlow-monitor cache

Cache type: Normal
Cache size: 4096
Current entries: 16
High Watermark: 607

Flows added: 9508
Flows aged: 9492
- Active timeout ( 60 secs) 280
- Inactive timeout ( 15 secs) 9212
- Event aged 0
- Watermark aged 0
- Emergency aged 0

DATALINK DOT1Q VLAN INPUT: 0
DATALINK DOT1Q VLAN OUTPUT: 0
DATALINK MAC SOURCE ADDRESS INPUT: 34E4.D768.4502
DATALINK MAC SOURCE ADDRESS OUTPUT: 0000.0000.0000
DATALINK MAC DESTINATION ADDRESS INPUT: 0024.6042.DA5C
DATALINK MAC DESTINATION ADDRESS OUTPUT: 0000.0000.0000
IPV4 SOURCE ADDRESS: 10.10.20.60
IPV4 DESTINATION ADDRESS: 10.10.110.7
TRNS SOURCE PORT: 58237
TRNS DESTINATION PORT: 161
TCP FLAGS: 0x00
INTERFACE INPUT: Vl20
IP VERSION: 4
IP TOS: 0x00
IP PROTOCOL: 17
IP TTL: 127
interface output: Null
counter bytes long: 431
counter packets: 5
timestamp first: 14:25:18.307
timestamp last: 14:25:50.545


