Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
229
Views
0
Helpful
4
Replies

Netflow config on switches for Stealthwatch

dijix1990
VIP
VIP

‎03-25-2024 06:53 AM - edited ‎03-25-2024 08:09 PM

Anybody know if the c9606R and c9300X-24Y can work with Stealthwatch?

I try to configure on the c9606R and c9300x-24y

 

flow record REC-IN
match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match interface input
 match ipv4 tos
 match flow direction
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last

flow record REC-OUT
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match interface output
 match ipv4 tos
 match flow direction
 collect interface input
 collect counter bytes long
 collect counter packets long
 collect transport tcp flags
 collect timestamp absolute first
 collect timestamp absolute last

flow monitor MON-IN
 exporter SFC_Exp
 cache timeout active 10
 record REC-IN

flow monitor MON-OUT
 exporter SFC_Exp
 cache timeout active 10
 record REC-OUT

flow exporter SFC_Exp
 destination 192.168.100.1
 source Loopback0
 transport udp 2055

Twe1/0/1
ip flow monitor MON-IN input
ip flow monitor MON-OUT output

 

exporter appeared on the Stealthwatch, Stealthwatch could read name of interfaces but there is not any traffic

Labels:
0 Helpful
4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

‎03-25-2024 10:26 AM

high level should work, what config on Twe1/0/1 ? what IOS XE code running on switch :

example working one :

Netflow Example on Cat Switches | Balaji Bandi

https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/config-trouble-netflow-stealth.pdf

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

dijix1990
VIP
VIP
In response to balaji.bandi

‎03-25-2024 08:27 PM

ios xe 17.9.4a and stealthwatch 7.5.0

I found out that for cisco vnam my config is correct but stealthwatch shows only outside traffic correctly but inside not correctly

dijix1990_3-1711423615106.png

 

 

0 Helpful

Aref Alsouqi
VIP
VIP

‎03-25-2024 02:24 PM

Yes it should work without any problem. If you want you can specify the NetFlow v9 under the flow exporter with the command "export-protocol netflow-v9" but even without specifying it it should work. What I think you are mainly missing is defining the flow record under the flow monitor, you should add that with the command "record ...".

How to configure NetFlow for Cisco routers and switches running IOS - video (site.com)

0 Helpful

dijix1990
VIP
VIP
In response to Aref Alsouqi

‎03-25-2024 08:24 PM

But I have recorder in my config

flow monitor MON-IN
 exporter SFC_Exp
 cache timeout active 10
 record REC-IN

BTW my config works with cisco vnam analyzer perfectly

dijix1990_2-1711423448441.png

 

and it's strange I found out that on the stealthwatch I can see only outside traffic (outside is shown correctly) but inside isn't correctly

dijix1990_1-1711423172552.png

 

 

 

0 Helpful
Customers Also Viewed These Support Documents