Enable Netflow on Cisco VLAN interfaces to show layer 2 and 3 traffic

Overview

This article describes how to enable Netflow on the VLAN interface to show both layer 2 and layer 3 traffic.

Environment

All NTA versions

Resolution

To see the traffic arriving on the switch ports that belong to a VLAN, you need to enable layer 3 Netflow so that the information is displayed on the VLAN interface.

 

Layer 3 Switched Netflow commands:

ip flow ingress - Enables Netflow on the layer 3 interface.
ip flow ingress layer2-switched - Enables layer 3 switched Netflow.
ip flow ingress infer-fields - Captures the input and output interfaces for logical interfaces.


Notes: 

  • How these commands are applied may differ from device to device, and many devices support only layer 3 Netflow, not layer 2.
  • Make sure that the NDE version is v5. By default, it is set to version 7.


For more information on Netflow Layer 3, click here

Here is a link to a Cisco document that goes through the steps of configuring Netflow on 6500 series switches for both hybrid and native IOS. 


The key command to monitor layer 2 is:

ip flow ingress layer2-switched vlan xxxx


The commands for layer2-switched traffic:

ip flow ingress layer2-switched vlan vlanlist
ip flow export layer2-switched vlan vlanlist
set mls bridged-flow-statistics enable vlanlist (for CatOS)

Note: A PFC3B or PFC3BXL running 12.2(18)SXE or higher is required for this command, which enables NDE for all traffic within the specified VLANs rather than just inter-VLAN traffic.
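
A check for the settings above, added here as an example (not SolarWinds or Cisco code): it reads a saved running-config and reports each VLAN interface that lacks "ip flow ingress" or is not covered by an "ip flow ingress layer2-switched vlan" list, since traffic on those VLANs will be missing from the flow data. The sample config is constructed, and the parser assumes the usual IOS layout in which interface sub-commands are indented by one space.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
ip flow ingress layer2-switched vlan 10,20-22
interface Vlan10
 ip flow ingress
!
interface Vlan20
!
interface Vlan30
 ip flow ingress
!
"""

def expand_vlan_list(text):
    """Expand a VLAN list such as '10,20-22' into a set of VLAN IDs."""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_netflow(config):
    """Return {vlan_id: [missing settings]} for each VLAN interface with a gap."""
    l2_vlans, svi_flow, current = set(), {}, None
    for line in config.splitlines():
        m = re.match(r"ip flow ingress layer2-switched vlan (\S+)", line)
        if m:
            l2_vlans |= expand_vlan_list(m.group(1))
        m = re.match(r"interface Vlan(\d+)\s*$", line, re.I)
        if m:
            current = int(m.group(1))
            svi_flow[current] = False
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the interface block
        elif current is not None and line.strip() == "ip flow ingress":
            svi_flow[current] = True
    gaps = {}
    for vlan, has_l3 in sorted(svi_flow.items()):
        missing = ([] if has_l3 else ["ip flow ingress"]) + (
            [] if vlan in l2_vlans else ["layer2-switched vlan"])
        if missing:
            gaps[vlan] = missing
    return gaps

if __name__ == "__main__":
    for vlan, missing in audit_netflow(SAMPLE_CONFIG).items():
        print(f"Vlan{vlan}: missing {', '.join(missing)}")
```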

Cause

Netflow only summarizes traffic that passes from one VLAN to another (inter-VLAN) or routed traffic, so layer 3 switched traffic is not shown. This happens because Netflow is disabled on the VLAN interface.

Last modified
14:09, 13 Nov 2015
