While I was watching CiscoLive 2013 – London (via Ciscolive365) presentation about Application Visibility & Control on Cisco WLC, noticed few vendors’ netflow tools listed as supported 3rd party netflow collectors. Here is the screenshot of that (32nd min at given webex below).
Application Visibility & Control with Cisco Wireless – By Jeevan Patil
I wanted to verify this & did some testing with WLC 7.4 & netflow exports.
First with SolarWinds NetFlow Traffic Analyzer version 3.10.0 which is the version we have in our production environment. When I configure WLC to export netflow traffic to Solarwinds NTA, it could not able to decode flow exports getting from cisco WLC. Once we logged with support case with Solarwinds below answer was given.
Flow packets will be ignored by Orion NTA if they do not include the following fields in your Flow template:
|
Field Type |
Field Type Number |
Description |
| IN_BYTES |
1 |
Ingress bytes counter |
| IN_PKTS |
2 |
Ingress packets counter |
| PROTOCOL |
4 |
Layer 4 protocol |
| L4_SRC_PORT |
7 |
Source TCP/UDP port |
| IPV4_SRC_ADDR |
8 |
Source IP address |
| INPUT_SNMP |
10 |
SNMP ingress interface index |
| L4_DST_PORT |
11 |
Destination TCP/UDP port |
| IPV4_DST_ADDR |
12 |
Destination IP address |
| OUTPUT_SNMP |
14 |
SNMP egress interface index |
When we look at the Cisco WLC netflow export field information in the FAQ section, found below clarifying WLC netflow packet format.
You can see WLC netflow packet format is quiet different what Solarwinds Netflow Analyzer expects. It does not include any of the below fields which standard netflow v9.0 monitoring tool expect in their flows.
Destination IP addresses
Source and destination ports
Following are the unique field included in Cisco WLC flow packet.
• applicationTag
• ipDiffServCodePoint
• octetDeltaCount
• packetDeltaCount
• postIpDiffServCodePoint
• staIPv4Address
• staMacAddress
• wlanSSID
• wtpMacAddress
So as it is cisco WLC netflow does not work with current solarwinds tool (even though cisco claim it). Solarwinds need to either customized their product to suit this WLC’s flow export or Cisco has to modify flow format (looks very unlikely).
Since Cisco confirmed Plixer Scrutinizer supporting WLC netflow in the above FAQ page, I have downloaded the 30-days trial version to check this out. I think I downloaded 10.1.1 of their netflow analysis tool called Scrutinizer. Again it did not work well initially with Cisco WLC. I saw WLC successfully added via SNMP, but no real traffic reports from wireless controller. But these guys are offering technical assistance during this 30 days tria period as well. So I was able to get hold of a guy called “Jim Dougherty” who wrote the below blog post about Scrutinizer’s capability of getting Cisco WLC netflow export.
Plixer:Cisco WLC Netflow Support
He was kind enough to go through my test set up & see why it is not working. After few follow-ups he provided me a candidate release 10.1.2 version of this product which is perfectly work with this Cisco WLC. Thanks Jim for support extended.
Here is a snapshot of wireless reports available from this Scrutinizer tool.
I have tested this with Fluke Netflow Analyzer (NPA) as well. Again they do not support this WLC flow format at this time.
In conclusion, Currently Plixer Scrutinizer (out of Fluke, Solarwinds & Plixer) is the only 3rd party netflow tool supporting Cisco WLC netflow exports (Cisco Prime is the cisco mgmt platform which support this). You need to have that tool to get the required visibility on your wireless network. I think other neflow vendor’s will follow Scruinizer’s path & release software version of their product that can interpret Cisco WLC flow format.
Question remain is “how long will these product vendors take ?” Or “will Cisco change this on flow format in upcoming 8.0 code as it is completely IOS based ? ”
Status Update as 27 Feb 2013: I heard back from Cisco on a TAC case created for Solarwinds not working with WLC 7.4.100. Now Cisco admitted their WLC netflow export does not work with 3rd party (plixer is exception though) & they will update 7.4 documentation to reflect this correctly. You can find information about this here (CSCue57694)
Related Posts
1. Day 0 with WLC 7.4 code
2. Configuring Netflow on WLC 7.4
3. Configuring AVC on WLC 7.4
4. Configuring mDNS on WLC 7.4
mrn-cciew 
Thank you for mentioning Scrutinizer.
Hi Mike,
I am glad at least you guys play a leading role as a 3rd party to support these newer feature cisco brings into WLC. Jim was very helpful on this & I should thank him
Regards
Rasika
Thanks for sharing the info. Today I discovered that our SolarWinds does not Support 5508 WLC netflow fromat … Too bad I saw this post too late
Hi Moe,
Yes,Not many netflow vendors supporting this at the moment. Partly because the way Cisco is doing this & they want customer to use their own Prime Infrastructure to do these sort of things.
Also it may change with new IOS based controllers (3850/5760).
Hello Rasika,
Any idea if 7.5 or newer Solarwinds versions for NTA solved this incompatibility?
Hi Florin,
I do not think so. I haven’t test it myself, unless Solarwinds modified its NTA (or Cisco comply with standard Netflow format) it won’t work.
There are no sign such close partnership with Solarwinds & Cisco.
Rasika
Thank you Rasika!
Hi Rasika, excellent article and blog 🙂 i realized the same a couple of months ago with manage-engine netflow : also not working.
Do you plan to write an article on how to enable this in Cisco prime, tried some but not able to have it running 🙂
hello,
what an excellent article.
but i need to know if WhatsUP gold 16.0.3 supported now or not
Hii Mohamed,
I do not think that will support WLC Netflow.
HTH
Rasika
No whats up gold does not support it. I configured everything and in my wug console it is showing 0 flow for our 5508 wlc.
Its a shame that Cisco is not following a standard here.
Hi there, I´m trying to export flows from WLC2504 to PRIME2.2 but Prime is unable to locate interfaces from controller, is there any limitation with controllers and AVC in PI2.2?
Regards
Done, it was a firewall issue
Just ran across your post! Thanks for doing a great job talking about WLC reporting.
No problem James, you helped me on this 🙂
hi,
sorry for the little offtopic, but I want to find a little bit more details about “IOS based” WLC code and it seems it’s not easy. could you please give direction/link/etc. how to find more information regarding this matter?
thanks
p.s. you have an awsome blog, when I work tightly with cisco wireless I’m always stumbling on this blog:).
Hi
Thanks for kind remarks about this blog.
Typically IOS based WLC refer to 3850/3650/5760 based WLCs where software image based on IOS-XE.
Other controllers 5508 /2504 /7510 /8540/5520/vWLC is based on software image called AireOS.
This link may be useful to get it started
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3850-series-switches/white_paper_c11-726107.html
HTH
Rasika
ah, I see. before I thought in 8.0 release even for 2504/5508/etc. WLCs it became IOS based. that confused me, now it’s pretty clear. thanks for the quick explanation.
tried this and it’s working on our corp WLAN. however, the guest wifi is not diaplying, is this some kind of limitation due to the tunneled traffic from Foreign to Anchor? created both on Foreigh and Anchor but still the same.
Hi Rob, sorry for late response. Do you see stats under AVC for guest WLAN on your anchor ?
I think I haven’t test it for Guest SSID that time. In near future, I may again look at WLC Netflow with some other vendor tool. Will let you know an update afterward
HTH
Rasika