While I was watching CiscoLive 2013 – London (via Ciscolive365) presentation about Application Visibility & Control on Cisco WLC, noticed few vendors’ netflow tools listed as supported 3rd party netflow collectors. Here is the screenshot of that (32nd min at given webex below).
Application Visibility & Control with Cisco Wireless – By Jeevan Patil
I wanted to verify this & did some testing with WLC 7.4 & netflow exports.
First with SolarWinds NetFlow Traffic Analyzer version 3.10.0 which is the version we have in our production environment. When I configure WLC to export netflow traffic to Solarwinds NTA, it could not able to decode flow exports getting from cisco WLC. Once we logged with support case with Solarwinds below answer was given.
Flow packets will be ignored by Orion NTA if they do not include the following fields in your Flow template:
Field Type Number
|Ingress bytes counter|
|Ingress packets counter|
|Layer 4 protocol|
|Source TCP/UDP port|
|Source IP address|
|SNMP ingress interface index|
|Destination TCP/UDP port|
|Destination IP address|
|SNMP egress interface index|
When we look at the Cisco WLC netflow export field information in the FAQ section, found below clarifying WLC netflow packet format.
You can see WLC netflow packet format is quiet different what Solarwinds Netflow Analyzer expects. It does not include any of the below fields which standard netflow v9.0 monitoring tool expect in their flows.
Destination IP addresses
Source and destination ports
Following are the unique field included in Cisco WLC flow packet.
So as it is cisco WLC netflow does not work with current solarwinds tool (even though cisco claim it). Solarwinds need to either customized their product to suit this WLC’s flow export or Cisco has to modify flow format (looks very unlikely).
Since Cisco confirmed Plixer Scrutinizer supporting WLC netflow in the above FAQ page, I have downloaded the 30-days trial version to check this out. I think I downloaded 10.1.1 of their netflow analysis tool called Scrutinizer. Again it did not work well initially with Cisco WLC. I saw WLC successfully added via SNMP, but no real traffic reports from wireless controller. But these guys are offering technical assistance during this 30 days tria period as well. So I was able to get hold of a guy called “Jim Dougherty” who wrote the below blog post about Scrutinizer’s capability of getting Cisco WLC netflow export.
He was kind enough to go through my test set up & see why it is not working. After few follow-ups he provided me a candidate release 10.1.2 version of this product which is perfectly work with this Cisco WLC. Thanks Jim for support extended.
I have tested this with Fluke Netflow Analyzer (NPA) as well. Again they do not support this WLC flow format at this time.
In conclusion, Currently Plixer Scrutinizer (out of Fluke, Solarwinds & Plixer) is the only 3rd party netflow tool supporting Cisco WLC netflow exports (Cisco Prime is the cisco mgmt platform which support this). You need to have that tool to get the required visibility on your wireless network. I think other neflow vendor’s will follow Scruinizer’s path & release software version of their product that can interpret Cisco WLC flow format.
Question remain is “how long will these product vendors take ?” Or “will Cisco change this on flow format in upcoming 8.0 code as it is completely IOS based ? ”
Status Update as 27 Feb 2013: I heard back from Cisco on a TAC case created for Solarwinds not working with WLC 7.4.100. Now Cisco admitted their WLC netflow export does not work with 3rd party (plixer is exception though) & they will update 7.4 documentation to reflect this correctly. You can find information about this here (CSCue57694)