This is one feature I had been waiting on for a long time. On previous controller models (such as the 5508, 2504 and WiSM2) running software 7.4 or later you can get some visibility via AVC (Application Visibility & Control) and export NetFlow data to a collector, but you need a particular NetFlow collector (Plixer or Cisco Prime Assurance) to view the exported data, because the flow format is not fully NetFlow v9 compatible.
With the new 3850 it is standard NetFlow v9, and nothing is different for wireless traffic (since that traffic terminates at the switch itself). In this post we will see how to configure NetFlow for a WLAN created on the 3850. Here is the basic topology for this post.
I have defined an SSID called “3850” with open authentication for simplicity. Here is what the WLAN configuration looks like.
wlan 3850 17 3850
 no broadcast-ssid
 client vlan WLN-STF-1
 ip dhcp server x.x.26.100
 radio dot11a
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no shutdown
If you want to monitor the traffic to/from this WLAN you need to configure a flow monitor and apply it in either the inbound or the outbound direction. Flexible NetFlow has the advantage that you can apply different flow monitors to the same interface depending on what flow information you want to collect, whereas Traditional NetFlow (TNF) collects all supported parameters and cannot be customized. A flow monitor consists of one flow record (only one is allowed) and one or more flow exporters (multiple exporters are allowed). Here is the summary of the config steps.
Let’s define a flow record named “WLAN”.
3850-1(config)#flow record WLAN
3850-1(config-flow-record)#match ?
  datalink   Datalink (layer2) fields
  flow       Flow identifying fields
  interface  Interface fields
  ipv4       IPv4 fields
  ipv6       IPv6 fields
  transport  Transport layer fields
3850-1(config-flow-record)#match ipv4 ?
  destination  IPv4 destination address based fields
  protocol     IPv4 protocol
  source       IPv4 source address based fields
  tos          IPv4 type of service
  ttl          IPv4 TTL
  version      IP version from IPv4 header
3850-1(config-flow-record)#collect ?
  counter    Counter fields
  interface  Interface fields
  timestamp  Timestamp fields
  transport  Transport layer fields
3850-1(config-flow-record)#collect cou
3850-1(config-flow-record)#collect counter ?
  bytes    Total number of bytes
  packets  Total number of packets
3850-1(config-flow-record)#collect counter by
3850-1(config-flow-record)#collect counter bytes ?
  layer2  Total number of layer 2 bytes
  long    Total number of bytes (64 bit counter)

flow record WLAN
 match ipv4 version
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 collect counter bytes long
 collect counter packets long
Here is the configuration of my flow exporter named “FLK-1”. I used Fluke NetFlow Tracker as the collector.
3850-1(config)#flow exporter FLK-1
3850-1(config-flow-exporter)#?
  default          Set a command to its defaults
  description      Provide a description for this Flow Exporter
  destination      Export destination configuration
  dscp             Optional DSCP
  exit             Exit from Flow Exporter configuration mode
  export-protocol  Export protocol version
  no               Negate a command or set its defaults
  option           Select an option for exporting
  source           Originating interface
  template         Flow Exporter template configuration
  transport        Transport protocol
  ttl              Optional TTL or hop limit

flow exporter FLK-1
 destination x.x.8.216
 source Vlan999
 transport udp 9995
Then you can define the flow monitor and assign the flow record and flow exporter to it. In my case I have defined two flow monitors, V4-IN and V4-OUT, which for simplicity use the same record and exporter. You can use a different record in each monitor (a single record per monitor) and multiple exporters if you have more than one NetFlow collector.
3850-1(config)#flow monitor V4-IN
3850-1(config-flow-monitor)#?
  cache        Configure Flow Cache parameters
  default      Set a command to its defaults
  description  Provide a description for this Flow Monitor
  exit         Exit from Flow Monitor configuration mode
  exporter     Add an Exporter to use to export records
  no           Negate a command or set its defaults
  record       Specify Flow Record to use to define Cache

flow monitor V4-IN
 exporter FLK-1
 record WLAN
!
flow monitor V4-OUT
 exporter FLK-1
 record WLAN
Now you can apply this to the WLAN you configured earlier.
3850-1(config)#wlan 3850
3850-1(config-wlan)#ip flow monitor V4-IN input
3850-1(config-wlan)#ip flow monitor V4-OUT output
Now it is time to see what’s coming in and going out on this WLAN. I am playing a YouTube video on an iPhone 5 and a tablet while making a call between 7925G and 7965 phones. Here is the traffic coming from these wireless devices.
If you want to look at which DSCP values are coming from the 7925G, you can drill into that flow as below.
If you want to look at downstream traffic to the wireless clients, you can see it as below. As expected, the YouTube video played on the iPhone 5 and the tablet gets most of the bandwidth.
Now if you try to look at applications (or protocols) you would see something like this. But why is everything categorized as TCP or UDP port 0? This is because when we defined the flow record we did not include the port fields, so the collector has no port information to classify the flows with.
Let’s add source-port and destination-port to the flow record. You have to remove the flow record from the monitor before making any modification to it.
flow record WLAN
+ match transport source-port
+ match transport destination-port
Now let’s monitor the traffic again and see whether it gets captured. Everything now comes with application names/port numbers since we are capturing that information.
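To see what the exporter FLK-1 actually sends to UDP 9995, here is an added example (not part of the original post or any Cisco tool) that decodes a NetFlow v9 export carrying the fields of the WLAN record above, including the source/destination ports just added. The field type numbers are the RFC 3954 ones; ipv4 ttl is left out because its v9 mapping is not shown on the page, and the sample packet is constructed inline.

```python
import socket
import struct

# NetFlow v9 field types (RFC 3954) covering the fields of the 3850 "WLAN" flow record
# (ipv4 ttl is omitted because its v9 field mapping is not shown on the page).
FIELD_NAMES = {1: "bytes", 2: "packets", 4: "protocol", 5: "tos", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr", 60: "ip_version"}


def parse_v9(packet, templates=None):
    """Parse one v9 export packet, learning templates and decoding data FlowSets."""
    templates = {} if templates is None else templates
    if struct.unpack("!H", packet[:2])[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, offset = [], 20                       # skip the 20-byte packet header
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        body, offset = packet[offset + 4:offset + fs_len], offset + fs_len
        if fs_id == 0:                             # template FlowSet: (type, length) pairs
            pos = 0
            while pos + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[pos:pos + 4])
                templates[tid] = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i])
                                  for i in range(n)]
                pos += 4 + 4 * n
        elif fs_id in templates:                   # data FlowSet for a template we already know
            fields = templates[fs_id]
            rec_len, pos = sum(l for _, l in fields), 0
            while pos + rec_len <= len(body):      # trailing bytes shorter than a record are padding
                rec, p = {}, pos
                for ftype, flen in fields:
                    raw = body[p:p + flen]
                    rec[FIELD_NAMES.get(ftype, ftype)] = (socket.inet_ntoa(raw) if ftype in (8, 12)
                                                          else int.from_bytes(raw, "big"))
                    p += flen
                records.append(rec)
                pos += rec_len
    return templates, records


def build_sample():
    """Constructed export packet: template 256 with the WLAN fields, then one data record."""
    fields = [(60, 1), (5, 1), (4, 1), (8, 4), (12, 4), (7, 2), (11, 2), (1, 8), (2, 8)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    rec = (bytes([4, 0x2e, 17]) + socket.inet_aton("192.0.2.10") + socket.inet_aton("198.51.100.5")
           + struct.pack("!HHQQ", 16384, 16384, 123456, 987)) + b"\x00"   # pad to 4-byte boundary
    header = struct.pack("!HHIIII", 9, 2, 1000, 1370000000, 1, 0)
    return header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(rec)) + rec
```

A data FlowSet can only be decoded after its template has been seen, which is why a collector started mid-stream shows nothing until the next template refresh.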
Before finishing off this post it is worth noting that these flow monitor commands cannot be applied on SVIs (VLAN interfaces).
3850-1(config)#interface vlan 1420
3850-1(config-if)#ip flow monitor V4-IN ?
  input    Apply Flow Monitor on input traffic
  output   Apply Flow Monitor on output traffic
  sampler  Optional Sampler to apply to this Flow Monitor
3850-1(config-if)#ip flow monitor V4-IN input
% Flow Monitor: Flow Monitor 'V4-IN' flexible netflow not supported on vlan interfaces
If you want to apply this to an L3 interface it has to be a physical routed interface. If your 3850 is acting as a proper L3 switch you should have a routed port from that switch to your core, and you can apply the flow monitor on that routed port. In my case we have a layer 2 access model, and as long as we can monitor WLAN traffic at that level we are fine with that.
Ref: Configuring Flexible Netflow – 3850 Config Guide
1. Getting Started with 3850
2. Configuring Netflow on WLC 7.4
We just released IOS XE 3.3.0 yesterday. This update adds the ability to do NBAR2 for wireless traffic and export that using Flexible NetFlow and lots of other things.
Also try the Wireshark packet capture built into the IOS in 3.3.0.
Config guides for this release should come shortly as well, however release notes can be found here: http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/release_notes/OL_30562..html
Thanks for the update. I actually upgraded my 3850/5760 to this version, but for some reason I could not get this Wireshark feature working.
I’ll send you some of the error messages I got while trying to do that
Manuelito Caoile said:
Is it possible to post my NetFlow configuration? It seems I can’t get NetFlow to work on the 5760.
Please post your thread in the CSC forum; it is the best platform to discuss this, as many others can help you.
Chris Andrew said:
Hi – please can I check – I assume your 3850 had the C3KX-SM-10G network service module installed? I understand you need this to support flexible net-flow. Thanks for the post.
No, my switch did not have the SM-10G network service module.
Since I am monitoring WLAN traffic there is no dependency on service module.