Cisco has improved WLC NetFlow feature in AireOS 8.2 release. In this software version, WLC is sending enhanced NetFlow records compatible with standard Netflow v9 format to a flow collector. Therefore prior to AireOS 8.2 release, only few Netflow collector software (eg-Cisco Prime, Scrutinizer) were able to decode Netflow Data coming from WLCs. With AireOS 8.2.x most of 3rd party Netflow collectors will able to analyze WLC NetFlow data as it compatible with standard NetFlow v9.
** Note only 8540, 8510 & 5520 controllers support this enhanced flow export. If you have other WLC models like 5508/WiSM2/2504 with AireOS 8.2 or higher, still use require a supported flow collector like PI/Scrutinizer to view flow data ***
In this post, we will look at those Netflow frame format differences and in a future post we will look at enhanced Netflow with a collector software.
When capturing NetFlow traffic, you need to ensure you capture it longer in order to capture “Template Frame“, otherwise you will not able to see the data field properly as shown below (you will see no template found).
Above is captured via a SPAN session with a source interface Port Channel (as WLC configured with LAG) using below commands on a Cisco 6506 where WLC connected.
monitor session 1 source interface port-channel 99 monitor session 1 destination interface g2/6/2
Depend on the traffic volume of your WLC, it is a good idea to filter the capture to NetFlow collector IP address. Using “host x.x.x.x” capture filter in wireshark, you can capture traffic to or from the given IP address. You can find other useful wireshark capture filters using this link.
When you capture ~5 min, you should be able to see your NetFlow frames properly as “Options Template Record” is there for wireshark to display it properly. Refer RFC 3954 – Cisco Netflow Services Export v9.0 for all granular detail. You can refer Netflow version 9 Flow-Record Format cisco documentation for more information about frame format.
Here is the “Option Template Record” frame which was frame#563 in my capture.
As you can see above, in “Data Template” fields you can see there are 10 fields listed below.
Subsequent frames you will see NetFlow data according to above data structure. Note that you will see Template Frame# as well (in case you do not know which frame it is to start with).
Below show FlowSet Id=256 information which include Application_ID & Application_Name mapping. As an example Application ID 13:82 (type:id) is “YouTube” where as 13:83 is “Skype”
Here is sample of Netflow information send to a collector by WLC. You can see given user (with MAC/IP Addr) on given SSID accessing YouTube Application while connected to given AP.
The above captures are actually from a 5508 running AireOS 184.108.40.206 . I have done a similar capture from a 5508 running on AireOS 220.127.116.11 and confirmed frame format is same as above.
Now let’s see how this enhanced Netflow exports in AireOS 8.2.x with Cisco 8540 controller.
My 8540 controller running AireOS 18.104.22.168 code. Below is the “Options Template Record” list the data structure.
You can see it include 17 data fields including SrcIPAddr, DstIPAddr,SrcPort, DstPort, Protocol, 802.1X username & many other fields. Below are the full 17 data fields
8.Client Mac Address
9.AP Mac address
11.VLAN Id – Mgmt/Dyn
12.TOS – DSCP Value
13.Flow Start Time
14.Flow End Time
If you look at FlowSet_ID=256, you will see the application mapping (similar to earlier AireOS codes)
FlowSet_ID=258 gives you WLAN_ID & WLAN_Name mapping as shown below.
As shown below, FlowSet_ID=259 gives you the vlan_ID & IfName associated in WLC.
Here is a sample capture of NetFlow data traffic which shows the collection of those 17 data fields mentioned above.
As you can see above is related to a user xxx873 on wlan_id=22 (in hex 16) with vlan 1360 accessing “youtube”.
You can use WLC CLI to find which application map to which app_id.
(WLC) >grep include 82 "show avc applications" youtube 82 13 82 voice-and-video
This AVC Feature Deployment Guide listed following Netflow Deployment Considerations that you should be aware of.
* WLC supports only one monitor and exporter.
* WLC will support only one type of Netflow record globally per controller.
* Flow records are exported directly and will not be shown on the controller.
* Application visibility statistics present today will continue on the controller.
* Change to monitor parameters will require the WLAN to be disabled and enabled.
* The new record will be supported on 8510, 5520 and 8540 controllers only.
* 2500, 5508, 7500 and WiSM2 controllers will not be supported.
* Netflow statistics are sent at an interval of 30 seconds (Not user configurable. Current value is 90 seconds).
* Netflow record will be sent even for the unclassified applications with new flow record.
* Netflow will be sent on enabling AVC on that WLAN.
* IPv6 traffic is not supported in Netflow in release 8.2.
* Netflow sending initial template will be sent from Control plane.
* Netflow export on service port is not supported.
In a future post, we will look at How Netflow Software can manipulate these flow records and generate some meaningful data for analysis.