Getting Cisco Flexible NetFlow (FNF) v9 Data Working with PRTG (Cisco 3850 & Gibraltar 16.12.13)

Getting Cisco Flexible NetFlow (FNF) v9 Data Working with PRTG (Cisco 3850 & Gibraltar 16.12.13)

By [Jason Knight]

After much unsuccessful searching, I wanted to share my findings on getting Cisco Flexible NetFlow (FNF) data to work with PRTG Network Monitor, specifically using a Cisco Catalyst 3850 running IOS XE Gibraltar 16.12.13 and PRTG version 25.4.114.1032.

Background

PRTG's standard NetFlow v9 sensor does not inherently support the fully customised fields often generated by FNF records right out of the box. PRTG requires specific, standard predefined fields to decode the flow packets reliably. While the template is generated by the switch, ensuring the record uses common, expected fields (like those below) is key to compatibility.

The critical issue in my initial setup was selecting the right combination of fields. Ok more by trial and error and the flow monitor was actively applied to an interface receiving traffic (VLAN).

The Fix

The configuration below ensures that the 3850 uses standard fields that PRTG understands and correctly applies the monitor to an active interface.

PRTG Configuration

In PRTG, you should use a NetFlow v9 sensor.

• Port: 9995 (matches the configuration below)
• IP Address: The IP of your PRTG Probe/Core Server.
• Active Flow Timeout: 60 seconds (Ensure this matches or is slightly longer than the active timeout on the switch, though the default is usually fine).
• Disabled Channels: I typically disable unnecessary channels like "IP Protocol" or "TOS" if I only care about top talkers and bandwidth.

Cisco 3850 Configuration

Here is the complete configuration required for the Cisco 3850.

cisco

! Define what information to capture in each flow
flow record myRecord
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
! Define where to send the data
flow exporter myExporter
 destination x.x.x.x  <-- Replace with your PRTG Server/Probe IP
 transport udp 9995
 source loopback0         <-- Ensure the source interface has an IP and is up
!
! Combine the record and the exporter
flow monitor myMonitor
 exporter myExporter
 record myRecord
!
! Apply the monitor to an active interface
interface Vlan10
 description Main VLAN Interface
 ip flow monitor myMonitor input  <-- THIS IS THE CRITICAL COMMAND
 ip address x.x.x.x 255.255.255.0 <-- The IP from the 'source' command above i.e the SVI gateway
!

Use code with caution.

Validation Commands and Results

After applying the configuration, use these commands to verify that data is being exported and cached. You should immediately see statistics increasing, indicating data is successfully sent to your PRTG server.

cisco

switch3850#show flow exporter statistics

switch3850#show flow exporter templates

switch3850#show flow exporter name myExporter statistics

switch3850#show flow monitor myMonitor cache

Use code with caution.

If everything is configured correctly, your PRTG sensor should turn green and start populating bandwidth graphs within a minute!

For further troubleshooting, you can use the free Paessler NetFlow Tester to confirm packets are hitting the Windows server machine even if PRTG is failing to decode them. For additional Cisco Netflow guidelines