Tuesday, December 30, 2025

Getting Cisco Flexible NetFlow (FNF) v9 Data Working with PRTG (Cisco 3850 & Gibraltar 16.12.13)

By [Jason Knight]
After much unsuccessful searching, I wanted to share my findings on getting Cisco Flexible NetFlow (FNF) data to work with PRTG Network Monitor, specifically using a Cisco Catalyst 3850 running IOS XE Gibraltar 16.12.13 and PRTG version 25.4.114.1032.
Background
PRTG's standard NetFlow v9 sensor does not inherently support the fully customised fields often generated by FNF records right out of the box. PRTG requires specific, standard predefined fields to decode the flow packets reliably. While the template is generated by the switch, ensuring the record uses common, expected fields (like those below) is key to compatibility.
The critical issue in my initial setup was selecting the right combination of fields, which came down more to trial and error, and making sure the flow monitor was actively applied to an interface receiving traffic (VLAN).
The Fix
The configuration below ensures that the 3850 uses standard fields that PRTG understands and correctly applies the monitor to an active interface.

PRTG Configuration
In PRTG, you should use a NetFlow v9 sensor.
  • Port: 9995 (matches the configuration below)
  • IP Address: The IP of your PRTG Probe/Core Server.
  • Active Flow Timeout: 60 seconds (Ensure this matches or is slightly longer than the active timeout on the switch, though the default is usually fine).
  • Disabled Channels: I typically disable unnecessary channels like "IP Protocol" or "TOS" if I only care about top talkers and bandwidth.
Cisco 3850 Configuration
Here is the complete configuration required for the Cisco 3850.
! Define what information to capture in each flow
flow record myRecord
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
! Define where to send the data
flow exporter myExporter
 ! Replace x.x.x.x with your PRTG Server/Probe IP
 destination x.x.x.x
 transport udp 9995
 ! Ensure the source interface has an IP and is up
 source loopback0
!
! Combine the record and the exporter
flow monitor myMonitor
 exporter myExporter
 record myRecord
!
! Apply the monitor to an active interface
interface Vlan10
 description Main VLAN Interface
 ! THIS IS THE CRITICAL COMMAND
 ip flow monitor myMonitor input
 ! The IP from the 'source' command above, i.e. the SVI gateway
 ip address x.x.x.x 255.255.255.0
!
Validation Commands and Results
After applying the configuration, use these commands to verify that data is being exported and cached. You should immediately see statistics increasing, indicating data is successfully sent to your PRTG server.
switch3850#show flow exporter statistics

switch3850#show flow exporter templates


switch3850#show flow exporter name myExporter statistics


switch3850#show flow monitor myMonitor cache


If everything is configured correctly, your PRTG sensor should turn green and start populating bandwidth graphs within a minute!

For further troubleshooting, you can use the free Paessler NetFlow Tester to confirm packets are hitting the Windows server machine even if PRTG is failing to decode them. For additional Cisco Netflow guidelines 
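When packets reach the collector but the sensor stays empty, the next thing to check is which fields the exported template actually carries. The following is an added example, not part of the original post: a minimal parser for the NetFlow v9 header and template FlowSet (RFC 3954 layout). The sample datagram is constructed, and its template ID and field IDs are assumptions about what `myRecord` exports; compare them with your own `show flow exporter templates` output.

```python
import struct

# Names from the RFC 3954 field-type table plus IANA IPFIX elements 152/153.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
    21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
    152: "flowStartMilliseconds", 153: "flowEndMilliseconds",
}

def parse_v9_templates(datagram: bytes) -> dict:
    """Return {template_id: [(field_name, length), ...]} for one export packet."""
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-byte NetFlow v9 header")
    version = struct.unpack("!H", datagram[:2])[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field is {version})")
    templates, offset = {}, 20
    while offset + 4 <= len(datagram):
        flowset_id, length = struct.unpack("!HH", datagram[offset:offset + 4])
        if length < 4 or offset + length > len(datagram):
            raise ValueError("FlowSet length runs past the datagram")
        pos, end = offset + 4, offset + length
        # FlowSet ID 0 carries templates; IDs above 255 carry data records.
        while flowset_id == 0 and pos + 4 <= end:
            template_id, n_fields = struct.unpack("!HH", datagram[pos:pos + 4])
            pos += 4
            if pos + 4 * n_fields > end:
                raise ValueError("template record is truncated")
            fields = []
            for _ in range(n_fields):
                ftype, flen = struct.unpack("!HH", datagram[pos:pos + 4])
                fields.append((FIELD_NAMES.get(ftype, f"unknown({ftype})"), flen))
                pos += 4
            templates[template_id] = fields
        offset += length
    return templates

def build_sample() -> bytes:
    """Constructed datagram: header plus one template (ID 256, assumed field IDs)."""
    spec = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (1, 8), (2, 8), (152, 8), (153, 8)]
    record = struct.pack("!HH", 256, len(spec)) + b"".join(struct.pack("!HH", t, l) for t, l in spec)
    flowset = struct.pack("!HH", 0, 4 + len(record)) + record
    header = struct.pack("!HHIIII", 9, 1, 123456, 1767052800, 1, 0)
    return header + flowset

if __name__ == "__main__":
    for tid, fields in parse_v9_templates(build_sample()).items():
        print(tid, sum(length for _, length in fields), fields)
```

Any field reported as `unknown(...)` is one this small table does not name; the summed lengths give the size of each data record that follows the template.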






Sunday, December 28, 2025

I thought I knew what I needed to protect myself online...


I thought I knew what I needed to protect myself on the internet. In the West Midlands, our kids came home from primary school, as young as seven, talking earnestly about internet safety: 'Don't share details or pictures,' they'd say. 'Great,' I thought, 'the schools will teach them everything they need to know.' But they don't.

The internet is like opening your front door...

The internet is a bit like opening your front door to the world. When things go wrong, you quickly realise you are completely on your own. For my family, it was a very stressful time when the kids were in primary school. We had nothing in place to protect them beyond basic advice. We quickly learned a harsh truth: you are ultimately responsible for their safety at home and there are some nasty people out there in the ether.

The DATA we amass

The second major realisation was all about the sheer volume of data we amass. As of today, I have over 500,000 files—pictures, documents, finances, and videos—requiring 3TB of storage, and it keeps growing. My wife and I quickly adopted new technology, upgrading PCs every couple of years, only to realise that if a hard drive fails, you lose everything.

Yes, we lost everything

We lost everything. Not to malware or ransomware, but simply to poor prioritisation of what is truly important: our data. That dual experience—the security gap and the data loss—is the main reason I’m writing this blog. It’s time to take control of our home network security and data backup.




Thursday, December 25, 2025

How do you secure a growing family's digital world

 How do you secure a growing family's digital world while working in the heart of the cybersecurity field from your home office? That's the question I've been answering every day since the "new norm" took hold. With a background in Cisco technology and a genuine love for networking, I've been on a steep learning curve, navigating the intersection of personal life and professional security. This blog is my space to share that journey, the valuable lessons I've learned, and the honest truth about the ups and downs of making remote work truly work, securely and efficiently.


My world has changed dramatically over the last few years. As my family expanded, so did our need for seamless, secure internal access. The shift to working from home, solidified by the events of Covid, put my passion for networks and how they work to the ultimate test. As a cybersecurity professional, I live and breathe digital safety, but applying that expertise to a dynamic home environment is a different challenge entirely. This blog is a chronicle of that adventure. Join me as I document my real-world experiences, sharing practical advice and hard-won lessons on integrating enterprise-grade security (including my favourite Cisco gear) with the beautiful chaos of family life.
