Netflow on P interface/routers

Similar Messages

• NetFlow on All Interfaces

  Hi All,
  We are using ManageEngine NetFlow Analyzer to monitor our network traffic.
  We have a few VLAN interfaces on the switch where we have enabled flow-export ingress and egress. We can see traffic that is passing between the VLANs on which flow-export has been configured. However, we have on interface that is connected to remote locations. We have not enabled flow-export on this interface. The idea was that, we have enabled ingress and egress flow-export, and the remote locations connect to VLANs where flow-export is already enabled, we must get all traffic from there. But we cannot see traffic from the remote locations, but we can see traffic from inside network to remote locations.
  After checking ManageEngine documentation, I see that we have to enable netflow on all interfaces to get accurate report. Can anyone let me know why this is required. We already have ingress and egress flow-export, and we must be getting all traffic. Please suggest.
  Thanks in advance,
  Faiz

  Hello Faiz,
  As you probably know, NetFlow by default is only collected ingress.  The ingress flows collected on all interfaces are used to display the outbound traffic on a selected interface.  I don't know about ManageEngine but, in some NetFlow solutions, interfaces without NetFlow/IPFIX enabled will not be displayed regardless of whethor or not flows are going out of it.
  Regarding ingress/egress being enabled on the same interface.  If you are using flexible NetFlow to configure the export, make sure the "flow direction" is exported in the template. The commands to export both look like this:
  ip flow monitor andrew-mon input
  ip flow monitor andrew-mon output
  Here is a good article on enabling ingress and egress NetFlow. Realize that just because you export both ingress and egress on a single interface and you export the direction, this doesn't mean the NetFlow solution will report on the data with a behavior that you would expect. 
  Ingress and egress flows are exported at the same time with only one difference "flow direction".  For this reason, this element must be included in the template to ensure that utilization isn't overstated in the flow report.  Again, this of course depends on your reporting solution.  
  Many vendors can't deal with a mixture of ingress and egress flows being enabled in a seemingly random fashion on the same device.  In other words, they expect all ingress or all egress.  Only a few vendors can handle a hybrid approach.
  I hope this helps. 
  Jake

• Is it possible for Nexus7000 flexible netflow monitor for interfaces with different vrf and export to one netflow analyzer?

  I have a Nexus 7000 with many vlan interfaces with multiple vrf, I would like to know if my netflow analyzer only connected to one vrf, can I use flexible netflow on the Nexus 7000 to monitor those vlan interfaces with multiple vrf and export them to my netflow analyzer, so that I can see all flow from different vrfs on my netflow analyzer?
  Thank you!

  Adriano, there is a RV042G, which supports the gig ports and a 800 mbps nat throughput. Here is the datasheet
  http://www.cisco.com/en/US/prod/collateral/routers/ps10907/ps9923/ps12262/data_sheet_c78-706724.html
  If you are using a DSL connection, the SRP527/547 models may be an alternative. These models support the RFC 1483 Bridges EOA Please note the SRP547 should be 10/100/1000. Also note the SRP521/541 are Fast Ethernet units and they do differ from the SRP527/547. The main selling point of these devices are the FXS/FXO ports. So this may also be a bit of an "unfocused" solution. But it's worth throwing the idea out there!
  Here is the admin guide;
  http://www.cisco.com/en/US/docs/voice_ip_comm/unified_communications/srp540_series/administration/srp500_AG_2567701.pdf
  Here is the datasheet;
  http://www.cisco.com/en/US/prod/collateral/voicesw/ps6790/gatecont/ps10500/data_sheet_c78-550705.pdf

• Netflow command and interface

  Hi,
  I have a few simple questions regarding netflow. Would anyone please clarify them for me?
  1. I usually configured netflow with "ip route-cache flow" command. Anyway, I have seen articles mentioning "ip flow ingress" and "ip flow egress" commands. What is different exactly i.e. ip route-cache flow and ip flow ingress|egress? Which one should be used?
  2. I understand netflow needs to be configured on every interface to export completely netflow data. Is it correct?
  3. If there are 2 physical and 2 logical i.e. tunnel interfaces, how many/which interfaces should netflow be configured? Are only physical interfaces enough?
  Please let me know if I misunderstand anything.
  Thank you very much,
  Nitass

  AFAIK:
  1. "ip route-cache flow" is deprecated starting in 12.2(18)SXD. See this URL for other IOS trains: http://www.cisco.com/en/US/docs/ios/netflow/command/reference/nf_01.html#wp1049320
  2. It's generally correct, due to the unidirectional nature of NetFlow records. Otherwise, you run the risks such as only seeing one direction of a given "conversation".
  3. My understanding was NetFlow cache could only be enabled on layer-3 interfaces. However, on the catalyst 6000s (and sup720?), you can get layer-2 bridged traffic between hosts in the same VLAN, using the following config:
  ip flow ingress layer2-switched vlan
  ip flow export layer2-switched vlan
  Then, there's this recent thread that makes it sound promising that layer-2 ports could become NetFlow-enabled, though it's not clear (to me) how it works out in practice:
  https://supportforums.cisco.com/message/678612#678612
  So YMMV. The best bet is to actually attempt configuring it. Odds are the physical interfaces won't accept the "ip route-cache flow" or "ip flow ingress/egress" config.

• NetFlow sends only interface-table, no templates, no flows

  Hi,
  configured NetFlow on a 3750-X with Network Module,
  but it generates only interface-tables, no templates or flows.
  Here my Config:
  flow record Ingress
   match datalink source-vlan-id
   match datalink dot1q priority
   match datalink mac source-address
   match datalink mac destination-address
   match ipv4 version
   match ipv4 tos
   match ipv4 ttl
   match ipv4 protocol
   match ipv4 source address
   match ipv4 destination address
   match transport source-port
   match transport destination-port
   match interface input physical snmp
   collect interface output snmp
   collect counter flows
   collect counter bytes
   collect counter packets
   collect timestamp sys-uptime first
   collect timestamp sys-uptime last
  flow record Egress
   match datalink destination-vlan-id
   match datalink dot1q priority
   match datalink mac source-address
   match datalink mac destination-address
   match ipv4 version
   match ipv4 tos
   match ipv4 ttl
   match ipv4 protocol
   match ipv4 source address
   match ipv4 destination address
   match transport source-port
   match transport destination-port
   match interface output physical snmp
   collect interface input snmp
   collect counter flows
   collect counter bytes
   collect counter packets
   collect timestamp sys-uptime first
   collect timestamp sys-uptime last
  flow exporter export-to-Paessler
   description PRTG Network Monitor - NetFLow
   destination 10.10.10.27
   source Vlan5
   transport udp 9991
   template data timeout 60
   option interface-table timeout 60
  flow monitor FlowMon_Ingress
   record Ingress
   exporter export-to-Paessler
   cache timeout active 60
  flow monitor FlowMon_Egress
   record Egress
   exporter export-to-Paessler
   cache timeout active 60
  interface Vlan91
   ip flow monitor FlowMon_Ingress input
   ip flow monitor FlowMon_Egress output
  sh switch service-modules
  Switch/Stack supports service module CPU version: 03.00.65
                            Temperature                     CPU
  Switch#  H/W Status       (CPU/FPGA)      CPU Link      Version
   2       OK               58C/66C         connected     03.00.65

  Hello,
  I do not have English version( I do not want log to US language I am lazy:) This is my translation:) Responsibility Order Management->Setup->Orders->Holds find you hold and look at Authorization. MAybe your pck has error because this.
  Regards,
  Luko

• Netflow with tunnel interfaces

  Hi I have a customer who is using tunnel interfaces with IPSEC on their WAN. They are collecting Netflow stats and exporting them to a server.Under the tunnel interface I have specified the bandwidth to be 1000.When I did not specify the bandwidth the tunnel speed came up on the management software as being 9kb. This was obviously not a true reflection when observing the data. The far end remote office is terminating via dsl and my question is should I specify the bandwidth under the tunnel interface to be closer to the dsl connection they have there ie 512k? There are many other tunnels coming from the main site and I have not configured Netflow on the this particular remote end.

  Hi Justin,
  If we would define bandwidth on tunnel interface it will manipulate routing decisions also and tunnel recursiuon issue could also occur where tunnel would see that the best way to reach teh destination is via tunnel itself. Beside taht the actual bandwidth used by the tunnel is based on the physical interface associated with it.

• Mars with Netflow on Interface VRF (on Router)

  Mars is collecting Netflow information from Interface VRF on Router, my question is that whether Mars will see the traffic inside of the VRF or not, or it will see only netflow traffic on Global routing (core MPLS devices).
  This router is PE, and connected to CE (Customer's device).
  interface GigabitEthernet5/2
  ip vrf forwarding ktb
  ip address 10.0.1.210 255.255.255.252
  ip flow ingress
  ip flow-export version 5
  ip flow-export destination 10.1.50.103 2055

  Refer to the document Top Issues for the Cisco Security Monitoring, Analysis, and Response System for more information
  http://www.cisco.com/en/US/products/ps6241/prod_troubleshooting_guide09186a008062f36e.html

• Netflow and interface

  there are interfaces in netflow output,   source interface and destination interface.   but how netflow know incoming and outgoing interface.
    i see some traffic has same interface for source interfce and destination interface,

  AFAIK:
  1. "ip route-cache flow" is deprecated starting in 12.2(18)SXD. See this URL for other IOS trains: http://www.cisco.com/en/US/docs/ios/netflow/command/reference/nf_01.html#wp1049320
  2. It's generally correct, due to the unidirectional nature of NetFlow records. Otherwise, you run the risks such as only seeing one direction of a given "conversation".
  3. My understanding was NetFlow cache could only be enabled on layer-3 interfaces. However, on the catalyst 6000s (and sup720?), you can get layer-2 bridged traffic between hosts in the same VLAN, using the following config:
  ip flow ingress layer2-switched vlan
  ip flow export layer2-switched vlan
  Then, there's this recent thread that makes it sound promising that layer-2 ports could become NetFlow-enabled, though it's not clear (to me) how it works out in practice:
  https://supportforums.cisco.com/message/678612#678612
  So YMMV. The best bet is to actually attempt configuring it. Odds are the physical interfaces won't accept the "ip route-cache flow" or "ip flow ingress/egress" config.

• Flexible NetFlow Causing DNS Issues

  I recently deployed Flexible NetFlow on some of my 2821 routers (Version 12.4(9)T3). This was required because I needed to export my flow records via an IPSEC / GRE tunnel, and traditional NetFlow wouldn't encapsulate within the IPSEC tunnel. So I migrated to Flexible NetFlow. As soon as I did this all DNS queries from hosts on the inside network began to fail. has anyone seen this issue? Is there a fix? Currently I have simply turned off NetFlow collection on the routers in question.
  Config:
  flow exporter StoFlowExporter
  destination 10.x.x.x
  source GigabitEthernet0/0.461
  transport udp 2055
  flow monitor StoNetFlow
  record netflow ipv4 original-input
  exporter StoFlowExporter
  interface GigabitEthernet0/0.461
  description LAN
  encapsulation dot1Q 461
  ip address 10.x.x.x 255.255.255.0
  ip access-group LAN_Outbound in
  ip flow monitor StoNetFlow input
  ip nat inside
  ip virtual-reassembly
  Thanks,

  It sound like you somehow have have got the ethernet 2 interface as the topmost interface in the Network settings "service order" which is a good thing for routing. The 192.168.1.0/24 network interface doesn't need a router setting but it will work as it is.
  The modem is really also working as a NAT router and probably sending out IPs through DHCP to machines on that subnet (the Server's "WAN"), but the server needs to have a static IP on that subnet so you can add it to your DNS server settings instead of 192.168.1.3 (or use both IPs in DNS server config for the same name but it's probably better to have only one because of the reverse IP lookup) as the machine will use the topmost interface as the default for it's name and services. The server will answer on the 192.168.1.3 inteface too for most services. If the server does NAT (probably is running the firewall and NAT?) Internet access should work without any static routes in the modem/router but you will have dual NAT from the server LAN (192.168.1.0/24 subnet).
  Both these subnets IP-"ranges" isn't using recommended values if you want to use the server for VPN later, as either one of those is the default on most broadband routers.
  Your setup looks like modem/router<-->server en port 2>--<server en port 1>---LAN switch<--->LAN client computers?
  You probably don't need to use both interfaces on the server as you (can/should) use only your modem/router for NAT but some people want to run the firewall in OS X server especiallay if forwarding a "DMZ" port from their internet router to the server IP.
  Just the servername should be in the "Sharing" setup and the domainname in "Search domain" field in Network config.
  So in your case "smcoserver" and "private" respectively.

• Interface bandwidth reporting incorrect

  We currently have Netflow configured on our HQ router and capturing Ingress / Egress Netflow on all interfaces.  We have a 150MB to our DR site.  So data traveling from our servers (internal) to the DR site will be captured twice... (take a 10MB example):
  10MB leaves Server -->  6509 -->  10MB Ingress on Inside interface --> 10MB Egress on Outside interface.  Therefore, according to our monitoring software, the Outside interface will show 20MB of traffic.
  We use Whatsup Flow Monitor.  When we view the Interface utilization, we will often see the interface way over 100%.  I realize we need to turn off Ingress or Egress strategically to make sure we only use one data stream, but what are other people doing to monitor the interfaces of their devices?
  We are using Netflow version 5.  Would version 9 do anything to solve this isse?  Or, with IOS v15 and Flexible Netflow, will this type of scenario be avoided with the use of templates?
  Any thoughts will be appreciated.
  Thanks

  Last I hear, the rule of thumb is to pick one direction (ingress or egress) and stick to that for configuring all the interfaces of the entire router, lest the same flow gets counted twice due to mixing ingress-and-egress as you've witnessed. Even then, if one router's all ingress or another all egress, but they both export NetFlow records to the same collector/reporting server, a flow passing through a set of neighbor interfaces on the two routers would still get double-counted. I don't know how NetFlow v9 or Flexi NetFlow resolves this issue without the IOS allowing an interface to be configured with both ingress and egress flow cache simultaneously. That, plus the NetFlow collector/analyzer needs to have the intelligence to deduplicate.
  Here's a blog post that seems to suggest some NetFlow reporting sw can resolve this issue alone, working with mixed-direction NetFlow v9 exports. However, I can't ascertain if this software exists yet.
  http://www.plixer.com/blog/scrutinizer/netflow-version-9-egress-vs-ingress/

• NetFlow from VRF on 4451-X

  I have a 4451-X router running XE 3.13.
  I want to get NetFlow data from interface G0/0/0 and sent it to my collector via the management VRF interface G0. Is this possible? If so, what is the configuration to make it work?
  This is what I have so far:
  flow record NetFlow
   match ipv4 tos
   match ipv4 protocol
   match ipv4 source address
   match ipv4 destination address
   match transport source-port
   match transport destination-port
   collect counter bytes
   collect counter packets
  flow exporter NetFlow-to-Orion
   destination 10.y.y.90 vrf Mgmt-intf
   source GigabitEthernet0
   transport udp 2055
   export-protocol netflow-v5
  flow monitor NetFlow-Monitor
   description Original Netflow captures
   exporter NetFlow-to-Orion
   cache timeout inactive 10
   cache timeout active 5
   record NetFlow
  interface GigabitEthernet0/0/0
   ip address xxx.xxx.xxx.xxx/30
   ip flow monitor NetFlow-Monitor input
   ip flow monitor NetFlow-Monitor output
   media-type sfp
   no negotiation auto
   no lldp transmit
  interface GigabitEthernet0
   vrf forwarding Mgmt-intf
   ip address 10.x.x.37 255.255.255.0
   negotiation auto
  What am I missing?
  Thanks,
  Patrick

  What netFlow tool do you have? Is the NetFlow tool seeing packets but not reporting anything?
  If so, it can be because the flow records exported does not have the necessary information needed by the tool to process the NetFlow datagrams. Most NetFlow tools expect the below configuration:
  flow record netfow
  match ipv4 tos
  match ipv4 protocol
  match ipv4 source address
  match ipv4 destination address
  match transport source-port
  match transport destination-port
  match interface input
  collect interface output
  collect counter bytes
  collect counter packets
  collect flow direction
  And in the flow exporter, reduce the active cache timeout to 1
  If the server where the NetFlow tool is installed is not seeing packets, make sure that:
  1. You have a route to the destination from the GigabitEthernet0
  2. No firewalls on the server or ACLs are blocking packets from the switch to the NetFlow server
  Thanks,
  Don

• Netflow Nexus 7000

  Hi all,
  A few months ago I have configured netflow on a Nexus 7000 with NX-OS version 6.0.2.
  This was my config:
  flow exporter Fluke_NetflowTracker
    description export netflow to Fluke_NetflowTracker
    destination x.x.x.x use-vrf management
    transport udp 2055
    source mgmt0
    version 9
  flow exporter Fluke_Optiview
    description export netflow to Fluke_Optiview
    destination x.x.x.x  transport udp 2055
    source Vlanx
    version 9
  flow monitor MonitorTrafficToFluke
    record netflow-original
    exporter Fluke_NetflowTracker
    exporter Fluke_Optiview
  This flow was activated on some SVI's. "ip flow monitor MonitorTrafficToFluke input"
  Recently we have upgraded the NX-OS to version 6.1.3. The netflow keeps on working, but the syntax of the netflow configuration has changed. Now you have to add a sampler as well.
  So I have created the following sampler.
  sampler NetFlow-Sampler
    description Netflow Sampler
    mode 1 out-of 1000
  When I want to update the current configuration with the sampler I can't adapt or remove the existing netflow configuration on the SVI.
  NK7(config-if)# no ip flow monitor MonitorTrafficToFluke input
  ERROR: A sampler must be configured for an interface on an F2 card
  NK7(config-if)# ip flow monitor MonitorTrafficToFluke input sampler NetFlow-Sampler
  An additional 1:100 sampler, over the configured sampler is applicable for F2 ports
  Error: Sampler can not be changed on Interface Vlanx. Remove flow monitor first.
  ERROR: Command has failed
  How do I update or remove the existing configuration on the SVI.
  I want the config to be "ip flow monitor MonitorTrafficToFluke input sampler NetFlow-Sampler"
  Thank you,
  Best Regards,
  Joris

  Hi Joris,
  Try no feature netflow under the interface and try to re-apply the whole configs. Since its a F2 we dont support config changes until 6.2(2) only way is to remove the configs using no feature netflow and re-applying it.
  Thanks,
  Richard.
  *Rate if its useful

• 3750 and Netflow

  Hi All,
  I am wanting to enable netflow on a pair of 3750's running EMI software.
  System image file is "flash:c3750-i5-mz.121-19.EA1c/c3750-i5-mz.121-19.EA1c.bin"
  I've enabled netflow on the interface..
  interface GigabitEthernet2/0/3
  description ########
  no switchport
  ip address #######
  ip access-group internet_in in
  ip access-group internet_out out
  no ip unreachables
  ip route-cache flow
  no logging event link-status
  duplex full
  speed 100
  no mdix auto
  no cdp enable
  end
  ..but i can't see any entries in the netflow table when i issue "show ip cache flow"
  I am currently runninng the desktop default SDM profile and wondered if this needs to be changed to routing to support Netflow.
  Thanks
  Paddy

  Hello Paddy,
  the command 'ip route-cache' is not supported in your IOS release, you need at least 12.2(20)SE...
  HTH,
  GP

• Network management system recommendations

  I have been looking at some network management systems such as SolarWinds, but I would like to kick the question back to the community to see what you guys recommend.
  I am looking for a powerful, uniform, monitoring system that includes the following:
  1. Network device management (syslog, configuration management, inventory, device tracker [like CW CampusManager], etc.)
  2. Application monitoring (checking if hyperlinks are working, availability, etc.)
  3. Database monitoring (SQL query response times, etc.)
  4. QoS monitoring (jitter, delay, SLA, etc.)
  5. Alerts
  Anything beyond this would be a plus.
  I am looking for the "best" solution out there in terms of performance and features ...                  

  NetFlow and IPSLA are different technologies.
  Cisco NetFlow captures header information from actual IP traffic passing through router interfaces and reports on traffic usage, applications used, souce and destination of traffic, port and protocol used, ToS, DSCP, next hop and so on. Using NetFlow you can see who is using your bandwidth, what application is being used, etc.
  Cisco IPSLA is a feature from Cisco that lets you measure the performance of a link using simulated packets and reports on jitter, latency, packet loss, Round-Trip time, packet loss, link availability, etc.
  In short, NetFlow is used for bandwidth monitoring and traffic analysis of actual IP traffic that is passing through a link and IPSLA is used to measure how a link will perform when traffic passes through it.
  Cisco supports both features - NetFlow and IPSLA.
  IPSLA needs Cisco devices with IPSLA support at the source and destination ends with atleast IOS 12.3(14)T
  NetFlow is exported as UDP packets to a flow analyzer tool - many tools use 9996 or 2055 for NetFlow export
  IPSLA requires routers with Cisco IPSLA capability and IPSLA stats is collected via SNMP.
  There are tools in the market which can monitor both. We at ManageEngine have NetFlow Analyzer, which supports NetFlow and IPSLA in addition to many more monitoring technologies like Cisco NBAR, WAAS monitoring, Cisco Medianet, etc.
  Cisco NBAR is a deep packet inspection technology which analyzes data packets to report on application usage. NBAR can detect applications hiding behind well know ports or using random ports and you can also further use NBAR to define your QoS polcies.
  If you need to know more on the software that can monitor these technologies, you can contact ManageEngine NetFlow Analyzer support at netflowanalyzer-support 'at' manageengine. com
  Regards,
  Don Thomas Jacob
  www.netflowanalyzer.com
  NOTE: Please rate posts and close questions if your query has been answered

• Static VTI tunnel to asa

  Hi All,
  I need to connect some routers to an ASA using IPSec tunnels. The goal is to get netflow traffic from the routers to a collector behide an ASA using IPSec tunnels.
  Recently I found out (locally orginated) netflow isn't properly encrypted when send through an IPSec tunnel (http://www.plixer.com/blog/network-traffic-analysis/sending-netflow-over-ipsec-tunnels/. The workaround seems to be using flexible netflow (which my collector doesn't support) or using a real tunnel interface on the router.
  This implies I need to use:
  - IPSec/GRE
  - EzVPN with DVTI
  - SVTI...?
  Since GRE is not supported on the ASA and I want the tunnel to be always active, implementing static VTI tunnels might be a good idea. So I would like to use something like this on the router.
  interface Tunnel0
  ip unnumberd loopback0
  tunnel source x.x.x.x
  tunnel destination y.y.y.y
  tunnel mode ipsec ipv4
  My question is, does anybody know if you can build an IPSec tunnel between an ASA and a router, using a SVTI interface on the router? A code sample for the ASA and the router would be more than welcome.
  Regards

  Hi Hielke ,
  if you managed to match the SAs proposed by the router when using SVTI which is any to any , and you will do this on the ASA using a crypto map access-list as follow :
  access-list crypto VPN permit ip any any
  then all traffic leaving the interface where the crypto map is applied will be subject to encryption , which is not practical in most cases .you may use different  interface (on the ASA) to this tunnel with the SVTI as it will use any any and that traffic is different than the one leaving the outside interface .
  so as Marcin this will not scale for you
  HTH
  Mohammad.