Netflow Report

I am using Netflow collector 6.0 with Linux OS. I am not able to get source address / destination address in the report.
Could you please help me out?

Hi. I want to help you with this issue, but I think I need more information. Could you please tell me if you are receiving any error messages when pulling this report? Could you please upload a screenshot here of what you do see, and describe how that differs from what you expect?
Thanks,
-Joe

Similar Messages

  • Netflow reporting via SNMP

    Looking for a Cisco config doc that talks about Netflow reporting via SNMPv3.
    We have several routers (7600) that do not support Netflow (only on flexwan card), so our plan is to use SNMPv3 reporting.
    I have a Cisco Netflow document on reporting via SNMPv2c but cannot find any good examples using SNMPv3.
    Thanks
    Frank

    Hello Racquel,
    You cannot explicitly view netflow messages within MARS. Once the MARS starts to see a flow of netflow messages it will collect and collate the information for 7 days (including a weekend). This will then produce a baseline for this netflow source. After 7 days MARS will switch from collecting to monitoring. In monitoring state MARS will, using predefined internal metrics, determine if newer netflow records indicate exceptional traffic. If this is the case, then the MARS will generate an incident on the GUI. Over time, the MARS will adjust the baseline values using the received netflow records.
    If you select to store IOS or ASA netflow records (admin -> system setup -> netflow configuration), then the records will be written to the internal database and archived (if configured). This will impact disk usage but would mean that if you needed to recover the MARS from archive after failure (re-image or RMA) then you could recover the baseline settings. Also, if you write them to disk, you can then export the raw netflow records to a file (admin -> system maintenance -> retrieve raw messages), but you will need to provide some external means of processing them.
    Matthew

  • NETFLOW REPORTS ON MARS

    Does anyone have any information on how to get good information on MARS about netflow? I have looked through all of the reports and can't find much. The MARS box is definitely receiving netflow data.

    The MARS platform will receive netflow information, but there is not a lot you can do with it. MARS is not built to be a true netflow collector. If you want to break down and have reports from netflow data, try a tool that is made to do that, such as PRTG, ARBOR (insert any one of the dozens of tools here).

  • Interface Volume reporting

    Hi ,
    I am working on Interface Volume reporting of PI like daily, weekly and monthly, individual and aggregate reports and also interactive reporting of Interfaces, the sources are going to be databases of ABAP engine, AAE and Archive data of both the stacks.
    I am looking for if someone worked on volume reporting on the Interfaces on messages are in the database and Archived. Currently we are using Performance monitoring to get reporting from Database but our retention period of the interfaces is only 2 days so we can't rely on this monitoring we wanted to run the similar reports on the Archived data as well.
    My understanding is that History (SMX*HIST, ) and Archive metadata tables(ZARIXBC1) contains interfaces metadata info so we can run reports on these tables. So I am wondering if anyone worked on the same lines or any other better solution.
    Thanks,
    Laxman

  • Monitoring GRE traffic with Netflow

    Hi,
    I have a GRE tunnel between a 3660 and a 3725. Under this tunnel there are many routers from the SP that we cannot even see.
    The problem is that Netflow shows me only high GRE traffic, giving me details only if using NBAR, but even then losing all of the information available in Netflow reports (conversations, source, etc.).
    So, does anybody know what should be configured on the routers to enable detailed netflow information for the GRE tunnel?
    Rds,
    Alex

    ip flow-cache timeout active 5
    ip flow-export source Loopback0
    ip flow-export version 5
    ip flow-export destination [Server IP] 9996
    interface Tunnel0
    description tunnel vers rct2sin2
    bandwidth 27000
    ip address x.x.x.x x.x.x.x
    ip mtu 1472
    ip nbar protocol-discovery
    ip route-cache flow
    ip tcp adjust-mss 1432
    load-interval 30
    These are my configurations and the router is a 3660.
    Rds,
    Alex

  • Interface bandwidth reporting incorrect

    We currently have Netflow configured on our HQ router and capturing Ingress / Egress Netflow on all interfaces.  We have a 150MB to our DR site.  So data traveling from our servers (internal) to the DR site will be captured twice... (take a 10MB example):
    10MB leaves Server -->  6509 -->  10MB Ingress on Inside interface --> 10MB Egress on Outside interface.  Therefore, according to our monitoring software, the Outside interface will show 20MB of traffic.
    We use Whatsup Flow Monitor.  When we view the Interface utilization, we will often see the interface way over 100%.  I realize we need to turn off Ingress or Egress strategically to make sure we only use one data stream, but what are other people doing to monitor the interfaces of their devices?
    We are using Netflow version 5. Would version 9 do anything to solve this issue? Or, with IOS v15 and Flexible Netflow, will this type of scenario be avoided with the use of templates?
    Any thoughts will be appreciated.
    Thanks

    Last I hear, the rule of thumb is to pick one direction (ingress or egress) and stick to that for configuring all the interfaces of the entire router, lest the same flow gets counted twice due to mixing ingress-and-egress as you've witnessed. Even then, if one router's all ingress or another all egress, but they both export NetFlow records to the same collector/reporting server, a flow passing through a set of neighbor interfaces on the two routers would still get double-counted. I don't know how NetFlow v9 or Flexi NetFlow resolves this issue without the IOS allowing an interface to be configured with both ingress and egress flow cache simultaneously. That, plus the NetFlow collector/analyzer needs to have the intelligence to deduplicate.
    Here's a blog post that seems to suggest some NetFlow reporting sw can resolve this issue alone, working with mixed-direction NetFlow v9 exports. However, I can't ascertain if this software exists yet.
    http://www.plixer.com/blog/scrutinizer/netflow-version-9-egress-vs-ingress/

  • How you handle your signatures

    What are you doing with your signatures which fire and are false positives? Are you using event action filters or are you disabling the signature? In some cases I see where disabling that signature would be fine. Like if you have a DNS box which is patched and not susceptible to an exploit being noticed by IPS - since your system is patched and no other boxes are susceptible to the exploit, then it seems only logical to disable the signature, yes? But event action filters come into place for signatures like sig-3030 which, in most cases, should only fire when the source is from outside your network. Just want to make sure I'm on the right track. Anyone know of a good site which discusses IPS best practice, administration and policy?
    Also how many of y'all monitor your internal network?
    Thanks

    When I'm troubleshooting a new alert I usually enable 'log pair packets' so I can put more context around the alert itself. Although they get correlated in MARS I use CSM to tune the sensors and signatures. I'll cross-launch to IDM to pull down the packet captures, saving them with somewhat descriptive names in case I need to revisit them later. I also use a great netflow reporting engine (mazu networks) to see where else the suspect PC has been going, and then use online tools like dnsstuff.com, spamhaus DROP lists, Dshield, to see if the IP address is on any block lists. This tool (as well as Arbor Networks, Lancope, etc.) also do their own non-signature-based network behavior analysis, and sometimes (not always) something will correlate here too.
    After I get enough information I try to tune the actions on the sensor itself. Sometimes you have to fall back on a MARS drop rule, just to screen out false positives or handle special cases, but I think it's better to keep the alert from occurring in the first place. Having too many filters gets ugly fast.
    You should also be leveraging Cisco's Intellishield service; each IPS sig subscription gives you (free) access to detailed information on the IPS sigs and the vulnerabilities that prompted the sig in the first place. Great service. I've been able to disable a bunch of sigs using this alone.
    Good luck.

  • Netflow is not showing on prime infra 1.2 and also reports are not generating

    Hi friends,
    I added my router to Cisco Prime for netflow and configured it by template as mentioned by Cisco in the deployment guide. I got netflow till last Friday but today I am getting anyflow on Prime.
    Second, I am not able to generate raw netflow.
    How can I remove any device from data sources if this is no longer present there? For better understanding I am also attaching the snapshot.

    Hi,
    Thanks
    Yes I have configured the command “aaa accounting exec default start-stop group tacacs+”
    As I have mentioned, all the other reports are working: which user, when he has logged in and what commands he has used. Only the TACACS+ Accounting and logged user is not working.
    Regards,
    Vineet

  • Netflow not reporting Egress traffic on 6509 Vlan

    Hi...
    We have a pair of 6509 working in a VSS configuration (IOS 12.2(33)SX5). The 6509s connect to a pair of ASAs (7.2 code) running in an Active/Standby setup. These ASAs in turn connect to routers going to remote sites. I have configured Netflow on the following VLANS,
    VLAN 10 - Servers Vlan
    VLAN 9 - Transit/ASA VLAN (connects ASAs to 6509s). All traffic originating from any VLAN on the 6509 crosses this VLAN in order to reach remote sites and vice versa
    I configured the netflow source VLAN 11 although I am not collecting any netflow from it.
    Although I have been getting lots of Netflow info, I noticed that netflow for traffic originating from any user VLAN on the 6509s going to any remote site via TRANSIT/ASA VLAN(9) does not get reported. I even tested with 4 GB traffic but no result. Only reverse traffic (i.e. from remote site to user VLAN) is reported as it traverses the Transit VLAN (9).
    I read somewhere that egress netflow is not supported in 6500, but isn't traffic originating from a user vlan to a remote site via the transit VLAN (9) considered ingress with respect to the transit VLAN (9)?
    I would like to know whether bidirectional Netflow is supported on 6500 VLANS. I have minimum control on routers beyond the ASAs, and since these ASAs run 7.2 code netflow is not supported, and monitoring this Transit Vlan gives me extremely useful info.
    I do get netflow bidirectional traffic from the Server Vlan 10, but I think it is correlated by the netflow collector from vlans 9 and 10
    Below is a show run | inc flow
    ip flow-cache timeout active 1
    ip flow ingress layer2-switched vlan 9,10
    mls netflow interface
    mls flow ip interface-full
    interface vlan 9
    ip flow ingress
    ip flow egress
    interface vlan 10
    ip flow ingress
    ip flow egress
    ip flow-export source vlan11
    ip flow-export version 9
    ip flow-export destination 10.10.10.10 2055
    All help is appreciated.
    Thanks

    Hi,
    So if I want to capture traffic out of only one specific interface, is there any option to do that in Catalyst 6500?
    If I put only that specific interface in another vlan and if, under the interface vlan, I give "ip flow ingress", will this capture the outgoing traffic through the interface while it is doing intervlan routing? Also, is it a must to give an ip address in that vlan interface? Please clarify.

  • WAAS and Netflow, traffic reports are inflated unpredictably

    Not sure if anybody has any luck getting Netflow to report correctly when WAAS is in the picture. We have about 30 sites deployed with WAAS in out of line configuration and every single one of them incorrectly reports Netflow traffic to our NetQoS Reporter Analyzer product. Typically the traffic throughput seems to be inflated several times higher. We tried every which way to alter the netflow configuration in the router including Egress Netflow but the traffic is still showing higher than actual traffic coming out of a port. In one site, even the "show interface" command on the router shows 5-minute rate of 16Mbps on a 6Mbps Multilink circuit.

    Hello Thang Lu,
    We have run into this issue with a few customers and here are some things to consider:
    - If you have 'Flexible' NetFlow enabled: Beware, Flexible NetFlow does not export the flow direction by default; you must configure the direction bit to be set for egress flows. Traditional NetFlow v9 does this automatically.
    - Are you excluding certain protocols in NetQoS? If you don't do this, some tunnels and VPN connections will be exported twice!
    These are the protocols we exclude by default in Scrutinizer NetFlow Analyzer:
    I hope these suggestions help you.
    Jake

  • CISCO PRIME INFRASTRUCTURE NETFLOW TRAFFIC REPORT

    Hi,
    I have a report from Cisco Prime Infrastructure that I don't know how to interpret, because I don't know what the fields in the report mean, the difference between them, what the optimal values are, the worst values, etc.
    Can someone help me with this?
    The name of the report is: FLEX NETFLOW TRAFFIC TQPQ
    The fields that I don't know are:

    hello,
    I also have a problem concerning the interpretation of the report that I got. If anyone knows how Cisco gets its premium reports, it will help me!

  • MARS 4.3.6 - Keyword "Netflow" no longer working in reports

    Hi,
    We just upgraded from 4.2.6 to 4.3.6.
    All of our reports that were based on the keyword netflow no longer display netflow statistics. All other reports function correctly. Anyone know of anything that changed?

    We do not store Netflow records, we run these reports off of the real time window. Cisco recommends that you do not choose to store Netflow in the case of large environments as the impact on performance is too great.
    The reports always worked before the upgrade without storing the flows.

  • Change the report type.

    I'm using a report to determine the top applications.
    How can I modify the report to get session count and bytes transmitted on the same report?
    Thanks, and happy new year!
    Andrea.

    Hi Andrea,
    Can you be more specific? From what I have perceived, you want to know the bytes transmitted for each application, right? If that is your requirement, I am afraid MARS will not fulfill the purpose. For such analysis, you need a netflow analyzer (SolarWinds, NFC, ManageEngine NTA), which will give you in-depth analysis, or you can use NBAR on IOS if your devices run an IOS that supports NBAR... MARS simply uses netflow to detect any anomaly in the traffic patterns; it does not correlate the netflow traffic, unlike the syslogs. For flow correlation you have to use any of the NTAs that I mentioned before.
    regards,
    Mohsin

  • What is "Source ID" in Netflow V9 Packet Header

    Hi,
    My question is regarding the "Source ID" field that appears in Netflow V.9 packet header. Following Cisco link (http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.pdf) gives Source ID definition as -
    "The Source ID field is a 32-bit value that is used to guarantee uniqueness for all flows exported from a particular device. (The Source ID field is the equivalent of the engine type and engine ID fields found in the NetFlow Version 5 and Version 8 headers). The format of this field is vendor specific. In the Cisco implementation, the first two bytes are reserved for future expansion, and will always be zero. Byte 3 provides uniqueness with respect to the routing engine on the exporting device. Byte 4 provides uniqueness with respect to the particular line card or Versatile Interface Processor on the exporting device."
    I am using "Source ID" (combined with template id) to uniquely identify options templates exported by different routers. At our new lab setup where we have more than one routers configured to export Netflow, I observed that all the routers were exporting "Source ID" value as "0"(zero). It failed my assumption that I had formed based on definition from above Cisco doc.
    I assumed -
    SourceID    Template Id  Unique Key
    source1       256              source1-256
    source1       257              source1-257
    source2       256              source2-256
    source3       258              source3-258
    But, I observed
    SourceID    Template Id  Unique Key
    0                  256              0-256
    0                  257              0-257
    0                  256              0-256
    0                  258              0-258
    Thus, same template id(256) from different routers(source1, source3) eventually form same unique key and breaks my code.
    I would like to know if my interpretation that Source ID can be used to uniquely identify templates in this manner is correct or not ? 
    Is "Source ID" user configurable attribute ? How does it comply to the definition given in above Cisco doc ?
    Thanks,
    Deepak

    Deepak,
    Consider these quotations from the same RFC 3954:
    Section 2: Terminology:
    Observation Point
    An Observation Point is a location in the network where IP packets
    can be observed; for example, one or a set of interfaces on a network
    device like a router. Every Observation Point is associated with an
    Observation Domain.
    Observation Domain
    The set of Observation Points that is the largest aggregatable set of
    flow information at the network device with NetFlow services enabled
    is termed an Observation Domain. For example, a router line card
    composed of several interfaces with each interface being an
    Observation Point.
    Section 7: Template Management:
    A NetFlow Collector that receives Export Packets from several
    Observation Domains from the same Exporter MUST be aware that the
    uniqueness of the Template ID is not guaranteed across Observation
    Domains.
    Section 9: The Collector Side:
    At any given time the Collector SHOULD maintain the following for all
    the current Template Records and Options Template Records: Exporter,
    Observation Domain, Template ID, Template Definition, Last Received.
    Note that the Observation Domain is identified by the Source ID field
    from the Export Packet.
    So in other words, the Source ID is an identifier of the Observation Domain (and in fact, the IPFIX RFC calls this header field directly as Observation Domain ID). Template IDs are unique per Exporter and per Observation Domain, and if a single Exporter uses multiple templates in its different Observation Domains, the IDs of these templates could overlap even in a single Exporter. Observation Domain IDs (that is, Source IDs) identify only the internal structure of a single Exporter, and no provisions are done to preserve their uniqueness across multiple Exporters - for this, the source IP shall be used.
    With respect to whether there can be multiple NetFlow instances on a single router, I am getting a feeling that with decentralized, distributed platforms, multiple linecards in a single router could run their own NetFlow analysis for data that pass through them, so each one provides a separate NetFlow collection. Thus, each linecard or each feature card doing its own NetFlow analysis should be assigned its own unique Observation Domain ID.
    If it is not user configurable then system should automatically form the value based on router engine and line card. But what I have observed, at more than one routers, is that this value is always 0(zero).
    I believe this is strongly dependent to the hardware construction of the router. As a remotely-related example, old 2600 series routers had two WIC slots. If you inserted two WIC-2T modules into these slots, you'd expect that they would be numbered Serial0/0, Serial0/1, Serial1/0, Serial1/1. Very surprisingly, however, these routers considered both slots to be internally connected to a single bus, and the interfaces were named Serial0/0, Serial0/1, Serial0/2 and Serial0/3 - as if they all were installed in a single slot '0'. Something similar may happen to the Observation Domains and their IDs. You would believe that each single linecard constituted a separate Observation Domain. However, the reality may be different, and the whole router can act as a single Observation Domain to the outside world. It's just the way it is constructed - and programmed.
    It is not clear why Cisco doc says that one should use both "Source ID" and "Source IP Address" to properly distinguish between flows.
    I think it's a poor wording in the RFC. I think what they want to say is that if you use the duplet <Source IP, Source ID> to distinguish between flows, then you're fine both for multiple flows from the same Exporter, and for multiple flows from different Exporters.
    Moreover, isn't "Source IP Address" good enough to distinguish between flows from different sources ?
    If an Exporter could truly be partitioned into multiple Observation Domains then the source IP would not be sufficient. I am just making up examples with no real-life backup here, but think of, say, a multi-chassis router with each chassis being one Observation Domain, or each linecard of a distributed switch being a standalone Observation Domain, or one router virtualized to several different contexts and virtual routers, each of them being a unique Observation Domain, reporting about the flows using the same source IP... I think you get the point.
    I would put it this way... The existence of Source ID in NetFlow v9 (and Observation Domain ID in IPFIX) allows these protocols to nicely cope with situations in which a single physical device can be partitioned into several Observation Domains and perform independent reporting on them using a single source IP. However, the fact that these protocols have this ability does not mean that each and every device, even a Cisco router/switch, must necessarily make use of it.
    Best regards,
    Peter
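
The keying Peter describes, as an added example that is not part of the original thread: a collector-side template cache for NetFlow v9 keyed by (exporter IP, Source ID, Template ID), so that two routers which both send Source ID 0 and Template ID 256 do not overwrite each other. The class and function names, the sample packets and the 192.0.2.x addresses are constructed for illustration; the exporter IP is assumed to be the source address of the UDP datagram.

```python
import struct

# NetFlow v9 export packet header (RFC 3954): version, count, sysUpTime,
# unix_secs, sequence number, Source ID.
V9_HEADER = struct.Struct("!HHIIII")
FLOWSET_HEADER = struct.Struct("!HH")  # FlowSet ID, length (header included)


def parse_templates(packet):
    """Return (source_id, {template_id: [(field_type, field_len), ...]})."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("packet shorter than a NetFlow v9 header")
    version, _count, _uptime, _secs, _seq, source_id = V9_HEADER.unpack_from(packet)
    if version != 9:
        raise ValueError("not a NetFlow v9 export packet")
    templates = {}
    offset = V9_HEADER.size
    while offset + FLOWSET_HEADER.size <= len(packet):
        flowset_id, length = FLOWSET_HEADER.unpack_from(packet, offset)
        if length < FLOWSET_HEADER.size or offset + length > len(packet):
            raise ValueError("malformed FlowSet length")
        if flowset_id in (0, 1):  # 0 = Template FlowSet, 1 = Options Template
            pos, end = offset + FLOWSET_HEADER.size, offset + length
            rec_hdr = 4 if flowset_id == 0 else 6
            while pos + rec_hdr <= end:
                if flowset_id == 0:
                    template_id, n = struct.unpack_from("!HH", packet, pos)
                else:
                    # Scope and option lengths are byte counts of 4-byte
                    # specifiers; both kinds end up in one field list here.
                    template_id, scope_len, opt_len = struct.unpack_from(
                        "!HHH", packet, pos)
                    n = (scope_len + opt_len) // 4
                pos += rec_hdr
                if template_id < 256 or pos + 4 * n > end:
                    break  # padding or a truncated record: stop this FlowSet
                templates[template_id] = [
                    struct.unpack_from("!HH", packet, pos + 4 * i)
                    for i in range(n)
                ]
                pos += 4 * n
        offset += length
    return source_id, templates


class TemplateCache:
    """Templates keyed by (exporter IP, Source ID, Template ID)."""

    def __init__(self):
        self._templates = {}

    def learn(self, exporter_ip, packet):
        # exporter_ip: source address of the UDP datagram (assumption).
        source_id, templates = parse_templates(packet)
        for template_id, fields in templates.items():
            self._templates[(exporter_ip, source_id, template_id)] = fields

    def lookup(self, exporter_ip, source_id, template_id):
        return self._templates.get((exporter_ip, source_id, template_id))


def build_template_packet(source_id, template_id, fields):
    """Constructed sample input: an export packet with one Template FlowSet."""
    record = struct.pack("!HH", template_id, len(fields))
    record += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    flowset = FLOWSET_HEADER.pack(0, FLOWSET_HEADER.size + len(record)) + record
    return V9_HEADER.pack(9, 1, 0, 0, 0, source_id) + flowset


if __name__ == "__main__":
    # Two constructed exporters, both with Source ID 0 and Template ID 256 but
    # different layouts (field types 8/12/1 = source address, destination
    # address, bytes; 7/11 = source port, destination port).
    cache = TemplateCache()
    cache.learn("192.0.2.1", build_template_packet(0, 256, [(8, 4), (12, 4), (1, 4)]))
    cache.learn("192.0.2.2", build_template_packet(0, 256, [(7, 2), (11, 2)]))
    print(cache.lookup("192.0.2.1", 0, 256))
    print(cache.lookup("192.0.2.2", 0, 256))
```

A cache keyed only on Source ID and Template ID would keep just the second router's layout for key 0-256 and decode the first router's data records with the wrong field list.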

  • NetFlow Collector - Java heap space Error

    Hello,
    I have set up NetFlow collector v6 to receive flows from 3 devices, but today, 4 days after I started the collector, I receive the following error and I'm unable to generate reports anymore:
    [2009-01-08 11:13:59 EET] ERROR com.cisco.nfc.report.ReportBuilder - An unexpected error occurred.
    java.lang.OutOfMemoryError: Java heap space
    I searched on the net and it seems that I have to set higher heap space memory for Java. Does anybody know how to resolve this issue on Red Hat?
    Red Hat Enterprise Linux ES release 4 (Nahant Update 5)

    It seems that the JVM has run out of all the memory that has been allocated to it. You can change the amount of memory allocated for use by your JVM using the -Xms and -Xmx command line parameters.
