Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
573
Views
0
Helpful
1
Replies

Does WCCP skew results of 'ip flow top-talkers'?

nickmcpherson
Level 1
Level 1

‎03-02-2011 07:44 AM

I have a router that has been configured to show ip flow top-talker information.  I recently added a WAAS to this site that is using WCCP redirection.  The 'top-talkers' output on the router still works - but shows source/destination of the router and WAAS device as the talkers for all traffic that has been redirected.  I'm not able to see that actual client IPs for that traffic .. and that is the majority of my traffic.  Is there any way to still be able to view this traffic as I did before?  If I dump netflow to an actual netflow server instead of using top-talkers will that work - or will it display the same thing?

Router configuration:

interface multilink1

ip flow ingress

!

interface gi0/0

ip flow ingress

!

ip flow-top-talkers

  top 25

  sort-by bytes

Now when I do a 'show ip flow top-talkers', here's what I see:  10.10.11.18 is WAAS and 10.10.255.11 is loopback of the router.

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Gi0/0.1       10.10.11.18     Mu1           10.10.255.11    2F 0000 0000   141M
Gi0/0.1       10.10.11.18     Mu1           10.10.255.11    2F 0000 0000    12M
Gi0/0.1       10.10.11.124    Gi0/0.1       10.10.10.53     06 1058 0A26  1801K
Gi0/0.1       10.10.11.54     Gi0/0.1       10.10.10.5      06 0E0C 0A26   882K
Gi0/0.1       10.10.11.107    Gi0/0.1       10.10.10.50     06 043D 05D6   736K
Gi0/0.1       10.10.11.60     Gi0/0.1       10.10.10.5      06 0409 0A26   723K
Gi0/0.1       10.10.11.103    Gi0/0.1       10.10.10.5      06 0407 0A26   713K
Gi0/0.1       10.10.11.120    Gi0/0.1       10.10.10.14     06 0456 05D6   531K
Gi0/0.1       10.10.11.237    Gi0/0.1       10.10.10.27     06 238C 110E   527K
Gi0/0.1       10.10.11.62     Gi0/0.1       10.10.10.53     06 C00E 05D6   463K
Gi0/0.1       10.10.11.125    Gi0/0.1       10.10.10.30     06 12A1 1F90   355K
Gi0/0.1       10.10.11.115    Gi0/0.1       10.10.10.14     06 042C 05D6   336K
Gi0/0.1       10.10.11.137    Gi0/0.1       10.10.10.6      06 04AC 0D3D   244K
Gi0/0.1       10.10.11.154    Gi0/0.1       10.10.10.53     06 0A0D 0A26   216K
Gi0/0.1       10.10.11.66     Gi0/0.1       10.10.10.6      06 C018 05D6   195K
Gi0/0.1       10.10.11.91     Gi0/0.1       10.10.10.5      06 0439 05D6   145K
Gi0/0.1       10.10.11.58     Gi0/0.1       10.10.10.14     06 0458 05D6   134K
Gi0/0.1       10.10.11.127    Gi0/0.1       10.10.10.30     06 0618 1F90   115K
Gi0/0.1       10.10.11.18     Local         10.10.255.11    11 0800 0800    96K
Gi0/0.1       10.10.11.147    Gi0/0.1       10.10.10.14     06 118F 0A26    88K
Gi0/0.1       10.10.11.95     Gi0/0.1       10.10.10.14     06 0C35 0D3D    84K
Gi0/0.1       10.10.11.105    Gi0/0.1       10.10.10.27     06 C98F 01BD    70K
Gi0/0.1       10.10.11.117    Gi0/0.1       10.10.10.53     06 CB1A 0D3D    41K
Gi0/0.1       10.10.11.65     Gi0/0.1       10.10.10.14     06 0EF9 05D6    40K
Gi0/0.1       10.10.11.112    Gi0/0.1       10.10.10.21     06 08D5 0D3D    37K

Thanks!

Labels:
0 Helpful
1 Reply 1

nickmcpherson
Level 1
Level 1

‎03-02-2011 10:43 AM

I believe the problem is caused because I have the WAAS appliance in the same subnet as users.  I am using the 'egress-method negotiated-return intercept-method wccp' on the WAAS to send the traffic back to the router.  This uses GRE, which is causing the cache flow data to show up the way it is. 

I will have to move the WAAS to a different subnet and change the return method.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card