Beginner

ASR 1001-X / flexible netflow / export via mgmt-intf (VRF)

Hi,

I've got an ASR 1001-X where I want to export netflow data to a collector connected to the Management-interface of the ASR.

Here's my setup wrt netflow:

flow exporter Flow-to-collector
 destination 192.168.1.99 vrf Mgmt-intf
 transport udp 2601
 export-protocol netflow-v5
!
!
flow monitor My-netflow
 exporter Flow-to-collector
 record netflow ipv4 original-input

 

and the management-interface is configured as follows:

interface GigabitEthernet0
 description Management-Interface
 vrf forwarding Mgmt-intf
 ip address 192.168.1.100 255.255.255.0
 negotiation auto

 

However, export doesn't work. After ruling out the usual suspects like no connectivity over the mgmt-interface, wrong subnet mask etc., I got errors on the router itself:

 

router#sh flow exporter statis
Flow Exporter Flow-to-collector:
  Packet send statistics (last cleared 1w2d ago):
    Successfully sent:         0                     (0 bytes)
    Reason not given:          8596868               (11363678976 bytes)

  Client send statistics:
    Client: Flow Monitor OeKB-netflow
      Records added:           236743312
        - failed to send:      236743312
      Bytes added:             2773744384
        - failed to send:      2773744384

router#

 

To cross check I reconfigured netflow export on the router so that I set the destination not via the Mgmt-intf VRF:

destination 192.168.1.99

Interestingly this seems to work...

 

However for security reasons I want to have netflow data out of the management interface.

 

So I wonder whether I did something wrong wrt my netflow-setup? Or is "netflow data out the management interface" not supported on an ASR 1001-X?

 

Thanks much in advance for any clue...

 

 

6 REPLIES
Beginner

Hi,

 

we have the same problem. One of our solutions is to configure the management stuff within the global table and the other within separate VRF tables. Is there an IOS which works with management via the VRF interface?

Beginner

Hi,

I have exactly the same problem.

Looking at some older posts from 5 years ago on a similar topic, the suggestion is that the ASR can't send the NetFlow data to the management vrf and will have to traverse the production vrf.

From a security perspective I am not comfortable with this.

Does anyone know whether this is indeed the case or whether a fix is available?

Regards

Beginner

Hi,

OK, I changed the mgmt interface to another interface, gig 0/0/5. This works. The default "cisco" mgmt interface is not usable for all mgmt issues. The standard interfaces are ok for mgmt issues.

Beginner

Great to hear!

But I would not say "mgmt interface is not usable for all mgmt issues". Stuff like TACACS, SSH, TFTP, SCP, Logging and so on works over that interface.

Cheers

Beginner

"all mgmt issues" means every single management function.

Netflow is a management function.

Netflow does not work over the mgmt interface.

Therefore "mgmt interface is not usable for all mgmt issues" is 100% accurate.

Beginner

Just for everyone else who stumbles upon this older thread:

You might find in the log an entry like this:

%FMANRP_NETFLOW-3-EXPORTERSRCIFINVALID: Management interface (GigabitEthernet0) cannot be used as source for an exporter

The Management-Interface cannot be used as a Netflow exporter interface.
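
Added example, not part of any post in this thread: a Python check that a monitoring job could run over `show flow exporter statistics` output and syslog to catch the failure described above, where flow records are accepted but no export packet is ever sent. The sample text is constructed in the format quoted in the thread; the function names and the `Via-data-port` exporter are assumptions.

```python
import re

# Constructed samples in the format quoted in the thread; names and counters are made up.
SAMPLE_STATS = """\
Flow Exporter Flow-to-collector:
  Packet send statistics (last cleared 1w2d ago):
    Successfully sent:         0                     (0 bytes)
    Reason not given:          8596868               (11363678976 bytes)
  Client send statistics:
    Client: Flow Monitor My-netflow
      Records added:           236743312
        - failed to send:      236743312
Flow Exporter Via-data-port:
  Packet send statistics (last cleared 1w2d ago):
    Successfully sent:         5120                  (7372800 bytes)
  Client send statistics:
      Records added:           153600
"""
SAMPLE_LOG = ["%FMANRP_NETFLOW-3-EXPORTERSRCIFINVALID: Management interface "
              "(GigabitEthernet0) cannot be used as source for an exporter"]

def parse_exporter_stats(text):
    """Return {exporter: {sent, unsent, records, records_failed}} from the CLI output."""
    stats, cur, section, last = {}, None, None, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"Flow Exporter (\S+):$", s):
            cur = stats.setdefault(m[1], dict(sent=0, unsent=0, records=0, records_failed=0))
            section = None
        elif cur is not None and s.startswith(("Packet send", "Client send")):
            section = s.split()[0]      # "Packet" or "Client"
        elif cur is not None and (m := re.match(r"(- )?([^:]+):\s+(\d+)", s)):
            sub, label, value = m[1], m[2], int(m[3])
            if section == "Packet":     # assumption: any other packet counter is an unsent reason
                cur["sent" if label == "Successfully sent" else "unsent"] += value
            elif label == "Records added":
                cur["records"] += value
            elif sub and last == "Records added":
                cur["records_failed"] += value
            last = label if not sub else last
    return stats

def silent_exporters(stats):
    """Exporters that accepted flow records but never put a packet on the wire."""
    return sorted(n for n, s in stats.items() if s["records"] > 0 and s["sent"] == 0)

def rejected_source_interfaces(log_lines):
    """Interfaces named in EXPORTERSRCIFINVALID syslog messages."""
    pat = r"%FMANRP_NETFLOW-3-EXPORTERSRCIFINVALID: Management interface \(([^)]+)\)"
    return [m[1] for line in log_lines if (m := re.search(pat, line))]
```

Alerting on a non-empty `silent_exporters` result catches the gap in flow telemetry even when the syslog message has already rotated out of the buffer.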
