Just for everyone else who

ewald.jenisch · ‎02-26-2015

Hi,

I've got got an ASR 1001-X where I want to export netflow data to a collector connected to the Management-interface of the ASR.

Here's my setup wrt netflow:

flow exporter Flow-to-collector
destination 192.168.1.99 vrf Mgmt-intf
transport udp 2601
export-protocol netflow-v5
!
!
flow monitor My-netflow
exporter Flow-to-collector
record netflow ipv4 original-input

and the management-interface is configured as follows:

interface GigabitEthernet0
description Management-Interface
vrf forwarding Mgmt-intf
ip address 192.168.1.100 255.255.255.0
negotiation auto

However export doesn't work. After ruling out usual suspects like no connectivity over the mgnt-interface, wrong subnet mask etc. I got errors on the router itself:

router#sh flow exporter statis
Flow Exporter Flow-to-collector:
Packet send statistics (last cleared 1w2d ago):
Successfully sent: 0 (0 bytes)
Reason not given: 8596868 (11363678976 bytes)

Client send statistics:
    Client: Flow Monitor OeKB-netflow
      Records added:           236743312
        - failed to send:      236743312
      Bytes added:             2773744384
        - failed to send:      2773744384

router#

To cross check I reconfigured netflow export on the router so that I set the destination not via the Mgmt-intf VRF:

destination 192.168.1.99

Interestingly this seems to work...

However for security reasons I want to have netflow data out of the management interface.

So I wonder whether I did something wrong wrt by netflow-setup? Or is "netflow data out the management interface" not supported on an ASR 1001-X?

Thanks much in advance for any clue...

ul0305801 · ‎04-15-2015

Hi,

we have the same problem. One of our solution is, to configure the management staff within the global table and the other within separate VRF tables. Is there an IOS which works with management via the VRF interface?

m.haran · ‎12-31-2015

Hi,

I have exactly the same problem.

Looking at some older posts from 5 years ago on a similar topic, the suggestion is that the ASR can't send the NetFlow data to the management vrf and will have to traverse the production vrf.

From a security perspective I am not comfortable with this.

Does anyone know whether this is indeed the case or whether a fix is available?

Regards

ul0305801 · ‎06-28-2016

HI,

ok I changed the mgmt interface to another interface gig 0/0/5. This works. The default "cisco" mgmt interface is not usable for all mgmt issues. The standard interfaces are ok for mgmt issues.

Ich Nafi · ‎06-28-2016

Great to hear!

But i would not say "mgmt interface is not usable for all mgmt issues".Stuff like TACAS, SSH, TFTP, SCP, Logging and so on works over that interface.

Cheers

martin0641 · ‎12-09-2016

"all mgmt issues" means every single management function.

Netflow is a management function.

Netflow does not work over the mgmt interface.

Therefore "mgmt interface is not usable for all mgmt issues" is 100% accurate.

Ich Nafi · ‎06-28-2016

Just for everyone else who stumbles upon this older thread:

You might find in the log an entry like this:

%FMANRP_NETFLOW-3-EXPORTERSRCIFINVALID: Management interface (GigabitEthernet0) cannot be used as source for an exporter

The Management-Interface cannot be used as an Netflow exporter Interface.

mwannemacher · ‎01-07-2021

yes. this is the correct answer. mgmt interface is not supported for netflow export. must be any other interface.

best practice is to use a OOBM one

ASR 1001-X / flexible netflow / export via mgmt-intf (VRF)