I've got an ASR 1001-X where I want to export netflow data to a collector connected to the Management-interface of the ASR.
Here's my setup wrt netflow:
flow exporter Flow-to-collector
 destination 192.168.1.99 vrf Mgmt-intf
 transport udp 2601
flow monitor My-netflow
 record netflow ipv4 original-input
 exporter Flow-to-collector
and the management-interface is configured as follows:
vrf forwarding Mgmt-intf
ip address 192.168.1.100 255.255.255.0
However, export doesn't work. After ruling out usual suspects like no connectivity over the mgmt-interface, wrong subnet mask etc. I got errors on the router itself:
router#sh flow exporter statis
Flow Exporter Flow-to-collector:
Packet send statistics (last cleared 1w2d ago):
Successfully sent: 0 (0 bytes)
Reason not given: 8596868 (11363678976 bytes)
Client send statistics:
Client: Flow Monitor OeKB-netflow
Records added: 236743312
- failed to send: 236743312
Bytes added: 2773744384
- failed to send: 2773744384
To cross check I reconfigured netflow export on the router so that I set the destination not via the Mgmt-intf VRF:
Interestingly this seems to work...
However for security reasons I want to have netflow data out of the management interface.
So I wonder whether I did something wrong wrt my netflow-setup? Or is "netflow data out the management interface" not supported on an ASR 1001-X?
Thanks much in advance for any clue...
We have the same problem. One of our solutions is to configure the management stuff within the global table and the other within separate VRF tables. Is there an IOS which works with management via the VRF interface?
I have exactly the same problem.
Looking at some older posts from 5 years ago on a similar topic, the suggestion is that the ASR can't send the NetFlow data to the management vrf and will have to traverse the production vrf.
From a security perspective I am not comfortable with this.
Does anyone know whether this is indeed the case or whether a fix is available?
OK, I changed the mgmt interface to another interface, gig 0/0/5. This works. The default "cisco" mgmt interface is not usable for all mgmt issues. The standard interfaces are ok for mgmt issues.
Great to hear!
But I would not say "mgmt interface is not usable for all mgmt issues". Stuff like TACACS, SSH, TFTP, SCP, Logging and so on works over that interface.
"all mgmt issues" means every single management function.
Netflow is a management function.
Netflow does not work over the mgmt interface.
Therefore "mgmt interface is not usable for all mgmt issues" is 100% accurate.
Just for everyone else who stumbles upon this older thread:
You might find in the log an entry like this:
%FMANRP_NETFLOW-3-EXPORTERSRCIFINVALID: Management interface (GigabitEthernet0) cannot be used as source for an exporter
The Management-Interface cannot be used as a NetFlow exporter interface.
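An added example, not part of this thread: a small Python check that parses "show flow exporter statistics" output and syslog lines for the two symptoms described above (an exporter with zero packets sent but a growing failure counter, and the EXPORTERSRCIFINVALID message). The sample output and log lines are constructed after the ones quoted in the thread.

```python
import re

# Constructed sample modelled on the "show flow exporter statistics" output in this thread.
SAMPLE_STATS = """\
Flow Exporter Flow-to-collector:
  Packet send statistics (last cleared 1w2d ago):
    Successfully sent:         0                     (0 bytes)
    Reason not given:          8596868               (11363678976 bytes)
  Client send statistics:
    Client: Flow Monitor My-netflow
      Records added:           236743312
        - failed to send:      236743312
"""
# Constructed syslog lines; the first is the message quoted in this thread.
SAMPLE_SYSLOG = [
    "%FMANRP_NETFLOW-3-EXPORTERSRCIFINVALID: Management interface (GigabitEthernet0) cannot be used as source for an exporter",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0",
]
COUNTER = re.compile(r"\s*(.+?):\s+(\d+)\s+\(\d+ bytes\)")
SRC_ERR = re.compile(r"EXPORTERSRCIFINVALID: Management interface \((\S+)\) cannot be used as source")

def parse_exporter_stats(text):
    """Map each exporter to its packet counters: {'sent': n, 'failed': n}."""
    stats, current, in_packets = {}, None, False
    for line in text.splitlines():
        m = re.match(r"Flow Exporter (\S+):", line)
        if m:
            current, in_packets = m.group(1), False
            stats[current] = {"sent": 0, "failed": 0}
        elif "Packet send statistics" in line:
            in_packets = True
        elif "Client send statistics" in line:
            in_packets = False
        elif current and in_packets and COUNTER.match(line):
            # Every counter in this section except "Successfully sent" is a
            # failure reason (here "Reason not given"), so add it to "failed".
            label, count = COUNTER.match(line).groups()
            key = "sent" if label == "Successfully sent" else "failed"
            stats[current][key] += int(count)
    return stats

def silent_exporters(stats):
    """Names of exporters that never delivered a packet but keep failing."""
    return sorted(n for n, c in stats.items() if c["sent"] == 0 and c["failed"] > 0)

def mgmt_source_errors(syslog_lines):
    """Interfaces the router refused as exporter source (EXPORTERSRCIFINVALID)."""
    return [m.group(1) for m in map(SRC_ERR.search, syslog_lines) if m]
```

Run against a real "show flow exporter statistics" capture and the device syslog, an exporter listed by silent_exporters together with an interface from mgmt_source_errors points at this thread's cause rather than at collector-side connectivity.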