Cisco Community
English
Register
We have 1 million community members! Join the celebration! Learn how.
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
991
Views
0
Helpful
0
Replies
adrianopinaffo1
Beginner
Beginner
‎01-02-2019 11:59 AM
‎01-02-2019 11:59 AM

Can´t export Netflow traffic

I have an architecture like below:

 

Site net --- local router --- border router <===VPN===> HO router --- Netflow collector

 

I´m trying to send Netflow traffic from local router to the Netflow collector back in the Head Office server. Traffic is not arriving at the Netflow collector, but I´m sure it´s due to my inability with it. Namely, I don´t understand the difference between flow commands ip flow commands.

 

To add insult to injury, from the local router I can only reach the HO network if the packet is sourced from the LAN interface. Result is that in the Netflow collector I don´t see packets arriving from the local router (I´m checking directly sing tcpdump), and I´m not entirely sure why. Can anyone help?

 

There are details below:

 

relevant config:

 

flow record NTArecord
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
!
flow exporter NTAexporter
 destination 172.24.32.60
 source GigabitEthernet0/1
 transport udp 2055
 template data timeout 60
!
!
flow monitor NTAmonitor
 record NTArecord
 exporter NTAexporter
 cache timeout active 60


ip flow-cache timeout active 1

interface GigabitEthernet0/1
 description LAN
 ip address 172.16.15.2 255.255.255.224
 ip flow monitor NTAmonitor input
 ip flow monitor NTAmonitor output
 ip flow ingress
 ip flow egress


ip flow-export source GigabitEthernet0/1
ip flow-export version 9
ip flow-export destination 172.24.32.60 2055
ip flow-top-talkers
 top 10
 sort-by bytes

export info:

 

 

#sh ip flow export
Flow export v9 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Source(1)       172.24.15.2 (GigabitEthernet0/1)
    Destination(1)  172.24.32.60 (2055)
  Version 9 flow records
  7444 flows exported in 476 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures

interface info:

 

 

#sh ip flow interface
GigabitEthernet0/1
  ip flow ingress
  ip flow egress

top-talkers:

 

 

#sh ip flow top-talkers

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Gi0/1         <IP>            Gi0/0         <IP>            06 FD06 01BD    70K
Gi0/0         <IP>            Gi0/1*        <IP>            06 01BD FD06    41K
Gi0/1         <IP>            Gi0/0         <IP>            11 00A1 FD44    27K
Gi0/0         <IP>            Gi0/1*        <IP>            11 FD44 00A1    25K
Gi0/1         <IP>            Gi0/0         <IP>            06 FD07 01BD    14K
Gi0/1         <IP>            Gi0/0         <IP>            06 FD09 01BD    13K
Gi0/0         <IP>            Gi0/1*        <IP>            06 01BD FD07  5073
Gi0/1         <IP>            Gi0/0         <IP>            11 2454 F2A8  4689
Gi0/0         <IP>            Gi0/1*        <IP>            06 01BD FD09  4097
Gi0/1         <IP>            Gi0/0         <IP>            06 F06C 0050  3259
10 of 10 top talkers shown. 52 flows processed.

exporter info (flow):

 

#sh flow exporter
Flow Exporter NTAexporter:
  Description:              User defined
  Export protocol:          NetFlow Version 9
  Transport Configuration:
    Destination IP address: 172.24.32.60
    Source IP address:      172.24.15.2
    Source Interface:       GigabitEthernet0/1
    Transport Protocol:     UDP
    Destination Port:       2055
    Source Port:            56704
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Not Used

interface info (flow):

#sh flow interface
Interface GigabitEthernet0/1
  FNF:  monitor:          NTAmonitor
        direction:        Input
        traffic(ip):      on
  FNF:  monitor:          NTAmonitor
        direction:        Output
        traffic(ip):      on

monitor info (flow):

#sh flow monitor
Flow Monitor NTAmonitor:
  Description:       User defined
  Flow Record:       NTArecord
  Flow Exporter:     NTAexporter
  Cache:
    Type:              normal
    Status:            allocated
    Size:              4096 entries / 311316 bytes
    Inactive Timeout:  15 secs
    Active Timeout:    60 secs
    Update Timeout:    1800 secs

record info (flow):

#sh flow record
flow record NTArecord:
  Description:        User defined
  No. of users:       1
  Total field space:  46 bytes
  Fields:
    match ipv4 tos
    match ipv4 protocol
    match ipv4 source address
    match ipv4 destination address
    match transport source-port
    match transport destination-port
    match interface input
    collect interface output
    collect counter bytes long
    collect counter packets long
    collect timestamp sys-uptime first
    collect timestamp sys-uptime last

ip cache flow output:

#sh ip cache flow
IP packet size distribution (1471924 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .161 .065 .248 .175 .075 .031 .028 .018 .044 .047 .030 .018 .003 .001

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .004 .004 .038 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  75 active, 4021 inactive, 53881 added
  1116634 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
  75 active, 949 inactive, 9699 added, 9699 added to flow
  0 alloc failures, 0 force free
  1 chunk, 4 chunks added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-WWW          15341      0.0         4   353      0.0       2.6      14.5
TCP-other        12154      0.0        61   201      0.1       8.4       7.9
UDP-DNS           1604      0.0         1    69      0.0       0.0      15.4
UDP-NTP             84      0.0         1    79      0.0       0.0      15.7
UDP-Frag             1      0.0         1   727      0.0       0.0      15.4
UDP-other        23951      0.0        27   204      0.1       2.8      15.3
ICMP               671      0.0         4   365      0.0      14.6      14.7
Total:           53806      0.0        27   210      0.3       4.1      13.4

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
...

 output of reachability:

#ping 172.24.32.60

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.32.60, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
#ping 172.24.32.60 source gig 0/1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.32.60, timeout is 2 seconds:
Packet sent with a source address of 172.24.15.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

 

Labels:
0 Helpful
0 REPLIES 0
Latest Contents
(Podcast) S8|E37 Cisco Champion Unfiltered: I'll Fix That La...
Created by Amilee San Juan on 09-17-2021 01:12 PM
0
0
0
0
Listen: https://smarturl.it/CCRS8E37Follow us: twitter.com/ciscochampionSometimes, situations require temporary fixes. Sometimes, the network becomes an afterthought in overall office design and planning. In either situation, it may require netw... view more
Hear how great partnerships make smart building solutions
Created by Kelli Glass on 09-16-2021 03:33 PM
0
0
0
0
In this special edition of the Insider Series, we hear from Cisco partners who have taken steps to be more eco-friendly and sustainable. We hear what inspires ASHRAE, Southwire, Igor, and NTT to create a workplace that is centered around people and how th... view more
Demystifying OSPF DR Network LSA
Created by meddane on 09-15-2021 05:48 AM
0
0
0
0
We know that the Type-1 LSA describes the link type connected to the router, the neighbor router and the subnet number.In this topology, assume we dont have a Type-2 LSA, so each router will create its own Type-1 LSA, the Type-1 LSA will describe the neig... view more
Cisco DNA Center ATXs FAQ
Created by dilthaku on 09-12-2021 06:32 PM
0
0
0
0
Here are some commonly asked questions and answers to help with your adoption of Cisco DNA Center Wireless. Subscribe to this post to stay up-to-date with the latest Q&A and recommended Ask the Experts (ATXs) sessions to attend. Q. I have a Cisco Appl... view more
Why IETF changed and inverted OSPF Type-7 LSA VS Type-5 LSA ...
Created by meddane on 09-12-2021 05:54 PM
0
0
0
0
Why IETF changed and inverted OSPF Type-7 LSA VS Type-5 LSA election In RFC 3101 compared to OLD RFC 1587?Many people learns that the Type-7 LSA and Type-5 election (ON Versus OE routes) depends on RFC 3101 for NSSA published in 2003 and RFC 1587 for NSSA... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Event
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad