Buy or Renew
Buy or Renew
COMING SOON: Umbrella and Secure Access release notes are coming to Cisco Community. The community will be in read-only August 16 – 19. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1548
Views
0
Helpful
2
Replies

Interfaces send netflow data despite no flow config under interface

Go to solution
richardbergen
Level 1
Level 1

‎08-18-2011 12:23 PM

Just curious if anyone else has seen this behaviour?

Cisco 2951 w/ HWIC-4ESW

IOS 15.0(1)M5

#sh ip flow int

Vlan533

  ip flow ingress

  ip flow egress

#

The SVI sends the flow data just fine, however I also continue to receive flow data from most other interfaces.

I have attached a screenshot of one of our netflow collectors indicating that many of the interfaces are sending flow data even though not configured to do so. We have two different netflow collectors, from different vendors and both confirm the same interfaces sending flow data.

Normally I wouldn't care and ignore it, however one of them uses a license limit by interface and is a bit problematic.

Any input would be appreciated!

thanks

Labels:
Preview file
74 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Don Jacob
Level 1
Level 1

‎08-24-2011 06:44 AM

I guess the reason is NetFlow's ability to include information about the sender/receiving interface.

Say, you enable NetFlow Ingress on vlan533. This means IN traffic for vlan 533 is accounted for. This traffic flow will also have information about the interface through which packets are exiting the device. Thus the exit interface is also seen.

The same with NetFlow Egress. NetFlow Egress on vlan533 has information about all traffic exiting the vlan533. This traffic flow also has information on the interface through which traffic came into the device before exiting vlan 533.

So, in your scenario, if all the other interfaces either send traffic to vlan 533 or receive traffic from vlan 533, information about them will be present in the NetFlow cache and the NetFlow reporting tool will also detect and report on them which is why you see interfaces not enabled with NetFlow.

We have an interface based license option with ManageEngine NetFlow Analyzer and so have provided options to unmanage the interfaces about which you do not need reports for. I guess something similar might be available in your tool, using which you can unmanage interfaces you do not need reports for and thus save licensing.

Regards,

Don Thomas Jacob

ManageEngine NetFlow Analyzer

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Don Jacob
Level 1
Level 1

‎08-24-2011 06:44 AM

I guess the reason is NetFlow's ability to include information about the sender/receiving interface.

Say, you enable NetFlow Ingress on vlan533. This means IN traffic for vlan 533 is accounted for. This traffic flow will also have information about the interface through which packets are exiting the device. Thus the exit interface is also seen.

The same with NetFlow Egress. NetFlow Egress on vlan533 has information about all traffic exiting the vlan533. This traffic flow also has information on the interface through which traffic came into the device before exiting vlan 533.

So, in your scenario, if all the other interfaces either send traffic to vlan 533 or receive traffic from vlan 533, information about them will be present in the NetFlow cache and the NetFlow reporting tool will also detect and report on them which is why you see interfaces not enabled with NetFlow.

We have an interface based license option with ManageEngine NetFlow Analyzer and so have provided options to unmanage the interfaces about which you do not need reports for. I guess something similar might be available in your tool, using which you can unmanage interfaces you do not need reports for and thus save licensing.

Regards,

Don Thomas Jacob

ManageEngine NetFlow Analyzer

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.
0 Helpful

Go to solution
richardbergen
Level 1
Level 1
In response to Don Jacob

‎08-24-2011 07:15 AM

that is exactly right

The show ip cache flow output basically sums it all up. It lists the source / destination interfaces which makes sense why they showed up in the report..

0 Helpful
Customers Also Viewed These Support Documents