Looking for a quick learn on NetFlow

joe.groess
Level 1

I have a hub / spoke configuration, with about 9 spokes. All connect to the main office over a VPN, all native Cisco routers (2900 series).

I want to use netflow to monitor traffic, and I started, but my results are not what I expected. I don't think I configured properly, so I'm looking for some clues.

Several interfaces have sub-interfaces, so if I'm reading correctly, I only export flow from the physical interface, not the sub-interfaces. Correct?

I want both inbound and outbound traffic, so do I use the command twice with ingress and egress?

What is the difference between V5 and V9?

Finally, how does NBAR fit in this? I want to see applications as well as just packets.

Thanks.

4 Replies

jakewilson
Level 1

Hello Joe,

There are some great posts on the Internet related to configuring Flexible NetFlow with NBAR exports, which leverage NetFlow v9. You can't get NBAR with NetFlow v5. You are correct in that you only need to configure NetFlow on the physical interfaces; the sub-interfaces will show up automatically with unique instances.

To gain details on both inbound and outbound traffic, you have a couple options:

  1. Enable both ingress and egress flows on the one interface
  2. Enable ingress on all interfaces of the router

NetFlow v5 Vs. NetFlow v9

There are many differences between NetFlow v5 and v9; the first is NBAR. By using Flexible NetFlow to export NetFlow v9 you can gain details on MAC addresses and VLANs, and if you decide to export Cisco Performance Monitoring elements, you can gain metrics on latency, packet loss, jitter, packet length and more.

You'll also need a NetFlow collector that can report on all of the unique NetFlow v9 exports. For this I recommend Scrutinizer NetFlow and sFlow Analyzer; however, other solutions may support these exports as well. Plixer offers free technical support during the evaluation period.

Please vote on my post if this helps.

Thanks for the reply.

I am using Scrutinizer for my exports. I have way too many instances, but what I'm really concerned about is the results.

Since I have all VPN traffic, what I see for output is the WAN side IPs and the encrypted traffic. I see nothing from the LAN side or any LAN side IP information. So the best I can get out of this would be site traffic, not user or computer based traffic. Hopefully I'm missing something, or this is worthless with a VPN.

brett.harding
Level 1

Hey Joe,

You want to configure NetFlow on your Layer 3 interface, preferably inbound on the LAN interface before the traffic is encrypted. In your instance it sounds like you are using sub-interfaces for your LAN networks. Configure an ingress flow monitor on the sub-interface and see if you have better results on your Scrutinizer reports. If you are using DMVPN tunnels then you may be able to configure the flow monitor on the GRE interface.

Cheers

Brett

Turns out that to use GRE tunnels, as I am, I need to use Flexible NetFlow.

This is a bit more daunting configuration, but not too difficult.

I'm making better progress with Scrutinizer support than with Cisco support. Although it was Cisco who told me I would not get what I was looking for with standard NetFlow.
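The configuration the thread converges on (Flexible NetFlow with NBAR application names, exported as NetFlow v9, with the flow monitor applied ingress on the LAN sub-interface so flows are recorded before IPsec encryption hides the inside addresses) looks roughly like the following on IOS. This is an added example, not configuration posted in the thread or supplied by Cisco or Plixer; the record/exporter/monitor names, the collector address 10.0.0.50, UDP port 2055, and the interface numbers are placeholders to be replaced with your own.

```ios
! Added example, not from the thread. Names, the collector address 10.0.0.50,
! port 2055 and the interface numbers are assumed placeholders.

! Flow record: classic 5-tuple plus the NBAR application name.
flow record FNF-NBAR-RECORD
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! Exporter: NetFlow v9 to the collector; the application-table option
! lets the collector map NBAR application IDs to names.
flow exporter FNF-EXPORTER
 destination 10.0.0.50
 source GigabitEthernet0/0
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
 option application-table
!
! Monitor ties the record and exporter together; short active timeout
! keeps long-lived flows visible on the collector.
flow monitor FNF-MONITOR
 record FNF-NBAR-RECORD
 exporter FNF-EXPORTER
 cache timeout active 60
 cache timeout inactive 15
!
! Apply ingress on the LAN sub-interface: traffic is seen in cleartext here,
! so inside host addresses and applications appear in the flows.
! NBAR protocol discovery must be enabled for the application name to populate.
interface GigabitEthernet0/1.10
 ip nbar protocol-discovery
 ip flow monitor FNF-MONITOR input
!
! Optional for GRE/DMVPN: the tunnel interface also carries cleartext traffic,
! so both directions can be monitored there as well.
interface Tunnel0
 ip flow monitor FNF-MONITOR input
 ip flow monitor FNF-MONITOR output
```

To confirm the router is actually building flows with inside addresses and application names before looking at the collector, `show flow monitor FNF-MONITOR cache` displays the local cache and `show flow exporter FNF-EXPORTER statistics` shows whether datagrams are leaving for the collector. Applying the monitor only on the WAN-facing physical interface, by contrast, would yield exactly what Joe described: peer-to-peer WAN addresses and encrypted payload, with no LAN detail.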
