10-27-2013 01:12 PM
Hello Community,
I have configured flexible Netflow on our routers. An analysis of the cache reveals that my pc is communicating with the router via skype, however I'm not running skype on my desktop.
IPV4 SRC ADDR IPV4 DST ADDR TRNS SRC PORT TRNS DST PORT INTF INPUT IP PROT flows bytes time first app name
10.44.108.168 172.17.140.77 51956 161 Tu0 17 1 544 20:07 cisco skype
Can someone please tell me why I'm seeing skype being communicated between my desktop 10.44.108.168 to the router on 172.17.140.77?
Cheers
Carlton
10-27-2013 03:37 PM
10-27-2013 06:27 PM
Hi Marvin,
It's very strange indeed.
I'm going to download the Microsoft utility.
Cheers
10-28-2013 01:23 AM
I've seen similar behaviors with the first release of NBAR in NetFlow. NBAR2 in the latest IOS does a better job of identifying applications. Perhaps you can try it.
10-28-2013 02:42 AM
Hi Jake,
Thanks for responding.
Can you let me know how I would go about enabling NBAR2?
Cheers
Carlton
10-28-2013 07:28 AM
NBAR2 uses protocol packs to update application support. They are available under the "Software on Chassis" section of the downloads page for your platform (assuming it's an ISR G2 or ASR with the necessary license - those are the platforms with NBAR2 support).
See this example for the 2921: link.
For lots of info on AVC, NBAR2, FNF, licensing requirements, how to load and use protocol packs, etc. please see the Cisco Docwiki page on AVC.
10-28-2013 07:34 AM
Thanks Marvin,
One quick other question.
Can you tell me if its possible to configure Netflow Exporter with more than one destination?
Flow Exporter NETFLOW-TO-ORION:
Description: User defined
Export protocol: NetFlow Version 9
Transport Configuration:
Destination IP address: 150.50.5.2
Source IP address: 150.50.5.1
Source Interface: Ethernet1/3
Transport Protocol: UDP
Destination Port: 9995
Source Port: 53405
DSCP: 0x0
TTL: 255
Output Features: Not Used
I would like to add another destination to the above Flow Exporter
Cheers
Carlton
10-28-2013 08:23 AM
You're welcome.
A given exporter only goes to a single destination. You can create multiple exporters for a given monitor. (up to 10 with FNF, 2 with original Netflow)
See the configuration guide here.
Please rate helpful posts and marked your question as answered once it has been.
Best Regards,
- Marvin
10-28-2013 09:32 AM
Marvin,
Thanks again mate. You've been great.
I wonder if I could trouble again regarding Flow Exporters values?
Can you recommend timeout values. For example I think Cisco suggests the following:
ip flow-cache timeout active 1 | Breaks up long-lived flows into 1-minute fragments. You can choose any number of minutes between 1 and 60. If you leave it at the default of 30 minutes your traffic reports will have spikes. It is important to set this value to 1 minute in order to generate alerts and viewtroubleshooting data. |
ip flow-cache timeout inactive 15 | Ensures that flows that have finished are periodically exported. The default value is 15 seconds. You can choose any number of seconds between 10 and 600. However, if you choose a value greater than 250 seconds, NetFlow Analyzer may report traffic levels that are too low. |
Would you go along with this?
Cheers
Carlton
10-28-2013 10:15 AM
Absent any specific recommendations to the contrary from your Netflow management tool vendor, the Cisco recommendations are generally fine.
If you're using SolarWinds NTA, they have some suggestions on their technical references here:
10-28-2013 01:35 PM
I was told that NBAR2 is the result of upgrading to IOS XE 3.7 on the ASR1000 or to IOS 15.2(4)M on your ISR routers.
To configure multiple exporters, use Flexible NetFlow. It allows you to setup multiple (possibly unlimited) Flow Exporters and assign them to a Flow Monitor. Make sure you add all the exporters in step two of the Flexible NetFlow configuration process. Reach out to the team at plixer.com if you need help.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide