12-14-2009 09:32 AM
Hi,
I have a few simple questions regarding NetFlow. Would anyone please clarify them for me?
1. I usually configure NetFlow with the "ip route-cache flow" command. However, I have seen articles mentioning the "ip flow ingress" and "ip flow egress" commands. What exactly is the difference between ip route-cache flow and ip flow ingress|egress? Which one should be used?
2. I understand NetFlow needs to be configured on every interface to export complete NetFlow data. Is that correct?
3. If there are 2 physical and 2 logical (i.e. tunnel) interfaces, on how many/which interfaces should NetFlow be configured? Are the physical interfaces alone enough?
Please let me know if I misunderstand anything.
Thank you very much,
Nitass
12-14-2009 12:42 PM
AFAIK:
1. "ip route-cache flow" is deprecated starting in 12.2(18)SXD. See this URL for other IOS trains: http://www.cisco.com/en/US/docs/ios/netflow/command/reference/nf_01.html#wp1049320
2. It's generally correct, due to the unidirectional nature of NetFlow records. Otherwise, you run risks such as only seeing one direction of a given "conversation".
3. My understanding was that the NetFlow cache could only be enabled on layer-3 interfaces. However, on the Catalyst 6000s (and sup720?), you can get layer-2 bridged traffic between hosts in the same VLAN, using the following config:
ip flow ingress layer2-switched vlan
ip flow export layer2-switched vlan
Then, there's this recent thread that makes it sound promising that layer-2 ports could become NetFlow-enabled, though it's not clear (to me) how it works out in practice:
https://supportforums.cisco.com/message/678612#678612
So YMMV. The best bet is to actually attempt configuring it. Odds are the physical interfaces won't accept the "ip route-cache flow" or "ip flow ingress/egress" config.
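An added example (not part of the original reply) of the point in item 2 above: because each NetFlow record describes one direction only, a collector can spot missing interface coverage by pairing records and flagging conversations where just one direction was exported. The record fields follow NetFlow v5 naming loosely; the addresses, interface indexes and function names are constructed for illustration.

```python
from collections import defaultdict, namedtuple

# Subset of the fields a NetFlow v5 record carries (names are illustrative).
Flow = namedtuple("Flow", "src dst sport dport proto input_if")

def conversation_key(f):
    """Direction-independent key: both halves of a conversation share it."""
    ends = sorted([(f.src, f.sport), (f.dst, f.dport)])
    return (f.proto, ends[0], ends[1])

def one_sided(flows):
    """Map conversation key -> the single record seen, for conversations
    where only one direction was exported. Genuinely one-way traffic
    (e.g. UDP syslog) also lands here, so treat hits as leads to check."""
    directions = defaultdict(dict)
    for f in flows:
        directions[conversation_key(f)][(f.src, f.sport)] = f
    return {k: next(iter(d.values()))
            for k, d in directions.items() if len(d) == 1}

def interfaces_seen(flows):
    """Input interfaces that actually produced records."""
    return sorted({f.input_if for f in flows})

# Constructed sample: ingress accounting is on for ifIndex 1 and 3 but not
# for ifIndex 2, so replies arriving on interface 2 never create a record.
SAMPLE = [
    Flow("10.0.1.5", "10.0.3.9", 40000, 22, 6, 1),     # if1 -> if3
    Flow("10.0.3.9", "10.0.1.5", 22, 40000, 6, 3),     # if3 -> if1 (reply)
    Flow("10.0.1.5", "192.0.2.10", 40001, 443, 6, 1),  # if1 -> if2, reply unseen
]

if __name__ == "__main__":
    print("interfaces exporting:", interfaces_seen(SAMPLE))
    for key, f in one_sided(SAMPLE).items():
        print("one direction only:", f.src, "->", f.dst, "input_if", f.input_if)
```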
12-15-2009 09:45 AM
2. I understand NetFlow needs to be enabled on every interface because it (NetFlow v5) works on an ingress basis. However, suppose there are 4 interfaces: 2 are physical and 2 are logical (GRE tunnel) interfaces. What is the difference between enabling only the 2 physical interfaces and enabling all of them? I think maybe just the 2 physical interfaces are enough because they are all physical. Please correct me if I misunderstand anything.
Thanks,
Nitass