netflow - interpretation

hi guys,

I've got a question about "show ip cache flow"

4500#sh ip cache flow

IP Flow Switching Cache, 17826816 bytes
  246 active, 261898 inactive, 389758 added
  3555295 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 1081480 bytes
  0 active, 65536 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 0 chunks added
  last clearing of statistics 01:59:41
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet        1582      0.2        10    48      2.3 1968295.9      14.8
TCP-WWW          30687      4.2        55   775    237.7 1196240.8      14.7
TCP-SMTP         66863      9.3         7   104     69.8  917022.7      15.5
TCP-other        52181      7.2       485   451   3527.1 2451241.9      15.0
UDP-DNS          36011      5.0         1    74      5.6 4002987.3      15.7
UDP-NTP            596      0.0         2    76      0.1  425183.3      15.5
UDP-Frag            16      0.0         1   341      0.0 4026522.1      15.6
UDP-other       170155     23.6        11   147    281.1 3546346.6      15.6
ICMP             22167      3.0         1    57      5.0 3941159.0      15.6
Total:          380258     52.9        77   442   4129.1 2798909.5      15.4

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
NULL          10.201.32.15    Null          xxx.xxx.xx.x    06 EBF9 0050     5
NULL          10.201.33.154   Null          yy.yy.yy.yy     06 07A0 0050     8
NULL          10.201.33.154   Null          yy.yy.yy.yy     06 079C 0050    11
NULL          10.204.4.234    Null          10.201.40.45    11 CDEA 0202     4
NULL          10.201.24.6     Null          10.201.40.45    11 00A1 E329    43
NULL          10.201.24.5     Null          10.201.40.45    11 00A1 E329    42
NULL          10.201.40.43    Null          10.204.4.242    01 0000 0000     3
NULL          10.201.40.43    Null          10.204.4.243    01 0000 0000     3
NULL          10.201.40.43    Null          10.204.4.245    01 0000 0000     3
NULL          10.201.32.15    Null          xxx.xxx.xx.x     06 9329 0050     5
NULL          xxx.xxx.xx.x   Null          10.201.32.15    06 0050 A92C    13
NULL          xxx.xxx.xx.x   Null          10.201.32.15    06 0050 B000    12
NULL          10.201.40.43    Null          10.201.1.41     06 0ED5 01BB     6

...

How should I interpret that all source and destination interfaces are NULL? By all I mean ALL!!!

In the doc there is a note:

Generally, the input and output interface information are NULL. If the traffic is being switched on a VLAN that is associated with an SVI, the input and output interface information points to the same Layer 3 interface.

But this is not the case!!! All entries in the flow table have a null - null interface pair, even though the traffic is routed between different VLANs and goes through the ASA to the public network (xxx.xxx.xxx.xx).

Am I missing something?

The NetFlow configuration is rather simple:

ip route-cache flow
ip flow ingress

ip flow ingress layer2-switched
ip flow-export source Vlan10
ip flow-export version 5
ip flow-export destination 10.201.40.45 2055
ip flow-export destination 10.201.40.40 2055
ip flow-top-talkers
 top 100
 sort-by bytes

thx for help

regards

Przemek
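As an added worked example (not part of the original post), here is a small Python decoder for the flow-entry lines of "show ip cache flow" quoted above. It shows what the columns mean: Pr is the IANA protocol number in hex (06 TCP, 11 UDP, 01 ICMP), SrcP/DstP are ports in hex (EBF9 0050 is 60409 to 80, 00A1 is SNMP 161, 0202 is syslog 514, 01BB is 443), for ICMP IOS packs type and code into the DstP column, and a NULL/Null pair in the interface columns means the entry carries no ingress/egress attribution at all. The sample lines are copied from the post; the last line with Vl10/Vl40 is constructed by me to show how an attributed entry would look, and the interface names are assumed.

```python
import ipaddress
import re
from collections import Counter

# IANA protocol numbers as printed (in hex) in the "Pr" column.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# A few services used for labelling; IOS prints ports in hex.
SERVICES = {23: "telnet", 25: "smtp", 53: "dns", 80: "http", 123: "ntp",
            161: "snmp", 443: "https", 514: "syslog"}

# One flow entry: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
_LINE_RE = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>\S+)\s+(?P<dstif>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<pr>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})\s+"
    r"(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)$"
)


def _scope(addr):
    """'private', 'public' or 'redacted' (the xxx/yy placeholders in the post)."""
    try:
        return "private" if ipaddress.ip_address(addr).is_private else "public"
    except ValueError:
        return "redacted"


def parse_flow_line(line):
    """Decode one entry of 'show ip cache flow'; None for headers and other text."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    proto = int(m["pr"], 16)
    sport, dport = int(m["sport"], 16), int(m["dport"], 16)
    name = PROTO_NAMES.get(proto, str(proto))
    rec = {
        "src_if": m["srcif"], "dst_if": m["dstif"],
        "src": m["src"], "dst": m["dst"],
        "src_scope": _scope(m["src"]), "dst_scope": _scope(m["dst"]),
        "proto": name, "sport": sport, "dport": dport, "pkts": int(m["pkts"]),
        # "NULL"/"Null" in both columns: no interface attribution for this entry.
        "unattributed": m["srcif"].lower() == "null" and m["dstif"].lower() == "null",
    }
    if proto == 1:
        # For ICMP, IOS packs type and code into the DstP column (type*256 + code).
        rec["icmp"] = (dport >> 8, dport & 0xFF)
        rec["service"] = f"icmp type {dport >> 8} code {dport & 0xFF}"
    else:
        rec["service"] = (SERVICES.get(dport) or SERVICES.get(sport)
                          or f"{name.lower()}/{dport}")
    return rec


def summarize(lines):
    """Totals a collector would want: how many entries lack interface attribution."""
    flows = [f for f in map(parse_flow_line, lines) if f]
    return {
        "total": len(flows),
        "unattributed": sum(f["unattributed"] for f in flows),
        "by_proto": dict(Counter(f["proto"] for f in flows)),
        "services": sorted({f["service"] for f in flows}),
    }


# Sample input: header plus five entries copied from the post, then one
# constructed entry (assumed interface names Vl10/Vl40) showing an attributed flow.
SAMPLE_LINES = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
NULL          10.201.32.15    Null          xxx.xxx.xx.x    06 EBF9 0050     5
NULL          10.204.4.234    Null          10.201.40.45    11 CDEA 0202     4
NULL          10.201.24.6     Null          10.201.40.45    11 00A1 E329    43
NULL          10.201.40.43    Null          10.204.4.242    01 0000 0000     3
NULL          10.201.40.43    Null          10.201.1.41     06 0ED5 01BB     6
Vl10          10.201.24.6     Vl40          10.201.40.45    11 00A1 E329    43
""".splitlines()

if __name__ == "__main__":
    for f in filter(None, map(parse_flow_line, SAMPLE_LINES)):
        print(f"{f['src_if']:>6} {f['src']:>15} -> {f['dst_if']:>6} {f['dst']:>15} "
              f"{f['proto']:>4} {f['sport']:>5} -> {f['dport']:>5} {f['service']}"
              f"{'  [unattributed]' if f['unattributed'] else ''}")
    print(summarize(SAMPLE_LINES))
```

Run over a full "show ip cache flow" capture, summarize() tells you immediately whether the NULL/NULL problem affects every entry (as in the post) or only a subset, which is the first thing to check before blaming ACLs, process switching or CAR.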


yjdabear
VIP Alumni (Accepted Solution)

Does any of the following apply to your situation?

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080721701.shtml#dst

"Source IP address and Destination IP address are not seen in IP Flow

These are the reasons why IP Flow does not show the source and destination IP address.

  • The packets are blocked by an ACL.

  • The packets are being process switched.

  • Multicast traffic

  • Packets destined for the router

  • Tunnels (IPIP, GRE, IPSEC, L2TP) & WCCP

  • Static route to null0

  • DstIf is NULL when the traffic is dropped because of CAR.

In order to avoid this issue, use the ip flow ingress infer-fields command in order to enable NetFlow with inferred input/output interfaces and source/destination information.

If the flows on the subinterfaces need to be checked, then there are two options:

  1. Configure ip route-cache flow on the main interface. This sends the flows from all the subinterfaces.

  2. Configure ip flow ingress on the subinterfaces, in which case the main interface does not have any NetFlow configuration, and it sends the flows from each subinterface where the ip flow ingress command is enabled."

hi yjdabear,

Actually none of these cases applied to me, because:

1) there are no ACLs

2) packets are being process switched (I think that it could occur only when there is fragmentation, so some flows should have a normal source and destination interface pair, but none did)

3) no multicast traffic

4) this is the core, so most of the traffic is routed locally

5) no tunnels

6) no route to the Null interface

7) no CAR

Nevertheless I did "ip flow ingress infer-fields" and now I've got what I wanted.

thx again

regards

Przemek
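The accepted answer's fix (ip flow ingress infer-fields) and the confirmation above concern what the collectors at 10.201.40.45 and 10.201.40.40 actually receive. On the wire, the NULL/Null pair from "show ip cache flow" is an input and output SNMP ifIndex of 0 in each NetFlow v5 record, and a collector that does not check for that will happily store flows it cannot tie to any VLAN. The following is an added example (not code from the thread, Cisco or any collector): a minimal NetFlow v5 datagram builder and parser that flags such records, so a collector can measure how much of the export is unattributed before and after the fix. The datagram is constructed inline; 203.0.113.10 stands in for the redacted public address in the post, and the ifIndex values 10 and 40 for the "after" record are assumed.

```python
import ipaddress
import struct

# NetFlow v5 layouts (RFC-less, but documented by Cisco): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")
RECORD_FIELDS = ("src", "dst", "nexthop", "input", "output", "packets", "octets",
                 "first", "last", "sport", "dport", "pad1", "tcp_flags", "proto",
                 "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def validate_v5(data):
    """Return None if data is a well-formed v5 datagram, otherwise the reason."""
    if len(data) < V5_HEADER.size:
        return "short header"
    version, count = struct.unpack_from("!HH", data)
    if version != 5:
        return f"version {version}, expected 5"
    if not 1 <= count <= 30:                     # v5 exporters send at most 30 records
        return f"record count {count} out of range"
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        return "length does not match record count"
    return None


def parse_v5(data):
    """Parse one export datagram into (header dict, list of record dicts)."""
    reason = validate_v5(data)
    if reason:
        raise ValueError(reason)
    header = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(data)))
    records = []
    for i in range(header["count"]):
        raw = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("src", "dst", "nexthop"):
            rec[key] = str(ipaddress.IPv4Address(rec[key]))
        # ifIndex 0 in both fields is what the NULL/Null pair of
        # "show ip cache flow" looks like on the wire.
        rec["unattributed"] = rec["input"] == 0 and rec["output"] == 0
        records.append(rec)
    return header, records


def unattributed(records):
    """Records a collector cannot tie to an ingress or egress interface."""
    return [r for r in records if r["unattributed"]]


def build_record(src, dst, proto, sport, dport, packets, input_if=0, output_if=0):
    """Pack one v5 record (constructed values for octets, timestamps and masks)."""
    return V5_RECORD.pack(
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
        b"\0\0\0\0", input_if, output_if, packets, packets * 64, 1000, 2000,
        sport, dport, 0, 0x18 if proto == 6 else 0, proto, 0, 0, 0, 24, 24, 0)


def build_v5_datagram(records, flow_sequence=0):
    """Prepend a v5 header (constructed uptime/time values) to packed records."""
    header = V5_HEADER.pack(5, len(records), 120000, 1_700_000_000, 0,
                            flow_sequence, 0, 0, 0)
    return header + b"".join(records)


# Constructed sample: the first two records mirror flows from the post with
# ifIndex 0/0; the third is the same SNMP flow once the switch fills in the
# interfaces (ifIndex 10 and 40 are assumed values).
SAMPLE = build_v5_datagram([
    build_record("10.201.32.15", "203.0.113.10", 6, 0xEBF9, 0x0050, 5),
    build_record("10.201.24.6", "10.201.40.45", 17, 0x00A1, 0xE329, 43),
    build_record("10.201.24.6", "10.201.40.45", 17, 0x00A1, 0xE329, 43,
                 input_if=10, output_if=40),
], flow_sequence=389758)

if __name__ == "__main__":
    hdr, recs = parse_v5(SAMPLE)
    bad = unattributed(recs)
    print(f"seq {hdr['flow_sequence']}: {len(bad)} of {hdr['count']} records unattributed")
    for r in recs:
        print(f"  if {r['input']:>3} -> {r['output']:>3}  {r['src']}:{r['sport']} -> "
              f"{r['dst']}:{r['dport']} proto {r['proto']}")
```

In a real collector the ratio of unattributed records per exporter is worth tracking as a metric: a jump to 100 % after a change, as in this thread, means interface-based attribution (which VLAN a scan or an exfiltration flow entered on) has silently stopped working even though flows keep arriving.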
