Solved: Netflow on cisco 2800

Trung Minh · ‎04-18-2013

Hi Experts,

I have configured the netflow to gathering flow from my cisco 2800 as below:

interface GigabitEthernet0/0

description ### To VNPT_FTTH_20M ###

no ip address

ip flow egress

ip route-cache flow

duplex auto

speed auto

pppoe enable

pppoe-client dial-pool-number 1

!

interface GigabitEthernet0/1

description ### To KVP_ISW_G0/2 ###

ip address 10.126.125.6 255.255.255.240

ip flow egress

ip route-cache flow

duplex auto

speed auto

!

interface FastEthernet1/0

description ### To KVP_FW1_P3 ###

duplex full

speed 100

!

interface FastEthernet1/1

description ### To KVP_FW2_P3 ###

duplex full

speed 100

!

interface Vlan1

ip address "ISP address"

ip flow ingress

ip flow egress

ip route-cache flow

!

interface Dialer1

ip address negotiated

ip mtu 1492

ip flow egress

encapsulation ppp

ip route-cache flow

ip tcp adjust-mss 1452

dialer pool 1

dialer-group 1

!

ip flow-cache timeout active 5

ip flow-export source Vlan1

ip flow-export version 5

ip flow-export destination 10.126.122.26 2055

!

But i still not see users addresses(each individual hosts will go though)

What and where i am configured wrong?

I also attached here the map network.

Any help is appreciated,

Thanks & Best regards,

Don Jacob · ‎05-07-2013

Seems you have NAT on a firewall between the hosts and the router. Because of this, the internal IP Addresses are hidden. This is the default behaviour from NetFlow when you have NAT - the internal hosts will be hidden by the NATed IP Address as your packets will carry the NAT IP and not the original IP Address as the source or destination.

Solution is to start traffic analytics on the firewall if your firewall supports flow export. In the scenario, one side will show the host IP and the other end will be the NAT IP.

Regards,
Don Thomas Jacob
http://www.solarwinds.com/netflow-traffic-analyzer.aspx

NOTE: Please rate posts and close questions if you have found the answers helpful.

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.

View solution in original post

Trung Minh · ‎04-22-2013

Hello all,

Any one can help me this?

Best regards,

Don Jacob · ‎05-06-2013

Hi,

I cant access the image you uploaded. So, are you saying you cannot see the hosts in your network and see a NAT IP or do you not see traffic in a particular direction? Say, maybe IN or OUT?

Regards,
Don Thomas Jacob
http://www.solarwinds.com/netflow-traffic-analyzer.aspx

NOTE: Please rate posts and close questions if you have found the answers helpful.

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.

Trung Minh · ‎05-06-2013

Hi,

I can not see the hosts in my network

Example for show ip cache flow:

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

Vi1 58.87.42.22 Vl1* 113.160.131.250 06 0050 E55F 1

Vi1 217.160.130.148 Vl1* 113.160.131.250 06 1732 6166 1

Vi1 217.160.130.148 Vl1 113.160.131.250 06 1732 6166 1

Vi1 61.18.6.23 Vl1 113.160.131.250 11 612A 7052 1

Vl1 113.160.131.250 Di1* 58.87.43.34 06 CB56 159A 2

Vl1 113.160.131.250 Di1 58.87.43.34 06 CB56 159A 2

Vi1 61.18.6.23 Vl1* 113.160.131.250 11 612A 7052 1

Vi1 49.143.75.11 Vl1* 113.160.131.250 11 CCE3 C052 1

Vi1 49.143.75.11 Vl1 113.160.131.250 11 CCE3 C052 1

Vl1 113.160.131.250 Di1* 208.91.112.52 11 0D1E 0035 2

Vl1 113.160.131.250 Di1 208.91.112.52 11 0D1E 0035 2

Vi1 58.87.42.22 Vl1* 113.160.131.250 06 0050 C6D5 7

Vi1 58.87.42.22 Vl1* 113.160.131.250 06 0050 96D6 3

Vi1 58.87.42.22 Vl1 113.160.131.250 06 0050 96D6 3

Vi1 58.87.42.22 Vl1 113.160.131.250 06 0050 C6D5 7

It seems all ISP addresses.

I also attached a picture here.

Any help would be appreciated,

Best regards,

sean.cline · ‎05-07-2013

Does this router perform any type of NAT or does that occur on an attached firewall? It looks like the net flow information being pulled would be correct if you where looking at un-NAT traffic from the Internet.

Sent from Cisco Technical Support iPad App

Don Jacob · ‎05-07-2013

Seems you have NAT on a firewall between the hosts and the router. Because of this, the internal IP Addresses are hidden. This is the default behaviour from NetFlow when you have NAT - the internal hosts will be hidden by the NATed IP Address as your packets will carry the NAT IP and not the original IP Address as the source or destination.

Solution is to start traffic analytics on the firewall if your firewall supports flow export. In the scenario, one side will show the host IP and the other end will be the NAT IP.

Regards,
Don Thomas Jacob
http://www.solarwinds.com/netflow-traffic-analyzer.aspx

NOTE: Please rate posts and close questions if you have found the answers helpful.

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.