07-08-2019 05:06 PM - edited 07-08-2019 07:19 PM
PC#3 at WANsite#2 is sending gobs of data to PCs 1 & 2 at WANsite#1, but the router interface at WANsite#3 also sees this conversation (NetFlow) even though it is on a completely unrelated leg of the network. I am attaching a diagram showing how they are connected. Every blue line connecting one router to another is a /30 routed link.
Nothing at any of these sites overlaps with another. We are using 100% EIGRP throughout the network.
Question: WHY does the ISR4451-X at WANsite#3 see any of the conversation that took place between WANsite#1 and WANsite#2?
[No other WANsite connected to subCORE1 or subCORE2 saw this conversation or the huge amounts of data that flowed between those PCs]
07-09-2019 12:16 AM
Hello Tim,
If all blue links are routed links and no overlapping IP subnets are used, the only way for the ISR 4451-X at WAN site 3 to see traffic between the other two sites is an ERSPAN session with its source on subCORE2 and its destination on the ISR4451-X at WAN site 3.
Do the traffic flows between PC3 and PC1 and between PC3 and PC2 have unicast destinations?
If they were multicast, another possibility would be that the ISR4451-X at WAN3 or a device in its internal LAN has joined the same multicast group.
If the traffic is unicast, I think that only an ERSPAN can explain what you see in the NetFlow cache.
Hope to help
Giuseppe
07-11-2019 06:09 PM - edited 07-11-2019 06:22 PM
No ERSPAN configured, and no multicast configured at any of the WANsites.
It is just really strange that my NetFlow data in SolarWinds shows at least half of the GB of data in that all-day-long conversation showing up in (flowing through) the outside interface at WANsite3. idk
07-11-2019 11:39 PM
Hello Tim,
Which device is exporting NetFlow data to SolarWinds: the subcore2 multilayer switch or the ISR router at WAN3?
If it is subcore2, have you configured snmp ifindex persist on it so that the SNMP ifIndex stays consistent across reloads?
>> It is just really strange that my NetFlow data in SolarWinds shows at least half of the GB of data in that all-day-long conversation showing up in (flowing through) the outside interface at WANsite3.
If the NetFlow exporter is subcore2, a possible explanation is an error in the SNMP ifIndex of the input interface in the NetFlow flow data.
Hope to help
Giuseppe
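One way to check the stale-ifIndex explanation from the reply above, as an added example that is not part of the original thread: compare the interface table the collector cached with a fresh one from the exporter, then total the bytes of flows whose ifIndex now points at a different interface. The exporter address, ifIndex values, interface labels and flow records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: exporter address, ifIndex values and labels are hypothetical.
EXPORTER = "192.0.2.2"
# ifIndex -> name as the collector cached it before the exporter reloaded
CACHED = {EXPORTER: {10: "to-WANsite2", 11: "to-WANsite3", 12: "to-CORE"}}
# ifIndex -> name from a fresh walk of the exporter's interface table
CURRENT = {EXPORTER: {10: "to-WANsite2", 11: "to-CORE", 12: "to-WANsite3"}}
# (exporter, input ifIndex, output ifIndex, src, dst, bytes)
FLOWS = [
    (EXPORTER, 10, 11, "198.51.100.30", "203.0.113.11", 600_000),
    (EXPORTER, 10, 11, "198.51.100.30", "203.0.113.12", 400_000),
    (EXPORTER, 12, 10, "192.0.2.77", "198.51.100.30", 1_000),
]


def renumbered(cached, current):
    """Map exporter -> {ifIndex: (cached name, current name)} where the two disagree."""
    stale = {}
    for exporter, table in cached.items():
        live = current.get(exporter, {})
        diff = {i: (name, live.get(i)) for i, name in table.items() if live.get(i) != name}
        if diff:
            stale[exporter] = diff
    return stale


def mislabelled_bytes(flows, cached, current):
    """Sum bytes per (exporter, label shown by collector, real interface) for stale indexes."""
    stale = renumbered(cached, current)
    totals = defaultdict(int)
    for exporter, in_if, out_if, _src, _dst, nbytes in flows:
        for idx in (in_if, out_if):
            if idx in stale.get(exporter, {}):
                shown, real = stale[exporter][idx]
                totals[(exporter, shown, real)] += nbytes
    return dict(totals)


if __name__ == "__main__":
    for (exporter, shown, real), nbytes in mislabelled_bytes(FLOWS, CACHED, CURRENT).items():
        print(f"{exporter}: {nbytes} bytes shown on '{shown}' actually crossed '{real}'")
```

An empty result means the cached and live tables agree, so the interface labels in the collector are not the cause.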