Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
682
Views
0
Helpful
3
Replies

data on wrong WAN path

tim.smith
Level 1
Level 1

‎07-08-2019 05:06 PM - edited ‎07-08-2019 07:19 PM

PC#3 at WANsite#2 is sending gobs of data to PCs 1 & 2 at WANsite#1, but the router interface at WANsite#3 also sees this conversation (NetFLOW) even though it is on a completely unrelated leg of the network.  I am attaching a diagram showing how they are connected.  Every blue line connecting 1 router to another is a /30 routed link.  

Nothing at any of these sites overlaps with another.  We are using 100% EIGRP throughout the network.

 

Question:  WHY does the ISR4451-X at WANsite#3 see any of the conversation that took place between WANsite#1 and WANsite#2?  

[No other WANsite connected to subCORE1 or subCORE2 saw this conversation or the huge amounts of data that flowed between those PCs]

July 5th - MYSTERY.jpg

Labels:
0 Helpful
3 Replies 3

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎07-09-2019 12:16 AM

Hello Tim,

if all blue links are routed links, if no overlapping IP subnets are used, the only way for ISR 4451-X of WAN site3 to see traffic between other two sites is an ERSPAN session with source on subCORE2 and destination on ISR4451-X of WAN site3.

Traffic flows between PC3 and PC1 and PC3 and PC2 have unicast destinations?

If they were multicast another possibility would be that ISR4451-X of WAN3 or a device in its internal LAN has joined the same multicast group.

If traffic is unicast I think that only an ERSPAN can explain what you see on netflow cache

 

Hope to help

Giuseppe

 

0 Helpful

tim.smith
Level 1
Level 1
In response to Giuseppe Larosa

‎07-11-2019 06:09 PM - edited ‎07-11-2019 06:22 PM

No ERSPAN configured, and no multicast configured at any of the WANsites.

It is just really strange that my NetFlow data in SolarWinds shows at least half of the GB of data in that all-day-long conversation showed in (flowed through) the outside interface at WANsite3.  idk

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to tim.smith

‎07-11-2019 11:39 PM

Hello Tim,

who is the device exporting netflow data to Solarwinds?  the subcore2 multilayer switch or the ISR router at WAN3 ?

If it is the subcore2 have you configured snmp ifindex persist on it to have SNMP ifindex to be consistent across reloads?

 

>> It is just really strange that my NetFlow data in SolarWinds shows at least half of the GB of data in that all-day-long conversation showed in (flowed through) the outside interface at WANsite3. 

If the netflow exporter is subcore2 a possible explanation is an error in the SNMP ifindex input interface in netflow flow data.

 

Hope to help

Giuseppe

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card