09-26-2010 10:31 AM - edited 03-04-2019 09:53 AM
Scenario:
I currently have Netflow enabled on all of my routers in my network.
However, I have a Cat3750, which does not support Netflow. The 3750 is at a larger remote site and I need visibility into the traffic that is traversing internal to that switch. All VLANs are configured on the 3750. I have an extra Cisco router, which I have theorized I could use as a Netflow probe.
Here is the idea, please excuse the crudeness of the diagram.
The 2811 Router has two FastEthernet ports.
F0/0 would be configured with no IP Address and would be connected to the 3750 on G0/1 with no VLANs configured.
F0/1 would be configured with a static IP and connected to the 3750 on port G0/2 with the appropriate VLAN to ensure network connectivity.
On the 3750, configure a monitor session with a destination of Interface G0/1.
On the 2811, configure netflow to send to the Netflow server and set F0/0 for ip flow ingress.
Obviously, it doesn't work. But I cannot figure out why.
Thoughts?
10-02-2010 05:19 AM
Hi Jeff,
I'm not sure the Cisco router will send NetFlow for packets it sees unless it routes them. Hopefully someone else can confirm this, but I don't think the router will passively snoop on packets and send out NetFlow datagrams on what it sees.
I suggest an nProbe from ntop.org. It is designed for this type of application and it is the first product I've seen to export URL details:
and latency information:
You might like these extra details.
The above is all in IPFIX (i.e., NetFlow) for the flows it sees. Scrutinizer NetFlow Analyzer is the product to report on the data with.
I hope this helps.
Jake
10-02-2010 06:32 AM
Hello,
As Jake has noted, netflow accounting on a router happens for flows that are processed/routed by it.
You should take his suggestion for a dedicated solution that can act as a probe.
My customer is using nbox devices that run nprobe with good results.
Hope to help
Giuseppe
07-26-2011 06:53 AM
Sorry to jump on an old thread but after finding libpcap on CentOS dropping too many packets I also thought about using a couple of old 2800's as netflow probes. I realized that the router won't export any information unless it routes the flows but what if we set up the router as the OP designed then added a single static route like:
ip route 0.0.0.0 0.0.0.0 Null0
Turn off all dynamic routing and have only this one static route and one more specific route for the admin interface. Make sure that the admin interface is NOT in a subnet the probe side will ever see to prevent massive routing loops. I'm thinking this should work. I have a 2811 and 2821 sitting on my desk just waiting to try this out. Again, old thread but I'll update anyway with my results.
I'm guessing since all the data is coming IN from the router's view then only ingress netflow is needed on that interface.
jk
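What a passive probe sitting on the SPAN destination port has to do, as an added example that is not part of any post in this thread: fold the mirrored packets into flows by 5-tuple and pack them as a NetFlow v5 export datagram for the collector. The packet tuples, function names and the zeroed fields (next hop, interface indexes, AS numbers, masks) are assumptions made for illustration.

```python
import socket
import struct

# NetFlow v5 layout: 24-byte header followed by 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def aggregate(packets):
    """Fold (ts_ms, src, dst, proto, sport, dport, length, tcp_flags) tuples into flows."""
    flows = {}
    for ts, src, dst, proto, sport, dport, length, flags in packets:
        key = (src, dst, proto, sport, dport)
        f = flows.setdefault(key, {"pkts": 0, "octets": 0, "first": ts, "last": ts, "flags": 0})
        f["pkts"] += 1
        f["octets"] += length
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
        f["flags"] |= flags  # v5 carries the cumulative OR of TCP flags
    return flows


def export_v5(flows, uptime_ms, unix_secs, sequence=0):
    """Pack up to 30 flows (the v5 per-datagram limit) into one export datagram."""
    items = list(flows.items())[:30]
    out = [V5_HEADER.pack(5, len(items), uptime_ms, unix_secs, 0, sequence, 0, 0, 0)]
    for (src, dst, proto, sport, dport), f in items:
        out.append(V5_RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
            0, 0,                        # input/output ifIndex: unknown to a passive probe
            f["pkts"], f["octets"], f["first"], f["last"],
            sport, dport, 0, f["flags"], proto, 0,
            0, 0, 0, 0, 0))              # AS numbers, masks, padding (assumed zero)
    return b"".join(out)


# Constructed sample: three mirrored packets, two of them in the same TCP flow.
SAMPLE = [
    (1000, "10.1.10.5", "10.1.20.9", 6, 49152, 445, 60, 0x02),
    (1040, "10.1.10.5", "10.1.20.9", 6, 49152, 445, 1500, 0x18),
    (1100, "10.1.30.7", "10.1.10.5", 17, 53, 33000, 120, 0x00),
]

if __name__ == "__main__":
    datagram = export_v5(aggregate(SAMPLE), uptime_ms=2000, unix_secs=1285495860)
    print(len(datagram), "bytes,", struct.unpack("!H", datagram[2:4])[0], "flows")
```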