Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1549
Views
5
Helpful
3
Replies

Flexible Netflow on Internet Router

Go to solution
amercer00
Level 5
Level 5

‎01-08-2016 09:39 AM - edited ‎03-05-2019 03:04 AM

I just got a couple of ISR 4431 routers to replace our existing internet routers and I would like to send netflow records to our Prime Infrastructure 3 server.  Each router will only use two interfaces, an inside to our firewall and and outside to our ISP.

Question 1)  After doing some reading, I am planning on just collection input and output flows on the ISP-facing interface.  I thought about collecting input flows on both interfaces, but it doesn't seem necessary.  This router will only ever have and inside and outside interface.  Would anyone have any reasons why I should collect input on both interfaces as opposed to input/output on the outside?

Question 2) I don't know if I should use "match flow direction" or "collect flow direction" when I set up my record.  Some examples use "match" and some use "collect".  I tried to think about it logically, and it doesn't seem like it would matter in the end, but if anyone has any thoughts on this, it would be helpful.

Thanks for any help that you can give.  It is much appreciated.

Allen

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
milan.kulik
Level 10
Level 10

‎01-12-2016 08:27 AM

Hi,

ad 1) IMHO, if you collect input on both interfaces, your NetFlow would also report the traffic received from the LAN and  dropped by your router for any reason.

This info will be lost if you collect on WAN interface only.

ad 2) Here is a nice explanation:

https://www.plixer.com/blog/flexible-netflow/flexible-netflow-collect-match-non-key-key-fields/

It says: "...everything matched is also collected."

But not vice versa!

Best regards,

Milan

View solution in original post

3 Replies 3

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎01-08-2016 10:14 PM

(1) Just do it on the one interface for the reason noted.

(2) No idea.

0 Helpful

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to Philip D'Ath

‎01-10-2016 10:24 AM

This is my setup and it works ok if that helps , using CA tool as the central recorder

interface Vlan15
 ip address x.x.x.x 255.255.255.0
 ip flow monitor xxxxx input
 ip flow monitor xxxxx output

flow record FLOW-RECORD
 description record to monitor network traffic
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match interface output
 collect routing source as
 collect routing destination as
 collect routing next-hop address ipv4
 collect transport tcp flags
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
!
flow exporter TEST
 description export Netflow traffic to HQ
 destination x.x.x.x
 source Loopback3
 template data timeout 300
 option interface-table timeout 1000
 option exporter-stats timeout 1000
!
!
flow monitor xxxxx
 description Used for ipv4 traffic analysis (Mapped To FLOW-RECORD)
 record FLOW-RECORD
 exporter TEST
 statistics packet protocol

0 Helpful

Go to solution
milan.kulik
Level 10
Level 10

‎01-12-2016 08:27 AM

Hi,

ad 1) IMHO, if you collect input on both interfaces, your NetFlow would also report the traffic received from the LAN and  dropped by your router for any reason.

This info will be lost if you collect on WAN interface only.

ad 2) Here is a nice explanation:

https://www.plixer.com/blog/flexible-netflow/flexible-netflow-collect-match-non-key-key-fields/

It says: "...everything matched is also collected."

But not vice versa!

Best regards,

Milan

Customers Also Viewed These Support Documents