Contributor

Flexible Netflow on Internet Router

I just got a couple of ISR 4431 routers to replace our existing internet routers and I would like to send netflow records to our Prime Infrastructure 3 server.  Each router will only use two interfaces, an inside to our firewall and an outside to our ISP.

Question 1)  After doing some reading, I am planning on just collecting input and output flows on the ISP-facing interface.  I thought about collecting input flows on both interfaces, but it doesn't seem necessary.  This router will only ever have an inside and an outside interface.  Would anyone have any reasons why I should collect input on both interfaces as opposed to input/output on the outside?

Question 2) I don't know if I should use "match flow direction" or "collect flow direction" when I set up my record.  Some examples use "match" and some use "collect".  I tried to think about it logically, and it doesn't seem like it would matter in the end, but if anyone has any thoughts on this, it would be helpful.

Thanks for any help that you can give.  It is much appreciated.

Allen


Accepted Solutions
Advocate

Hi,

ad 1) IMHO, if you collect input on both interfaces, your NetFlow would also report the traffic received from the LAN and dropped by your router for any reason.

This info will be lost if you collect on WAN interface only.

ad 2) Here is a nice explanation:

https://www.plixer.com/blog/flexible-netflow/flexible-netflow-collect-match-non-key-key-fields/

It says: "...everything matched is also collected."

But not vice versa!

Best regards,

Milan

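An added example, not from this thread, that models the key/non-key distinction Milan points to: a small Python flow cache, fed constructed packets, run once with flow direction as a "match" field and once as a "collect" field. The field names, the sample addresses and the packet mix are assumptions made for illustration.

```python
from collections import OrderedDict

# Constructed sample packets seen by one monitor attached "input" and "output"
# on the ISP-facing interface: (src, dst, proto, sport, dport, direction, bytes).
# Packets 1 and 3 are an outbound HTTPS session, packet 2 is its reply, and
# packet 4 arrives from the ISP side carrying the same 5-tuple as the outbound
# traffic (an inbound packet with an internal source address).
PACKETS = [
    ("10.0.0.5", "203.0.113.9", 6, 51000, 443, "output", 600),
    ("203.0.113.9", "10.0.0.5", 6, 443, 51000, "input", 1400),
    ("10.0.0.5", "203.0.113.9", 6, 51000, 443, "output", 200),
    ("10.0.0.5", "203.0.113.9", 6, 51000, 443, "input", 60),
]

FIELDS = ("src", "dst", "proto", "sport", "dport", "direction")
FIVE_TUPLE = FIELDS[:5]


def build_cache(packets, key_fields, collect_fields):
    """Aggregate packets the way a Flexible NetFlow monitor builds its cache.

    key_fields     -> the record's 'match' fields; together they form the flow key
    collect_fields -> the record's 'collect' fields; stored per flow, not keyed
    Key fields always appear in the exported record as well, so 'match'
    implies 'collect' but not the other way round.
    """
    cache = OrderedDict()
    for pkt in packets:
        rec = dict(zip(FIELDS, pkt[:6]))
        key = tuple(rec[f] for f in key_fields)
        entry = cache.setdefault(key, {"packets": 0, "bytes": 0})
        entry["packets"] += 1
        entry["bytes"] += pkt[6]
        for f in key_fields + collect_fields:
            # counters are summed above; any other non-key field keeps the
            # value of the first packet that created the flow entry
            entry.setdefault(f, rec[f])
    return cache


def flows_match_direction(packets=PACKETS):
    """'match flow direction': direction is part of the flow key."""
    return build_cache(packets, FIVE_TUPLE + ("direction",), ())


def flows_collect_direction(packets=PACKETS):
    """'collect flow direction': direction is only recorded, not keyed."""
    return build_cache(packets, FIVE_TUPLE, ("direction",))
```

With "match", packet 4 gets its own flow entry (three flows in total, its inbound direction visible); with "collect", it is folded into the outbound flow, whose record reports direction "output" and three packets.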
Advisor

(1) Just do it on the one interface for the reason noted.

(2) No idea.

VIP Mentor

This is my setup and it works OK, if that helps, using the CA tool as the central recorder.

interface Vlan15
 ip address x.x.x.x 255.255.255.0
 ip flow monitor xxxxx input
 ip flow monitor xxxxx output

flow record FLOW-RECORD
 description record to monitor network traffic
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match interface output
 collect routing source as
 collect routing destination as
 collect routing next-hop address ipv4
 collect transport tcp flags
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
!
flow exporter TEST
 description export Netflow traffic to HQ
 destination x.x.x.x
 source Loopback3
 template data timeout 300
 option interface-table timeout 1000
 option exporter-stats timeout 1000
!
!
flow monitor xxxxx
 description Used for ipv4 traffic analysis (Mapped To FLOW-RECORD)
 record FLOW-RECORD
 exporter TEST
 statistics packet protocol
