01-08-2016 09:39 AM - edited 03-05-2019 03:04 AM
I just got a couple of ISR 4431 routers to replace our existing internet routers and I would like to send NetFlow records to our Prime Infrastructure 3 server. Each router will only use two interfaces, an inside to our firewall and an outside to our ISP.
Question 1) After doing some reading, I am planning on just collecting input and output flows on the ISP-facing interface. I thought about collecting input flows on both interfaces, but it doesn't seem necessary. This router will only ever have an inside and outside interface. Would anyone have any reasons why I should collect input on both interfaces as opposed to input/output on the outside?
Question 2) I don't know if I should use "match flow direction" or "collect flow direction" when I set up my record. Some examples use "match" and some use "collect". I tried to think about it logically, and it doesn't seem like it would matter in the end, but if anyone has any thoughts on this, it would be helpful.
Thanks for any help that you can give. It is much appreciated.
Allen
01-12-2016 08:27 AM
Hi,
ad 1) IMHO, if you collect input on both interfaces, your NetFlow would also report the traffic received from the LAN and dropped by your router for any reason.
This info will be lost if you collect on WAN interface only.
ad 2) Here is a nice explanation:
https://www.plixer.com/blog/flexible-netflow/flexible-netflow-collect-match-non-key-key-fields/
It says: "...everything matched is also collected."
But not vice versa!
Best regards,
Milan
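The difference between a matched (key) field and a collected (non-key) field, as an added example that is not part of any post in this thread and is not Cisco's implementation: a simplified flow cache in Python where key fields identify an entry and non-key fields keep the value from the first packet. It assumes a monitor applied in both directions, so each transit packet is observed once as input and once as output; the addresses, ports and the `build_cache` and `observe` helpers are constructed for illustration.

```python
FIVE_TUPLE = ("src", "dst", "proto", "sport", "dport")

def build_cache(observations, key_fields, nonkey_fields=()):
    """Simplified flow cache: key (match) fields identify an entry;
    non-key (collect) fields are stored from the first packet of the flow."""
    cache = {}
    for obs in observations:
        key = tuple(obs[f] for f in key_fields)
        entry = cache.get(key)
        if entry is None:
            entry = {f: obs[f] for f in key_fields}
            entry.update({f: obs[f] for f in nonkey_fields})
            entry.update(packets=0, bytes=0, tcp_flags=0)
            cache[key] = entry
        entry["packets"] += 1                # counters accumulate per entry
        entry["bytes"] += obs["length"]
        entry["tcp_flags"] |= obs["flags"]   # flags are OR-ed across the flow
    return list(cache.values())

def observe(src, dst, sport, dport, flags, length):
    """Constructed sample: a transit packet is seen once per direction."""
    base = dict(src=src, dst=dst, proto=6, sport=sport, dport=dport,
                flags=flags, length=length)
    return [dict(base, direction="input"), dict(base, direction="output")]

# Constructed observations for one TCP handshake through the router.
OBSERVATIONS = (
    observe("10.0.0.5", "198.51.100.7", 51000, 443, 0x02, 60)    # SYN
    + observe("198.51.100.7", "10.0.0.5", 443, 51000, 0x12, 60)  # SYN/ACK
    + observe("10.0.0.5", "198.51.100.7", 51000, 443, 0x10, 52)  # ACK
)

# "collect flow direction": direction is stored but does not split flows.
collected = build_cache(OBSERVATIONS, FIVE_TUPLE, nonkey_fields=("direction",))
# "match flow direction": direction is part of the key, so flows are split.
matched = build_cache(OBSERVATIONS, FIVE_TUPLE + ("direction",))

if __name__ == "__main__":
    for name, cache in (("collect flow direction", collected),
                        ("match flow direction", matched)):
        print(name)
        for entry in cache:
            print("  ", entry)
```

In this model the collected variant folds both observations of a packet into one entry, so its counters are doubled and only the first-seen direction is kept, while the matched variant keeps one entry per direction.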
01-08-2016 10:14 PM
(1) Just do it on the one interface for the reason noted.
(2) No idea.
01-10-2016 10:24 AM
This is my setup and it works OK, if that helps, using CA tool as the central recorder
interface Vlan15
 ip address x.x.x.x 255.255.255.0
 ip flow monitor xxxxx input
 ip flow monitor xxxxx output
!
flow record FLOW-RECORD
 description record to monitor network traffic
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match interface output
 collect routing source as
 collect routing destination as
 collect routing next-hop address ipv4
 collect transport tcp flags
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
!
flow exporter TEST
 description export Netflow traffic to HQ
 destination x.x.x.x
 source Loopback3
 template data timeout 300
 option interface-table timeout 1000
 option exporter-stats timeout 1000
!
!
flow monitor xxxxx
 description Used for ipv4 traffic analysis (Mapped To FLOW-RECORD)
 record FLOW-RECORD
 exporter TEST
 statistics packet protocol