Solved: Netflow

saquib.tandel · ‎01-08-2011

Hello

On a 2821 running 12.2 I am configuring Netflow
Do i need to configure "IP flow ingress" + "IP flow egress" + " IP route-cache flow on each Interface. which interface needs to be configured as source

LAN---(Gi 0/0) <<R1>>(fa0/2/0)-------------------------<<R2>>

--------------------------------------

<<< R1 configuration>>>>

--------------------------------------

interface GigabitEthernet0/0
description Connected to LAN
ip address 192.168.1.100 255.255.255.0

interface FastEthernet0/2/0.100
!
interface FastEthernet0/2/0.35
description Connected to WAN 2
encapsulation dot1Q 35
ip address 172.16.10.198 255.255.255.252

ip flow-export source XXXXX
ip flow-export version 5
ip flow-export destination 192.168.2.10 2055

Thanks

ST

cadet alain · ‎01-08-2011

Hi,

Do i need to configure "IP flow ingress" + "IP flow egress" + " IP route-cache flow on each Interface. which interface needs to be configured as source

for ingress and egress it depends what you want to capture:traffic going in or traffic going out of interface.

the source must be an ip address reachable by your netflow client.

IP 
route-cache flow

Is for enabling Netflow on interface

Regards.

Alain.

Don't forget to rate helpful posts.

View solution in original post

Richard Burts · ‎01-08-2011

Alain

I am puzzled by your response about the source address. The source address is an address on the client that will be used in building the export packets. Your response would make more sense if the question were about the destination address.

ST

If you are running 12.2 code on the router I wonder if flow ingress is an option supported in that version of code. Have you attempted the command on the router and was it accepted?

As for the source address - by default the router will choose the address of the outbound interface as the source address. The source address command allows you to choose some other address if you want. Many of my customers will use a loopback interface address as the source (assuming that the router has a loopback interface configured). This functionality is much like specifying a source address to be used for syslog messages, or for aaa tacacs messages. If your router is specifying source address for protocols like these then you probably also want to specify the source address for NetFlow. And if your router is not specifying source address for these other protocols then I would think that you would not bother to do it for NetFlow.

HTH

Rick

HTH

Rick

View solution in original post

cadet alain · ‎01-08-2011

Hi,

Do i need to configure "IP flow ingress" + "IP flow egress" + " IP route-cache flow on each Interface. which interface needs to be configured as source

for ingress and egress it depends what you want to capture:traffic going in or traffic going out of interface.

the source must be an ip address reachable by your netflow client.

IP 
route-cache flow

Is for enabling Netflow on interface

Regards.

Alain.

Don't forget to rate helpful posts.

Richard Burts · ‎01-08-2011

Alain

I am puzzled by your response about the source address. The source address is an address on the client that will be used in building the export packets. Your response would make more sense if the question were about the destination address.

ST

If you are running 12.2 code on the router I wonder if flow ingress is an option supported in that version of code. Have you attempted the command on the router and was it accepted?

As for the source address - by default the router will choose the address of the outbound interface as the source address. The source address command allows you to choose some other address if you want. Many of my customers will use a loopback interface address as the source (assuming that the router has a loopback interface configured). This functionality is much like specifying a source address to be used for syslog messages, or for aaa tacacs messages. If your router is specifying source address for protocols like these then you probably also want to specify the source address for NetFlow. And if your router is not specifying source address for these other protocols then I would think that you would not bother to do it for NetFlow.

HTH

Rick

HTH

Rick

cadet alain · ‎01-08-2011

Hi Richard,

I am puzzled by your response about the source address. The source address is an address on the client that will be used in building the export packets. Your response would make more sense if the question were about the destination address.

I inverted client and server, sorry. you are right.

Regards.

Alain

Don't forget to rate helpful posts.

saquib.tandel · ‎01-08-2011

So I need to enable " IP route-cache flow " on LAN Interface, Is this correct.

Users are on this interface.

plz comment

thanks

ST

sean_evershed · ‎01-08-2011

What is the Netflow collection software that you are using?

Manage Engine for example recommend that ip route-cache be enabled on all interfaces on a router in order to obtain accurate stats for in and out traffic:

http://www.manageengine.com/products/netflow/help/cisco-netflow/cisco-ios-netflow.html

A good reference for the Netflow technology can be found here

http://www.cisco.com/en/US/products/ps6601/products_ios_protocol_group_home.html

Please remember to rate all posts that are helpful

saquib.tandel · ‎01-08-2011

We are testing Solarwinds ( www.solarwinds.com )

Thanks

ST

sean_evershed · ‎01-08-2011

The same principle applies to Solar Winds.

If you want an accurate picture of all traffic flowing through the network then apply IP route-cache flow on all interfaces.

This is assuming that there is no licensing restriction with your software. Often Netflow engines are licensed based on the number of interfaces that you choose to monitor.