Solved: which port interface show i monitor (netflow) depends on diagram

amralrazzaz · ‎02-21-2018

i post a pic of my network diagram .. i already configure the netflow on lan interface g0/0(nat inside -lan) on frico router 2911

so should i make the configuration on g0/1 which is directly connected to isp router which i dont have access on it ? or its fine that i already configured netflow on g0/0 (defualt gateway for internal lan)?

which port show i monitor on frico router g0/0 (which already i configured) or g0/1 which directly connected to isp router ??

please see the attached pic

thanks

amr alrazzaz

Mark Malone · ‎02-21-2018

Do not remove or touch the export command its an optional command and as its configured will work fine

ip flow-export source interface-type interface-number
Example:
Router(config)# ip flow-export source gigabitethernet 6/2
(Optional) Specifies the interface from which the source IP address is derived for the UDP datagrams that are sent by NetFlow data export to the destination host.

all you need to do is add the egress and ingress to the g0/1, thats it to collect the g0/1 flows

INT G0/1
ip flow ingress
ip flow egress

View solution in original post

Mark Malone · ‎02-21-2018

personally i would try get it all working on one collector but yes you can do that as per doc extract below its possible

https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/12s_mdnf.html

Configuring Multiple NetFlow Export Destinations to a Router

To configure multiple NetFlow export destinations to a router, use the following commands in global configuration mode:
Command
Purpose
Step 1
Router(config)# ip flow-export destination ip-address
udp-port
Enables the exporting of information in NetFlow cache entries.
Step 2
Router(config)# ip flow-export destination ip-address
udp-port
Adds a second export destination.

View solution in original post

Mark Malone · ‎02-21-2018

Thats really up to you we monitor our wan and lan interfaces and also all of our vlan interfaces and export the netflow to a 3rd party monitoring system , the only thing we dont monitor is our mgmt ip interfaces

amralrazzaz · ‎02-21-2018

so is it okay if i monitor g0/0 lan interface that i already configured only and it will show me the traffic in and out for the users and know the internet bw consuming or i have to monitor the port g0/1 which directly connected to isp router ?(on frico router)

amr alrazzaz

amralrazzaz · ‎02-21-2018

here the configuration

put if i need to monitor also g0/1 what the configuration should i use?

because i address ip flow engrees and ingrees on g0/1 but when i put the ip flow export source g0/1 it deleted the previous source g0/0 (its not taking both source g0/0 and g0/1 its only one and other deleted )

interface GigabitEthernet0/0
ip address 192.168.2.207 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
ip address 192.168.1.207 255.255.255.0
ip nat outside
ip rip advertise 100
ip rip receive version 2
ip virtual-reassembly in
duplex auto
speed auto

ip flow-export source GigabitEthernet0/0 (i p flow-export source GigabitEthernet0/1 ) if i put it the source g0/0 deleted
ip flow-export version 9
ip flow-export destination 192.168.2.195 9996
ip flow-top-talkers
top 20
sort-by packets

amr alrazzaz

Mark Malone · ‎02-21-2018

I would monitor both
all you add is the commands below under the interface
leave the source alone thats separate you can even use a loopback for that ,once the actual egress ingress commands are under the G0/1 interface the flow is captured

INT G0/1
ip flow ingress
ip flow egress

amralrazzaz · ‎02-21-2018

should i delete ip flow-export source GigabitEthernet0/0 or (i p flow-export source GigabitEthernet0/1 )

the source and only configure egress ingress on both interfaces ... thats it ?

no need to mention the ip flow source port for g0/0 and g0/1?

amr alrazzaz

Mark Malone · ‎02-21-2018

Do not remove or touch the export command its an optional command and as its configured will work fine

ip flow-export source interface-type interface-number
Example:
Router(config)# ip flow-export source gigabitethernet 6/2
(Optional) Specifies the interface from which the source IP address is derived for the UDP datagrams that are sent by NetFlow data export to the destination host.

all you need to do is add the egress and ingress to the g0/1, thats it to collect the g0/1 flows

INT G0/1
ip flow ingress
ip flow egress

amralrazzaz · ‎02-21-2018

okay fine ill add it only and ill not touch the export source ill keep it as it is

the top talkers like below it show only the users how consuming bw right ?

doesn't matter with interface i configured ?

if i need to monitor traffic for both interface i already user free version of netflow analyzer but i monitor only port and other it shown but not data why ? that because free version ?

Router#show ip flow top-talkers

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi0/0 192.168.2.117 Gi0/1 74.125.133.189 11 C31C 01BB 150
Gi0/1 40.114.211.195 Gi0/0* 192.168.2.39 06 01BB C08A 148
Gi0/0 192.168.2.39 Gi0/1 40.114.211.195 06 C08A 01BB 148
Gi0/0 192.168.1.207 Gi0/1* 40.114.211.195 06 C08A 01BB 100
Gi0/1 40.114.211.195 Gi0/0 192.168.1.207 06 01BB C08A 99
Gi0/0 192.168.1.207 Gi0/1* 74.125.133.189 11 C31C 01BB 84
Gi0/1 23.50.198.100 Gi0/0 192.168.1.207 06 01BB 3CC5 24
Gi0/1 23.50.198.100 Gi0/0* 192.168.2.195 06 01BB 3CC5 24
Gi0/1 74.125.133.189 Gi0/0* 192.168.2.117 11 01BB C31C 22
Gi0/1 74.125.133.189 Gi0/0 192.168.1.207 11 01BB C31C 22
Gi0/1 93.184.220.97 Gi0/0 192.168.1.207 06 01BB 3CBF 17
Gi0/1 93.184.220.97 Gi0/0* 192.168.2.195 06 01BB 3CBF 17
Gi0/0 192.168.1.207 Gi0/1* 23.50.198.100 06 3CC5 01BB 16
Gi0/0 192.168.2.195 Gi0/1 23.50.198.100 06 3CC5 01BB 16
Gi0/0 192.168.2.195 Gi0/1 93.184.220.97 06 3CBF 01BB 15
Gi0/0 192.168.1.207 Gi0/1* 93.184.220.97 06 3CBF 01BB 15
Gi0/1 74.125.71.189 Gi0/0* 192.168.2.133 11 01BB E822 15
Gi0/1 74.125.71.189 Gi0/0 192.168.1.207 11 01BB E822 15
Gi0/0 192.168.1.207 Gi0/1* 40.101.18.18 06 CA1A 03E1 14
Gi0/1 204.79.197.200 Gi0/0* 192.168.2.195 06 01BB 3CC8 14
Gi0/1 204.79.197.200 Gi0/0 192.168.1.207 06 01BB 3CC8 14
Gi0/0 192.168.2.21 Gi0/1 40.101.18.18 06 CA1A 03E1 14
Gi0/0 192.168.2.195 Gi0/1 172.217.21.68 11 F8CF 01BB 13
Gi0/0 192.168.1.207 Gi0/1* 172.217.21.68 11 F8CF 01BB 13
Gi0/0 192.168.2.195 Gi0/1 72.163.10.10 06 3CCD 01BB 12
Gi0/1 172.217.21.68 Gi0/0* 192.168.2.195 11 01BB F8CF 12
Gi0/0 192.168.1.207 Gi0/1* 72.163.10.10 06 3CCD 01BB 12
Gi0/1 172.217.21.68 Gi0/0 192.168.1.207 11 01BB F8CF 12
Gi0/0 192.168.1.207 Gi0/1* 17.171.98.35 06 C19F 01BB 11
Gi0/1 40.101.18.18 Gi0/0* 192.168.2.21 06 03E1 CA1A 11
Gi0/1 40.101.18.18 Gi0/0 192.168.1.207 06 03E1 CA1A 11
Gi0/0 192.168.2.195 Gi0/1 204.79.197.200 06 3CC8 01BB 11
Gi0/0 192.168.1.207 Gi0/1* 204.79.197.200 06 3CC8 01BB 11
Gi0/0 192.168.2.11 Gi0/1 17.171.98.35 06 C19F 01BB 10
Gi0/1 34.211.171.230 Gi0/0 192.168.1.207 06 01BB 3CC3 9
Gi0/1 34.211.171.230 Gi0/0* 192.168.2.195 06 01BB 3CC3 9
Gi0/0 192.168.2.195 Null 8.8.4.4 01 0000 0303 8
Gi0/0 192.168.1.207 Gi0/1* 95.101.101.160 06 3CC6 01BB 8
Gi0/0 192.168.2.133 Gi0/1 66.102.1.188 06 DA0C 146C 8
Gi0/0 192.168.2.195 Gi0/1 95.101.101.160 06 3CC6 01BB 8
Gi0/0 192.168.1.207 Gi0/1* 34.211.171.230 06 3CC3 01BB 8
--More--

amr alrazzaz

Mark Malone · ‎02-21-2018

the top talkers like below it show only the users how consuming bw right ?
doesn't matter with interface i configured ?
Yes viewing netflow on an actual router is a limited view , you really need a 3rd party collector to be able to get full use out of it , packet breakdowns and flows of traffic graphed

It could be because its a free version does it state in the documentation there's any restrictions on the free version ?
we use live action and netqos and UIM as our netflow collectors but there not free

amralrazzaz · ‎02-21-2018

i have netflow analyzer and solar wind i already use netflow and can i use another software (solarwinds) for capturing incase if i configure another line ip flow-export destination 192.168.2.195 9996 same ip but different port so it can listening the traffic and collect it ?

i ahave already this

ip flow-export destination 192.168.2.195 9996

so can i for example user same but different port like

ip flow-export destination 192.168.2.195 9998 for example

so i have both line ?

amr alrazzaz

Mark Malone · ‎02-21-2018

personally i would try get it all working on one collector but yes you can do that as per doc extract below its possible

https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/12s_mdnf.html

Configuring Multiple NetFlow Export Destinations to a Router

To configure multiple NetFlow export destinations to a router, use the following commands in global configuration mode:
Command
Purpose
Step 1
Router(config)# ip flow-export destination ip-address
udp-port
Enables the exporting of information in NetFlow cache entries.
Step 2
Router(config)# ip flow-export destination ip-address
udp-port
Adds a second export destination.