IP net flow configuration issue

momchilandonov · ‎06-30-2017

Hello.

I basically want to log the top talkers in a Cisco router for an extended period of time - 10-24 hours for example. I need to see both downstream and upstream top talkers.

No matter how I configured it one of two things happen:

*The stats get to one value and stay like that and eventually change values but they don't increment. They stay on some low average values.

*The stats grow fast but they get "reset" and start to increment again.

#show ip flow top-talkers

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Gi0/1 192.168.16.25 Gi0/0* 10.1.10.67 06 0D3D DE2D 196K
Gi0/1 192.168.16.25 Gi0/0* 10.1.10.90 06 0D3D EEBF 170K

After a moment I see

#show ip flow top-talkers

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Gi0/1 192.168.16.25 Gi0/0* 10.1.10.77 06 0D3D D114 120K
Gi0/1 192.168.16.25 Gi0/0* 10.1.10.70 06 0D3D ECEF 68K

However I need to see the top talkers for a period of time and not a list which gets erased and generated again every 1 minute etc.

I don't have such issue while configuring IP accounting however it only works for outbound/upstream traffic so it doesn't help when I need to log the bi-directional top talkers traffic.

Note that I don't have the possibility to export the information elsewhere! I need to rely on the router's own memory!

Router model is CISCO1921/K9 iOS is Version 15.2(4)M2

Current config

#sh ip flow interface
GigabitEthernet0/0
ip flow ingress
ip flow egress

Gi0/0 is the LAN interface.

The information gets updated frequently after I edit the ip flow-cache to 1000 (every 1 second) but it results don't increment for a long period of time like 1 hour.

Diana Karolina Rojas · ‎07-03-2017

Hello! you have to ingress this commands to configure top-talkers propperly:

ip flow-top-talkers (Enters NetFlow Top Talkers configuration mode)

top number (Specifies the maximum number of top talkers that will be retrieved by a NetFlow top talkers query. • The range for the number argument is from 1 to 200 entries.)

sort-by [bytes | packets (Specifies the sort criterion for the top talkers. • The top talkers can be sorted either by the total number of packets of each top talker or the total number of bytes of each top talker.)

cache-timeout milliseconds (Reentering the top, sort-by, or cache-timeout command resets the timeout period, and the list of top talkers is recalculated the next time they are requested. • The list of top talkers is lost when the timeout period expires. You should configure a timeout period for at least as long as it takes the network management system (NMS) to retrieve all the required NetFlow top talkers. • If this timeout value is too large, the list of top talkers might not be updated quickly enough to display the latest top talkers. If a request to display the top talkers is made more than once during the timeout period, the same results will be displayed for each request. To ensure that the latest information is displayed while conserving CPU time, configure a large value for the timeout period and change the parameters of the cache-timeout, top, or sort-by command when a new list of top talkers is required. • The range for the number argument is from 1 to 3,600,000 milliseconds. The default is 5000 (5 seconds).

Like you can see in the last item you can specify the time of the flow cache, here you can configure a maximum of 1000 Hours.

---Do not forget to rate useful answers---

Regards,