Multiple Netflows from same Router

dctaylorit · ‎11-16-2012

What I’m looking to do is setup a net-flow monitor for traffic going across a PIX firewall. I know unfortunately I can’t do this directly from the PIX because it does not support net-flow.

I do have a 2921 router on the same network that I have net-flow enabled to monitor traffic across the MPLS Connection.

Since the traffic for the MPLS is going out a direct interface I have applied the IP Flow egress/ingress commands to that interface to obtain the net-flow data I need. The PIX firewall however is not a direct interface so this can’t be done. I have done a little reading and believe I could use a policy map to create a “filter” so that any traffic that meets the ACL associated with the Policy-Map would get sent to net-flow monitor.

My question is how do I set that up so that so I can have the two net-flow data “streams/sources” go to separate net-flow ports so that I can monitor them independently of each other or is that not possible?

Both devices are connected to a 3750X switch; however neither is connected to a 10GB port. To my understanding that means I can’t run net-flow on the switch itself.

Ed Willson · ‎11-16-2012

Without the 10GB module - There's no Netflow on the 3750x. What about using port span on the 3750 to an un-used port and Nprobe to get the flow source? I've been wanting to try it - so let me know if it works

Ed Willson · ‎12-06-2012

Joe - Did you make any progress, or have an update?

dctaylorit · ‎12-07-2012

Ed - Thank you for the reply. I haven't had a chance to follow up until this week. Was doing some more research and see that it appears Flexible Netflows would be able to address my need - however when I try to apply the monitor to the interface it doesn't take. I have opened a ticket with Cisco on the issue and will repost back when I get an answer.