Cisco Community
English
Register
We have 1 million community members! Join the celebration! Learn how.
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
176
Views
0
Helpful
0
Replies
Kevinjamesomahony
Beginner
Beginner
‎12-10-2019 04:29 AM
‎12-10-2019 04:29 AM

Net-flow , erroneous vlan export

Hello 

 

I doing a POC with various Netflow collectors and have noticed an odd occurrence across all of them the virtual appliances

for the POC i'm collecting Flows from ASA's some 4500's and a 6509 pair

 

There is one particular vlan I want to collect on our 6509 VSS Switch (Vlan 291) However after configuring the Flex Netflow's Export/Monitor/Record and Applying it to the SVI for 291 somehow the switch also exports records for Vlan 16 . As such the POC appliances recognize  vlan 16 as a new net-flow source . this has been consistent across the appliances we have been POC'ing (Riverbed , ManageEngine and Solarwinds)

 

Vlan 291 has a flow monitor POC-EXPORT input/output on the SVI vlan 16 does not

Im getting flow records id expect to see on both  I just cannot understand how Vlan 16 is getting exported too 

 

====Config Below====

 

#show run flow monitor

flow monitor POC-MONITOR
record POC-RECORD
exporter POC-EXPORT
cache timeout active 60
!
#show run flow export
Current configuration:
!
flow exporter POC-EXPORT
destination 10.*.*.* vrf *vrf name*
source Vlan291
transport udp 9991
!
#show run flow record
!
flow record POC-RECORD
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match flow direction
collect routing next-hop address ipv4
collect interface input
collect interface output
collect counter bytes
collect counter packets
!

!
interface Vlan291
ip vrf forwarding *vrf name*
ip address 172.*.*.* 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow monitor POC-MONITOR input
ip flow monitor POC-MONITOR output

#show run int vlan 16
!
interface Vlan16
ip address 172.*.*.* 255.255.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
end

 

====SHOW Commands====

 

#show flow export
Flow Exporter POC-EXPORT:
Description: User defined
Export protocol: NetFlow Version 9
Transport Configuration:
Destination IP address: 10.*.*.*
VRF label: *vrf name*
Source IP address: 172.*.*.*
Source Interface: Vlan291
Transport Protocol: UDP
Destination Port: 9991
Source Port: 62828
DSCP: 0x0
TTL: 255
Output Features: Not Used


#show flow record
flow record POC-RECORD:
Description: User defined
No. of users: 1
Total field space: 35 bytes
Fields:
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match flow direction
collect routing next-hop address ipv4
collect interface input
collect interface output
collect counter bytes
collect counter packets

#show flow monitor
Flow Monitor POC-MONITOR:
Description: User defined
Flow Record: POC-RECORD
Flow Exporter: POC-EXPORT
Cache:
Type: normal
Status: allocated
Size: 4096 entries / 278544 bytes
Cache:
Type: normal (Platform cache)
Status: allocated
Size: Unknown
Timers:
Local Global
Inactive Timeout: 15 secs 60 secs
Active Timeout: 60 secs 60 secs
Update Timeout: 1800 secs
Fast Timeout: Disabled

Labels:
0 Helpful
0 REPLIES 0
Latest Contents
(Podcast) S8|E37 Cisco Champion Unfiltered: I'll Fix That La...
Created by Amilee San Juan on 09-17-2021 01:12 PM
0
0
0
0
Listen: https://smarturl.it/CCRS8E37Follow us: twitter.com/ciscochampionSometimes, situations require temporary fixes. Sometimes, the network becomes an afterthought in overall office design and planning. In either situation, it may require netw... view more
Hear how great partnerships make smart building solutions
Created by Kelli Glass on 09-16-2021 03:33 PM
0
0
0
0
In this special edition of the Insider Series, we hear from Cisco partners who have taken steps to be more eco-friendly and sustainable. We hear what inspires ASHRAE, Southwire, Igor, and NTT to create a workplace that is centered around people and how th... view more
Demystifying OSPF DR Network LSA
Created by meddane on 09-15-2021 05:48 AM
0
0
0
0
We know that the Type-1 LSA describes the link type connected to the router, the neighbor router and the subnet number.In this topology, assume we dont have a Type-2 LSA, so each router will create its own Type-1 LSA, the Type-1 LSA will describe the neig... view more
Cisco DNA Center ATXs FAQ
Created by dilthaku on 09-12-2021 06:32 PM
0
0
0
0
Here are some commonly asked questions and answers to help with your adoption of Cisco DNA Center Wireless. Subscribe to this post to stay up-to-date with the latest Q&A and recommended Ask the Experts (ATXs) sessions to attend. Q. I have a Cisco Appl... view more
Why IETF changed and inverted OSPF Type-7 LSA VS Type-5 LSA ...
Created by meddane on 09-12-2021 05:54 PM
0
0
0
0
Why IETF changed and inverted OSPF Type-7 LSA VS Type-5 LSA election In RFC 3101 compared to OLD RFC 1587?Many people learns that the Type-7 LSA and Type-5 election (ON Versus OE routes) depends on RFC 3101 for NSSA published in 2003 and RFC 1587 for NSSA... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Event
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad