Thanks John.

I want to enable netflow to provide me with info on the bandwidth usage of individual remote users. We have 250, 881s in the field that connect back via DMVPN to two headend routers. I beleive I should enable net flow on the interfaces on the head ends that face the remote 881s. Is this correct?

Will this do the trick?:

ip flow-export source gigabit0/0/0(interface facing remote users)

ip flow-export version 9

ip flow-export destination 10.10.10.10 port 2055

interface fastethernet0/0
ip flow egress
ip flow ingress

Is there more I should configure on the head ends or, is the information parsed by SolarWinds?

Thanks, Pat.

Patrick,

Netflow should be enabled on the interface that you expect the traffic coming in on or going out of. The flow-export source that you have marked as interface facing remote users should probably be the interface that netflow is configured on. Where is int fa0/0 in relation to this? You may not need it on fa0/0 at all.

John

Sorry, bad config example

ip flow-export source gigabit0/0/1(interface facing internal HQ network)

ip flow-export version 9

ip flow-export destination 10.10.10.10 port 2055

interface gigabitethernrt0/0/0(interface facing remote users)

ip flow egress
ip flow ingress

Thanks, Pat.

That looks good. You can also enable top talkers to see what you should be seeing on your collector:

ip flow-top-talkers

sort bytes

top 5

Then to see it, you'd do a "sho ip flow top".

I'm not sure if you're using Solarwinds now as a collector for other devices, but Solarwinds won't show you any data until you add it as an authorized source. In other words, Orion will get the data and just give you an error that it's unknow. They you have to click on the node that it sees the data coming from and add it to Netflow.

HTH,

John

So the device that I would have to add to netflow on SolarWinds would be the Headend routers, correct?

Also, I have to enable things that I want to monitor on the router? Such as: top-talkers?

I thought netflow was a generic dump to Solarwinds but, you make it sound like I can and should tweak the flow to what I want SolarWinds to get?

If this is true, do you know of a good doc that explains commands for different flows to send to SolarWinds?

Thanks, Pat.

So the device that I would have to add to netflow on SolarWinds would be the Headend routers, correct?

That's correct. Solarwinds will see new sources, but the netflow sources need to be managed by Solarwinds. When you click on the Netflow tab, you'll see the "Manage Sources" button and you should be able to see what sources are sending to your Solarwinds server.

 I have to enable things that I want to monitor on the router? Such as: top-talkers? 

Top talkers isn't necessary, but I use them everywhere. The router will update netflow cache faster than Solarwinds does, so that's why I enable it. Sometimes I'll have a location ask me what's taking up their link, so I can get in the router faster than I can Solarwinds. Solarwinds is good for historical data though because I've had to find out what was going on at 3AM when a location's link was saturated.

I thought netflow was a generic dump to Solarwinds but, you make it  sound like I can and should tweak the flow to what I want SolarWinds to  get?

It's a generic dump of everything that's going through the router and the sessions that the router sees. Solarwinds can chart the stuff for you where top talkers is cli-based. I'm not aware of being able to send selective flows (like only capture http traffic) with netflow.

HTH,

John

I wanted to give you  5 stars but, it would let me correct my selection. Sorry about that. Thanks for the info.

So, you saying any info  that I want to retrieve quickly, I could configure to send to the net flow internal buffer like "top-talkers" and view it quickly via cli?

Do you have a link with these types of settings.

thanks, Pat.

John, one more question. Should I apply the flow to the physical interface that faces the remote routers or the tunnel0 interface that terminates the DMVPN seesions?

Thanks, Pat.

Personally, I would put it on the tunnel interface if that's the only traffic that you're interested in. If you're interested in other traffic that would come through the physical interface, you could put it there as well. You can have more than one interface with netflow assigned.

John

sorry about this just one more

Little confused about the source command. I thought the source command was just used to point the net-flow packets out an interaface towards the SolarWinds server, almost like a route or picking the interface they leave the router.

Do I really need the source command?

Would the config below be just fine as the path to SolarWinds can only go out the g0/0/0 interface of the router?

config t

ip flow-export version 5

ip flow-export destination 172.20.8.211 9995

interface tunnel0(this is the tunnel interface that connects to the remote routers)

ip flow egress

ip flow ingress

!

end

wr

thanks, Pat.

Pat,

You're correct about the source interface being to specify what address that you want to source the traffic from. You don't really need it unless you want to always source from a certain interface. In case you have 2 paths out of a router to your Solarwinds server, you can source from the internal interface and it will always come from that interface as opposed to not sourcing and 1 path goes down, the other interface would be used to send the traffic and now your have inconsistencies in your sources.

Public 1: 172.23.3.1

Public 2: 192.168.1.1

Internal: 10.50.50.1

If didn't source, packets would come from 172.23.3.1. Suppose Public 1 went down, and now they're being sourced from Public 2 interface. If you set the source to be the Internal interface, it wouldn't matter if public 1 or 2 went down. This is obviously all of nothing if your interface is local to the Solarwinds server. Then you wouldn't need to worry about sourcing.

Your configuration looks fine to me...

HTH,

John