cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8105
Views
24
Helpful
15
Replies

Net Flow "ip flow route-cache flow"

Patrick McHenry
Level 4
Level 4

Quick question on net flow. I was configuring net flow for management to SolarWinds. I noticed that "ip flow route-cache flow" doesn't work on the interface of the ASR 1001 router. From what I understand, "ip flow route-cache flow" enables net flow to use CEF on the interface. So, I'm assuming that the command has been dropped because CEF is the default on the ASRs?

Thanks, Pat.

1 Accepted Solution

Accepted Solutions

Patrick,

No worries on the rating

Solarwinds updates when it gets the data, but it always defaults to the "last 15 minutes." I always set up my routers to hold a cache with top talkers. You don't have to do much more than what you already have other than enabling top talkers:

!

interface Serial0/2

ip address 172.12.0.2 255.255.255.0

ip flow ingress

ip flow egress

clock rate 2000000

end

ip flow-top-talkers

top 5

sort-by bytes

!

R2#sh ip flow top

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes

Se0/2         172.12.0.1      Se0/0         172.47.0.7      01 0000 0800   500

Se0/1         172.47.0.7      Se0/2*        172.12.0.1      01 0000 0000   500

2 of 5 top talkers shown. 2 flows processed.

Here's a document that further explains it:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080259533.html#wp1131762

The SrcP and DstP are in hex. There are hex -> decimal calculators out there that you can use to find the port information. For example, if DstP was 0050, that would be port 80.

HTH,

John

HTH, John *** Please rate all useful posts ***

View solution in original post

15 Replies 15

John Blakley
VIP Alumni
VIP Alumni

Patrick,

Try "ip flow ingress" or "ip flow egress" (depending on the direction that you want).

HTH,

John

HTH, John *** Please rate all useful posts ***

Thanks John.

I want to enable netflow to provide me with info on the bandwidth usage of individual remote users. We have 250, 881s in the field that connect back via DMVPN to two headend routers. I beleive I should enable net flow on the interfaces on the head ends that face the remote 881s. Is this correct?

Will this do the trick?:

ip flow-export source gigabit0/0/0(interface facing remote users)

ip flow-export version 9

ip flow-export destination 10.10.10.10 port 2055

interface fastethernet0/0
ip flow egress
ip flow ingress

Is there more I should configure on the head ends or, is the information parsed by SolarWinds?

Thanks, Pat.

Patrick,

Netflow should be enabled on the interface that you expect the traffic coming in on or going out of. The flow-export source that you have marked as interface facing remote users should probably be the interface that netflow is configured on. Where is int fa0/0 in relation to this? You may not need it on fa0/0 at all.

John

HTH, John *** Please rate all useful posts ***

Sorry, bad config example

ip flow-export source gigabit0/0/1(interface facing internal HQ network)

ip flow-export version 9

ip flow-export destination 10.10.10.10 port 2055

interface gigabitethernrt0/0/0(interface facing remote users)

ip flow egress
ip flow ingress

Thanks, Pat.

That looks good. You can also enable top talkers to see what you should be seeing on your collector:

ip flow-top-talkers

sort bytes

top 5

Then to see it, you'd do a "sho ip flow top".

I'm not sure if you're using Solarwinds now as a collector for other devices, but Solarwinds won't show you any data until you add it as an authorized source. In other words, Orion will get the data and just give you an error that it's unknow. They you have to click on the node that it sees the data coming from and add it to Netflow.

HTH,

John

HTH, John *** Please rate all useful posts ***

So the device that I would have to add to netflow on SolarWinds would be the Headend routers, correct?

Also, I have to enable things that I want to monitor on the router? Such as: top-talkers?

I thought netflow was a generic dump to Solarwinds but, you make it sound like I can and should tweak the flow to what I want SolarWinds to get?

If this is true, do you know of a good doc that explains commands for different flows to send to SolarWinds?

Thanks, Pat.

So the device that I would have to add to netflow on SolarWinds would be the Headend routers, correct?

That's correct. Solarwinds will see new sources, but the netflow sources need to be managed by Solarwinds. When you click on the Netflow tab, you'll see the "Manage Sources" button and you should be able to see what sources are sending to your Solarwinds server.

I have to enable things that I want to monitor on the router? Such as: top-talkers?

Top talkers isn't necessary, but I use them everywhere. The router will update netflow cache faster than Solarwinds does, so that's why I enable it. Sometimes I'll have a location ask me what's taking up their link, so I can get in the router faster than I can Solarwinds. Solarwinds is good for historical data though because I've had to find out what was going on at 3AM when a location's link was saturated.

I thought netflow was a generic dump to Solarwinds but, you make it  sound like I can and should tweak the flow to what I want SolarWinds to  get?

It's a generic dump of everything that's going through the router and the sessions that the router sees. Solarwinds can chart the stuff for you where top talkers is cli-based. I'm not aware of being able to send selective flows (like only capture http traffic) with netflow.

HTH,

John

HTH, John *** Please rate all useful posts ***

I wanted to give you  5 stars but, it would let me correct my selection. Sorry about that. Thanks for the info.

So, you saying any info  that I want to retrieve quickly, I could configure to send to the net flow internal buffer like "top-talkers" and view it quickly via cli?

Do you have a link with these types of settings.

thanks, Pat.

Patrick,

No worries on the rating

Solarwinds updates when it gets the data, but it always defaults to the "last 15 minutes." I always set up my routers to hold a cache with top talkers. You don't have to do much more than what you already have other than enabling top talkers:

!

interface Serial0/2

ip address 172.12.0.2 255.255.255.0

ip flow ingress

ip flow egress

clock rate 2000000

end

ip flow-top-talkers

top 5

sort-by bytes

!

R2#sh ip flow top

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes

Se0/2         172.12.0.1      Se0/0         172.47.0.7      01 0000 0800   500

Se0/1         172.47.0.7      Se0/2*        172.12.0.1      01 0000 0000   500

2 of 5 top talkers shown. 2 flows processed.

Here's a document that further explains it:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080259533.html#wp1131762

The SrcP and DstP are in hex. There are hex -> decimal calculators out there that you can use to find the port information. For example, if DstP was 0050, that would be port 80.

HTH,

John

HTH, John *** Please rate all useful posts ***

John, one more question. Should I apply the flow to the physical interface that faces the remote routers or the tunnel0 interface that terminates the DMVPN seesions?

Thanks, Pat.

Personally, I would put it on the tunnel interface if that's the only traffic that you're interested in. If you're interested in other traffic that would come through the physical interface, you could put it there as well. You can have more than one interface with netflow assigned.

John

HTH, John *** Please rate all useful posts ***

sorry about this just one more

Little confused about the source command. I thought the source command was just used to point the net-flow packets out an interaface towards the SolarWinds server, almost like a route or picking the interface they leave the router.

Do I really need the source command?

Would the config below be just fine as the path to SolarWinds can only go out the g0/0/0 interface of the router?

config t

ip flow-export version 5

ip flow-export destination 172.20.8.211 9995

interface tunnel0(this is the tunnel interface that connects to the remote routers)

ip flow egress

ip flow ingress

!

end

wr

thanks, Pat.

Pat,

You're correct about the source interface being to specify what address that you want to source the traffic from. You don't really need it unless you want to always source from a certain interface. In case you have 2 paths out of a router to your Solarwinds server, you can source from the internal interface and it will always come from that interface as opposed to not sourcing and 1 path goes down, the other interface would be used to send the traffic and now your have inconsistencies in your sources.

Public 1: 172.23.3.1

Public 2: 192.168.1.1

Internal: 10.50.50.1

If didn't source, packets would come from 172.23.3.1. Suppose Public 1 went down, and now they're being sourced from Public 2 interface. If you set the source to be the Internal interface, it wouldn't matter if public 1 or 2 went down. This is obviously all of nothing if your interface is local to the Solarwinds server. Then you wouldn't need to worry about sourcing.

Your configuration looks fine to me...

HTH,

John

HTH, John *** Please rate all useful posts ***

fb_webuser
Level 6
Level 6

Dear Pat,

Please install Managengine's Netflow analyser(You can use evaulation) and add the following command on the router.

ip flow-export destination x.x.x.x 9996

where x represents the ip of your Managengine Netflow analyser and usually it uses the port 9996.

Please note that you don't need to remove the flow-export command for solarwinds.

Please do this and see if you are receiving flows there as there can be problem with Solarwinds NTA module as well, just verify if you can see the flows on Managengine Netflow analyser or not if yes you need to contact Solarwinds support.

Also make sure the port 2225 on Solarwinds server is open to receive the flows.

Regards

Musabthe following command on the router

---

Posted by WebUser Musab Kiani from Cisco Support Community App

Review Cisco Networking for a $25 gift card