Netflow: Send data only from certain interfaces?

Jim Mueller
Level 1

We use Solarwinds Orion to accept Netflow and NBAR2 from our Cisco devices... we have ~140 of them in our environment. The product is licensed per interface, and we only bought enough licenses to monitor the 'important' interfaces on the devices, not all interfaces.

The Orion event log is being slammed with messages of this syntax:

NetFlow Receiver Service [Servername] is receiving flow data from unmanaged interface '#xxxxxxx' on [node] and it does not support SNMP. Click the "Add this interface" link to manage interface and process its flow data.

Solarwinds support says: "Another thing to check here is the Netflow Configuration of the device. It should not be sending flows from interfaces that you do not want to receive flows from. Controlling how the device will send flows will also help resolve this event. NTA will only show what the device is sending."

So, how do I prevent certain interfaces from sending Netflow data?

Thanks!

Jim

6 Replies

Joseph W. Doherty
Hall of Fame

I think setting flow cache on an interface triggers egress flow stats for that interface and/or configuring something like ip flow ingress also may trigger flow stats for that interface.

Any specific suggestions on what to change in the config above to prevent these warnings?

Reza Sharifi
Hall of Fame

Hi,

Not sure what type of device you are trying to get Netflow from, but you usually add these commands to the interface you want to get the flow from:

ip flow monitor Solarwinds input
ip flow monitor Solarwinds output

In this case "Solarwinds" is a user-defined flow exporter. You can name it whatever you want.

After configuring it, you can check the status with "sh flow interface"

HTH

I added a redacted config above and some command outputs. Also, it seems as if the only type of device having this issue is an 1811, which is out of support. I can try to update the firmware on a sample router to the latest to see if that takes care of it. Else I know that the offices with older routers are budgeted for a new router this fiscal year, just not sure when that project will begin.

Any specific suggestions on what to change in the config above to prevent these warnings?
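The commands Reza shows are Flexible NetFlow and are applied per interface: the argument is the flow monitor name (NTAmon in the config posted in this thread), and the monitor in turn points at the exporter (NTAexp). An interface with no `ip flow monitor` line and no legacy `ip flow ingress` / `ip flow egress` line populates no flow cache and exports nothing. With ~140 routers, the quickest way to find out which interfaces on each box are configured to export is to parse the saved `show running-config` output. The script below is an added example for this thread (Python, not Cisco or SolarWinds code); the sample config is an excerpt of the one posted later in the thread, written with the one-space sub-command indentation IOS uses, and the helper names are mine.

```python
"""Audit an IOS running-config for the commands that make an interface emit
flow records.  Added example for this thread, not Cisco or SolarWinds code.
Feed it the text of 'show running-config' saved from each router."""
import re

# Interface-level commands that cause flow export from that interface.
#   'ip flow monitor <monitor> input|output'  -> Flexible NetFlow (FNF)
#   'ip flow ingress' / 'ip flow egress'      -> legacy NetFlow; these records
#       go out via the global 'ip flow-export destination ...' lines
FNF_RE = re.compile(r"^\s*ip flow monitor (\S+) (input|output)$")
LEGACY_RE = re.compile(r"^\s*ip flow (ingress|egress)$")
NBAR_RE = re.compile(r"^\s*ip nbar protocol-discovery$")
IFACE_RE = re.compile(r"^interface (\S+)$")
EXPORT_RE = re.compile(r"^ip flow-export destination (\S+) (\d+)$")


def audit_flow_config(config_text):
    """Return (per_interface, legacy_exporters).

    per_interface maps interface name -> {'fnf': [(monitor, direction), ...],
    'legacy': [direction, ...], 'nbar': bool}.  legacy_exporters lists the
    (destination, port) pairs from global 'ip flow-export destination' lines."""
    per_interface, legacy_exporters, current = {}, [], None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue  # tolerate blank lines pasted into the config
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            per_interface[current] = {"fnf": [], "legacy": [], "nbar": False}
            continue
        if not line.startswith(" "):
            # IOS indents sub-commands by one space; any non-indented line
            # ('!' or a global command) ends the current interface stanza
            current = None
            m = EXPORT_RE.match(line)
            if m:
                legacy_exporters.append((m.group(1), int(m.group(2))))
            continue
        if current is None:
            continue
        entry = per_interface[current]
        m = FNF_RE.match(line)
        if m:
            entry["fnf"].append((m.group(1), m.group(2)))
            continue
        m = LEGACY_RE.match(line)
        if m:
            entry["legacy"].append(m.group(1))
        elif NBAR_RE.match(line):
            entry["nbar"] = True
    return per_interface, legacy_exporters


def flow_sources(config_text):
    """Sorted names of the interfaces that will export flow records."""
    per_interface, _ = audit_flow_config(config_text)
    return sorted(n for n, e in per_interface.items() if e["fnf"] or e["legacy"])


# Constructed sample: an excerpt of the 1811 config posted in this thread.
SAMPLE_CONFIG = """\
interface Tunnel1
 description 2285 primary tunnel
 ip address 172.18.1.121 255.255.252.0
!
interface FastEthernet0
 description 2285 WAN interface
 ip nbar protocol-discovery
!
interface Vlan1
 description 2285 LAN gateway
 ip nbar protocol-discovery
 ip flow monitor NTAmon input
 ip flow monitor NTAmon output
 ip flow ingress
!
ip flow-cache timeout active 1
ip flow-export source Vlan1
ip flow-export version 9 peer-as
ip flow-export destination 192.168.0.26 2055
!
"""

if __name__ == "__main__":
    per_if, exporters = audit_flow_config(SAMPLE_CONFIG)
    for name, entry in per_if.items():
        print(f"{name}: fnf={entry['fnf']} legacy={entry['legacy']} nbar={entry['nbar']}")
    print("legacy exporters:", exporters)
    print("exporting interfaces:", flow_sources(SAMPLE_CONFIG))
```

On the posted config the audit reports that only Vlan1 exports, but that it does so twice: once through the FNF monitor NTAmon (input and output direction) and once through legacy NetFlow (`ip flow ingress` plus the global `ip flow-export` lines), both aimed at 192.168.0.26:2055. The legacy stream is removed with `no ip flow ingress` under `interface Vlan1` and `no ip flow-export destination 192.168.0.26 2055` globally; an FNF direction is removed with `no ip flow monitor NTAmon output` (standard IOS negation, not something the thread shows).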

Jim Mueller
Level 1

Here's a redacted config from a sample router experiencing the issue. This happens to be an 1811 router, but we also have 1711s and 891/891Fs which would have the same setup. I've tried to highlight the netflow/nbar commands I found in red.

---begin---
Current configuration : 7575 bytes
!
! No configuration change since last restart
!
version 12.4
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service compress-config
!
hostname hostname
!
boot-start-marker
boot system flash c181x-advipservicesk9-mz.124-15.T17.bin
boot-end-marker
!
logging buffered 4096
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
!
dot11 syslog
!
ip cef
!
no ip bootp server
no ip domain lookup
ip domain name domain.com
!
flow exporter NTAexp
 destination 192.168.0.26
 source Vlan1
 transport udp 2055
 template data timeout 60
!
flow record NTArec
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes
 collect counter packets
!
flow monitor NTAmon
 description NetFlow nbar
 record NTArec
 exporter NTAexp
 cache timeout inactive 10
 cache timeout active 5
!
multilink bundle-name authenticated
!
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key * address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 600
!
crypto ipsec transform-set esp-3des-sha-trans esp-3des esp-sha-hmac
 mode transport
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile DMVPN
 set transform-set esp-3des-sha-trans
 set pfs group5
!
archive
 log config
  hidekeys
!
vlan 999
 name GUEST
!
interface Loopback0
 ip address 10.1.1.2 255.255.255.255
!
interface Tunnel1
 description 2285 primary tunnel
 bandwidth 1536
 ip address 172.18.1.121 255.255.252.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication *
 ip nhrp map 172.18.0.1 *
 ip nhrp map multicast *
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 172.18.0.1
 ip tcp adjust-mss 1360
 ip policy route-map df-bit-clear
 qos pre-classify
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN shared
!
interface Tunnel2
 description 2285 secondary tunnel
 bandwidth 768
 ip address 172.18.5.121 255.255.252.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication *
 ip nhrp map 172.18.4.1 *
 ip nhrp map multicast *
 ip nhrp network-id 2
 ip nhrp holdtime 300
 ip nhrp nhs 172.18.4.1
 ip tcp adjust-mss 1360
 ip policy route-map df-bit-clear
 qos pre-classify
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN shared
!
interface FastEthernet0
 description 2285 WAN interface
 bandwidth 2048
 bandwidth receive 18432
 ip address * 255.255.255.252
 ip access-group internet-in-v2 in
 ip nbar protocol-discovery
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 no cdp enable
!
interface FastEthernet4
 no cdp enable
!
interface FastEthernet5
 no cdp enable
!
interface FastEthernet6
 no cdp enable
!
interface FastEthernet7
 no cdp enable
!
interface FastEthernet8
 no cdp enable
!
interface FastEthernet9
 no cdp enable
!
interface Vlan1
 description 2285 LAN gateway
 ip address 10.22.85.1 255.255.255.192
 ip helper-address 192.168.0.12
 no ip redirects
 ip nbar protocol-discovery
 ip flow monitor NTAmon input
 ip flow monitor NTAmon output
 ip flow ingress
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 ip policy route-map df-bit-clear
!
interface Async1
 no ip address
 encapsulation slip
 async mode interactive
!
router eigrp 111
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 network 10.22.85.0 0.0.0.63
 network 172.18.0.0
 no auto-summary
 eigrp stub connected
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 *
!
ip flow-cache timeout active 1
ip flow-export source Vlan1
ip flow-export version 9 peer-as
ip flow-export destination 192.168.0.26 2055
!
no ip http server
ip http authentication local
no ip http secure-server
!
ip access-list standard ssh-in
 permit * 0.0.0.15
 permit * 0.0.0.255
 deny   any log
ip access-list standard telnet-in
 permit 172.18.4.1
 permit 172.18.0.1
 permit 172.16.13.0 0.0.0.15
 permit 192.168.0.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255
 permit 10.22.85.0 0.0.0.63
 permit 172.16.22.0 0.0.0.255
 permit 172.16.26.0 0.0.0.255
 permit 172.16.28.0 0.0.0.255
 deny   any log
!
ip access-list extended internet-in-v2
 permit esp any host *
 permit udp any eq isakmp host * eq isakmp
 permit icmp any host * echo
 permit icmp any host * echo-reply
 permit tcp any host * eq 22
 permit udp host 130.126.24.53 host * eq ntp
 permit udp host 198.82.162.213 host * eq ntp
 deny   ip any any log
!
access-list 10 permit 192.168.0.105
access-list 10 permit 192.168.0.26
access-list 10 permit 172.16.26.0 0.0.0.255
access-list 10 deny   any
access-list 15 permit 192.168.0.5
access-list 15 deny   any
snmp-server group * v3 priv access 10
snmp-server community * RO 10
snmp-server community * RW 10
snmp-server ifindex persist
snmp-server location *
snmp-server contact *
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps flash insertion removal
snmp-server enable traps cnpd
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server file-transfer access-group 15 protocol tftp
no cdp run
!
route-map df-bit-clear permit 10
 set ip df 0
!
control-plane
!
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 1 show ip
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show
privilege exec level 10 debug
privilege exec level 2 clear line
privilege exec level 2 clear
!
line con 0
 login local
line 1
 login local
 modem InOut
 modem autoconfigure discovery
 transport input all
 autoselect ppp
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
line vty 0 4
 access-class telnet-in in
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class ssh-in in
 privilege level 15
 login local
 transport input ssh
!
ntp clock-period 17180179
ntp server 130.126.24.53
ntp server 198.82.162.213
end
---end---

And some status commands:

----snip----

hostname#sh ip flow export
Flow export v9 is enabled for main cache
Export source and destination details :
VRF ID : Default
   Source(1)       10.22.85.1 (Vlan1)
   Destination(1) 192.168.0.26 (2055)
Version 9 flow records, peer-as
2689091 flows exported in 585899 udp datagrams
0 flows failed due to lack of export packet
6374 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures

hostname#sh flow exporter NTAexp
Flow Exporter NTAexp:
  Description:              User defined
  Tranport Configuration:
    Destination IP address: 192.168.0.26
    Source IP address:      10.22.85.1
    Source Interface:       Vlan1
    Transport Protocol:     UDP
    Destination Port:       2055
    Source Port:            58185
    DSCP:                   0x0
    TTL:                    255

hostname#sh flow interface
Interface Vlan1
  FNF:  monitor:         NTAmon
        direction:       Input
        traffic(ip):     on
  FNF:  monitor:         NTAmon
        direction:       Output
        traffic(ip):     on

----snip----
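Two things in the config and outputs above decide which interfaces the collector sees. First, `show ip flow export` reports that v9 export is enabled for the main cache, which is the legacy NetFlow cache fed by `ip flow ingress` on Vlan1, so the router is sending a legacy stream to 192.168.0.26:2055 in addition to the FNF monitor NTAmon. Second, the record NTArec matches `interface input` and collects `interface output`, so every exported record carries two SNMP ifIndex values. A flow that enters Vlan1 and leaves through Tunnel1 names Tunnel1 as its output interface, and the output-direction monitor on Vlan1 produces records whose input interface is Tunnel1 or FastEthernet0, even though no monitor is applied to those interfaces. The event in the first post identifies the unmanaged interface by ifIndex number, which is what these fields carry. The decoder below is an added example for this thread (Python, not Cisco or SolarWinds code) that shows which ifIndexes an export packet actually references. The sample packet is constructed: its template mirrors the NTArec field list, but the ifIndex numbers, addresses and counters are made up; the real ifIndex values come from IF-MIB on the router.

```python
"""Decode NetFlow v9 export packets and list the SNMP ifIndex values the
records reference.  Added example for this thread, not Cisco or SolarWinds
code.  A collector attributes a flow to interfaces through the INPUT_SNMP and
OUTPUT_SNMP fields, so any ifIndex appearing here is one the collector will
try to match against a managed interface.  The sample packet is constructed:
ifIndex numbers, addresses and counters are made up, but the field list
mirrors 'flow record NTArec' posted in the thread."""
import ipaddress
import socket
import struct

# RFC 3954 field type IDs corresponding to the NTArec record
IN_BYTES, IN_PKTS, PROTOCOL, SRC_TOS = 1, 2, 4, 5
L4_SRC_PORT, IPV4_SRC_ADDR, INPUT_SNMP = 7, 8, 10
L4_DST_PORT, IPV4_DST_ADDR, OUTPUT_SNMP = 11, 12, 14


def parse_v9(packet, templates=None):
    """Parse one v9 export packet into a list of {field_id: value} records.

    templates is keyed by (source_id, template_id) and is returned so it can be
    carried across packets: a data flowset is only decodable once its template
    has been seen (the router resends it every 'template data timeout' seconds)."""
    templates = {} if templates is None else templates
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4:
            raise ValueError("bad flowset length")
        body, end = off + 4, off + fs_len
        if fs_id == 0:  # template flowset: template_id, field_count, (type, len)...
            while body + 4 <= end:
                tid, nfields = struct.unpack_from("!HH", packet, body)
                body += 4
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", packet, body + 4 * i) for i in range(nfields)]
                body += 4 * nfields
        elif fs_id >= 256:  # data flowset; its id is the template id
            tmpl = templates.get((source_id, fs_id))
            rec_len = sum(flen for _, flen in tmpl) if tmpl else 0
            while rec_len and body + rec_len <= end:  # trailing bytes < rec_len are padding
                rec = {}
                for ftype, flen in tmpl:
                    raw = packet[body:body + flen]
                    rec[ftype] = (str(ipaddress.IPv4Address(raw))
                                  if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR)
                                  else int.from_bytes(raw, "big"))
                    body += flen
                records.append(rec)
        # fs_id 1 (options template) and data for unknown templates are skipped
        off = end
    return records, templates


def interfaces_referenced(records):
    """ifIndex values named as input or output interface by any record."""
    return {r[f] for r in records for f in (INPUT_SNMP, OUTPUT_SNMP) if f in r}


def unmanaged_interfaces(records, managed_ifindexes):
    """ifIndexes the collector would have to look up but is not licensed for."""
    return interfaces_referenced(records) - set(managed_ifindexes)


# ---- constructed sample export (not captured from the router) ----
TEMPLATE_ID = 256
NTAREC_FIELDS = [(SRC_TOS, 1), (PROTOCOL, 1), (IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4),
                 (L4_SRC_PORT, 2), (L4_DST_PORT, 2), (INPUT_SNMP, 2), (OUTPUT_SNMP, 2),
                 (IN_BYTES, 4), (IN_PKTS, 4)]
VLAN1_IFINDEX, TUNNEL1_IFINDEX = 7, 12  # made up; read the real ones from IF-MIB


def build_sample_packet():
    """One template flowset plus two data records: a LAN->WAN flow seen by the
    Vlan1 input monitor (output = Tunnel1) and its reply seen by the Vlan1
    output monitor (input = Tunnel1)."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(NTAREC_FIELDS))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in NTAREC_FIELDS)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src, dst, sport, dport, in_if, out_if):
        return (struct.pack("!BB", 0, 6) + socket.inet_aton(src) + socket.inet_aton(dst)
                + struct.pack("!HHHHII", sport, dport, in_if, out_if, 1500, 10))

    data = (rec("10.22.85.10", "192.168.0.5", 51000, 443, VLAN1_IFINDEX, TUNNEL1_IFINDEX)
            + rec("192.168.0.5", "10.22.85.10", 443, 51000, TUNNEL1_IFINDEX, VLAN1_IFINDEX))
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 3, 100000, 1700000000, 1, 0)  # count = 1 tmpl + 2 recs
    return header + tmpl_fs + data_fs


if __name__ == "__main__":
    recs, _ = parse_v9(build_sample_packet())
    print("ifIndexes referenced:", sorted(interfaces_referenced(recs)))
    print("unmanaged if only Vlan1 is licensed:",
          sorted(unmanaged_interfaces(recs, {VLAN1_IFINDEX})))
```

To run it against a real router, capture the export with `tcpdump -i <iface> udp port 2055 -w flows.pcap` on the collector and pass each UDP payload to `parse_v9`, keeping the returned `templates` dict between packets. Because the first packets after a capture starts may arrive before the template refresh, records only appear once a template flowset has been seen. With the record as configured, removing the output-direction monitor on Vlan1 stops records whose input interface is a tunnel, but the output ifIndex of LAN-to-WAN flows will still name the tunnel or WAN interface for as long as the record collects `interface output`.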
