
Not getting netflow from router 2921 through the firewall

edgar_pascal
Level 1

Dear All,

For the last few days I have been trying to get the NetFlow logs from the new 2921 router to my NetFlow servers, but it is not happening; currently I have flows from the c6500 series.

There is one firewall between the router and the system. Can anyone tell me exactly which port numbers need to be open on the firewall to get the logs?

internet router (2921)-------FW-----c3560----c6500----Netflow server.

I have created an ACL permitting UDP ports 161, 162, 2055 and 966 on the router, and the FW team has opened those UDP ports on the FW, but the flows still do not hit.

A quick response would be appreciated.

Regards,

Lian

4 Replies

For NetFlow, you don't need an ACL on the router. But the firewall has to allow the right port. As there is no default port for NetFlow (although there are commonly used ports like UDP/2055), you have to look at your router to see which port is configured with the NetFlow destination. This port has to be allowed. Then check the NetFlow statistics on the router to see if logs are getting sent. And ask your FW team if they see traffic coming from your router to the NetFlow collector.
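The check above, done mechanically: an added example in Python (not code from any participant in this thread) that pulls the configured exporter source, collector address and UDP port, and the drop counters out of `show ip flow export` text, then prints the one firewall rule the export actually needs. `SAMPLE` is a copy of the output Lian pastes further down in this thread; the ACL-style wording of the rule and the `problems()` heuristics are my own choices, not Cisco output.

```python
"""Parse Cisco 'show ip flow export' output and derive the firewall rule it
implies. Added example for this thread, not a poster's code. SAMPLE is a copy
of the output posted in the thread (the router prompt lines are omitted)."""
import re

SAMPLE = """\
Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 222.124.222.99 (GigabitEthernet0/0)
Destination(1) 10.177.54.135 (2055)
Version 5 flow records
34920827 flows exported in 1164513 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
"""

VERSION_RE = re.compile(r"^Flow export v(\d+) is enabled")
SRC_RE = re.compile(r"^Source\(\d+\)\s+(\d+\.\d+\.\d+\.\d+)\s+\(([^)]+)\)")
DST_RE = re.compile(r"^Destination\(\d+\)\s+(\d+\.\d+\.\d+\.\d+)\s+\((\d+)\)")
EXPORTED_RE = re.compile(r"^(\d+) flows exported in (\d+) udp datagrams")
# Both the "flows failed due to ..." and "export packets were dropped due to ..."
# lines are reasons export never leaves the router; collect them by reason.
COUNTER_RE = re.compile(r"^(\d+) (?:export packets were dropped|flows failed) due to (.+)$")


def parse_flow_export(text):
    """Return a dict with version, sources, destinations, counters."""
    info = {"version": None, "sources": [], "destinations": [],
            "flows_exported": 0, "datagrams": 0, "counters": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := VERSION_RE.match(line):
            info["version"] = int(m.group(1))
        elif m := SRC_RE.match(line):
            info["sources"].append((m.group(1), m.group(2)))      # (ip, interface)
        elif m := DST_RE.match(line):
            info["destinations"].append((m.group(1), int(m.group(2))))  # (ip, udp port)
        elif m := EXPORTED_RE.match(line):
            info["flows_exported"], info["datagrams"] = int(m.group(1)), int(m.group(2))
        elif m := COUNTER_RE.match(line):
            info["counters"][m.group(2)] = int(m.group(1))
    return info


def firewall_rules(info):
    """ACL-style lines the firewall must permit: exporter source IP to every
    configured collector on its UDP port. NetFlow export needs nothing else
    (SNMP 161/162 are unrelated to flow export)."""
    return [f"permit udp host {src} host {dst} eq {port}"
            for src, _ in info["sources"]
            for dst, port in info["destinations"]]


def problems(info):
    """Router-side reasons the export would not leave the box at all."""
    issues = []
    if not info["destinations"]:
        issues.append("no export destination configured")
    if info["datagrams"] == 0:
        issues.append("no datagrams exported yet (cache empty or export not enabled)")
    for reason, n in info["counters"].items():
        if n:
            issues.append(f"{n} dropped: {reason}")
    return issues


if __name__ == "__main__":
    parsed = parse_flow_export(SAMPLE)
    print(f"NetFlow v{parsed['version']}, {parsed['datagrams']} datagrams exported")
    for rule in firewall_rules(parsed):
        print("firewall must allow:", rule)
    print("router-side problems:", problems(parsed) or "none")
```

For the posted output this prints a single rule, `permit udp host 222.124.222.99 host 10.177.54.135 eq 2055`, and no router-side problems: every drop counter is zero and over a million datagrams have left the router, which is why the next step is the firewall team's counters rather than the router config.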

Karsten,

OK, noted, I'll remove the ACL on the router.

Here is the flow export from the router; do you see anything that is not correct?

Can you define the rule port for the FW to make sure?

Router_ISP-Telkom#sh ip flow export
Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 222.124.222.99 (GigabitEthernet0/0)
Destination(1) 10.177.54.135 (2055)
Version 5 flow records
34920827 flows exported in 1164513 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
Router_ISP-Telkom#
==============

Router_ISP-Telkom#sh ip cache flow
IP packet size distribution (511856053 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .440 .054 .013 .017 .007 .005 .004 .005 .003 .002 .002 .002 .002 .002

IP Flow Switching Cache, 278544 bytes
637 active, 3459 inactive, 33969912 added
382337761 ager polls, 0 flow alloc failures
Active flows timeout in 1 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 66824 bytes
639 active, 1409 inactive, 33969716 added, 33969716 added to flow
0 alloc failures, 13630 force free
2 chunks, 518 chunks added
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet       39434      0.0         2    55      0.1       7.0      15.5
TCP-FTP         202011      0.3        12    58      4.2       5.9       2.2
TCP-FTPD             4      0.0         1    40      0.0       0.0       1.2
TCP-WWW        6128767      9.8        26   804    262.2       4.5       7.5
UDP-Frag             8      0.0         1   327      0.0       0.0      15.9
UDP-other      5021785      8.0         1   183     11.4       0.3      15.7
ICMP             96334      0.1        31    69      4.9      41.5       7.1
Total:        33967190     54.3        15   659    819.1       2.7      11.2

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/1         222.124.36.214  Gi0/0*        222.124.222.124 06 1276 01BB   758

Lian

That looks OK. Reach out to the FW staff to ask if they see the traffic.

How do I test UDP traffic from the router to the FW and to the NetFlow server?
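The thread ends on that question. What the collector side should eventually see is NetFlow v5 datagrams from 222.124.222.99 to 10.177.54.135 on UDP/2055, and the quickest test is to capture on the collector (or on the inside of the firewall) and decode what arrives. As an added example, not from any poster, here is a Python decoder for the v5 header and flow records, run over a datagram constructed inline to mirror the one Gi0/1 to Gi0/0 HTTPS flow in Lian's `show ip cache flow` output (the interface indexes, byte count, timestamps and TCP flags in it are made up). Feed it the UDP payload bytes from a capture such as `tcpdump -ni eth0 udp port 2055` (interface name assumed) to confirm the datagrams are reaching the collector intact; a truncated datagram or a v9 export hitting a v5-only collector fails the length and version checks.

```python
"""Decode NetFlow v5 export datagrams. Added example for this thread, not code
from any poster. build_sample_datagram() constructs one datagram offline so the
decoder can be exercised without a capture."""
import socket
import struct

HEADER_FMT = "!HHIIIIBBH"                  # 24-byte v5 header
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"    # 48-byte v5 flow record
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)


def decode_v5(payload):
    """Parse one UDP payload into (header, records).

    Raises ValueError when the version field is not 5 or the datagram length
    does not match the advertised record count, which is what a truncated,
    fragment-dropped or non-v5 export looks like at the collector."""
    if len(payload) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack(HEADER_FMT, payload[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    expected = HEADER_LEN + count * RECORD_LEN
    if len(payload) != expected:
        raise ValueError(f"length {len(payload)} != {expected} for {count} records")
    header = {"version": version, "count": count, "sys_uptime_ms": sys_uptime,
              "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
              "flow_sequence": flow_seq, "engine_type": engine_type,
              "engine_id": engine_id, "sampling": sampling}
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, payload[off:off + RECORD_LEN])
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "in_if": f[3], "out_if": f[4],
            "packets": f[5], "octets": f[6], "first_ms": f[7], "last_ms": f[8],
            "src_port": f[9], "dst_port": f[10],   # f[11] is padding
            "tcp_flags": f[12], "protocol": f[13], "tos": f[14],
            "src_as": f[15], "dst_as": f[16], "src_mask": f[17], "dst_mask": f[18],
        })
    return header, records


def is_valid_v5(payload):
    """True if the payload decodes as a well-formed v5 datagram."""
    try:
        decode_v5(payload)
        return True
    except ValueError:
        return False


def build_sample_datagram():
    """Constructed datagram: one record mirroring the thread's cache line
    Gi0/1 222.124.36.214 -> Gi0/0 222.124.222.124, proto 06, ports 1276/01BB hex,
    758 packets. ifIndexes, octets, timestamps and flags are assumed values."""
    header = struct.pack(HEADER_FMT, 5, 1, 3600000, 1700000000, 0, 1164513, 0, 0, 0)
    record = struct.pack(
        RECORD_FMT,
        socket.inet_aton("222.124.36.214"), socket.inet_aton("222.124.222.124"),
        socket.inet_aton("0.0.0.0"),
        2, 1,                 # input ifIndex (Gi0/1), output ifIndex (Gi0/0): assumed
        758, 758 * 804,       # packets; octets use the TCP-WWW 804 B/pkt average
        3500000, 3599000,     # first/last in sys_uptime ms: assumed
        0x1276, 0x01BB,       # src port 4726, dst port 443 (from the cache line)
        0, 0x1B, 6, 0,        # pad, TCP flags FIN|SYN|PSH|ACK (assumed), proto TCP, ToS
        0, 0, 24, 24, 0)      # src/dst AS, masks (assumed), pad
    return header + record


if __name__ == "__main__":
    hdr, recs = decode_v5(build_sample_datagram())
    print(f"v{hdr['version']} seq={hdr['flow_sequence']} records={hdr['count']}")
    for r in recs:
        print(f"{r['src']}:{r['src_port']} -> {r['dst']}:{r['dst_port']} "
              f"proto={r['protocol']} pkts={r['packets']} bytes={r['octets']}")
```

Two things are worth checking in real captures beyond "packets arrive": the source address must be the router's export source (here 222.124.222.99, so a NAT on the firewall would change what the collector's allow-list has to contain), and `flow_sequence` should increase by exactly `count` between consecutive datagrams; gaps there mean the firewall or path is dropping export packets even though some get through.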
