Router Netflow Help Required

Ali Haider · ‎04-04-2013

Dear All,

I have one R1<-->connected to <-->R2 and R2 is connected to R3. i have enable the Netflow on R2 that is when R1 ping R3 IP it shoudl generate the netflow as follow.

Define an ip flow-top-talkers policy to be applied to R2 as follows:
- Display the top 5 talker for ICMP traffic
- Randomly sample traffic at a rate of one-out-of 10 packers
Verbose netflow output must display:
- IP addresses
- MAC Addresses
- VLAN IDs

Follwing are the configuration i made, it is only showing the IP address but i need to get the MAC Address and VLAN as well in show ip cache verbose flow command omn R2.

R2-Configuratoin

------------------------------

ip cef

!

class-map ICMP

match protocol icmp

!

ip flow-export version 9

!

flow-sampler-map NF

mode random one-out-of 10

!

ip flow-top-talkers

top 5

sort-by packets

match source address 7.7.6.0/24

match destination address 7.7.4.1/32

match flow-smapler NF

!

interface Gi0/1

flow sample NF

I make the ping from R1 to R3

R1#ping 7.7.4.1

following is the show output, i need to get the MAC and VLAn as well how i can do it?

show ip cache verbose flow

R6#sh ip cache verbose flow

IP packet size distribution (2228 total packets):

1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480

.000 .003 .724 .262 .004 .003 .000 .000 .000 .000 .000 .000 .000 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608

.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes

2 active, 65534 inactive, 558 added

10614 ager polls, 0 flow alloc failures

Active flows timeout in 30 minutes

Inactive flows timeout in 15 seconds

IP Sub Flow Cache, 533256 bytes

0 active, 16384 inactive, 0 added, 0 added to flow

0 alloc failures, 0 force free

1 chunk, 1 chunk added

last clearing of statistics never

Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)

-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow

UDP-other 4 0.0 2 127 0.0 0.0 15.5

ICMP 6 0.0 3 90 0.0 1.8 15.3

IP-other 546 0.0 3 94 0.2 3.0 15.5

Total: 556 0.0 3 94 0.2 3.0 15.5

SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts

Port Msk AS Port Msk AS NextHop B/Pk Active

Fa1/1.1 7.7.6.5 Fa1/0 7.7.8.2 32 C0 10 3

B0BA /0 0 0B7F /0 0 0.0.0.0 96 0.0

Sampler: 1

Fa1/1.1 7.7.6.4 Fa1/0 7.7.4.1 01 00 10 3

0000 /0 0 0800 /0 0 0.0.0.0 94 3.3

Sampler: 1

sh ip flow top-talkers

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

Fa1/1.1 7.7.6.4 Fa1/0 7.7.4.1 01 0000 0800 3

1 of 5 top talkers shown. 1 of 3 flows matched.

Regards,

Ali

Damien Miller · ‎04-11-2013

You may want to try the following two commands as vlan id and mac's are not recorded by default.

ip flow-capture mac-addresses

ip flow-capture vlan-id

ip flow-capture mac-addresses

The ip flow-capture mac-addresses command captures the incoming source mac-address and the outgoing destination mac-address from the first Layer 2 frame in the flow. If you discover that your network is being attacked by Layer 3 traffic, you can use these addresses to identify the device that is transmitting the traffic that is being received by the router and the next hop or final destination device to which the router is forwarding the traffic.

ip flow-capture vlan-id

A VLAN is a broadcast domain within a switched network. A broadcast domain is defined by the network boundaries within which a network propagates a broadcast frame generated by a station. Some switches can be configured to support single or multiple VLANs. Whenever a switch supports multiple VLANs, broadcasts within one VLAN never appear in another VLAN.

http://www.cisco.com/en/US/docs/ios/12_3t/netflow/command/reference/nfl_a1gt_ps5207_TSD_Products_Command_Reference_Chapter.html#wp1185290