Netflow over VPN

Unanswered Question
Mar 15th, 2007

I want to collect Netflow data from routers at remote sites in my Data Center. I have set up Netflow successfully and am receiving data from the devices local to the server. I have Site-Site VPNs to the remote offices and connectivity to the collector is not an issue. I have configured Netflow on the remote routers to use the IP address of the inside interface to source the Netflow traffic (also tested with Loopback interfaces), which should make this interesting traffic just like one would for RADIUS or Syslog. The issue is that the traffic generated does not get encrypted. I checked these message boards and have found others with the same issue but no solutions have been found. I can duplicate this issue on 830, 1721, 3700 series routers with varying versions of code. Does anyone have any suggestions on how to get the data to the server? Any help would be appreciated.

pbwatson4 Wed, 03/21/2007 - 12:57

Thanks for the reply. I didn't have any luck finding this ID via the Bug toolkit, can you please verify the ID.

paitken Fri, 06/08/2007 - 12:54

Netflow export bypasses output features (such as crypto) for performance reasons.

To work around this, route the export traffic into a tunnel and configure crypto to run on the tunneled traffic.
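To see what the bypass paitken describes actually exposes, here is an added example (Python, written for this thread; it is not code from the forum, from Cisco, or from any NetFlow collector). It models the WAN-side view of the failure: an ESP datagram to the VPN peer is opaque, but a NetFlow v5 export datagram that skipped the crypto map arrives as plain UDP, and every flow record in it (internal source and destination addresses, ports, protocol) is readable. The packet list is constructed, not a capture; the collector address 192.0.2.10, the peer address 198.51.100.1 and the router addresses are placeholders, and only the export port 9999 comes from the thread. The v5 header and record layouts are the standard 24-byte and 48-byte structures.

```python
"""Flag NetFlow v5 export datagrams that leave a crypto-map interface in cleartext.

Added example for this thread, not code from the forum or from Cisco.
Packets are constructed tuples, not a real capture; IPs are placeholders.
"""
import socket
import struct

UDP, GRE, ESP = 17, 47, 50
COLLECTOR_PORT = 9999            # export port used in the thread
COLLECTOR_IP = "192.0.2.10"      # placeholder collector (TEST-NET-1)
VPN_PEER_IP = "198.51.100.1"     # placeholder VPN peer (TEST-NET-2)

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte v5 flow record


def build_v5_export(flows, seq=0):
    """Construct a v5 export datagram from (src, dst, sport, dport, proto) tuples."""
    header = V5_HEADER.pack(5, len(flows), 1000, 1174000000, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst), b"\x00" * 4,  # src, dst, nexthop
            1, 2,                 # input / output SNMP ifIndex
            10, 1500,             # packets, octets
            900, 1000,            # first / last sysuptime (ms)
            sport, dport,
            0, 0x18, proto, 0,    # pad, TCP flags, IP protocol, ToS
            0, 0, 24, 24, 0,      # src/dst AS, src/dst mask, pad
        )
        for src, dst, sport, dport, proto in flows
    )
    return header + body


def parse_v5_export(payload):
    """Return the flow 5-tuples carried in a v5 datagram, or None if it is not v5."""
    if len(payload) < V5_HEADER.size:
        return None
    version, count, *_ = V5_HEADER.unpack_from(payload)
    if version != 5 or len(payload) != V5_HEADER.size + count * V5_RECORD.size:
        return None
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(payload, V5_HEADER.size + i * V5_RECORD.size)
        # r[0]=srcaddr r[1]=dstaddr r[9]=srcport r[10]=dstport r[13]=protocol
        flows.append((socket.inet_ntoa(r[0]), socket.inet_ntoa(r[1]), r[9], r[10], r[13]))
    return flows


def audit_wan_egress(packets):
    """Classify outbound packets seen on the crypto-map (WAN) interface.

    packets: constructed (src_ip, dst_ip, ip_proto, dst_port, payload) tuples.
    Returns (verdict, detail) pairs; verdict is 'encrypted', 'cleartext-netflow'
    or 'other'. A 'cleartext-netflow' finding carries the exposed flow records.
    """
    findings = []
    for src, dst, proto, dport, payload in packets:
        if proto == ESP:
            findings.append(("encrypted", f"ESP to {dst}"))
            continue
        if proto == UDP and dst == COLLECTOR_IP and dport == COLLECTOR_PORT:
            flows = parse_v5_export(payload)
            if flows is not None:
                # The thread's bug: export bypassed the crypto map, so the
                # records are readable by anyone on the WAN path.
                findings.append(("cleartext-netflow", flows))
                continue
        findings.append(("other", f"proto {proto}/{dport} to {dst}"))
    return findings


def sample_capture():
    """Constructed WAN-side packets: one ESP datagram and one leaked v5 export."""
    export = build_v5_export([
        ("10.1.1.20", "10.0.0.5", 51234, 443, 6),
        ("10.1.1.21", "10.0.0.9", 40000, 514, 17),
    ], seq=7)
    return [
        ("203.0.113.2", VPN_PEER_IP, ESP, 0, b"\x00" * 64),       # tunnelled user traffic
        ("10.1.1.1", COLLECTOR_IP, UDP, COLLECTOR_PORT, export),   # export sourced from inside interface
    ]


if __name__ == "__main__":
    for verdict, detail in audit_wan_egress(sample_capture()):
        print(verdict, detail)
```

Run against a real capture you would feed `audit_wan_egress` the outer IP header fields and UDP payload of each packet leaving the WAN interface; after the GRE workaround below is in place, the export should only ever appear inside ESP, and any `cleartext-netflow` finding means the tunnel routing is not catching the export traffic.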

Collin Clark Mon, 11/26/2007 - 13:43

    interface Tunnel0
     bandwidth 44210
     ip address
     ip route-cache flow
     tunnel source Serial1/0
     tunnel destination
     crypto map vpn

    interface Serial1/0
     bandwidth 44210
     ip address
     dsu bandwidth 44210
     framing c-bit
     cablelength 250
     serial restart-delay 0
     crypto map vpn

In the VPN cfg you need to specify interesting traffic (ACL 120).

    access-list 120 permit gre host host

HTH and please rate.

paitken Tue, 11/27/2007 - 03:35

Two things to add to Collin's config:

#1 you'll want to set "ip flow-export destination " to an address that's at the far end of that tunnel. You'll need some routing to do that - e.g., a static route:

    ip flow-export destination 9999
    ip route

#2 You might not want to be running netflow on the tunnel, else everything you export through the tunnel will be accounted by netflow then exported through the tunnel... so you'll end up generating a lot of netflow stats about your netflow traffic...

    int tun0
     no ip route-cache flow