1222 Views, 4 Helpful, 6 Replies

Netflow over VPN

pbwatson4
Level 1

I want to collect Netflow data from routers at remote sites in my Data Center. I have set up Netflow successfully and am receiving data from the devices local to the server. I have Site-Site VPNs to the remote offices and connectivity to the collector is not an issue. I have configured Netflow on the remote routers to use the IP address of the inside interface to source the Netflow traffic (also tested with Loopback interfaces), which should make this interesting traffic just like one would for RADIUS or Syslog. The issue is that the traffic generated does not get encrypted. I checked these message boards and have found others with the same issue, but no solutions have been found. I can duplicate this issue on 830, 1721, and 3700 series routers with varying versions of code. Does anyone have any suggestions on how to get the data to the server? Any help would be appreciated.

6 Replies

dsweeny
Level 3

It looks like a bug to me, check this bug-id: CSCef28662

Thanks for the reply. I didn't have any luck finding this ID via the Bug Toolkit, can you please verify the ID?

paitken
Level 1

Netflow export bypasses output features (such as crypto) for performance reasons.

To work around this, route the export traffic into a tunnel and configure crypto to run on the tunneled traffic.

Hi,

Would you have a sample configuration of this?

Thanks,

Gene

interface Tunnel0
 bandwidth 44210
 ip address 1.1.1.1 255.255.255.252
 ip route-cache flow
 tunnel source Serial1/0
 tunnel destination 1.1.1.2
 crypto map vpn

interface Serial1/0
 bandwidth 44210
 ip address 2.2.2.1 255.255.255.252
 dsu bandwidth 44210
 framing c-bit
 cablelength 250
 serial restart-delay 0
 crypto map vpn

In the VPN cfg you need to specify interesting traffic (ACL 120).

access-list 120 permit gre host 1.1.1.1 host 1.1.1.2

HTH and please rate.

Two things to add to Collin's config:

#1 you'll want to set "ip flow-export destination" to an address that's at the far end of that tunnel. You'll need some routing to do that - eg, a static route:

ip flow-export destination 5.5.5.5 9999
ip route 5.5.5.5 255.255.255.255 1.1.1.2

#2 You might not want to be running netflow on the tunnel, else everything you export through the tunnel will be accounted by netflow then exported through the tunnel... so you'll end up generating a lot of netflow stats about your netflow traffic...

int tun0
 no ip route-cache flow
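The replies above amount to a three-part checklist: route the collector through a GRE tunnel, put the crypto map on GRE traffic between the tunnel endpoints, and keep flow accounting off the tunnel itself. The following Python script is an added example (not from this thread or any Cisco tool) that lints a plain-text IOS running-config for exactly those three conditions. The sample config, the addresses 10.0.0.x / 2.2.2.x / 5.5.5.5, the ACL number 120, and the interface names are all constructed for the example; it assumes the crypto ACL matches GRE between the tunnel source interface's address and the tunnel destination, which is the usual GRE-over-IPsec pattern.

```python
"""Check an IOS config for the NetFlow-over-GRE/IPsec workaround (added example)."""
import ipaddress
import re

# Constructed sample running-config. It follows the pattern from the thread:
# export routed into Tunnel0, static route for the collector via the tunnel
# peer, crypto ACL matching the GRE endpoints, no flow accounting on the tunnel.
SAMPLE_CONFIG = """\
ip flow-export source Loopback0
ip flow-export destination 5.5.5.5 9999
ip route 5.5.5.5 255.255.255.255 10.0.0.2
access-list 120 permit gre host 2.2.2.1 host 2.2.2.2
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 no ip route-cache flow
 tunnel source Serial1/0
 tunnel destination 2.2.2.2
 crypto map vpn
interface Serial1/0
 ip address 2.2.2.1 255.255.255.252
 ip route-cache flow
 crypto map vpn
"""

# Same config with flow accounting left on the tunnel (the mistake warned about above).
BROKEN_CONFIG = SAMPLE_CONFIG.replace(" no ip route-cache flow", " ip route-cache flow")


def parse_config(text):
    """Split an IOS config into global lines and per-interface sub-command lists."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, interfaces


def _iface_ip(lines):
    """Return the interface's address/mask as an ip_interface, or None."""
    for line in lines:
        m = re.match(r"ip address (\S+) (\S+)", line)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return None


def check_netflow_over_tunnel(text):
    """Return a list of findings; an empty list means the workaround looks complete."""
    findings = []
    globals_, interfaces = parse_config(text)

    dest = None
    for line in globals_:
        m = re.match(r"ip flow-export destination (\S+) (\d+)", line)
        if m:
            dest = ipaddress.ip_address(m.group(1))
    if dest is None:
        return ["no 'ip flow-export destination' configured"]

    tunnels = {n: c for n, c in interfaces.items() if n.startswith("Tunnel")}
    if not tunnels:
        return ["no Tunnel interface: export traffic will bypass the crypto map"]

    # 1. The collector must be reached via a static route whose next hop is a tunnel peer.
    next_hop = None
    for line in globals_:
        m = re.match(r"ip route (\S+) (\S+) (\S+)", line)
        if m and dest in ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False):
            next_hop = ipaddress.ip_address(m.group(3))
    via_tunnel = None
    for name, lines in tunnels.items():
        ip = _iface_ip(lines)
        if next_hop is not None and ip is not None and next_hop in ip.network:
            via_tunnel = name
    if via_tunnel is None:
        return findings + [f"collector {dest} is not routed via a tunnel peer"]
    tl = tunnels[via_tunnel]

    # 2. The crypto ACL must permit GRE between the tunnel source and destination,
    #    and the crypto map must be applied to the tunnel.
    src = next((l.split()[2] for l in tl if l.startswith("tunnel source")), None)
    tdst = next((l.split()[2] for l in tl if l.startswith("tunnel destination")), None)
    try:
        src_ip = ipaddress.ip_address(src) if src else None
    except ValueError:  # tunnel source given as an interface name
        src_if = _iface_ip(interfaces.get(src, []))
        src_ip = src_if.ip if src_if else None
    if src_ip is None or tdst is None:
        findings.append(f"{via_tunnel}: cannot determine tunnel source/destination")
    else:
        want = f"permit gre host {src_ip} host {tdst}"
        if not any(l.startswith("access-list") and l.endswith(want) for l in globals_):
            findings.append(f"no crypto ACL entry '{want}'")
    if not any(l.startswith("crypto map") for l in tl):
        findings.append(f"{via_tunnel} has no crypto map applied")

    # 3. Flow accounting on the tunnel would re-export the export packets themselves.
    if "ip route-cache flow" in tl:
        findings.append(f"{via_tunnel} has 'ip route-cache flow': export traffic is re-exported")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_netflow_over_tunnel(cfg) or "OK")
```

Feed it a saved `show running-config` and an empty result means the three pieces of the workaround are in place; each finding names the missing piece. The static-route check is deliberately strict (it wants the next hop inside a tunnel subnet) because a collector route pointing at the physical peer is exactly the case where export leaves in the clear.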
