03-15-2007 11:05 AM - edited 02-21-2020 02:55 PM
I want to collect NetFlow data from routers at remote sites in my Data Center. I have set up NetFlow successfully and am receiving data from the devices local to the server. I have Site-to-Site VPNs to the remote offices and connectivity to the collector is not an issue. I have configured NetFlow on the remote routers to use the IP address of the inside interface to source the NetFlow traffic (also tested with Loopback interfaces), which should make this interesting traffic just like one would for RADIUS or Syslog. The issue is that the traffic generated does not get encrypted. I checked these message boards and have found others with the same issue, but no solutions have been found. I can duplicate this issue on 830, 1721 and 3700 series routers with varying versions of code. Does anyone have any suggestions on how to get the data to the server? Any help would be appreciated.
03-21-2007 12:07 PM
It looks like a bug to me; check this bug ID: CSCef28662
03-21-2007 12:57 PM
Thanks for the reply. I didn't have any luck finding this ID via the Bug Toolkit; can you please verify the ID?
06-08-2007 12:54 PM
Netflow export bypasses output features (such as crypto) for performance reasons.
To work around this, route the export traffic into a tunnel and configure crypto to run on the tunneled traffic.
11-26-2007 01:37 PM
Hi,
Would you have a sample configuration of this?
Thanks,
Gene
11-26-2007 01:43 PM
interface Tunnel0
 bandwidth 44210
 ip address 1.1.1.1 255.255.255.252
 ip route-cache flow
 tunnel source Serial1/0
 tunnel destination 1.1.1.2
 crypto map vpn
!
interface Serial1/0
 bandwidth 44210
 ip address 2.2.2.1 255.255.255.252
 dsu bandwidth 44210
 framing c-bit
 cablelength 250
 serial restart-delay 0
 crypto map vpn
In the VPN cfg you need to specify interesting traffic (ACL 120).
access-list 120 permit gre host 1.1.1.1 host 1.1.1.2
HTH and please rate.
11-27-2007 03:35 AM
Two things to add to Collin's config:
#1 you'll want to set "ip flow-export destination" to an address that's at the far end of that tunnel. You'll need some routing to do that - eg, a static route:
ip flow-export destination 5.5.5.5 9999
ip route 5.5.5.5 255.255.255.255 1.1.1.2
#2 You might not want to be running netflow on the tunnel, else everything you export through the tunnel will be accounted by netflow then exported through the tunnel... so you'll end up generating a lot of netflow stats about your netflow traffic...
int tun0
no ip route-cache flow
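The workaround from this thread assembled into one configuration, added here as an example rather than taken from any of the posts above. It reuses the thread's collector address and port (5.5.5.5:9999) and the tunnel and serial addressing from Collin's post, and assumes a remote WAN peer at 2.2.2.2, an existing ISAKMP policy and pre-shared key for that peer (omitted), and a transform-set named ESP-AES-SHA; those three are assumptions, not values from the thread. In this example the GRE endpoints and the crypto ACL are the physical WAN addresses, since that is what the outer header of the tunnelled export packets carries and therefore what the crypto map has to match.

```cisco
! Added example (not from the thread). Assumed: peer WAN address 2.2.2.2,
! an existing ISAKMP policy/PSK for that peer, transform-set ESP-AES-SHA.
!
! --- Before (what the original poster had): export sourced from the LAN
! interface. NetFlow export skips output features such as the crypto map,
! so these datagrams leave Serial1/0 in cleartext even though 5.5.5.5
! is inside the VPN's interesting traffic.
! ip flow-export source FastEthernet0/0
! ip flow-export destination 5.5.5.5 9999
!
! --- After: put the export inside a GRE tunnel and make the GRE packets
! the interesting traffic, so the encapsulated export is what gets encrypted.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! Match the GRE between the tunnel endpoints (physical WAN addresses).
access-list 120 permit gre host 2.2.2.1 host 2.2.2.2
!
crypto map vpn 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set ESP-AES-SHA
 match address 120
!
interface Tunnel0
 ip address 1.1.1.1 255.255.255.252
 tunnel source Serial1/0
 tunnel destination 2.2.2.2
 no ip route-cache flow
!
interface Serial1/0
 ip address 2.2.2.1 255.255.255.252
 ip route-cache flow
 crypto map vpn
!
! Source the export from the tunnel and force the collector prefix through it,
! so the export packets are GRE-encapsulated and then matched by ACL 120.
ip flow-export source Tunnel0
ip flow-export version 5
ip flow-export destination 5.5.5.5 9999
ip route 5.5.5.5 255.255.255.255 1.1.1.2
```

Flow caching stays on Serial1/0 and is left off Tunnel0, following the last post, so the export stream is not itself accounted and re-exported. On older IOS releases the crypto map also had to be applied to the tunnel interface, which is why Collin's post shows it on both; on releases that only need it on the physical interface, the single `crypto map vpn` on Serial1/0 is enough. To confirm the export is actually protected, check that the counters for the GRE proxy identity in `show crypto ipsec sa` increase while the collector is receiving records.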