Netflow confusion

Unanswered Question
Nov 28th, 2007

I have netflow enabled, but I don't think I did it right.

Right now everything has the source address of the NetScreen box, which is understandable since everything is going through that, but when I go to the NetScreen nothing is matching up or just missing like it never went through.

I have Fe0 and Serial0.1. I thought one is in and one is out, but in Scrutinizer each one has an inbound and outbound, but again, nothing matches.

S0.1 has an IP attached to it that I have never seen before, and that's the interface that Scrutinizer says is 1.5Mb as speed and what it's showing everything going in and out of.

I attached the config and show int to see if someone can help me make sense of this. Thank you.

steve.busby Wed, 11/28/2007 - 19:59

I'm not sure what you think is wrong. When you enable netflow on an interface (ip route-cache flow) it forwards all flows leaving that interface. This is why you have to enable and export netflow collection on all interfaces.

Most netflow collectors/reporters are capable of correlating these two flows to properly show you send and receive values.

If Scrutinizer is reporting incorrect IP addresses, you should contact Plixer for an update. I know this was an issue on some of their older versions (pre 5.0 and w/Netflow V9), but you shouldn't be seeing it with V5 flows.

Then again you do have the NetScreen box which I'm assuming is forwarding the netflow information to Scrutinizer? If not, then make sure Scrutinizer has SNMP RO access to your router. If all else fails or you question what Scrutinizer is reporting, send an email to [email protected], they have really good support.

HTH

Steve
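
Added example, not part of the thread and not either poster's configuration: every NetFlow V5 record carries an input and an output SNMP ifIndex, so a collector can total traffic in both directions for each interface. This sketch parses a V5 export datagram and builds those per-interface totals; the ifIndex values 1 and 2 and the addresses in the sample packet are constructed.

```python
import socket
import struct
from collections import defaultdict

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record


def parse_v5(packet):
    """Return the flow records in one NetFlow v5 export datagram as dicts."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    version, count = HEADER.unpack_from(packet)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(packet) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated: header count exceeds payload")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "in_if": f[3], "out_if": f[4], "octets": f[6]})
    return flows


def interface_totals(flows):
    """Sum octets per ifIndex: 'in' where it is the input, 'out' where it is the output."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for fl in flows:
        totals[fl["in_if"]]["in"] += fl["octets"]
        totals[fl["out_if"]]["out"] += fl["octets"]
    return {k: dict(v) for k, v in totals.items()}


def sample_packet():
    """Constructed datagram: ifIndex 1 and 2 are made-up stand-ins for two interfaces."""
    def rec(src, dst, in_if, out_if, octets):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                           in_if, out_if, 10, octets, 0, 0, 40000, 80,
                           0, 0x18, 6, 0, 0, 0, 24, 0, 0)
    body = (rec("192.0.2.10", "198.51.100.7", 1, 2, 1200) +
            rec("198.51.100.7", "192.0.2.10", 2, 1, 90000))
    return HEADER.pack(5, 2, 0, 0, 0, 0, 0, 0, 0) + body


if __name__ == "__main__":
    for ifindex, t in sorted(interface_totals(parse_v5(sample_packet())).items()):
        print(f"ifIndex {ifindex}: in={t['in']} out={t['out']}")
```

The records identify interfaces only by ifIndex number; a collector needs SNMP read access to the exporter to map those numbers to interface names and speeds.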
