netflow monitoring

Unanswered Question
Jun 4th, 2008

Hi there,

Thank you in advance for any help.

I run a network consisting of a Cisco 800 series router and about 75 workstations/servers. I've gotten some complaints about network/internet performance, which led me to research solutions available for monitoring bandwidth.

My research seemed to indicate that enabling netflow would be the best way to monitor internet usage. Would this be correct?

I went through the process of:

1. Enabling Netflow and streaming the data.

- interface Ethernet0

- ip route-cache flow

- ip flow-export 192.x.x.x 9996 version 5

2. I installed a program called ManageEngine NetFlow Analyzer. (Just picked it from a Google search.)

The streaming appears to be working because I'm getting some data... but the numbers don't seem entirely accurate? I tested by downloading files from various test stations and the totals being reported back are off. I've also found that the outbound traffic is not displayed (tested this with another analyzing application).

Any help would be appreciated. Any steps I may have missed when enabling netflow? Any suggestions for a better application to use? Better ways to monitor bandwidth usage?

Thanks a lot.

Edison Ortiz Wed, 06/04/2008 - 12:47

What IOS version are you running on this router?

Can you post the config you have thus far?

__

Edison.

Jan Nejman Wed, 06/04/2008 - 13:05

Hello,

did you run the command ip route-cache flow on all L3 interfaces? You can get the list via the command:

show ip interface brief | exc unassign

Kind regards,

Jan Nejman

Caligare, Co.

http://www.caligare.com/

mattputnam100 Wed, 06/04/2008 - 14:01

I've been playing with this for a while now. I ran the following commands:

1. conf t

2. interface ethernet 0

3. ip route-cache flow

4. exit

5. ip flow-export destination 192.168.x.x 9996

6. ip flow-export source ethernet 0

7. ip flow-export version 5

8. ip flow-cache timeout active 1

9. ip flow-cache timeout inactive 15

10. snmp-server ifindex persist

Do I need to run these commands for each interface: Ethernet 0-3? Or do I just enable netflow (the first 3 commands)? I was unclear after reading the documentation.

Numbers still seem off to me as well.

Thanks in advance.

Jan Nejman Wed, 06/04/2008 - 14:33

Hello,

repeat lines 2-4 for every ethernet interface.

It is important to enable route-cache flow on all layer3 interfaces.

Jan

mattputnam100 Thu, 06/05/2008 - 06:07

Well,

Does that include the FastEthernet interfaces? I noticed that once I selected any of the FastEthernet interfaces the 'ip route-cache flow' command couldn't be used?

Ethernet0-3 all allowed the command to be used.

Any reason why?

Also, one more question. How do you remove an export destination? I mistakenly added the wrong IP and I'm not sure how to remove that entry?

Thanks for the help.

Jan Nejman Thu, 06/05/2008 - 06:14

Hello,

I'm sorry for my bad English, so I'm not sure if I understand. My recommendation is to run the command:

show ip interface brief | exc unassign

And for all interfaces in the list use the command ip route-cache flow

i.e.:

interface Ethernet 0

ip route-cache flow

exit

interface Ethernet 1

ip route-cache flow

exit

interface FastEthernet 0

ip route-cache flow

exit

interface FastEthernet 1

ip route-cache flow

exit

The command ip route-cache flow must be on all layer 3 interfaces (interfaces with an IP address).

Regarding the export destination:

Cisco supports two export destinations. If you add a new destination (the second), you can clear any destination via the command:

no ip flow-export destination ....

Kind regards,

Jan

PS.: To check how many flows were exported, you can use the commands show ip flow export or show ip cache flow.

PS2.: I also recommend setting the active and inactive timeouts:

router(config)# ip flow-cache timeout active 1

router(config)# ip flow-cache timeout inactive 15
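The thread does not say why Matt's download totals looked wrong, but the timeouts Jan recommends are worth understanding before chasing anything else: a flow is only exported once it has been idle for the inactive timeout or open for the active timeout, so a collector's numbers lag a transfer that is still in progress. The model below is an added example, not Cisco's code; it reproduces the IOS cache-aging rule with the IOS defaults (30 minutes active, 15 seconds inactive) and the 1-minute setting from this thread, against a constructed trace of one 20-minute download at one 1400-byte packet per second.

```python
"""Model of NetFlow cache aging: a flow is only exported to the collector when
it has been idle for the inactive timeout or has been open for the active
timeout.  Added example for this thread, not Cisco's code; the packet trace is
constructed (one 20-minute download at 1 packet of 1400 bytes per second)."""

ACTIVE_DEFAULT_MIN = 30    # IOS default active timeout (minutes)
INACTIVE_DEFAULT_SEC = 15  # IOS default inactive timeout (seconds)


class FlowCache:
    """Tracks live flows keyed by 5-tuple and exports the ones that expire."""

    def __init__(self, active_min=ACTIVE_DEFAULT_MIN, inactive_sec=INACTIVE_DEFAULT_SEC):
        self.active = active_min * 60
        self.inactive = inactive_sec
        self.cache = {}      # key -> {"first": t, "last": t, "bytes": n}
        self.exported = []   # (key, first, last, bytes) records sent to the collector

    def packet(self, t, key, size):
        """Account one packet seen at time t (seconds) against its flow."""
        self.expire(t)
        entry = self.cache.get(key)
        if entry is None:
            self.cache[key] = {"first": t, "last": t, "bytes": size}
        else:
            entry["last"] = t
            entry["bytes"] += size

    def expire(self, t):
        """Export every entry idle for the inactive timeout or older than the active timeout."""
        for key, e in list(self.cache.items()):
            if t - e["last"] >= self.inactive or t - e["first"] >= self.active:
                self.exported.append((key, e["first"], e["last"], e["bytes"]))
                del self.cache[key]

    def exported_bytes(self, key):
        """What the collector has been told about this flow so far."""
        return sum(b for k, _, _, b in self.exported if k == key)


DOWNLOAD = ("203.0.113.10", "192.168.1.20", 80, 50001, 6)  # constructed 5-tuple


def bytes_visible_at(active_min, inactive_sec, query_t, duration=1200, pkt=1400):
    """Bytes the collector has received for DOWNLOAD when queried at query_t,
    for a transfer of `duration` seconds at one `pkt`-byte packet per second."""
    cache = FlowCache(active_min, inactive_sec)
    for t in range(min(duration, query_t)):
        cache.packet(t, DOWNLOAD, pkt)
    cache.expire(query_t)  # the router's periodic ager runs whether or not packets arrive
    return cache.exported_bytes(DOWNLOAD)


if __name__ == "__main__":
    for active in (ACTIVE_DEFAULT_MIN, 1):
        print("active timeout %2d min: collector sees %7d bytes 10 min into the download, "
              "%7d bytes 15 s after it ends"
              % (active, bytes_visible_at(active, 15, 600), bytes_visible_at(active, 15, 1215)))
```

With the defaults the collector sees nothing for the download until it has finished and sat idle for 15 seconds; with `timeout active 1` it receives a 60-second slice every minute, so a graph drawn mid-transfer is close to the truth. Either way the grand total is the same once the flow ends, which is why a test that compares totals right after a download can look wrong on a router with the default timeouts.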

mattputnam100 Thu, 06/05/2008 - 06:41

Thank you very much for the reply.

What does this:

show ip interface brief | exc unassign

do?

Next, I have made some progress but I have some questions.

Ok, I'm starting to see some data, but I'm still a bit confused. First, I have 4 interfaces listed:

IfIndex5 -

IfIndex6 -

IfIndex7 - I can tell by the IPs that this would be the computers on our DMZ.

IfIndex9 - No traffic used here.

Interface 5 - shows local lan IPs as SOURCE, and outside world IPs as Destination. It's responsible for: In Traffic: 8% Out Traffic: 68%

Displaying In Traffic isn't all that helpful. It shows specific IPs, but very minimal traffic (being only 8% total usage). When I show Out Traffic, the top destination is our outside world ip (91% of the total). This isn't very useful for tracking usage from specific users.

Interface 6 shows outside world ips as Source, and our router IP (as the world sees it) as destination. It's responsible for: In Traffic: 64% Out Traffic: 14%.

Question 1. Can someone describe these interfaces to me? A bit confused at what they are.

Question 2. How can I tell where this data is going (as opposed to seeing my outside router IP)? I need to see real numbers for internal IPs. Does this have anything to do with IP routing being enabled/disabled? The instructions on the Cisco site said to enable IP routing but I wasn't sure what that was all about.

Question 3. Some of the data I'm seeing is traffic to a box on the DMZ. This would be testing and uploading of files to a network server on our DMZ. Is there a way to exclude that?

Thanks for the help so far.

Jan Nejman Thu, 06/05/2008 - 06:54

1.

The command 'show ip interface brief | exc unassign' will display all interfaces with an assigned IP address. It is useful for enabling netflow on these interfaces... for every interface in the list run the command 'ip route-cache flow'...

2. ifIndex numbers are SNMP interface index numbers. I don't know which analyzer you are using, but try to look at its SNMP configuration (you need to specify the SNMP community string and enable the SNMP server on your router).

You can use the command:

show if-mgr db interface ifName

if it is supported by your IOS, to manually resolve interface names...

3. You are probably using NAT on your device. That makes it more difficult to present traffic flows in a human-readable format. Try specifying more search criteria in your analyzer application... there is no easy answer.

4. You can exclude DMZ traffic by specifying search criteria in the analyzer (if it supports that).

Jan
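To make Jan's two points concrete (ifIndex values are just the SNMP interface numbers the router stamps on each record, and NAT hides the inside host on one half of every session), here is an added example of what a v5 collector actually receives and how an analyzer rolls it up. It is not code from ManageEngine, Caligare or Cisco. The datagram is constructed: 192.168.1.0/24 is taken as the LAN, 198.51.100.1 as the router's public NAT address, ifIndex 5 as the inside and ifIndex 6 as the outside interface, and the interface names in IFNAMES are assumed (on a real router they come from SNMP, as Jan says). Because `ip route-cache flow` accounts ingress traffic only, the replies to a LAN host's download enter on the outside interface before translation, so their destination is the public address, which is exactly the picture Matt describes for his interface 6.

```python
"""Decode NetFlow v5 export datagrams and roll them up per interface, the way an
analyzer does.  Added example for this thread, not code from ManageEngine,
Caligare or Cisco.  The datagram is constructed; 192.168.1.0/24 is the LAN,
198.51.100.1 the router's public (NAT) address, ifIndex 5 the inside and
ifIndex 6 the outside interface, all assumed for the example."""
import socket
import struct
from collections import defaultdict

V5_HEADER = struct.Struct(">HHIIIIBBH")                # 24-byte header
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
FIELDS = ("src", "dst", "nexthop", "input_if", "output_if", "packets", "bytes",
          "first_ms", "last_ms", "srcport", "dstport", "pad1", "tcp_flags",
          "proto", "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def parse_v5(datagram):
    """Return (header, records); reject anything that is not a well-formed v5 export."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, _ns, seq, _et, _eid, samp = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("expected NetFlow v5, got version %d" % version)
    if count > 30 or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count %d does not fit the datagram" % count)
    header = {"count": count, "uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "sampling_interval": samp & 0x3FFF}
    records = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(FIELDS, raw))
        for key in ("src", "dst", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        records.append(rec)
    return header, records


def build_v5(flows, seq=0):
    """Encode (src, dst, input_if, output_if, bytes, sport, dport, proto) tuples
    the way the router's exporter would (used here only to construct input)."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                       inp, outp, max(1, nbytes // 1400), nbytes, 0, 1000,
                       sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, inp, outp, nbytes, sport, dport, proto in flows)
    return V5_HEADER.pack(5, len(flows), 60000, 1212600000, 0, seq, 0, 0, 0) + body


def bytes_by_input_if(records):
    """Octets per ingress ifIndex: 'ip route-cache flow' accounts ingress only."""
    totals = defaultdict(int)
    for r in records:
        totals[r["input_if"]] += r["bytes"]
    return dict(totals)


def top_sources(records, input_if, n=3):
    """Top source addresses seen entering one interface."""
    totals = defaultdict(int)
    for r in records:
        if r["input_if"] == input_if:
            totals[r["src"]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def attribute_nat_returns(records, public_ip, inside_if, outside_if):
    """Credit bytes arriving on the outside interface for the NAT address to the
    inside host that opened the session.  Assumes the inside source port survives
    translation (port-preserving PAT); that is an assumption of this example,
    not something the router guarantees."""
    sessions = {}
    for r in records:
        if r["input_if"] == inside_if:
            sessions[(r["dst"], r["dstport"], r["srcport"], r["proto"])] = r["src"]
    credited = defaultdict(int)
    for r in records:
        if r["input_if"] == outside_if and r["dst"] == public_ip:
            key = (r["src"], r["srcport"], r["dstport"], r["proto"])
            credited[sessions.get(key, "unattributed")] += r["bytes"]
    return dict(credited)


# Constructed export: two LAN hosts fetch from 203.0.113.10; the replies enter
# the outside interface before NAT, so the router's public address is their dst.
SAMPLE_FLOWS = [
    ("192.168.1.20", "203.0.113.10", 5, 6, 20000, 50001, 80, 6),
    ("192.168.1.21", "203.0.113.10", 5, 6, 5000, 50002, 80, 6),
    ("203.0.113.10", "198.51.100.1", 6, 5, 900000, 80, 50001, 6),
    ("203.0.113.10", "198.51.100.1", 6, 5, 100000, 80, 50002, 6),
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_FLOWS, seq=1)
IFNAMES = {5: "Ethernet0 (inside)", 6: "Ethernet1 (outside)"}  # assumed SNMP names

if __name__ == "__main__":
    header, records = parse_v5(SAMPLE_DATAGRAM)
    for ifindex, total in bytes_by_input_if(records).items():
        print(IFNAMES.get(ifindex, ifindex), total, top_sources(records, ifindex))
    print(attribute_nat_returns(records, "198.51.100.1", 5, 6))
```

Run stand-alone it shows the split Matt sees: the inside interface carries the LAN addresses but little volume (the requests), the outside interface carries the volume but only the public address. `attribute_nat_returns` shows the kind of correlation an analyzer has to do to put the download bytes back on 192.168.1.20; it only works when the translated port matches, so treat any "unattributed" remainder as exactly that rather than as traffic from the router itself.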

mattputnam100 Fri, 06/06/2008 - 07:04

Well,

Currently I think I have most of my issues resolved. The outstanding problem for me is that the bulk of the traffic is showing up under our outside world IP address.

I'll see 94% of the bandwidth is being used by our broadcast IP.

The router knows what IPs are receiving the data... is there something I have misconfigured or something I can do to get the actual requesting IPs instead of our broadcast IP?

Thanks again for the help.
